The Cryptocurrency Bloodbath and the Future of Crypto
Richard Bird on Crypto's Collapse, How Crypto Can Help Solve Problems in the Future
Steve King (@sking1145) • August 2, 2022 • 33 Minutes
Commodity markets have created a cryptocurrency bloodbath that may not be over, but Richard Bird of SecZetta says crypto "is not invalidated as a means of commerce and exchange because of the collapse that it is currently experiencing."
Bird looks to the economic patterns in history for perspective. He says the fact that "the practice and development of crypto markets and individual cryptocurrencies have gotten less mature" is "exactly what was going to happen."
A lot of the early crypto players weren't "ready for prime time," Bird says, and when the economic downturn hit, "you see who the true planners and survivors are."
In this episode of "Cybersecurity Unplugged," Bird also discusses:
- How the blockchain can be used by opportunists "to create value or fuel opportunities for economic gain in the corporate world";
- The "huge mistake" of requiring people to "continuously authenticate as a different persona in every single company they interact with and how to change it";
- The problems that can arise from the "digital us" being a proxy for the "physical, analog us."
Richard Bird is the chief product officer for SecZetta. Bird has been a C-level executive in both the corporate and startup worlds and is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and identity-centric security. He's also a senior fellow with the CyberTheory Zero Trust Institute, a Forbes tech council member and the host of the "Who The Heck Are You" podcast. Bird has been interviewed frequently by media outlets, including The Wall Street Journal, CNBC, Bloomberg and the Financial Times and is known as the "father of identity management."
Anna Delaney: Welcome to Cybersecurity Unplugged, the CyberTheory podcast where we explore issues that matter in the world of cybersecurity.
Steve King: Good day, everyone. I am Steve King, managing director of CyberTheory. Today's episode is going to focus on the cryptocurrency market meltdown and the implications to identity proofing authentication and access management. Joining me today is Richard Bird, chief product officer for SecZetta. Richard is a multi-time C-level executive in both the corporate and startup worlds. He is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and identity-centric security. He is also a senior fellow with the CyberTheory Zero Trust Institute, a Forbes tech council member, host of Who the Heck Are You podcast and has been interviewed frequently by media outlets, including The Wall Street Journal, CNBC, Bloomberg, Financial Times. He is also known as the father of identity management. Welcome, Richard. I am glad you could join me today.
Richard Bird: Thank you. I appreciate it as always, Steve. It's great to be on.
King: Thank you. Let's talk about crypto first. The commodity markets this week have created a cryptocurrency bloodbath, and these declines might not yet be over. In addition, many folks are wondering about the apparent ease with which cybercriminals can hack into cryptocurrency trading platforms and steal funds. What is your assessment about the security defense for cryptocurrency in general?
Bird: When you look at crypto, it's kind of funny to go back to its origins and how everything got started. It was a brilliant idea, from a conceptual basis. Everything works in theory until you put it into operations. That's the problem that you've seen as it relates to crypto's evolution. You can make an argument on growth and maturity, but I don't know if that's accurate. When you look at crypto, you could make the argument that the practice and the development of crypto markets and individual cryptocurrencies have gotten less mature, which is understandable because there's economic patterns in history that clearly showed that this was exactly what was going to happen with crypto. I think those patterns also show that crypto is not invalidated as a means of commerce and exchange because of the collapse that it's currently experiencing. But I think when you look at its early stage, you know the theory and the market that it creates. The market then generates a massive amount of interest, investment dollars follow and then behind investment dollars follows immediate speculation. The industry of crypto as we've seen explodes in terms of its diversity. But a large percentage of those crypto players simply weren't ready for primetime. If you've been around for a long time, like you and me, every time there's an economic downturn, that's when primetime is. Not when it's Great Gatsbyesque, and everything is blowing up, and somebody takes the meme coins and all of a sudden says something about the money increased by value 7-8-9-X. It's when the going gets tough that you see who the true planners and survivors are, and we're seeing that in the crypto markets. From a security standpoint, it's been a whole lot of hype. I'd pitch that back to you to Steve. I know that you and I have both seen these kinds of hype cycles, probably the most recent being 98-99-2000.
But how much of the crypto market do you feel has been driven by hype and energy and how much do you feel it's been driven by the financial-economic value and performance?
