CarahCast: Podcasts on Technology in the Public Sector

Blockchain Security with Chainalysis

Episode Summary

Blockchain is most commonly considered the foundation for cryptocurrency – the usual form of payment in ransomware demands – because it is a method of recording information that makes it difficult to impossible to change, hack, or cheat records of transactions. It’s a form of “distributed ledger” that records every transaction to every participant’s copy of that ledger. As a result, blockchain holds great potential to provide high levels of security for government agencies, provided they understand that transparency of transactions is also one of its characteristics.

Episode Transcription

Speaker 1: On behalf of FedInsider and Carahsoft, we would like to welcome you to our mini-series, Headlines in Cybersecurity, which aims to translate the year’s hot-button cybersecurity news stories into actionable steps state and local governments can take to protect themselves from attacks and recover when disaster strikes. Today’s podcast, brought to you by Chainalysis, is focused around blockchain security. Journalist John Breeden will moderate as Mark Canter, Assistant Director at the US Government Accountability Office, and Amanda Wick, Chief of Legal Affairs at Chainalysis, discuss what blockchain is, how it works, its benefits and drawbacks and how state and local governments can use it in their operations.

John Breeden: And hello, everybody. Thank you for joining us for day four of the Headlines in Cybersecurity event. I'm John Breeden and I will be moderating what I know will be an interesting and lively discussion about blockchain security. It's a relatively new technology which came to the stage around 2008. In general, blockchain is a growing list of records, which are called blocks, that are linked together using cryptography. It's also sometimes described as trustless, and fully decentralized peer-to-peer immutable data storage. Today, we will talk about how it works, why it is so powerful and what plans government has for deploying blockchain in their operations. Thankfully, we have two very leading experts in this field to help break everything down for us. So let's meet them and then we can get started. I first wanted to extend a warm welcome to Mark Canter, the Assistant Director for the Government Accountability Office. Mark, it's an honor to have you with us today to talk about the interesting and sometimes misunderstood world of blockchain.

Mark Canter: Thank you for having me. It's a pleasure to be here. Great.

John Breeden: And we're also fortunate to have Amanda Wick, the Chief of Legal Affairs with Chainalysis. Amanda, it's, we really appreciate having an expert of your caliber with us to talk today about this critical topic.

Amanda Wick: Super excited to be invited and very excited to talk with state and locals about a topic near and dear to my heart.

John Breeden: Excellent. Well, thank you again, both for being here. I do want to dive into this topic. I know you're both really excited to but you both have such impressive backgrounds. I thought we should maybe take a quick moment to learn about each of you and what you do. So Mark, can you tell us a little bit about your background, and your current responsibilities as the assistant director with the Government Accountability Office?

Mark Canter: Yes, so I lead financial audits related to financial information systems, cyber security and certainly emerging technologies. What we're here to talk about today, with regard to the financial audit, that I do conduct, a lot of the work that I focus on is how data moves inter application or inter system, protection, the controls associated around those financial processes related to financial reporting, as well as for the cyber security audits. Our main focus that I work on is really protecting the confidentiality, integrity and availability of that data.

John Breeden: Excellent. Well, that's, that's great. And it's good that you work on the financial side of things, because we have a whole section, later talking about how blockchain works with Financials. So Mark, one of the things today is that a lot of our guests are tuning in from state and local governments where they can really get a lot of great advantage from blockchain. But it occurs to me that not everyone may be completely familiar with the role of the GAO within the federal government. Could you maybe briefly tell us about your agency and the missions that you perform?

Mark Canter: Yeah, absolutely. GAO is the congressional watchdog. We are an independent, nonpartisan agency that works for Congress and directly with Congress. This year marks actually our 100-year anniversary of us being in existence. Basically, what we do is examine how taxpayer dollars are spent, with fact-based information to help governments save money and work more efficiently. Our work is done at the request of congressional committees, or those subcommittees, or is statutorily required by public laws or committee reports. Just to kind of give you a general nature of the topics: certainly we've already spoken about financial auditing, but there are certainly other areas that focus on defense, healthcare, energy, Homeland Security, and of course, information technology as well.

