By Scott Perry, Principal, Crypto and Digital Trust, Schellman
For the past several months, crypto companies have been given the lion’s share of attention from boards, businesses and leadership for their failures when audited or assessed. While the consequences are warranted, unfortunately, it seems that the story of cryptography is permanently cemented to the sketchy legacies of the cryptocurrency marketplace and exchanges – when really there is a wealth of other value in the cryptography technology that is completely untapped. The recent issues coming to light in the cryptocurrency industry has less to do with the technology, and much more with how the technology is governed and accepted by relying parties. In this article, I’d like to explore how technology, compliance and security leaders have misunderstood the technical value of cryptography and how digital trust governance and accountability of future-facing solutions will change the way the digital economy will operate.
A reintroduction: what are cryptography and digital trust?
To start with a fresh slate, it’s worth defining both cryptography and digital trust. Cryptography and digital trust services have historically been used to encrypt web traffic and establish traditional certificate-based identity hierarchies in closed networks. The cryptographic relationship between key pairs of a secure private key and available public key can be the fundamental basis in how we add more trust and confidence in higher-risk transactions, such as digital identity background screening, cryptocurrency transfers, etc.
Digital trust is the barrier to entry for those trying to join any community exchanging high-value digital assets, and, especially for companies trying to build greater assurance over the identity of its customers. A high degree of confidence in the identity of those who transact anonymously on the Internet is a prerequisite for future financial success and strategic tenacity. This is why cryptography is so critical in an increasingly digitalized market. The more that businesses can assure that their transactions are secure enough to mitigate imposter, malware and ransomware risks that are now prevalent in today’s Internet, the more their customers will have heightened confidence in their services.
However, there is another hurdle that technology leaders will need to overcome. According to McKinsey, 70% of customers believe that the companies they do business with on a daily basis are securing their data. This does not match the reality of the digital trust landscape, with 57% of executives reporting that their organizations have suffered at least one data breach in the past three years.
Not only does digital trust need to overcome the media din around crypto failures and bad actors, but solidify itself as an essential tool in executive toolkits as it relates to cybersecurity and customer success.
The state of the Web and practicing digital trust
In the digital economy, transactions are becoming of higher and higher value – such as government contracts that are executed entirely digitally – but there is not a solid infrastructure in place for greater assurance and oversight when it comes to those high-risk, high-value interactions. However, over the past seven years, there has been a movement towards using cryptography to create digital credentials and artifacts to allow individuals to identify and control their identities on the Web, which solves for this lack of oversight on interactions. This allows both individuals and Web providers to present themselves in ways that they see fit, ways that are both private and secure.
The current architecture of the Web does not allow for both private and secure identity management controlled by the user, and thus misses the opportunity for improved digital trust. As it stands, most individuals on the Web use application supplied login credentials for every provider or server platform. This creates a myriad of identities per person, which are only secure as long as those credentials remain protected by the user and the service provider. In this paradigm, individuals are obligated to give their personal information to a bevy of providers, decreasing their privacy and control each time they need to use a different service.
Due to demands for more privacy and personal control of identity information, the future of the digital economy will look very different. Instead of using login accounts, individuals collect a unique set of digital credentials stored on a secure digital wallet. Users, given their consent, would release their private information to authenticate their identity and access services. Essentially, every individual has their own “digital passbook” to join all online communities through verified service providers, connecting them to the organizations, groups and transactions that they choose to join. By using cryptography, IT leaders can reenergize the practice of ID management, and accreditation services too, thereby boosting the digital trust of online businesses.
Architecting the future of the digital economy
To make this a reality, IT and cybersecurity leaders need to put their, for lack of a better word, trust, in digital trust. There are several processes for which digital trust can be a crucial tool, all of which further the sanctity of secure, private Web interactions.
A primary use for digital trust is identity management. Individuals can use their credentials secured by private “keys” – i.e. the private piece of cryptography that proves that an individual is who they say they are – to log in to the Web. This private key, when verified against a mathematically linked public key, can automatically prove the authenticity of users who access platforms and services, ensuring they are not bots or spoofed identities.
In addition to identity management, cryptography can play an important role in credential management. Often for those, high-stakes, high-risk interactions, proof will be needed for those involved in the transaction. Cryptography can create tamper-proof and verifiable documents and certifications, ensuring that users’ important credentials are authentic when they are gaining access to certain communities online. Examples of documents that can have cryptographic attributes include, but are not limited to: birth certificates, driver’s licenses, gym memberships, bank accesses and industry associations. For those high-stake interactions, like purchasing art or signing government contracts online, these crypto applied digital credentials can be accessed, proven and transacted with confidence and trust.
Finally, cryptography can be instrumental in access management, perhaps the most valuable to security protocols. Using the aforementioned credential management, cryptography-based accounts will have these certifications built with cryptographic keys, allowing access to authorized rights, or sites that accept a user’s digital passbook. For cybersecurity, the implications of this kind of immediate, secure access management are huge, allowing the honeypots of digital identity information currently stored with tech service providers to be much more widely dispersed in secure personal data stores on their smartphones or in protect Web storage.
By architecting this level of digital trust into the Web, all high-caliber interactions would become tied to a verified identity supported by strong cryptography making them difficult to hack thus changing the game for cybersecurity. On the downside, this level of infrastructure would require a complete, new architecture of how individuals and providers support trusted transactions on the Web. To build this future of digital trust, organizations and countries need to come together over a set of common and interoperable standards allowing credentials to be more globally accepted throughout the Internet.
As leaders, we can talk about redesigning the Web as much as we’d like. Given the recent governance misuse of cryptocurrency, the technology needs a public relations refresh. It will begin with a redesignating of how the public views cryptography and digital trust. The fact is that we transact digitally today, we just need the mechanisms to filter the unwanted noise and criminal elements to exact more confidence in who you are interacting with digitally. Cybersecurity is headed towards an inflection point; it is critical that, cryptographically verified identity be fully adopted to support the kind of trusted digital marketplace that can enable a new wave of innovative applications.
Scott Perry is a Principal at Schellman where he heads up the crypto and digital trust services. Prior to joining Schellman in 2022, Scott owned and operated his own firm specializing in cybersecurity consulting audits and governance, GRC implementation, Digital Identity and verifiable credentials, and WebTrust. Scott has worked with the world’s most respected SSL-certificate issuers, aerospace and defense companies, and government agencies such as the US Senate Sergeant at Arms and the US Nuclear Regulatory Commission. He is the Co-Chair of the Trust Over IP (ToIP) Foundation Governance Stack Working Group and has contributed to the published Security Trust Frameworks for the Sovrin (Self-Sovereign Identity) Foundation, and the FinClusive Rulebook.