A Summary of the CSIAC March 2022 Paper, “Exploring Cryptocurrency”
BRISBANE, March 8, 2022 – In light of the March 2 release of the Cyber Security Industry Advisory Committee’s (CSIAC’s) recent paper, Monochrome provide summary of the recommendations and perspectives offered.
Following “Locked Out: Tackling Australia’s ransomware threat” and “Back to Business: Recognising and reducing cyber security risks in the hybrid workforce”, the Cyber Security Industry Advisory Committee has turned its focus towards Australia’s burgeoning crypto technology industry and the crypto-asset investment industry associated with it.
Titled “Exploring Cryptocurrency”, the paper provides a broad level overview touching on elements including secure storage, crypto usage in cyber crime and blockchain analytics with a number of included case studies. The paper also comments on prior CSIAC report findings, and provides guidance on an increasingly important sector in a post-Web2.0 world - cyber security.
While not all topics covered within the report are directly relevant to those looking to invest in bitcoin or other crypto-assets, there are a few outlined that stand prominent.
Firstly, the paper outlines three key areas of cryptocurrency risk:
The CSIAC notes “Cryptocurrency, with the possible exception of stablecoins, is highly volatile”. The table below compares the volatility of a 60/40 Portfolio, a portfolio holding 60% traditional growth assets and 40% traditional defensive assets, to bitcoin.
Monochrome posit that it is important for market participants to consider each individual crypto-asset or project on its own merits due to varying value propositions, use cases and risks.
The CSIAC point to market narratives being a strong driver of volatility across the asset class.
For many investors, the high volatility exhibited by crypto-assets such as Bitcoin may form part of it’s investment use case, with tools and strategies available to manage it.
Secondly, storage of cryptocurrency was identified as a major risk, with the Committee drawing particular attention to wallet type. Crypto storage wallets are categorised into ‘hot’ (with software connected to the internet) and ‘cold’ (a wallet that is not connected to the internet and is used for storing private keys), with CSIAC stating “It is predicted 2022 will see more sophisticated exploits being deployed by cyber criminals and state-sponsored actors targeting digital wallets and exchanges”.
Monochrome believes it is important to also differentiate between ‘custodial’ and ‘non-custodial’ crypto storage.
‘Non-custodial’ wallets are in effect wallets maintained by the user (be it an individual or group) who assumes the risk of storage. This introduces a high degree of sovereignty over holdings. Such a system is not insured and not regulated, putting the burden directly on the user.
‘Custodial’ wallets, however, are specialist third party services that offload the burden of risk onto regulated and insured entities such as Gemini, Fidelity or BitGo. The easiest example to draw would be that of a gold bullion custodian. Such a system often employs high-level security procedures such as ‘multi-sig’ custody that non-custodial wallet users may not have the capacity to employ themselves. The main drawback of such a wallet is that users do not directly control their holdings, and instead custody their holdings through this third party.
A relevant included case study in the report is that of the 2021 Bitmart hack, in which up to US$200m in tokens and cryptocurrency was stolen via a suspected compromised private key, leading to two of the exchange’s custodial ‘hot’ wallets being drained and laundered through a variety of privacy mixing tools designed to obfuscate the path of funds. Bitmart would later state that stolen funds would be compensated via use of business funds, with no overt mention of an insurance policy.
Such a hack highlights the lack of a current global regulatory approach to crypto-asset security - with a more robust custody process, particularly with regulated custodians, reducing the chance of such an event being successful.
The final key risk identified was operational exchange risk, or the notion that a hosting or exchange service may be a notable point of failure. Specifically looking at Digital Currency Exchanges (DCEs) or those that facilitate active trading of cryptocurrency, CSIAC pointed to price volatility and the associated potential shortfall of operating funds of entities servicing the market as a potential trigger for operator collapse.
The CSIAC pointed to the potential damage caused by exchange service outages (by virtue of excess traffic, technical fault, malicious actor or similar) as another major potential trigger. They note “It is estimated outages of the world’s two largest crypto exchanges in May 2021 resulted in losses of up to US$1 trillion worldwide”.
Cryptocurrency and Data Asset Policy and Regulation
CSIAC note that “The opportunity exists for Australia to embrace forward leaning regulatory settings that enhance confidence in and security of cryptocurrency”.