John Breeden: Excellent. Well, thank you, Mark. We really appreciate that. So moving over to you, Amanda, we really appreciate you being with us here today. Could you tell us a little bit about your background? I know you get to speak at a lot of different conventions and events and things like that. Tell us a little bit about what you do also as the Chief of Legal Affairs with Chainalysis?

Amanda Wick: Yeah, no, I appreciate the question, and I will say, like, Mark is clearly the data person. I am on the other end of the spectrum in that I am a lawyer who spent about a decade as a federal prosecutor for the Department of Justice. I worked in three US Attorney's Offices prior to coming to what we call main justice in DC, where I worked in the Money Laundering and Asset Recovery section in the criminal division. And then I did a detail at FinCEN. Because of some of my work in crypto money laundering, I went to FinCEN to work in their policy division, where I got to work on strategic policy initiatives involving cryptocurrency and human trafficking. And while I was there, the person who held my position previously, Mike Mosier, he had left to become Ken Blanco's number two at FinCEN. And some folks sent me this job and said, Hey, you should really consider this because it kind of sounds right up your alley. And I hadn't been thinking about leaving the government. But when I saw the job description, I was like, Well, if I was ever going to leave, it would be for this amazing role. I went from being a crypto money laundering prosecutor to somebody who helps agents and prosecutors, and regulators deal with crypto all around the world. And it's an amazing opportunity.

John Breeden: And quite an amazing background you have. So your company Chainalysis, as part of what you guys do you work directly with blockchain technology. Can you maybe tell us a little bit about Chainalysis and what you do and how that works? 

Amanda Wick: Sure. So we, you know, our company has a saying that we build trust in blockchains. And one of the ways in which we do that is, frankly, by de-anonymizing them. When I started prosecuting crypto cases back in 2012, one of the difficulties back then was there wasn't a lot of visibility into the blockchains. It was a lot of transactional data, with a very, we'll say, like, not easy way of kind of identifying the who's who of who was doing what on the blockchain. And my company, Chainalysis, very early on became kind of the experts in data analysis. And by building kind of best-in-class data, they've been able to analyze that and distill it into something that allows investigators and regulators to have enough visibility into the blockchain to be able to do investigations and do compliance, to basically make blockchains, and especially cryptocurrencies, a viable alternative and new asset class.

John Breeden: Wow, that's really interesting. And maybe to help our audience visualize what Chainalysis does, maybe could you maybe give us an example of like, a project that Chainalysis would have worked on or would have helped out with?

Amanda Wick: Sure. So I'm, I'm really careful about that, just because we do work with a lot of governments, and we generally don't discuss kind of that work without permission. I highly recommend people go to our website, Chainalysis.com; we have a lot of use cases where we have worked with government partners who have allowed us to kind of disclose additional details. But at a very, very high level, what we do is, we basically cluster addresses and then attribute them. And then whether it's our software that the government uses to conduct investigations or regulators who use it for compliance, or we also have internal investigators who also serve as search support, and we do some of the most complex cryptocurrency tracing and analysis done in the world today. But we basically give governments and regulators the ability to deal with crypto at that level. So whether it's law enforcement tracking a darknet vendor and trying to figure out, you know, who's selling dope on a darknet, or looking, you know, hunting down administrators and shutting down darknet marketplaces, to, you know, assisting cryptocurrency exchanges to stay compliant with their regulators, or helping regulators with how to kind of, you know, assess and supervise the exchanges, we serve as this incredible kind of hub of kind of all things cryptocurrency and blockchain because of our software and our capabilities.

