In this Digital CxO Leadership Insights video, Mike Vizard talks to Concordium CTO Kåre Kjelstrøm about the cybersecurity issues that still need to be addressed when deploying blockchain applications.
Mike Vizard: Hello and welcome to the latest edition of the Digital CxO Leadership Insights series. I’m your host Mike Vizard. Today we’re with Kåre Kjelstrøm, the CTO for Concordium. They are a player in the blockchain space. And we’re going to be talking about all things related to security. Kåre, welcome to the show.
Kåre Kjelstrøm: Good to meet you, Mike. Thank you.
Mike Vizard: People kind of assume that all things blockchain are secure, by definition, because it’s supposedly at least immutable. We’ll see how that turns out in time. But what are some of the security issues that we’re not thinking about when it comes to blockchain? And what should it be focused on? Because hey, by the end of the day, somebody can gain access to something, right?
Kåre Kjelstrøm: Yes, absolutely. So Concordium has a unique attribute which no other blockchains actually have. And that is, in order to do any kind of transactions on the Concordium blockchain, you have to go through an identity verification process. This is a one off, so you only do it once, but you upload your legal document, like your passport or your driver’s license, and then you do a liveness check by, you know, doing a selfie video kind of thing. Once this is done, you have a legal identifier which is returned to your wallet. And from then on, whenever you do a transaction, your pseudonym references – your ID is baked into every single transaction on the blockchain. So that allows us to basically record who did what, and we’re doing it in such a way that we are actually preserving privacy. So you won’t be – if you run a node on Concordium, and you look at the transactions, you won’t be able to tell who did what – you can see this account transferred this amount of CCDs, which is our native currency to this account, but you can’t actually see who owns the account behind it. However, if law enforcement comes along and says, “Hey, it looks like something illegal has been going on here, we would like to find out who’s behind these transactions,” we can point to a number of companies called anonymity revokers that each hold a fraction of a key and basically tell law enforcement that if you go to these identity revokers and you get a fraction of the keys and put them together, then you can unlock the transaction and reveal the pseudonym that’s baked into the transaction; alongside the pseudonym there is a reference to the identity verifier that’s an external company to Concordium, it’s not Concordium that does it, but we are partnering with these KYC slash ID companies and they can go there and ask that provider to look up the pseudonym, and read who was the person behind it, basically.
So that way, you have an infrastructure that can allow for resolution of who did it, but no single person or entity can go and unlock it, right, and Concordium certainly cannot. So that preserves the privacy by also providing accountability.
Mike Vizard: What’s your sense these days of what ultimately will differentiate one blockchain platform from another? Because there’s so many of them out there these days I think people are getting confused.
Kåre Kjelstrøm: I think, so obviously, we’ve seen sort of a first version of blockchain that came along with Bitcoin and a theory on where there’s this whole proof of work, which is being scrutinized these days, because it requires a lot of machinery in order to make the next block, right. You basically have to have a huge pack of machines. And that requires a lot of energy. So there’s all this negative energy consumption; the new breed of blockchains that have come out later on, fix this by providing proof of stake and other kinds of consensus protocols that basically look at how much are you actually invested in running the blockchain? And how much money are you willing to put into the blockchain in order to operate it, and the more money you put in, in this case, the local currency, the larger the chances that you will be able to make the next block. So that incentivizes operators to put machines out there to run the blockchain on behalf of those who originally made it. So that’s kind of the basics. So what I think is that we will see, if you look at the market right now, you have your Bitcoin and you have your Ethereum that are the big players. They are like dominating the market dramatically. Right? Bitcoin, of course, is still the biggest one and Ethereum is by far the next largest one, and then you have a bunch of smaller ones that come in second. So either I don’t really believe in this whole there was this whole notion of Ethereum killers and Bitcoin killers that came up a couple of years ago, I don’t subscribe to that viewpoint. I don’t think that we will be seeing anything that kills anything. In that sense. I think we’ll be seeing more of like, chains that specialize in certain things that are good for certain things. There’s already this notion of blockchains that can be built, where you can basically pick and choose and build your own blockchain – that’s sort of in that direction.