They identify the active role the Australian Securities and Investment Commission (ASIC) plays in regulating crypto-related financial product and services, as well as the role the Australian Transaction Reports and Analysis Centre (AUSTRAC) plays in DCE regulation. They note the Australian Prudential Regulation Authority (APRA) is looking to ‘modernise’ current frameworks to recognise emerging business models – including those using digital currencies or other crypto assets – that do not fit into current regulations, with an emphasis on new rules required to protect financial stability.
CSIAC believe there should be an emphasis on balancing flexibility to foster domestic innovation with cyber security requirements and investor protections, commenting that Australia’s current approach to regulating crypto-assets to date has been ‘light-touch’, seeking to expand existing financial services regulation to digital assets.
The Commission comment that “While this provides some confidence to digital asset market participants, regulatory uncertainty has created hesitancy in Australian companies and consumers in crypto adoption”.
Further, it notes the “key risk globally is the existence of unregulated cryptocurrency exchanges in jurisdictions that do not regulate, or do not effectively regulate, such businesses”. Such a risk is of particular importance to Australian investors and market participants, with some current investment products or services taking advantage of lax domicile regulations to facilitate exposure that would otherwise not pass local regulatory standards.
On Digital Currency Exchanges (DCEs)
To date, regulation of crypto-assets in Australia has centred on services provided by DCEs. Australian-based exchanges must comply with the same AML Act Know Your Customer obligations which apply to traditional financial institutions. They must also be registered with AUSTRAC.
The CSIAC state “Currently, there are no financial audit powers or minimum security baselines for DCEs, nor are there explicit consumer protections” and that “The lack of security baselines has hindered the integration of more established and legitimate exchanges into the broader economy and impacted their ability to deal with banks and traditional financial institutions”.
Conversely, the push for regulation and introduction of minimum regulatory standards has been driven by a number of Australia’s largest DCEs, which are in effect an industry looking to proactively embrace regulation.
Closing out the paper, the CSIAC comments that while there are a number of important steps currently being taken in relation to regulatory development, consumer protection laws and increasing market transparency by the likes of AUSTRAC, ASIC and APRA, there still remains much to do.
Harmonisation with international regulatory best practice, as well as clarification on the regulation of cryptocurrency service providers outside those defined as DCEs, are identified as potential means to help the maturity of the sector and make Australia a more attractive market for legitimate innovation, investment in and use of cryptocurrency.
Specific recommendations by the Committee to the Federal Government on cyber security and cyber crime in relation to crypto-assets and cryptocurrency are:
- Establishment of minimum cyber-security standards
- Proper resourcing of industry, government, law enforcement, regulatory and criminal intelligence agencies to meet demands of the complex digital world
- Coordination with like-minded nations to ensure consistency with enforcement and regulation
- Emphasis on transparency and education within the sector, providing market participants with accurate information on risks, regulatory requirements and cryptocurrencies
It should be noted that the CSIAC support a large number of the recommendations provided during the Senate Select Committee Report on Australia as a Technology and Financial Centre, and following the Bragg Report and ASIC Consultation Paper CP 343 (as well as response paper REP 705).
The close parallels drawn in recommendations between all three separate entities provide Australian market participants with confidence in the development of uniform regulatory frameworks for this nascent asset class.
What is the Cyber Security Industry Advisory Committee (CSIAC)?
Formed on the 20th of October, 2020 to assist in guiding the development of Australia’s Cyber Security Strategy 2020, the CSIAC is an independent industry advisory panel consisting of pioneering figures and representatives from a number of Australia’s leading information technology and security firms.
Offering strategic, independent advice, the committee represents local industry participant perspectives with an emphasis on cyber-security.
The Committee consists of:
- Andrew Penn, Industry Advisory Committee Chair, CEO of Telstra (former Chair of the Industry Advisory Panel)
- Cathie Reid, Industry Advisory Committee Deputy Chair, Chair of AUCloud
- Darren Kane, Chief Security Officer of NBN Co (former Industry Advisory Panel Member)
- Chris Deeble, AO CSC, Chief Executive of Northrop Grumman Australia (former Industry Advisory Panel Member)
- Bevan Slattery, Chairman of FibreSense, Founder and Chairman of Superloop
- Corinne Best, Trust and Risk Business Leader of PricewaterhouseCoopers Australia
- Patrick Wright, Group Executive Technology and Enterprise Operations NAB
- Rachael Falk, Chief Executive Officer Cyber Security CRC
- Professor Stephen Smith, Chair of Advisory Board, University of Western Australia Public Policy Institute
- David Tudehope, Chief Executive Officer, Macquarie Telecom Group