John Breeden: Excellent. Well, thank you so much. We appreciate that, Amanda. Thank you both for sharing your impressive backgrounds. So as you all know, many of our audience members today are tuning in from state and local governments where blockchain could potentially do a lot of good. So we'll see if we can offer them some good advice and information on today's show. I figured the best way to begin with blockchain is to level set the situation. So almost everyone has heard about blockchain, but it's not very well understood at this point. So let's begin by talking about what it is, the kind of IT support that it requires and how it can be applied to finance and other government applications. Then we can dive into some of the potential government uses and finally, blockchain security concerns, because there are some that I think people need to be aware of. So Mark, let's start with you on this one. I know you've studied blockchain for many years. Could you describe for our audience, based on what you've learned, what is blockchain and how does it work?

Mark Canter: Sure. So blockchains are really just a growing list of transactions that are cryptographically linked together. So each time a new transaction or an event occurs, it is linked together with a previous transaction. Think of it this way, you know, if I give you $1, that passage of me presenting $1 to you is then cryptographically signed. So that, you know, there is a sense of integrity from each transaction that is incrementally built to that $1. So that, you know, 10 times down, or 10 times that dollar is passed to the next person down the line and so forth, you can link all the way back to the original time when essentially $1 would have been created. That's kind of more an example of what we commonly see in Bitcoin, but it really also applies to really any sort of distributed ledger technology, such as, like, what you might see internally in an accounting system or some other types of blockchains, procurement and whatnot. So really, what blockchain provides is that sense of integrity of all the data and all the transactions that have occurred previously, up to the current point.

John Breeden: That was as good a description as I think I've ever heard, Mark, so thank you so much for going over that with us. So Amanda, adding on to what Mark said, why does the design of blockchain help to make it secure? So what happens if someone wants to, for example, change a record in that chain that Mark was describing? How would that process work and why would it be rejected if that change is unauthorized?

Amanda Wick: This is a good question because it kind of gets to the value of blockchain and the immutability of it. And as a former prosecutor, I tell people, like, you know, I prosecuted bank cases where the internal ledger was an Excel spreadsheet, and all it took was one person having a hidden cell to be able to change that ledger. Whereas, as Mark kind of mentioned, when you have a lot of different computers, usually in a decentralized network, it's very difficult to actually change the block; they all have to agree on it. And the process of changing it, especially once a block has been agreed upon and confirmed, is actually incredibly difficult. And if you want to kind of deep dive on this, I highly recommend kind of googling the difference between Ethereum and Ethereum Classic after the DAO hack, because that was an example where an entire cryptocurrency basically had to decide, kind of like, what do we do? Do we, in fact, like, change the block, or what do we do about this transaction? And there was actually something called a hard fork, where they ended up making two different cryptocurrencies to address that. And the immutability of the blockchain was a large issue in that debate. So the security of it is that because it's so difficult to change what's on the block, once you've confirmed that, it is actually incredibly secure. So it's actually very difficult to change a record in the blockchain, which is one of the reasons why it is so amenable to finance.

John Breeden: Excellent, no, thank you for that description. And so, Amanda, your firm analyzes blockchain now. So what kinds of things do you look for? And what do you prove in terms of the blockchain? I mean, are you verifying that the blockchain is secure or just trying to identify who's part of the blockchain? Or what is it that you do? And why is that valuable for the people that need to rely on blockchain?

Amanda Wick: Yeah, so we actually look at a lot of different blockchains. We look at Bitcoin, we look at ERC-20 tokens, and there's different types of blockchains. We obviously look at the largely visible ones. We also look at kind of anonymity-enhanced cryptocurrencies or less visible blockchains, like Monero. But we aren't actually doing the proof of the blockchain. So if you were to look at how blockchains are created, kind of going back to Mark's initial explanation, we're talking about a decentralized network of nodes, or, like, in cryptocurrency, we would call them miners, like the people who are actually doing the cryptography that confirms the transactions and verifies the blocks. And then once they're verified, and they're publicly basically announced or distributed on the blockchain, and they become visible on the blockchain, then we review that data, digest it, analyze it, and then, using kind of our analytics and heuristics, say, okay, based on that, seeing these public addresses, do we know who that address is that sent money from this address to that address? And then what analytics can we do on that data? But we are not, quote, verifying that chain; the nodes in each individual blockchain network are, right. So if you're a Bitcoin node, or if you're running something on another blockchain, it's those members of the network that are confirming the blocks and verifying the transactions.