And then others like us, for instance, have a unique selling proposition right? We have – we’ve gone down the path of having this ID baked into the core blockchain layer on the protocol layer because we believe firmly that if you want the existing world of finance to take blockchain seriously and move into that world and actually build a business on a blockchain, you need to build it in such a way that they can comply with regulation. And that’s certainly possible if you have something like this built into the core layers, right? Whereas it’s much more difficult if you have to add it on as an afterthought, and someone can still go under the hood and change data, and things like that. So that’s what we were coming at. And then of course, then the next thing becomes, how easy is it to use, what’s the amount of stuff that’s available in the ecosystem? Do you have a DeFi landscape, for instance – that’s interesting. For us DeFi means regulated DeFi – right? And we’re basically catering to this world where you can build DeFi, but with ID in mind, in order for that to work, we have to build more than what I just explained. So what we’re doing right now is we’re augmenting the Concordium wallet with the ability to hold any kind of ID information, not only your legal identifier, but also your money relation, your membership of the local chess club, and, you know, maybe your loyalty card with your favorite airline, or whatever it could be. And once you have all of this, and you have the infrastructure to build the apps that can somehow ask questions about it. Now you can do interesting stuff. So what we’re doing is basically allowing you to build decentralized applications that can ask questions of a user’s wallet, and the user can then decide whether or not to answer those questions.
So for instance, if I needed to know whether you were older than 18, in order to sell you a bottle of whiskey, I would, I could have a website that asked that question of your Concordium wallet. So when you go to the page, and you say, “Hey, buy that bottle of whiskey,” you know, your wallet would pop up a question that says correspondence shop wants to know, if you are older than 18, would you like to solicit this answer back to correspondence shop? The answer, by the way, would be yes. And then you click yes. And then you know, I get the answer in a zero knowledge proof, which I can then verify cryptographically that it’s actually valid and you are older than 18. And that proof was based off of an attribute generated by your passport, which was issued by this and that state. So if I trust in that line of trust, well, then, you know, I believe that you’re 18. And I can store that alongside the purchase order in my database. And then when someone comes and says, “Hey, you’ve been selling whiskey to minors,” I can basically point out that I haven’t and I have proof of all of this. So that goes a long way in establishing trust. And you can imagine so many other use cases, like, where do you come from? And do we have like a diamond membership of this particular airline or whatever it could be?
Mike Vizard: Do you think organizations will wind up therefore having multiple blockchain platforms that they’re using for purposes, and they will depend on the use case?
Kåre Kjelstrøm: I think of blockchains as infrastructure. And I think that what we’ll see is more of blockchains providing certain facilities. So for instance, what we’re looking to do right now is we’re looking to build the Concordium solution as a service to others. So imagine, you know, this identity as a service based on our blockchain offering; you can certainly build your applications directly on our blockchain. But you can also, if you want Ethereum, maybe leverage the identity in Concordium, and this whole identity wallet to add, you know, regulatory compliant aspects to your existing DeFi application that you already have running on Ethereum and you don’t want to change that, but you really wanted that extra layer. Right? So that’s how I think we’ll see, at least that’s part of the answer. I might also be wrong about that, you know, but there might actually be someone who all of a sudden gets ahead of the game and outpaced this theory or something else, and becomes the next bigger thing. But I think, you know, it’s an ecosystem of many chains. And I think we’ll see in the future that these chains will have unique traits that you might want to use maybe as a layer too from another chain, or maybe as a portion of a bigger application when all of it is decentralized; where you’re using the blockchain for certain aspects of your application.
Mike Vizard: Do you think they will consume that all as a cloud service or will some people want to build and deploy the blockchain platform themselves?
