I’ve been casually involved in the Bitcoin community now for almost two years. A very close friend of mine and contributor to this site, Andrew Miller, introduced me to Bitcoin well before the topic had garnered much traction. I had the opportunity once, while visiting him, to meet a handful of the core developers and have some very good conversations about Bitcoin.
As a result of those conversations, and my experience in IT Audit and Compliance while working for Greenwire IT Consulting, I’ve noticed some “low-hanging fruit” in Bitcoin. Although I definitely feel that the lack of a central authority is what gives Bitcoin its flexibility and arguably a lot of its security, I do feel that, as with any industry conducting financial transactions, industry best practices should be established externally, and even the best-run companies require both internal and external scrutiny.
My Bitcoin Governance Suggestions:
- Implement PCI-DSS
Realistically, all companies accepting Bitcoin probably should already be conducting PCI-DSS audits. Although they are not directly accepting credit cards, audits of private data and standardised retention policies are a must for all businesses. If the pizzeria around the corner has to meet PCI-DSS, Bitcoin processors should too.
- Outside Audit
I’ll be the first person to concede that PCI-DSS lacks teeth. It’s designed as a bare minimum to protect typical businesses from IT risk. It could be said that Bitcoin doesn’t fit that risk profile, as we’re more or less dealing with digital cash. That doesn’t mean there shouldn’t be an audit mechanism. It’s generally accepted that companies, when left to their own devices, will inadvertently ignore certain forms of risk. The Bitcoin industry should move to a form of voluntary audit and compliance to maintain best practices consistently. This would also help identify Ponzi schemes and keep other untrustworthy players from gaining unrealistic traction in the community.
- Penetration Testing
Pentesting is not cheap, and it is not 100% effective. But it is an industry best practice for a reason. Although we don’t yet know the details of the successful MtGox attack, there’s a reasonable chance that the exploited vulnerability could have been identified beforehand by a competent security professional. With the value of Bitcoins currently very high, there will undoubtedly be further attacks. Until all Bitcoin transactors start employing full-time InfoSec professionals, hacks will continue to be the norm.
- Industry Group
Although there are a few attempts at building a Bitcoin industry group, one example being the Bitcoin Foundation, there is no set of industry best practices yet to govern how to handle digital cash.
Realistically, all of my suggestions are probably premature. Bitcoin is so new and unstable that the cost of compliance may cripple the small startups on the Bitcoin scene. That said, they need to happen: the cost of security compromises is hurting Bitcoin’s reputation and relegating it to the wild west of currencies, when in reality, combined with good governance, Bitcoin could be as sound as traditional currency. As of now, however, in this author’s opinion the attitude against self-regulation is creating an environment that is unnecessarily risky.