Thursday 22 December 2022
Laurent Leloup

Interview on the EU's legislative proposal on Digital Operational Resilience - big impact on the blockchain industry

David Carvalho is the Co-Founder & CEO of Naoris Protocol


Please tell us about yourself and the story behind Naoris Protocol?

I am the Co-Founder, CEO, and Chief Scientist of Naoris Protocol, with over 20 years of cybersecurity experience working at Global Chief Information Security Officer level for multi-billion USD companies and high-stakes environments. I’ve been an ethical hacker in cybersecurity since I was 15 years old and now advise nation-states that are also NATO members and highly regulated environments in the critical areas of Cyber Espionage, Cyber War, and Cyber Terrorism. I’ve been involved in Crypto since 2013 as an investor and miner in POS/POW blockchains, and I’m involved in several initiatives in academia and society and in cybersecurity-related innovations in critical spaces.

Naoris Protocol is developing a Decentralised CyberSecurity Mesh that brings trust to an untrusted hyper-connected world. The mesh protects devices from cyber threats and associated risks while enforcing CyberSecurity standards. It’s designed to increase cybersecurity principles and trust levels across every sector of the economy by converting any network's infrastructure into nodes securing its baseline, whilst ensuring systems are cyber secure, trusted, and safe to operate. It is designed to be used by everything from Web2 networks such as governments, enterprises, and organisations to the entire Web3 stack.

Can you give us your thoughts about the forthcoming DORA solution?

The DORA legislation had many drafts and pre-approvals before we got to this place; it’s been a long time coming. DORA is not just necessary, it's late, as the cyberthreats this regulation is addressing have been in place for over a decade, and since then they have escalated exponentially. It’s now clear that cyberthreats have had a massive impact on national and regional economies as well as on organisations and individuals. Cyberthreats have taken hold because boundaries, checks and balances have not been properly enforced and applied to ensure resiliency.

I think DORA is absolutely necessary to provide businesses and individuals the protection they need from cyberthreats and everyone needs to be held to account to ensure they are doing all they can to secure their data.

This is not the only legislation that’s coming online. We have the DFA (Digital Financial Assets) consultation papers being drafted independently by the US and UK, the DMA (Digital Markets Act) which is more focused on Internet businesses, the DGA (Digital Governance Act) which creates a framework for increased data availability and re-use within the European Union, and AI Reg (AI regulation) which is the regulatory proposal that aims to provide AI developers, deployers and users with clear requirements and obligations regarding specific uses of AI. All of these regulatory initiatives have fundamental game-changing capabilities, and the aim is to have them solidly in place by 2030.

Do you think DORA goes far enough?

Obviously DORA has to address a number of challenges, especially when it comes to integration with regulators. There is a lack of clarity in the regulation; for example, it does not mandate how much companies should aim to spend on cybersecurity. There is also a lack of clarity on what methods should be employed in order to achieve a higher capability of threat mitigation.

It also doesn't go far enough around incentivising companies to adopt new leading-edge technology. It does talk a lot about traditional cyber security solutions, but they have not been successful at mitigating risk. While approaches like the cybersecurity mesh have been recognised and championed as the latest trend by Gartner, a decentralised cybersecurity mesh that ensures devices and their processes can be trusted, while maintaining an auditable trail of device compliance on chain in real time in an immutable ledger and allowing organisations to provably show regulators that standards across networks are maintained, should be incentivised. So this is definitely a conversation Naoris Protocol would love to have in this space, as we bring a fresh solution to the multi-billion dollar cyber damage headache.

How do you think they will start to enforce and regulate?

I think the regulators will have human resource issues as they try to enforce the rules. Passing the legislation is one thing, but having a team of trained people who can effectively monitor and evaluate problems is another issue altogether. I see all stakeholders participating in the enforcement, because it ultimately benefits everyone to have robust compliance practices. A key issue that needs to be addressed is to ensure that the data being fed into systems is known and trusted; currently, the processes that generate that data are not trusted. The other issue is the audit capability that the regulators have. They don't have the manpower to properly audit every organisation. In other words, if there is any issue or compliance incident, the regulator will not have the capability to send a group of experts to every company to look at all their evidence across all their systems, which may span multiple global offices, hundreds of networks and tens of thousands of employees. They would probably cover less than 1%, both in infrastructure scope and in time of analysis. This is a big problem because it doesn’t really have the teeth that’s required.

Cyber attacks are escalating at an unprecedented rate, with hackers motivated by rewards for exploiting vulnerabilities or breaching systems. What are your thoughts on the current predicament for global digital security?

Global digital security is going to continue to travel in the same direction that it has been going. I don't think there will be any change in this trend. If anything, the trend is going to be accentuated. Having said that, there are some very interesting revolutionary technologies that Naoris Protocol is adopting that mitigate the multiple points of failure in evolving digital ecosystems. In the past, companies had the ability to isolate their connected devices within their organisations, but now, with cloud technology, remote working and the explosion of IoT, they have to monitor multiple points of failure. Naoris Protocol leverages these single points of failure by turning them into nodes for distributed validation that create resilience for digital operations exponentially, compared to local validations, which allow the environment to become a point of entry to the network for a hacker. This is what DORA is all about. It's all about maintaining truth and trust and negating single points of failure within untrusted environments.

So until this fundamental principle changes, i.e. until, instead of leveraging infrastructures as a never-ending list of points of risk, we leverage infrastructures as the baseline of a distributed consensus, we will be fighting against an unprecedented level of cyber threats and a lack of trust in systems' baselines.

This is where a blockchain-based, decentralised cybersecurity mesh really comes into its own, because it allows us, for the first time, to trust the validation process itself. It also unifies every device at the cybersecurity and governance level, and it negates the single-point-of-failure weaknesses that are inherent in centralised cybersecurity systems. In addition, it creates an intelligent trust network by using Swarm AI, which detects behavioural changes and vulnerabilities in near real time, before hackers can infect and take over the entire network.

DORA talks a lot about phishing email scams and the recommendation of domain protection using DMARC. Do you think that this will prevent future email phishing scams and does it go far enough?

No, it doesn't go far enough. Does it help? Yes it helps. What would help further would be a fundamental shift in how the email SMTP protocol works.

The addition of capabilities to whitelist and blacklist emails, change how emails are registered, and change how forwarding and receiving work, all from a trusted perspective, would mean that no one could spoof emails. Another issue is that the ability to encrypt email and manage keys doesn’t exist in the protocol, which blockchain can do. Domain-based Message Authentication, Reporting and Conformance (DMARC) has been around for over 10 years and, on the face of it, the uptake by organisations is high. It is estimated that over 60% of large companies, and 75% of government domains (in the US), have implemented it.

However, many companies are still open to attack because, according to research, only 14% of DMARC deployments are complete (at enforcement). DMARC is an authentication standard, and therefore you’re either at the level of enforcement or not. DMARC without enforcement doesn’t provide protection. Adding a DMARC record without an enforcement policy means that unauthenticated emails still get through.

It is these emails that escape detection by systems that are the biggest threat, and given that over 90% of breaches are because of human error, and 75% of those breaches are phishing emails, we have a huge problem. So no, I don’t think current solutions are anywhere near sufficient, because humans and their borderless devices are creating the weak point.
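The distinction drawn above between a published DMARC record and one at enforcement is mechanical and easy to check. The following is an added example, not code from the interview or from Naoris Protocol: it parses the tag/value syntax of a DMARC TXT record (the value published at `_dmarc.<domain>`) and classifies it the way a receiver would act on it, reporting `p=none`, a partial `pct=` rollout and a missing record as not enforcing. The sample records, the domain `example.com` and the function names are constructed for illustration; to assess a real domain, substitute the TXT value returned by `dig TXT _dmarc.<domain>`.

```python
"""Classify DMARC records by enforcement level (RFC 7489 tag syntax).

Added example; the records below are constructed, not real DNS data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    policy: Optional[str]           # value of the p= tag, None if no usable record
    subdomain_policy: Optional[str]  # value of sp= (defaults to p=)
    pct: int                         # share of failing mail the policy applies to
    enforcing: bool                  # True only for p=quarantine/reject at pct=100
    reason: str
    warnings: List[str] = field(default_factory=list)


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dict.

    Malformed segments (no '=') are skipped; unknown tags are kept.
    """
    tags: Dict[str, str] = {}
    if not record:
        return tags
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Decide whether a receiver would actually act on failing mail."""
    # A record is only valid if it starts with v=DMARC1 (RFC 7489, section 6.3).
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment(None, None, 0, False,
                               "no valid DMARC record: receivers apply no policy")
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(None, None, 0, False,
                               "p= tag missing or invalid: receivers ignore the record")
    sub_policy = tags.get("sp", policy).lower()  # sp= falls back to p=
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # the default when the tag is unparseable

    warnings: List[str] = []
    if sub_policy == "none" and policy != "none":
        warnings.append("sp=none: mail from subdomains is not subject to enforcement")
    if "rua" not in tags:
        warnings.append("no rua= address: no aggregate reports, so failures go unseen")

    if policy == "none":
        reason = "p=none is monitoring only: unauthenticated mail is still delivered"
        return DmarcAssessment(policy, sub_policy, pct, False, reason, warnings)
    if pct < 100:
        reason = f"p={policy} but pct={pct}: only {pct}% of failing mail gets that policy"
        return DmarcAssessment(policy, sub_policy, pct, False, reason, warnings)
    reason = f"p={policy} at pct=100: record is at enforcement"
    return DmarcAssessment(policy, sub_policy, pct, True, reason, warnings)


def enforcement_rate(records) -> float:
    """Fraction (0.0 to 1.0) of the given records that are at enforcement."""
    records = list(records)
    if not records:
        return 0.0
    return sum(1 for r in records if assess_dmarc(r).enforcing) / len(records)


# Constructed sample records for the hypothetical domain example.com.
SAMPLE_RECORDS = {
    "published-but-monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "enforced-subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "no-record": None,
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:26} enforcing={str(result.enforcing):5} {result.reason}")
        for warning in result.warnings:
            print(f"{'':26} warning: {warning}")
    print(f"at enforcement: {enforcement_rate(SAMPLE_RECORDS.values()):.0%}")
```

The point the check makes concrete is that "has a DMARC record" and "is protected" are different questions: three of the five constructed records are published, but only two would cause a receiver to reject or quarantine a spoofed message, and one of those still leaves subdomains open.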

Where do you think Naoris Protocol can add value in regards to DORA?

So from an auditability perspective, Naoris Protocol is an absolutely revolutionary approach in enabling a regulator to actually know whether a company is following the standards imposed by DORA or not, and that could be to provide audited evidence after something happens or to provide real-time Proof of the State of Security during an event, which is groundbreaking.

It's not just for the regulators; it's for the companies themselves, so they know that they can trust whatever they are seeing in the control centre. They will have the capability to manage risk across their own 3rd parties, basically acting as mini regulators themselves in regards to their own risk, which I think is fundamental, and this is impossible to do currently without a distributed system.

Through the distributed trust system that Naoris Protocol provides, we now have the capability to have real-time eyes on all machines, interrogating them at any point around the vast majority of controls that DORA requires. Naoris Protocol gives visibility to these digital controls, letting us know if there are vulnerabilities in the system, if it has been patched, if best practices have been implemented, if there is a password policy, if there's encryption in the system, and many other things that directly meet DORA requirements.

All controls are validated and registered on the blockchain. So it's like having an auditor in every machine all the time. It cannot lie. Every time you say or do something it's populated by the whole infrastructure to be known to be true, using highly resilient principles. That is only possible with a distributed platform and that's what we offer. So the capability for regulators to actually regulate through our distributed protocol would actually be possible, for the first time ever.

Regulators will have full assurance and a resilient cryptographic backing of truth, of what every system and every company (that is regulated), is generating data wise, and the trust status of that data.

This is the next step in the evolution of regulation and we are more than happy to allow regulators to participate in the process and to not just review what we have for the benefit of regulatory principles, but also society as a whole.

I believe that Naoris Protocol, with our connections to academia, universities and others will be able to connect with regulators and decision makers and partner with them in the creation of a whole new paradigm of auditability capacity, so that we can actually see resilience in real time, with full trust, so operations can continue within complex systems.

What new trends do you think are we going to see in the cybersecurity industry?

I think we're going to see more regulation like DORA pushing companies to become more mature by forcing their boards to take responsibility for breaches that come directly from the lack of investment in this area, which of course impacts the bottom line of these companies.

I also think that we're going to see the adoption of revolutionary approaches to cyber risk mitigation. It's a great time to be an innovator and participant in the cybersecurity space.

I would say that the shift in the cyber security industry is going to happen from a reactive approach to a more proactive approach around risk mitigation, which will be based on trust instead of just on a response to threats.

And again, on that side, we are extremely well positioned to not just help regulators, nation states and authorities, but also companies across different markets, mitigate the risks that come from complexity of their environment and third parties, while maintaining full trust and assurance, so they can be resilient in leveraging their own infrastructure to protect themselves from attackers.

Collaboration amongst industry players should be a key focus because leveraging the power of their combined intelligence to validate data, would go a long way to preventing some of the mischief we are seeing today. Security consensus would not only make companies more secure, but regulators would be less likely to draw swords if they were provided with real time, zero-knowledge reports that were accurate and transparent.


About Naoris Protocol
Naoris Protocol is the Decentralised CyberSecurity Mesh for the hyper-connected world. Our disruptive design pattern makes networks safer as they grow, not weaker, by turning each connected device into a trusted validator node. A robust Blockchain protocol that every company can use to protect against the escalating levels of cyber threat.

Devices are rewarded for trusted behaviour, fostering a secure environment. Participants earn $CYBER staking rewards for securing the network.

The more users, businesses, and governance structures that use the Decentralised CyberSecurity Mesh, creating networks of networks, the stronger and more secure it becomes.
https://naorisprotocol.com/
