TECH advancements and increased interconnectedness offer many benefits to society. Whilst it poses new Cybersecurity risks and privacy threats. The world becomes chaotic when authentication techniques cannot discern what to trust or untrust. According to the World Economic Forum, “Zero Trust” is “a shift in the security approach on how to dynamically and holistically establish trust with an unknown, whether a human being or a machine”. Research suggests that the Zero Trust market is expected to grow from $31.1 billion in 2023 to $67.9 billion by 2028. So, let’s review the historical developments of internet safety and envisage what is next in improving Trust amid the race in various technologies.
Public Key Infrastructure was originally invented by the British intelligence agency GCHQ in the early 1970s as a centralized Certificate Authority (CA) based system. CAs are prone to hackers’ Man-in-the-Middle attacks. Instead of relying on CAs, Decentralized Public Key Infrastructure (DPKI) has key-value storage in a decentralized form for better security. Pretty Good Privacy (PGP) is a decentralized “web of trust” system developed by Phil Zimmermann long before the existence of Blockchain/ Distributed Ledger Technology (DLT). PGP is the common encryption standard in today’s market.
The internet highway is a “Public” space. It is dominated by Google and other Big TECHs, as well as many Hackers and Foreign Adversaries. PGP is no longer effective in the convoluted World Wide Web. According to NIST and NCCoE, “The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries.” Users of internet applications may opt-in/ opt-out of sharing. Organizations are only now catching-up in deployment of cybersecurity best practices. All of these do not change the fact that the internet highway is NOT a space for “Quiet Enjoyment” (QE) – a right of an occupant to enjoy and use premises in peace and without interference.
There are limitations of Privacy Enhancing Techniques. By “joining” (daisy chain/ mesh) multiple digital trails and metadata using Artificial Intelligence (A.I.), biometric recognition, geolocation and/or other technologies, Personal Identifiable Information and confidential data could be unveiled. Law enforcement agents may use such techniques to pinpoint wrongdoers. All giving rise to civic concerns about Massive Government Surveillance agencies and systems. In addition, disinformation, headline cases of non-compliance, tech companies’ failure, and/or other controversies have shaken peoples’ trust on technology.
People cannot rely on the government to fix privacy and security problems. Take the Consolidated Audit Trail (CAT) project – the world’s largest financial database as an example. The US Securities and Exchange Commission (SEC) asked FINRA CAT to comply with an outdated NIST’s CISP revision 4 of SP800-53 standard. Irony is – several U.S. agencies, including the SEC were hacked. Hackers do not necessarily come from outside, e.g., the Edward Snowden case embarrassed the Central Intelligence Agency. The SEC undermines the risk of function creep when they are users of CAT. The SEC recently adopted Cybersecurity rule calling for public companies to heighten related governance controls and disclosure.
While people love the convenience of physical token-less security screening tools using biometrics, such as CLEAR – NextGen Identity+, for digital identity to access secured areas (airport) and digital online space (LinkedIn verification), there are a few security incidents with the firm. Facial recognition is everywhere, and anyone’s biometrics information may already be collected by different machine learning libraries that are susceptible to attack or misuse.
Security controls should be embedded in the design of any systems. Minimize data-in-motion. ‘Data-in-use’ is more vulnerable than ‘at-rest’. The more users/ devices access data, the greater the risk hackers may alter/ add/ insert/ use (or reuse) the data abusively. If putting these principles in a broader context of architectural design of the Internet, the concept of having Metaverse makes sense. Crafting out private QE spaces from the public internet highway would better delineate: (1) the Authenticity of the People, (2) In-Door Places, and the (3) Ontology of Things.
| Authenticity Institute summarized 10 reasons for why DPKI has yet to be widely adopted (see table on right). We agree there are significant gaps in the awareness and know-how in the appropriate implementation of Zero Trust Architecture. Yet, we believe “Establishment Pushback” being the prominent factor hindering a paradigm shift.
Take electrification of paper-based Letter of Credit for example. It has been proven that billions can be saved by digitizing this trade finance process. |
Reasons | Categories |
| 1. Omits vital specifications | Implementation Flaws | |
| 2. Not enough privacy | ||
| 3. Reliable identities too scarce | ||
| 4. No legitimate authenticity source | ||
| 5. Signatures of objects not people | ||
| 6. Bizarre terminology | Perceptual issues/ insufficient education | |
| 7. Brilliant but too complex | ||
| 8. Encryption confusion | ||
| 9. Entrenched assumptions | Establishment Pushback | |
| 10. Privacy is TOO good! |
A consortium of major banks around the world established the Bolero system three decades ago in pursuing that goal. There are countless systems and projects that use Blockchain, smart contracts, and/or digitized networks to streamline the paper-intensive trade finance practice. Reality is – none of these initiatives have been able to sunset the Uniform Customs and Practice for Documentary Credits. The point is – technology is only one-third of the race in improving trust. People accustomed to data breaches class action settlements. Governance may play a small part in inducing change.
Using the US Government confiscated cryptocurrencies from illicit activities to showcase the “trust” issues, the biggest challenge faced by the regulators is, the entire flow mixes-in legitimate DLT initiatives with potential bad actors / foreign adversaries that hide under the guise of DeFi / De-dollarization movements. Authenticating who’s who is doing what at where and when via DPKI metaverse is good, but insufficient. 21st century’s challenges or “chaos” include: content moderation versus censorship, rogues hop around, “Street Kids” uprise with MEME stock phenomenon, digital “Nomads” could care less about ethics (conflict and the use of predictive data analytics), “Corpos” rent seeks in the Cyberpunk era, and/or allegedly cahoots activities.
Regardless of the present Internet space or Metaverse, weeding out misbehaviors, creating fair, reasonable and non-discriminatory mechanisms to align rights with obligations, and management of private rights with divergence of social costs are top priorities. Providers of DPKI should not stop at the point of building the next-gen future iteration of the Internet. Tenants and prospects of DPKI Metaverse demand for high quality “furnished” conditions of QE space. I.e., guarantee that the above-mentioned chaos is not happening. They also want frictionless transitions from legacy web/ social media platforms to Web3 at presumably “FREE” or justifiable return on investment.
It is a tall order. Zero Trust from a philosophical perspective could be inhuman and worked in counter of people’s social needs. A.I. ought to be democratized rather than being held in the hands of a few elites. Web3 defense builders should not perceive Big TECHs as the biggest societal threats. Authoritarians, insurgents, and human sloppiness are indeed the common “enemies”. Let’s be united while maintaining positive tensions in the technology arms race. Trust will be earned over time if we can reduce chaos and shape a safer and fair environment for all!
By Kelvin To, Founder and President of Data Boiler Technologies
At Data Boiler, we see big to continuously boil down the essential improvements that fit for your purpose. Between my patented inventions and the wealth of experience of my partner, Peter Martyn, we are about finding rare but high-impact values in controversial matters, straight talk of control flaws, leading innovation and change, creation of viable paths toward sustainable development and economic growth.