King: It’s entirely driven by greed, in my assessment, and I don't buy the absolute security and regulation stuff that we've been continually fed here that we've got Congress losing their minds over “we need more oversight.” I talked to folks that are experts in the cryptocurrency space and they say that crypto is already more highly regulated than adjacent Fiat markets. Whenever you see people having access to a billion-dollar gain and a 24-hour period, it's the greater fool theory. You were with Jamie Dimon back in the 2007-2008 meltdown, and there was Washington Mutual subsumption, I guess by JP Morgan Chase. So you know, firsthand, what you end up with there. My view is that this is entirely driven by greed that if I can buy some credit default swaps, I can find somebody to sell them to at some point.
Bird: I love that you brought the CDO example because there's another pattern in history. Here's where I struggle with crypto and I absolutely agree with you like crypto markets and crypto performance is a very greed and speculation-driven market. But when we look at CDOs, I think it gives us another reference point for why it should have been easy. For many of us, it was. Many of us didn't put money in the crypto market after we peeled apart. It should have been predictable that with any economic bump globally, crypto was going to be impacted negatively because when you look at history, there's very little in terms of a means of exchange that is not tied to something of direct value. CDOs, in theory, were all about mortgages. But having been an old hedge fund administrator, chief information officer, everyone knew after the first lump of CDOs were sold in the market and continuously passed, those collateralized debt obligations were tied to nothing. Once the pressure of that economic events started to cause people to start to look for liquidations, and getting out of those CDOs, they quickly learned that they weren't attached to anything. Crypto, I like the idea conceptually of the ability to do digital exchange. I think that there's a lot of potential value for it in the future. But that's not what crypto’s been, back to what you said. Crypto has been all about creating fictitious wealth that isn't attached to anything of intrinsic value. There's no way that those markets ever sustain themselves. We saw it with the internet bubble burst, with the CDOs, with the collapse of the economy during the OPEC oil crisis - all of them driven by the same thing - tons and tons of investing into vapor. It's going to happen again, before I'm in the dirt, maybe one or two times, but it won't be crypto. It'll be what everyone is talking about next, like quantum.
King: It is and you are right, it's hard to believe that we were unable to learn from history, which is amazing to me. If you count the documentaries in the movies that were made around the financial crisis, there must be seven or eight of them that were big-time events. You would think that everybody's seen them and understands but apparently not. I don't know. I side with Gates and Buffett in terms of their investment strategy. If it doesn't produce anything, I'm probably not going to invest in it.
Bird: I love the Gates and Buffett reference too because prudent investors have always won. Throughout history, 1000s of years, prudent investors have always won. Working in hedge funds when I was 15 years younger, better than I am now, was eye-opening, because this ability to shuffle things and make money, not shuffle things that had tangible value, but just move paper contract around, speculate, take options and move on derivatives and all that kind of stuff. It's like you said, we don't work from history because prudent investors continue to be successful over time. We have these flashes of these big things that happen over the duration of four or five years and then they collapse. But they do get reconfigured. I do want to come back, Steve, to a point that you made about the crypto players and their statements that they're more highly regulated than banks. That's baloney. When I hear that kind of stuff being talked about in the last several weeks that falls in the category of “Oh, poor me-ism.” You guys don't understand how regulated we are. For me, as a guy that used to sit in front of the Fed every two weeks, I can tell you that the level of oversight that crypto is exposed to in the United States is not even a scratch on the surface of what the banking industry has to manage. Now, that being said, I think that we're way out of the universe relative to the effectiveness of regulations and how much the banks need to manage against. I think it's ridiculous what the United States government has done to the banking industry in constraining them. The reason that I think it's ridiculous is because by creating a situation where banks can't be flexible and agile to meet customer opportunities and expectations, you create opportunities for the DeFi market, you create opportunities for the crypto market, and other financial services players to come in and operate with less regulation. 
Time and again, it's shown that when they operate with less regulation, things go wrong, they play dirty or they make mistakes that are substantial, but could have been avoided. I think that the regulatory environment, the banking industry, probably has stifled the innovation and growth that would have created opportunities for banks that have done this for centuries to be able to build a better mousetrap than we currently have with crypto markets today.