John Breeden: No, that makes a lot of sense. And I think that helps to kind of understand the situation of what blockchain is and how it works. So I appreciate that. So it sounds like we have encryption involved in blockchain as well as increasingly larger chains over time. So I want to talk about some of the IT requirements to run a blockchain. So Amanda, as far as the technology involved in blockchain, what kind of IT systems or backbone needs to happen in order to support it? I mean, is this something that pretty much always has to run in the cloud?

Amanda Wick: So first off, I will say, if you are asking the lawyer for IT security advice, you are in dangerous waters. I do not profess to be the tech expert. So I tread very carefully here. To add to that, there's a lot of approaches and computer languages that one could use to construct a blockchain from a series of network computers. That would be very hard to answer. I know that there are pretty popular programming languages used to develop blockchains. You know, I think Solidity is probably the one that we hear the most of, because it's the only programming languages for writing Ethereum-based smart contracts. But I would definitely punt that to Mark if he has better recommendations in terms of IT system backbones.

John Breeden: Absolutely. Mark, why don't you tell us your thoughts on that question?

Mark Canter: Yes. So it can be done in a multitude of ways. And it really depends on how large of a blockchain infrastructure you're looking to do. I mean, certainly, a lot of everyone always understands the publicly available ones, the Bitcoin, Ethereum, and various other crypto-style currencies. But when you get into things that would be more manageable for the government level, or anything that would be private to an entity, those requirements tend to be stripped down a lot more so that you could run it in the cloud. So there are several cloud providers that do support cryptocurrency or distributed ledger technologies that could be advantageous for your organization. Or you could run it internally; there are quite a few blockchains that have open source, you know, code that can be enhanced or developed for your individual platform. But it really just depends on what the individual agency's requirements are depends on what those ultimate requirements for the IT infrastructure will be.

John Breeden: And then are there ways once you've established the chain, are there ways to keep it more manageable by like, maybe limiting the number of people that can add to the chain or something like that to kind of keep the chains more manageable over time? Or is that not a consideration that you need to take into account?

Mark Canter: What see with everything, you really need to consider what your requirements are in building and developing the chain, if you're looking at it from, you know, a monetary value, or you're looking at it from a contract management value, or, you know, what is its intended purpose really derives what the overall requirements from personnel to support the chain to IT infrastructure? Those are really all the concerns? And really, what is what it is going to be? Or what are your objectives and how you're reducing risk in the long run, those all types of things go into really, you know, setting up, you know, the practicality of whatever the chain may be, especially like modernization and legacy computing, how can they take advantage of the chain? Or, you know, is it something that we're trying to move away from, and this is a new technology that really can enhance those control environments, I think those are really all a lot of considerations that we need to build into when just kind of constructing visualizing, you know, get those objectives, get those requirements going forward as an organization would move forward into developing more of the private or distributed ledger technology type of blockchains.

John Breeden: Now, that makes a lot of sense. Thank you. So one of the areas that you both kind of mentioned is that blockchain can find a good home is in finance, it seems almost tailored to a financial type of transaction and protecting that. So Mark, how is blockchain used in terms of financial transactions? And should agencies that deploy it pay special attention to any specific areas or things like in finance, they often talk about segregation of duties and things like that, is that something that should be considered as well if you're thinking about adding blockchain to a financial application within your agency?

