Quick take:
- Dray expects Web3 hacks to continue to increase in the coming years as mainstream adoption accelerates.
- He also thinks end-to-end security approaches should not change from blockchain to blockchain, even though different chains may use different smart contracts.
- His company is currently conducting research in the field of AI but maintains that an operator and a review process will always be required to ensure the tools work effectively.
The cryptocurrency industry has lost nearly $6 billion to hackers over the past two years. However, although last year the figure fell to about $2 billion from $3.8 billion in 2022, this is by no means an indication that the industry is beginning to overcome the challenge.
Charles Dray, the founder and CEO of blockchain security firm Resonance, thinks the circumstances that led to the decline in the amount lost to hackers may have been related to the bear market rather than a triumphant victory over hackers. He estimates that by 2025 the world will experience about $10.5 trillion in hacks per year.
Described as the next iteration of the Web, Web3 is not immune to these hacks. “Web3 cannot get away from Web2, and it means that businesses are going to have to find a way to marry two very different approaches to security to ensure the safety of their users in the era of decentralization,” Dray told CPO Magazine in a recent interview.
Dray’s company is developing a cybersecurity tech stack that integrates essential Web2 and Web3 security practices into a single platform. The company wants to address all types of threats that are likely to affect a company in the current environment.
Over the past two years, multiple mainstream brands, including Nike, Gucci, Starbucks and Adidas, have made their foray into Web3, either by offering digital collectibles of their products or through a customer loyalty program.
Dray wants to protect companies against any and all threats that emerge, either from the existing internet or its future iteration.
Dray believes that focusing only on Web3 security threats, which are generally threats that emanate from smart contracts, neglects other aspects of security, especially given that decentralised apps are built on legacy technologies.
Dray offers further insights into addressing cybersecurity threats across Web2, Web2.5 and Web3 platforms in this engaging Q&A.
Multiple reports put the amount stolen by crypto hackers in 2023 between $1.7 billion and $2 billion. That’s about half the $3.8 billion stolen in 2022. What factors could have led to this decline? And do you expect the figure to continue falling in the coming years?
This web3 loss of information can be due to various factors and it can be misleading because hackers often keep attacks for more profitable circumstances. This loss reduction can also be due to bear market circumstances that reduced the value of tokens in 2023. Hacking groups may be slowing attacks to wait for a market rebound for more profitable gains, they may be attempting to instil a reduction of urgency which will cause projects to relax their security initiatives, or they may be targeting more profitable targets in other spaces (web2) while they wait and see until the web3 market rebounds. Either way, hacks will certainly increase in frequency and complexity as time goes on, and we can expect hackers to maintain patience keeping targets in their “back pockets” until a more profitable circumstance arises with growing companies.
We actually expect an increase in losses from hacks as a whole (web2, web2.5, and web3). It’s expected that the world will experience 10.5 Trillion in hacks per year by 2025. These statistics are quite startling. https://www.zippia.com/advice/cybersecurity-statistics/
The reason for the increasing amount of losses is multifaceted: everything from struggling economies to increasing attacks from large hacker groups, talented hackers seeing ways to make money to offset their economic circumstances, the increase of sophisticated attacks using AI, quantum computing and other emerging technologies, and the fragmented cybersecurity offerings, with projects having difficulty navigating offerings in the space.
Furthermore, as sophisticated attacks increase, projects must continuously evolve their cybersecurity measures, but due to the focus on the growth and survival of businesses through sales, marketing, and other investments focused on growth, projects are bound to experience a dilemma in prioritisation, and hackers are ready to take advantage of that. Hackers will not only target web3 but every project they consider an opportunity for financial gain.
One of the blockchain industry’s biggest challenges has been fragmentation, with different chains and protocols offering different tooling for developers. However, recently we have seen more protocols focus on building infrastructure that supports blockchain interoperability. How does blockchain interoperability relate to blockchain cybersecurity?
Fragmentation of different chains and protocols and interoperability shouldn’t change the general approach to end-to-end cybersecurity. In general, regardless of interoperability or fragmentation, the practices behind cybersecurity should hold true even though different chains may use different smart contract languages and thus different tools and auditors to examine their code.
The foundational web2 security layer, such as penetration testing webapps, mobile apps, browser extensions, cloud security and configuration reviews, is a part of cybersecurity that should be relevant regardless of any build and circumstance. Projects loosening requirements for auditing their web3 code due to previous audits, or their code being forked from another project that has “already been audited” is a high risk that is often put to the side in the interest of cost.
It’s very important that projects assess their security as an end-to-end practice rather than a box to check to entice the community to use their protocol because hackers are keen on attacking projects that amplify their dedication to security but show no proof through continuous examination of both web3 and web2 components.
How does Resonance address cybersecurity in the space amid a lack of uniformity in the blockchain industry?
Resonance has taken a deep dive into all the past, recent, and emerging attack vectors across web2, web2.5, and web3 that ultimately lead to the most frequent and profitable attacks by hackers, and we’ve aggregated each solution into an easy-to-use aggregation platform for any technical level, scope, timing, and budget. What each project decides to utilise is in their hands, but we’ve made onboarding effortless and the customised scoring approach the Resonance platform offers for each project makes it a no-brainer, and effortless solution to implement.