King: I'm sure that's true. As I recall, the SEC had domain authority over the rating agencies to back and it didn't seem to matter that much. So blockchain technology is all about cryptography and immutability, and decentralization and all of that. If you have cryptographic security and these assurances that no one can modify the data in a blockchain without the knowledge of the other folks that are involved, it seems pretty secure. Is it in your view?
Bird: I would say it could be. It still gets back down to that big bridge you have to cross between theory, concept and operationalization. We look at blockchain. Early Days blockchain specifically for what I'm known for blockchain for identity. The problem is that the digital us is a proxy for the physical or the analog us. Human beings are very messy, which means that we have a lot of aspects about being humans that are very sporadic, temporal and untrustworthy. I always like to use the example when I used to talk to folks in blockchain and self-sovereign identity and the early days of the conceptual uprising. I said I'm an old banker, so I'll give you a great example of the deficiencies of immutable ledgers as it relates to banking and I said, marital status is a component of identity, yes or no? Everyone SSI and blockchain would say, yes, absolutely, your marital status certainly falls into an identifying characteristic. I said, so I'm married but I have this is a hypothetical situation, I'll make sure everyone who's listening knows this. I've been married for 23 years, I've decided that I am going to be a horrible person and I engage in illicit affairs and my partner, my spouse, decides that they no longer want to be with me, and they move out to my second home. Then about six weeks later, they clear out every bit of the joint financial accounts that we have. So where in the immutable ledger does it say married, but it's complicated or married, but not living together anymore or married, but we hate each other. There's the mechanics of human society in translating them to the digital gets messy, because human beings are messy. That being said, I think that there's huge - and my mind has changed on this substantially over the last few years – fit-for-purpose opportunities for blockchain when it comes to identity. There are characteristics that are associated with being a human that are immutable. Not the least of which is our birth dates and our death dates. 
I think that the opportunity to leverage something like immutability, as it relates to human beings, is it creates solutions for problems like I've experienced personally, which is, I lost a family member. That family member has now existed in the digital world without any of my influence for several years because marketing organizations pick up the data, they craft a new persona and they send out credit card offers. I can see being able to leverage immutability and blockchain to give a better perspective on the digital you in a way that has benefit and value back to you. I think when we start to look at blockchain as an opportunistic way to create value or fuel opportunities for economic gain in the corporate world, then people are unfortunately going to take advantage of it until we start to pull it apart. Blockchain in the corporate enterprise setting and using it from an IT operations standpoint, maybe that's the next hype cycle. Who knows? We'll kind of see.
King: I'm sure Gartner will help us understand which one it is. If you were to create an idealized IAM system for all of this stuff, what would that look like? Think about in the zero trust context levels of granularity that we need to get to that we're not at now and all the rest of that. What would that look like?
Bird: When I get asked that question, I try to future cast what a not necessarily utopian state but an effective proxy world where the analog me and the digital me have a much tighter relationship. There are a couple of key things that I always touch on. The first is that we have made a huge mistake and we are requiring a human being to have to continuously authenticate as a different persona in every single company, every single organization and every single agency that they interact with. It's this bizarre one-to-many relationship that creates massive security problems, because all I have to do is get one of you. I saw something recently. We all have 160 to 180 active internet accounts and identities - commerce and banking and all that kind of stuff. All I have to do is get one of those and I can do damage to you. I think that we look at the benefits of crypto and its association to the possibility of changing things. I'm starting to see a technical pathway to solve what I've been passionate about, ever since I got into the solutions industry and out of corporate about six years ago, which is digital identity should be for the people. If you start with that, then this notion of Bring Your Own Authenticator - there's only one me and there's only one authenticator. We could start to do the mechanics around that, with something like an NFT for identity. The problem is still who owns the mint. Let's just push that off for a second. It's the operational piece, who owns the mint, but the idea that I could have some form of an authenticator that has a direct tie to me personally, and then I manifest that authenticator opens up a whole new world on a corporate identity side, the government entity side, because almost all of the security solutions that exist outside of the identity space exist because we can't prove that you are who you say you are. That's internal and external.