Mark Canter: Yes, absolutely. The great news in this is a lot of financial management teams, you know, are really in tune with the applications that they use. So they're very familiar with a lot of processes like internal controls and how that goes into reducing risk to the overall environment. But now they've really come to an interesting shift: there's more of an increased control from the IT professionals, in how they manage the chain and how they manage the systems that support the blockchain, the distributed ledger technologies within the agency. So they really need to place close and special attention on how they are monitoring those administrators, the users of the applications, to make sure that, you know, everything is running as it should be, essentially. You know, so a lot of it really focuses on, you know, what is our design with a lot of these applications and how do we limit access to the people that are required to do their duties. Segregation of duties certainly plays in there. And you know, we can really even extend that to, you know, processes as they change within the technologies, such as, you know, yearly upgrades to whatever it may be, such as, like, the tax code that may change. How do those processes get managed, and ultimately affect the chain? So really just understanding our configuration management into the overall kind of application structure, if you will.

John Breeden: No, that makes sense. And Mark, I'm just curious, do you see blockchain as something that you can use at the GAO specifically?

Mark Canter: Well, any environment, you know, if you're looking at it from a perspective of financial management, if you're looking at it from contract management, there's various different ways that any entity can use it that most places, you know, every organization is going to buy something, you can really build it into any of those processes. It really plays into or the fundamentals of, you know, how do we integrate it into our overall structure is really ultimately the question and what reliance of these technologies can we adhere to make our processes more efficient?

John Breeden: That makes a lot of sense. Thank you so much. So Amanda, I'm guessing that in your role here with Chainalysis now and also probably somebody who wrote before, as a prosecutor, you probably saw blockchain used a lot in finance. Why do you think blockchain is growing in the financial realm? And is it better than the way that financial transactions are traditionally managed?

Amanda Wick: Yeah, so one of that's a great question. I think one of the things that we've seen is the growth of blockchain as part of the growth of cryptocurrency and those two things are not the same. So blockchain technology is sometimes clumped with cryptocurrency. The cryptocurrency is kind of like almost the byproduct of what comes off when people maintain blockchains. And so there are blockchain technologies that don't involve cryptocurrency. Cryptocurrency just tends to be a byproduct of blockchains. But cryptocurrency as an alternative asset class has been huge in finance. Part of that is because we saw people who wanted to find an alternative investment vehicle, right, like almost kind of like, you know, digital gold or something to that effect. And then we've also seen it as a payment system and competing with that, but largely because of the immutable nature of the blockchain that has made it really popular.

John Breeden: That makes a lot of sense. And then, you know, is blockchain completely secure? I know you mentioned, Amanda, that blockchain and Bitcoin are different. But on the news recently, with the Colonial Pipeline attack, you know, the news story that I saw was that the FBI was able to somehow hack the blockchain that supported that cryptocurrency and actually get most of the money for that ransom back. And as I understand it, it was pretty big news. Because, you know, maybe what the FBI did was unique. But does that mean that there is some method for breaking a blockchain's security? Because most people think it's pretty much unbreakable.

Amanda Wick: I actually did hear that after the fact. And it was interesting to read that in the news, because that is not what happened. The FBI was not actually able to hack the blockchain; that's not a thing they did. Like, obviously, like, there's nothing that was publicly disclosed about that. And it's very difficult to see, but from some of the things that were publicly released, those of us that used to be prosecutors, like, there are very alternative explanations for what happens if we can definitively say that FBI did not hack the blockchain. But the nature of that, like, I think people get very concerned about technology that they don't understand. And the takeaway there is, it is very important to understand how this works, so that you know, kind of like, what is real news, and then what is people kind of speculating about what is happening. But there was no FBI hack of the blockchain in that situation.

John Breeden: Oh, great. Well, thank you for clearing that up for us. Yeah, that was definitely that was how it was reported. So appreciate that. All right. Well, thank you both for explaining how blockchain works and some of the considerations that agencies should explore when deciding to start their own blockchain program. Now, let's talk about the practical uses of blockchain in government, you know, probably outside of cryptocurrency. So Mark, let's start with you on this one. I know you have given this question a lot of thought, I know you've studied blockchain over many years, you and I were talking a little bit before the show. Could you maybe give us a hypothetical situation, especially as it applies to state and local governments, where a blockchain program could really shine to give our audience something to think about in terms of where they can bring it into their own state and local governments? 

