Web3 Awaits a Framework – the NIST Cybersecurity and Data Privacy Frameworks Are Ready
In January, when leaders of the region’s rapidly expanding Web3 community met at the Cryptopia pop-up event to discuss crypto, decentralized finance (DeFi), nonfungible tokens (NFTs) and decentralized autonomous organizations (DAOs), the likelihood of new laws, regulations, and industry standards was a reoccurring theme.
But no one could have predicted the speed of last week’s (1) spectacular collapse of cryptocurrency Luna and its algorithmically linked stablecoin TerraUSD, a cryptocurrency that was supposed to be, well, stable, (2) the steep fall in value of other cryptocurrencies, including industry-leader Bitcoin, and (3) Coinbase reporting a $430 million quarterly loss and the loss of more than two million users.
Even so, rising out of the rubble of last week’s carnage, there are reasons to believe that with digital assets generally, strong steps will be taken to protect consumers, investors, and businesses, and that the new laws, regulations and industry standards forecasted earlier to provide some stability and certainty are beginning to take shape.
Regulation, ever-so slightly, is being assisted by expanded law enforcement – The Crypto Cops are coming!
On March 9, an Executive Order urged “strong steps to reduce the risks that digital assets could pose.” A few months prior, the Federal Reserve released a paper – “the first step in a public discussion” – that said digital assets should, among other things, “protect consumer privacy” and “protect against criminal activity.”
Similarly, on March 23 the Fed’s Chair said digital assets will be regulated to “keep the trust of users, [and] protect consumers.” For these same reasons, the Department of Justice recently appointed its first director of its National Cryptocurrency Enforcement Team, the FBI established its Virtual Asset Exploitation Unit, and the SEC announced it would double the size of its Crypto Assets and Cyber Unit by hiring 20 new enforcement officers to increase the overall force to 50 dedicated positions. The SEC has positioned itself as the chief government enforcer against crypto crime, with its cyber unit officers referred to in the Web3 world as “crypto cops.”
As previously noted, according to the Department of Justice the February arrests of cybercriminals linked to the theft of $4.5 billion in stolen bitcoin from a crypto exchange underscored how blockchain and crypto “comprise an expanding part of the U.S. financial system.”
Not to be left out, on April 7, the FDIC issued a letter stating “[c]rypto-related activities may pose significant safety and soundness risks, as well as financial stability and consumer protection concerns” and asking for feedback from supervised institutions about these risks including safety and soundness standards that should exist.
“A Framework! A Framework! We have got a Framework, and there cannot be any more Framework!”
“We really need a regulatory framework to guard against the risks … a comprehensive framework so that there are no gaps in the regulation,” Treasury Secretary Janet Yellen said a week ago before Congress. Frameworks often form the basis for industry standards and can lead to transparency about legal obligations. Indeed, even before last week’s meltdown, numerous elected and appointed officials had called for “some kind of framework” for digital assets.
We have been here before. In February 2013, an executive order was issued requiring government and private-sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
In 2014, the National Institute of Standards and Technology (NIST) published the Cybersecurity Framework (CSF). The Organization of American States and Amazon Web Services described it as:
[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.
The CSF has become so widely accepted that the state of Utah has referenced it in its safe harbor statute, the Utah Cybersecurity Affirmative Defense Act. In short, if an organization’s written information security program “reasonably conforms” to the CSF, it would have an affirmative defense to a civil tort claim such as negligence if it experienced a “breach of security system” and was sued.
In 2020, NIST released a data privacy companion to the CSF known as the NIST Privacy Framework. This framework was designed to help organizations keep up with technology advancements and new uses for data. The PF purports to improve risk management through mitigation, transfer, avoidance and acceptance principles. It is designed for all types of organizations regardless of category or size and their objectives and needs, and can be “adaptable to any organization’s role(s) in the data processing ecosystem.”
A framework designed to “protect consumer privacy” and “protect against criminal activity” for the new technologies underpinning Web3 could take years. During this time consumers, investors, and businesses could become so disenchanted by the current threat landscape and the negative impacts it is having, that the ecosystem could be damaged beyond repair.
On their own initiative, Web3 organizations should adopt the CSF and NIST Privacy Framework, at least in part, and the Executive and Legislative branches should empower NIST to develop a framework similar to these that is complementary. NIST has already begun to investigate blockchain technologies at multiple levels.
For further information about Web3 and the frameworks, whose applications will be explained in subsequent advisories, see the previous articles in this series on crypto, DeFi, NFTs, and DAOs referred to at the beginning, or reach out to the authors who are actively engaged in facilitating a safe and secure Web3 ecosystem.