If there is a high degree of surety that the analog person who's trying to engage in the digital is who they say they are, massive amounts of spend, overhead, friction, inefficiencies get driven out of the digital world, because of the fact that we've been layering tech upon tech and solution upon solution to try and mitigate the bad outcome of one person who's not who they are getting into the systems. The idea of a 'bring your own authenticator' opens up the second tier of that utopian landscape and identity, which is the vast majority of energy is spent in the authorization area, after I've authenticated. That authorization plane is where there's a tremendous amount of stranded business value and opportunity for companies to accelerate improving customer experiences and all that kind of stuff. I'll tie this off with - that utopian state is necessary, because I don't know about you, but in the last three years, my digital consumer experiences have absolutely sucked.
Bird: After 20 years of digital transformation, they're horrible. Why is it that if I am going through multiple steps of your multi-channel system to get an answer to my problem, I've got to authenticate three to four different times. The call service agent is asking me knowledge-based questions or the system is telling me to click the stupid reCAPTCHA pictures. How is this where we're at? A lot of it is just simply because we're relying on an identity framework that is completely dependent on these independent accounts and these independent identities across all of these different organizations that we do business with. I think that that's where the big changes are going to come. I think we're in the window. I think that, especially with Apple wallet, Google Pay, everybody's trying to get into the Bring Your Own Authenticator business, even though they don't call it that. I think that you're going to start to see camps of corporations, especially with Apple's announcement about FIDO, lining up behind these big players in capitalizing on Facebook's missed opportunity. Facebook could have been the SSO and Federation for all website identity, but they dropped the ball. They didn't just drop the ball, they just put the ball in the Mariana Trench, and will never be able to recover it again.
King: Indeed, it's right. With bots and 5G isn't it going to get even more complicated and difficult to determine whether or not you've got a human being entity on the other end?
Bird: Without a doubt. Bots are such a great example of this. I always go back to patterns. When you give application developers a toy and you say, “Go forth and conquer,” they go crazy. I've said this repeatedly, when I've spoken. Cybersecurity is at least five to six years behind every major change in the technology landscape. It takes that long to catch up. APIs are such a great example. APIs have been around now for about 11 years. Companies are now trying to wrangle security, around 10 years of application developers doing whatever they do. I think that this rise of 5G and the rise of bot-driven transactions certainly is problematic. 5G means that people are going to screw things up faster. It's not necessarily going to create an opportunity for better customer experience; it’s going to create an opportunity for bad things to happen faster when somebody clicks that bad link in an SMS text and gets hacked on their cell. The bot side of the equation has been interesting to watch from a consumer as well as a corporate standpoint, because it's pretty clear that human beings are able to sus out bots pretty good. It might take you a couple of cycles going back and forth about your last order or UPS tracking. But after a pretty short amount of time, people are frustrated. It's interesting, me talking with people, family members, friends and colleagues, how quickly people go, “Okay, I'm going to figure out a way to bypass system.” I think that that doesn't mean that the evolution of bots and bot technology won't continue to grow to deepfake levels. I do think that there's still hope in people wanting genuine experiences, even when they're digital, that would suggest that where bots go is going to be a fits and starts growth, I think. We're still going to see people recognizing that there's value and true customer service and experiences and they're just going to shy away from them. It'll be interesting to see how it evolves. 
But on the 5G point, like I said, I think it's a fail faster technology. I don't have much hope that I'm going to get better bandwidth on my phone from my carrier with 5G.
King: No, and then speed is the enemy here. Anything that enables the bad guys to do what they do faster is always a bad sign for the good guys. We're already losing this war, and in my estimation, it's going to get more difficult with that kind of speed shift.
Bird: I agree. I always like to use the reference points of cars because I've had quite a few in my day. Putting 5G in your hand doesn't make you better at the internet, just like putting keys for Ferrari doesn't make you a racecar driver.
King: Good analogy. What are your final thoughts about technology? This is a very loaded and broad question. But is it worth introducing more new complexity and an increased load when we can barely keep up with what we already have?
Bird: It's a terrible idea, unfortunately.
King: Alright, all you startups out there, stop.
