Chris Finan, Former White House Cybersecurity Director, On The DAO Attack
Chris Finan is co-founder and CEO of Manifold Technology, a venture-backed technology startup that offers private blockchain technology to financial institutions for asset liquidity and next-generation financial services.
Finan previously led business development for Impermium, a cybersecurity startup Google acquired in 2013. Before that, he was product developer for Plan X, a Department of Defense cyber warfare research and development program. Finan served in the Obama administration as director for cybersecurity legislation and policy for the National Security Council. Prior to his position in the White House, he worked at the office of the assistant secretary of defense for legislative affairs in the Department of Defense.
Finan started his career in the U.S. Air Force as a pilot and intelligence officer, including a tour in Iraq where he served as an intelligence officer and counterterrorism liaison to the Iraqi government.
CoinReport spoke with Finan via email to get his perspective on the recent DAO attack and on blockchain technology.
CoinReport: How would you characterize the attack on The DAO?
Chris Finan: My understanding is that the attacker exploited a vulnerability caused by programming mistakes that had been anticipated as a general risk by some in the community but not broadly mitigated by known best practices.
CR: What repercussions do you observe from this attack?
CF: I think there will probably be some interesting second- and third-order effects. For example, I think it’s notable that the main focus of many of the loudest voices in the community right now is on encouraging support for the software fork to prevent the ether from being transferred. There doesn’t seem to be much concern about what that kind of collusion would mean for the credibility of the protocol writ large.
Collusion on a fork would effectively demonstrate the power of an unknown oligarchy to fundamentally change, eliminate or undermine any contract on the platform. How is that preferable to a public company that’s subject to SEC oversight and reporting being in control? Isn’t it the devil you know versus the one you don’t? I understand there’s a lot of money on the line in this instance, but I think clawing it back could end up being a Pyrrhic victory for the platform.
And obviously, there are some broader lessons. Complex smart contracts, like any complex software code, are not easy to program well and are going to have an attack surface that increases commensurate with functional complexity. Further, it’s easy to envision more sophisticated vulnerability research and hacking techniques being used to target smart contract-enabled businesses as there’s more money on the line. I suspect we’re going to see more of this.
CR: What key lessons should cryptocurrency enthusiasts, investors and public and private organizations take away from this attack?
CF: Cryptocurrency protocols are not magic. They’re only as strong as their human developers and none of us are infallible. There’s always going to be a risk in taking the human completely out of the loop. And that risk increases the more complex the code needed to automate the financial activity and the more money that’s at stake. As we’ve seen repeatedly demonstrated – from this DAO breach to the bitcoin blocksize debate – the downside of taking the human out of the loop is a lack of considered governance and accountability, which can have significant unintended consequences.
CR: Why are you in favor of centralized control when it comes to blockchain technology?
CF: I’m not in favor of centralized control for all use cases. Decentralized control protocols are incredibly empowering tools for individuals to move value to one another anonymously, and that’s a net positive for society at reasonable amounts. But decentralized control simply isn’t practical for institutional use cases. It doesn’t scale easily and, as we’re seeing, it doesn’t allow for transaction reversals to address fraud or mistakes. My argument is based in practicality. What problems are we trying to solve? I would argue they are rooted in a lack of transparency and efficiency, and you can address those problems elegantly with centralized control as long as you have a tamper-proof record that can be audited.
CR: What prompted the formation of Manifold Technology in 2014?
CF: We saw an opportunity to build a platform optimized for institutional use. When you distill the concept of a blockchain to its essence you can create much higher performing platforms that address a lot of institutional pain points. We’ve created a platform that empowers institutions to be much more efficient across their internal lines of business, as well as across consortia partners. And the immutable audit records our platform creates enhance both consumer and overseer trust.
CR: How has your experience working for the U.S. government and serving in the Air Force shaped your perception of blockchain technology and cybersecurity?
CF: That you don’t solve hard problems with technology. You solve them with a smart mix of people, process and technology. And that you should always be careful to not conflate means and ends. There are a whole lot of folks talking about the potential of blockchain technology, but most of them cannot articulate the problems they really need to solve. It’s a powerful enabler, but it’s no panacea.