Mark Canter: Yes, such a great question on this one, because I think it's one of those misunderstood technologies. You know, we often talk about it from the public, you know, the Bitcoins again, but really, how can we use it in our entity, you know, if you will? So really anything that has a natural data flow or life cycle, such as, like, contracts. You know, at the local level, you can think about it from a property records perspective. And then, you know, even extended into, like, permits, tax records, just to name a few, it can be implemented using blockchain or distributed ledger technologies. So each of these instruments really has a beginning. And some of them, such as contract management, will have to have a natural end. But in theory, what you're doing is building on to any sort of a piece of data, you know, like a property, you know, those permits, those grants, bills or anything else like that, that really could be linked together to ensure that these types of events actually did occur within the property. And you know, often, let's think about it from property records that may be hundreds of years old, can now be extended into what happened to those old property records, digitizing those, and now really continuing to build on that chain so that if anyone were to go look at something, they can really have some level of assurance that these events actually did occur, into a blockchain at a state and local level where those records are necessary to do whatever the function may be. So that might be some very good use case scenarios. Property records, we talked about tax, car records, or any type of business records even can really be extended to how these types of events could occur, that really could be beneficial for state and local governments. And really, you know, when we talk about any of these types of chains, we're really talking to make sure that the integrity of the data is what matters the most to people.

John Breeden: Yeah, no, those are really good examples, I can see where that would be really useful. Because not only would you be able to store the information about you know what happened to a certain property over the years or something like that, or even a vehicle I guess, but also you can the people that are accessing it, you know, informationally can be assured that the information that's contained in that blockchain is correct, and hasn't been altered from the point that, that it's been put into the chain. 

Mark Canter: That's exactly correct. Yeah. And you can really even. I know Amanda is an attorney, you can really build that onto legal documents that are registered at the local courthouse. So you know, there's various different types of components that you can continue that extension every time a brief is filed from a case, again, getting back to the natural data flow, the beginning points of anything that may be filed at county state level could really be introduced into the blockchain.

John Breeden: Oh, I'm sorry, Amanda. I was just gonna ask you, I said Mark had some great examples. But what about you? Did you have any, any of your own to contribute?

Amanda Wick: I did. I will say Mark stole all of the good ones, so it's really hard to add on to that. But I will say, like, one of the things that we don't really think about is, like, especially if you think of the concept of, like, title insurance, right? Like, we pay people thousands of dollars to basically go and kind of sit in, like, a little county records office and say, like, Okay, well, who owned this property before this? And imagine if instead state and local government digitized this, put it on a blockchain; they could save their residents thousands of dollars by essentially negating the need for the title industry. And part of the conversation here that's a little difficult is, a lot of times people don't want to ask, how do we do this better? Because the reality is, is that as we digitalize things, and as we computerize things, we eliminate the need for some industries and some people, and the truth is, is this may completely eliminate title insurance. And so there are people that are using this for the transportation industry; that's already happening when you're looking at ships that are kind of carrying thousands of cargo containers, and how to log those. So, like, Mark made tons of good examples. I would say a state and local government is kind of only limited in its imagination, but anywhere where there's, like, a record of transactional history, where you're trying to basically prove something's provenance or its origin. Mark makes fantastic points; like, people should be thinking about, there's a better way to establish, like, the provenance of this data.

John Breeden: Excellent. Well, thank you, Amanda. Appreciate your thoughts on that. So from what Mark and Amanda are saying, it sounds to me like blockchain could be a real silver bullet for a lot of applications. But there are also some security considerations as well. I'd like to go over those for the audience. So Mark, it sounds like the blockchain itself, and the technology behind it is pretty secure. But is there a danger in confusing the integrity of the chain with the accuracy of the chain? 