The fragmentation and dilemma of excessive choices includes hundreds of cybersecurity service providers, and thousands of cybersecurity product offerings making it extremely difficult for projects to navigate and this has been a continuous issue for generations even before web3 emerged. Our goal is to finally eliminate this issue for good, and we’ve already made significant strides in proving this approach is effective for a multitude of organisations in any vertical.
Recently AI has become an important aspect of the blockchain industry, particularly in helping guide and orient users with different protocols. Is your company deploying AI in its tooling and how effective is this approach to blockchain cybersecurity?
At Resonance, we are currently conducting research in the field of AI that could help assess the security of Rust and Solidity smart contracts as well as assess the security of web2 foundational layers. We have built several LLM models for security analysis, but at the moment it is more of a helper and an additional layer of testing used by our software and engineers rather than a replacement for engineers.
AI technology is very promising and we will continue to do more research in this field, but we believe there will always be a requirement for an “operator” and a review process to ensure these tools work most effectively. In addition to the tools we have built, our platform integrates various AI code analysis and risk analysis tools that allow users to analyse their code with a few clicks. Again, AI-powered tools should not be considered a replacement for traditional security assessments, but rather an additional layer for review – like a second or third look.
It is important that AI threat modelling is heavily performed on tools utilising AI to test consistency in case a threat actor attempts to trick the model into delivering incorrect or deceiving results. AI tools can sometimes generate false positives and inconsistent results, so it is important that the operator has a foundational understanding that AI is not 100% and requires manual review. It is also critical to test results thoroughly and continuously to decipher whether findings and guidance powered by AI are valid.
Cybersecurity attackers are among the most adaptive, in both Web2 and Web3. How does Resonance deal with hackers that are constantly changing their tactics?
Resonance provides a unified full-spectrum cybersecurity software solution that allows customers to target their own deficiencies across different cybersecurity domains. Proper education, awareness, and preventive solutions encompassing monitoring, scoring, aggregation, and cybersecurity gap analysis are just some of the examples that constitute Resonance’s platform.
Resonance is always on the cutting edge of building applications that consider sophisticated and evolving threats across the web2 and the web3 space, and this enables organisations to be on top of their game in regards to cybersecurity, and always step ahead of malicious actors no matter how technical the user is, and for any budget, timeframe, or scope.
What would be your advice for a Web3 startup’s approach to cybersecurity ahead of launching their product? What’s the most common mistake that companies make when implementing their cybersecurity plan?
The most common mistake seen not only in web3 startups but also in well-established web2 enterprises is the fact that they often request a one-off “miracle solution” that they either just run once and expect to fix everything, or they keep it running in the background and believe it will automatically shield them from every attack scenario. This usually serves to appease investors or social media/public relations, making the arguable statement of “we are secure”, but the fact is that some of these methods only cover projects on the surface level.
This is very disturbing because surface-level analysis allows for deeper attacks which can serve as honeypots for hackers. Resonance believes cybersecurity is a journey more than a single step. It’s a journey that must evolve with the tactics that hackers adjust over time, and continuously assess how sophisticated attacks impact their technology layers from the web2 foundations to the web3 and emerging tech stack. That’s why Resonance offers bundled solutions over time, creating a partnership with projects instead of being a simple service provider. Resonance gives projects the edge when it comes to cybersecurity without taking the project away from their most critical growth initiatives, but providing an effortless means to help assess and prevent cyberattacks across a multitude of evolving attack vectors.
How long do you think it will take before blockchain cybersecurity catches up with Web2 in terms of education, threat mitigation and the overall sense of security?
Nobody was born into Web3 since it’s so young. So most cybersecurity professionals in the Web3 space came from Web2 and they are already aware of most of the issues, except the novel ones. But that goes both ways, even the malicious actors are learning the ropes.
We are fortunate to have a brand new vision and a second chance at implementing cybersecurity from scratch in the Web3 world, which is something we are starting to do quite well as a community, but unknowns will continue to emerge. Sooner or later, once web3 adoption really starts to kick in, we will be better prepared to secure blockchains than we were 30 years ago. The foundational layer of web2 security must always be considered when projects consider cybersecurity, and the web3 layer shouldn’t be considered independent of web2.
Anything else about Web3 security you would like to add?
It’s important that the web3 community shifts away from prioritising excitement and moves towards a more holistic approach to building stable, secure projects that deliver a wholesome experience to users, one that even the project’s founders can feel safe fully investing in. Bias arising from fulfilling checkboxes to appease investors and growth initiatives has often taken the focus away from end-to-end security due to complications in time and budget.
The fragmentation and difficulty navigating the thousands of cybersecurity products and hundreds of cybersecurity services have made it even more of a challenge and discouraging element for projects to focus on proper cybersecurity. Resonance’s platform has made it an initiative to end this pain point for good, by offering easy-to-use, effortless, and aggregated cybersecurity measures for all scenarios. We’re here for the long run, and we won’t stop until the standardisation of true end-to-end cybersecurity is achieved.