Cybersecurity Standard (Layer2 Meetup@Tokyo Sept 20th, 2024)

General
1

16:45-18:15 Cybersecurity Standards Agenda

  1. Cybersecurity Information Sharing Alignment for the Crypto Industry (20 minutes)
  • Presentation of the Cybersecurity Information Sharing Aignment by Takaya
  • How such an alignment can work for the crypto industry and identify what roles should be played in the alignment, leading to a discussion on who will play the roles
  1. Information Sharing and Analysis Center (ISAC) for crypto (10 minutes)
  • Introduction on the establishment of CryptoISAC in the US - what roles do they play?
  • Discuss who and how will play the role of sharing industry-specific information and analysis internationally, not in a specific nation
  1. Responsible Disclosure Practices (40 minutes)
  • Researchers and Security Professionals
    • What does the Bitcoin community do to ensure security?
    • There currently exist "audit firms” that audit, discover and report vulnerabilities especially in smart contracts, and get paid for the services by contracted projects.
      • Who are the “security experts” in these firms?
      • How can we ensure the reliability of these firms?
      • Any incentives for vendors to pay for bug-hunters?
  • CVE Program
    • Who will be responsible for managing the program and list? MITRE?
    • How can we design incentives for vendors to respond to requests for security patches by the CVE Program?
    • Is having a centralized entity that manages them against the ethos of crypto?
    • Any new data format for the CVE record needed?
      • What information is necessary specifically for blockchain and crypto?
  • Standardized Vulnerability Database
    • Does NIST standardize with additional analysis vulnerabilities in the crypto industry? If not, who will be responsible for the task?
  • ISAC
    • Do existing ISACs have enough resources to analyze all of the standardized vulnerability data and share it with vendors? How many security experts do they need to do all they want?
  1. Recent incidents and responses (15 minutes)
  • Discuss the types of vulnerability information that should be prioritized for sharing - smart contract, key management by crypto exchanges, bridge/cross-chain protocol hacking, etc
  1. Next steps (5 minutes)
  • Standardize the framework for cybersecurity information-sharing alignment through ISO
2

Related Documents (Not necessary to read before the session)

Study Report for Ransomeware Reaction

Incident Response of Decentralized Custody; A Case Study

3

It is highly recommended that you all read this slide before the session