Bird: For me, it's not so much the security solutions where the solution space and tech startups are challenging. I said this last week in San Francisco: the one thing that I've learned now being on the solution side, after so long on the corporate side, is that nobody in the solution space writ large. This is a broadly general statement. If there's one or two founders out there that take exception to it, just know that you're the exception, and I love you. But in the investment community and working in the startup community, I am staggered by the reality that people that are in the solution space are opportunistic. They did not wake up one day and go, “You know what? There's this massive or a niche problem in the marketplace that needs to be solved and I'm going to wake up every day and do nothing but focus my attention on it until it gets fixed.” That is not the motivation in the solutions industry. The solutions industry is opportunistic. Somebody sees a gap, they see that it has possibility to raise funding, they use that funding then to create revenue and hope to blow that thing up into a unicorn and get out next equity exit stage. None of that makes the world safer. None of that makes the world better. None of that makes the world less complicated. But it is the dynamic that all the solution players operate off of. I think that when I worry about the additional complexities, it's more the meta platform or major technology changes piece. The other thing that I said last week is you can look at the extant reality of technology today. And more than 90% of all workloads are run by mainframes on a daily basis. It doesn't matter how big the cloud has got, mid ranges are still around. I'm talking to people that are still running AS/400s. I'm talking to people in the manufacturing industry that are still running Windows XP embedded on industrial control devices.
I think that this complexity issue is missing the reality of human behavior, which is we never get rid of anything. When it comes to corporate technology acquisition, corporations are like, “You are aunt that hoards everything.” I know companies that you can walk into and say, “Hey, I really think that you need to buy X,” and they go, “Hang on, let me just take a look at the IMDB,” and they look and go, “Oh, yeah, we already have subscription licenses to that.” They are like, “Are you using it?” “No but we have it.” This hoarding mentality means that whatever comes next is just added to the woodpile, and that's where the complexity comes. My last leaving point would be, bring it back to identity. If you want to be exceptionally good at identity security, which you need to be, because 20 years of history shows us that that's how you're going to get breached four out of five times. If you want to be exceptionally good there, then you have to be exceptionally good at managing your identity experience across your mainframes, your mid-ranges and your client-server environment. Everybody now wants an Apple device in the corporate space. Now you're on the iOS side, you also have the Windows side because you got people that hate Apple. Then you've got cloud but you don't have just cloud, you have Google, Azure, AWS and maybe a couple of regional players. Everyone's talking about quantum. Quantum isn't going to take everything out, it's not going to take up a thing before. Quantum is going to be added to that stack. Everybody's going to have to try and manage across that with the exception of companies that start now and they're all pure greenfield but none of those companies are all pure greenfield and going with just cloud technologies are in the Fortune 2000. None of them. I don't even think that it's necessarily that there's too much tech or there's too much in the way of solutions, or there's too much in these IT or technology referential stacks. 
I think it's the fact that we don't get rid of anything that is causing the majority of our problems. That's probably a conversation for a whole another blog because there's corporate politics and budgets and all that that's tied up into why do people keep stuff on life support, that increases their complexity rather than going for a more elegant, simple or streamlined approach. But I don't think the next thing is the problem. I think it's the last 27 things that are the problem.
King: I agree 100% and the difficulty with that is that there's the perception that those last 27 things work. In fact, they're probably the only things that work. Your reluctance to get rid of them is understandable. What check processing has been running on COBOL systems for how many years? 50-60-70 or something?
Bird: Yeah. And it's back to what you said, it works. I shared something last week: if you've got something that works and solves 100% of your business problem, and some cloud application guy walks into your organization and says, “Hey, we've got a better faster, cooler, more redundant thing but it only solves 80% of your business problems, instead of 100.” Every time somebody is in that seat is going to default and go, “I'll stay with what I got.”
King: Of course. That's a whole other episode that we can talk about, too, is what is wrong with the current sales and marketing crowd, in terms of how they're going to market with this thing. We'll leave that for now. This was great. It's always refreshing and a pleasure chatting with you, Richard. I thank you for taking time out of your now ultra-busy day because of increased responsibilities at SecZetta. Congratulations on that. I wish you the best over there. I hope that the whole experience turns out to be as positive as we all expected when you went there, and I'm sure the audience appreciates it as well. Thanks again.
Bird: Thank you, had a blast. Always do.
King: Alright. Great! We'll catch up in a few months. Thanks, Richard. Take care.
Delaney: Thank you for joining us for another episode of Cybersecurity Unplugged. You can connect with us on LinkedIn or Facebook at CyberTheory, or send us an email at firstname.lastname@example.org. For more information about the podcast, visit cybertheory.io/podcast. Until next week. Thanks again.