Kåre Kjelstrøm: I think, well, so it depends, again, blockchains are many things right? You have the public permissionless blockchains, which is what Concordium is. So we don’t own the physical nodes that run all of the software. We own some of them. And it’s not permissioned. So we don’t control it. So it’s not like a conglomerate, right? Anyone can just download the software and be running. But there’s also the permission private blockchains. So it really depends on what your use cases are. I think – I firmly believe that companies want to protect their IP. So if you have a company that’s in existence right now, like a Web2 application, that’s something – there’s a lot of information you will never out there, because that would be dangerous to you, in sort of a very competitive environment, you don’t want to give away the gold of your business, which is your data typically. But there might be some things that you want to put out there, right? And there are some things that you want to build on a blockchain that can help you with certain aspects of your business. So a blockchain gives you the ability to write data that is publicly available, which anyone can verify was written at a given point in time. And you can even put an identity to it if you want to and say that, hey, I actually, you can prove that you own something, right? I actually wrote this particular piece of information about this particular thing. And this particular thing that I wrote it about has not been changed ever since. So like contracts, for instance, and digital signatures can be put on a blockchain. Blockchain is not very useful for large data anyway, right? They’re really useful for this kind of storing proofs about stuff, and tagging information about like logs and historical transactions, things that happened, and going back in time and showing that this actually happened.
So that’s where I think the blockchain fits in as an infrastructure component; we will still see large databases in the cloud, we’ll still see these huge, huge databases of information. I, in my previous career, I was working at Uber, in the storage group – I was wanting portions of this storage systems, then one of the things we built in my group was a horizontally scalable, NoSQL database. Today, this database hosts exabytes of data. It basically hosts around 80% of all of Google’s data, it’s highly distributed, runs across multiple data centers, it’s always up. And it stores things like trip information, monetary information, all kinds of stuff. Will all of that data ever be available outside? Probably not? Right? There’s a lot of that that’s the core gold for Uber. But things like, “Hey, you know, I’m your driver, let me prove to you that I am actually that driver, or I’m your rider; let me prove to you that I am actually that person,” is an interesting use case. There’s also the whole monetary situation for companies like Uber – they have an internal economy, right? There’s this notion of Uber credits, that might as well be a currency running on a blockchain. And if you take it outside of Uber, you might all of a sudden find new use cases for it. It could take a life on its own; it could have like a value, you could buy and sell it maybe and all of a sudden, it could be used in other settings that we didn’t even envision. I don’t think they want to do that. But those are options, right? Those are ways that you can do it. So I mean, that’s how I’m thinking about – as blockchains as an enabler for certain new emerging things that you can certainly do what you weren’t able to do before.
Mike Vizard: So it almost sounds like there’s a lot of new use cases that previously we could not have even attempted, but we’re not getting rid of these high performance OLTP transaction databases anytime soon. So with that in mind, do you think that people understand where blockchain fits in? For that matter, we hear a lot about the buzzword Web3 these days. So blockchain is considered an enabler for that. So what’s your take on Web3? And what kinds of applications are we going to see?
Kåre Kjelstrøm: So I think Web3 is more of like a marketing buzzword and anything Web2 is not going to go away and be replaced by Web3. So if anyone feels that way, it doesn’t make sense in my mind. What I think, it’s just like saying that just because we’ve got mobile phones, you know, the webpages are going to go away and no one will ever use a computer anymore to go on the internet, right? When we got mobile phones, that was an enabler, it enabled a lot of things like Uber, for instance. Uber would not have been possible before mobile phones. Because of that, there’s like tons of things you can now do. And ride sharing became a thing and a concept. And so many other companies sprung up that started doing this when the proof of concept was out there. And it was shown that this is actually a thing; you can just have your mobile device, you can click a button, you can get a ride, and you can go anywhere. That’s way more convenient than calling a taxi firm in a new country. And you don’t even know where you are, right? Like all of these. These things don’t even know who to call and who to trust. I think you’ll see the same thing for blockchain and Web3. And I think we’re in the early days. We’re kind of just like in the beginning of the 2000s or 1997, or something like that. Just after the World Wide Web had become a thing. Initially, we just had web pages, then someone came up with the idea that maybe we should make ecommerce a thing and you could start buying stuff. And companies like Amazon, for instance, sprung up and saw this as an opportunity and have today become like a giant in the space selling everything, not just books. So I think we’ll see the same thing for blockchain, which we’re very much in the early days and much of it has been I think, the whole blockchain space seems to have been creating, making it harder on itself in many ways, right? 
Because blockchain is a permissionless public thing where it – You can’t even see the transactions and who’s done that allows for illegal activities to happen, which has happened quite a lot, right? And that has created like this bad rap. So we have to first of all, we have to take away the kind of bad rap. And we have to make it more mainstream and more attractive for existing businesses to move over. And we’re hoping that by providing the infrastructure with the ID, that will be pointing us in the right direction. So I think that’s what you’ll see. Once you have that, you’ll start seeing these new use cases where you can actually see what is it that blockchain can be used for that I can’t just do with a regular database – like creating customer loyalty across multiple companies, for instance, because I have a loyalty card that I can carry around. And you want new economies – there’s a whole thing about tokenization, right? We’ve seen again, NFTs and the first versions of those with for apes and other pictures took off like crazy, and people have bought these and made a lot of money on them, and some lost a lot. But it wasn’t really a real thing. It was just blockchain doing stuff for the blockchain; it becomes real when you start tokenizing cars, right? Which we’re working with an automaker at this point, to build a game with tokenization in place. And once you start doing that, once you say, “Hey, I can actually compose my own car using these components. I own them as NFTs. And hey, guess what, I can actually build the cars where they can actually order it. So it looks exactly like the NFT component that I made, and it’s in this universe. And hey, I can also race against one of the race drivers here and actually race my real track and talk to the guy in my concept car that I came up with,” then it starts becoming a thing that hasn’t existed before. And it’s like an emerging thing, right?
Just like with the cell phone, that suddenly the smartphone and it came out, it created all of this emerging technology that also you could do things that weren’t really possible before. Right? Internet, the same thing. So I’m thinking that if you think about blockchain that way, it that’s the fact that you can store public information or information publicly, that can be verified, and there is non repudiation involved, you can’t really deny that you ever wrote it. And then that just opens up for so many use cases where stuff was hidden before and as a result never used or used in the wrong way. We just need to crack it.
Mike Vizard: Do you think the bad guys are watching all this? And will these be high value targets in the future?
Kåre Kjelstrøm: Absolutely. I think that never goes away. Right? And in any space, there are always the good players and the bad players, and it’ll always be a back and forth between those two things – it will always be a catch up game as well. And so for someone like us, who are catering to building this trust base, where you can trust the identity for us, it’s of course important that the security is extremely high. Same thing also goes for other blockchains, like everyone using this has to build with security in mind. I mean, one of the ways we have approached this is by spending a lot of time researching the core components of the blockchain; we’ve worked together with the University of Aarhus in Denmark and the University of Eth in Zurich, since 2017, on all of the core components of our blockchain, so everything is built on science. And we’ve taken great care to actually implement the exact things that were designed and proven. As we’ve been iterating on Concordium and the component blockchain. I think another thing that is to that end, right, because the blockchain space has been so hyped. There’s also a lot of chains out there that haven’t been built that way. Some of them are less scientific, some might even just have been built by, you know, opportunists in a basement somewhere and then launched these great marketing projects. You can’t promise, you can’t really tell on the Internet, whether something was built by, you know, it’s high quality or not, because sometimes it just looks great, but it isn’t necessarily. So I think that in this current state that we’re in right now, we’re in some kind of crypto winter, we will see a lot of these projects fail, which is for the greater good, to be honest, right? We get rid of all the stuff that isn’t really built very strongly and all of the scam platforms that are out there. And hopefully, the space will be recognized as something that’s worth building on because of that.
And because we’re seeing these platforms, with regulation in mind coming out there like ours.
Mike Vizard: Awesome, Kåre. Thanks for sharing your knowledge and insights.
Kåre Kjelstrøm: Thank you so much, Mike. It was a pleasure.
Mike Vizard: All right. And thank you all for watching this latest episode of the Digital CxO Leadership Insights series. You can find it on the Digital CxO website along with all our other episodes. We invite you to check them out. And once again, thank you for spending some time with us. Take care. Appreciate it.