Mark Canter: Yeah, that's a great question. Because I think oftentimes, when we talk about integrity, we really focus on really the accuracy and completeness of the data. And while it's true that you can think of the chain as being complete, how do you have assurance of the accuracy of the data and really, that what I'm referring to is when data is being entered into the chain such as a block is just one piece of computer information. But how do I actually know that whomever entered it in the first time entered it that information correctly? So that really speaks at the input? Or at the accuracy level? Such as? How do I know that the street address is correct? Amanda gave a great example about titles and title insurance. How do I know that that information was done correctly? These are the real concerns, you know, with having information on the blockchain that we often may misconstrue? Well, because it's in the blockchain that must mean it's accurate. Well, there still has a certain level of reliance on a person to type it in correctly the first time. That's kind of the challenge that we need to understand and how do we move past that to ensure that the data is always going to be accurate, and that something doesn't need to be adjusted or updated later to make sure that the blockchain is reliable? Because ultimately, that's really what we want to get at is the reliability of these distributed ledgers?

John Breeden: Yeah, no, that's a really interesting point. Because I suppose if you put misinformation or bad information into the blockchain, then suddenly the chain has integrity, the chain is still secure, but what you're protecting is the misinformation that you put into the chain to begin with.

Mark Canter: Yep, that's absolutely correct. So you really have to consider all those different functions of you know, who's putting a data entry, you know, when you're building these types of applications?

John Breeden: Yeah, it makes sense. Great. So Amanda, are there any other considerations that you think are important when putting together a blockchain for a state and local governments? What should they anything should be top of mind for them in terms of putting together an accurate chain? And Mark talked about making sure that your processes for adding to the chain are correct? And that you're putting good information in there? Are there anything else based on your experience that people should be thinking about?

Amanda Wick: Yeah, so I mean, I think blockchain security is critical as is like overall cybersecurity, right. So I'm definitely not in a position to recommend one security application over another. But I would emphasize the importance of cybersecurity in this area, especially given one of the primary objectives of a blockchain application is to provide a secure, transparent, immutable copy of transactional records like Mark talked about, right. And so if those records were compromised, or shown not to be secure, or somehow corrupted, which made them unreliable, then the purpose of your blockchain would be defeated. And so I think you can't have a conversation about like moving into this technology without having a general conversation about overall cybersecurity. And given the work that we do in ransomware, I would also just like say that what we're seeing kind of overall, especially is a lack of kind of overall cybersecurity just kind of generally, which is why we tend to see state and local governments kind of hit with ransomware attacks. So as kind of like a preliminary conversation, it's kind of like you can't really move into blockchain security, until you've had the conversation of overall cybersecurity, and it's something that state and local governments really need to be looking at. We've seen hospitals shut down, we've seen entire cities shut down. Cybersecurity is kind of a critical infrastructure issue right now, in addition to blockchain just generally.

John Breeden: That makes a lot of sense. And Mark, to get into a little bit more of a technical question for you, you talked about making sure that the blockchain was accurate in terms of what the human users are doing to it. But does blockchain also have other things that are contributing to it like, I've heard that elements like data from systems processes, and things like that get added to the blockchain over time. And so do those also have to be monitored in some way to ensure that they are accurate?

Mark Canter: Again, definitely, the problem that we end up running into is a lot of any person that's running a financial management system understands that there are certain types of things that happen automatically depreciation, penalties and interest. These are all types of systematic functions that really would happen at the, you know, underneath the hood, so to speak, I always like to use the, you know, the, the visibility of what a person might do. But then there's also the visibility of what a systems or a system as administrator may see, or the Application Programmers may do as part of these functions. So, again, getting back to the under the hood example of penalties and interest, how do I know that the programmer programmed a 5% interest and made sure that's accurate? How do I know that it kicked off every month or every day or compounded that interest according to the laws and statutes? So these were all kinds of examples that may happen automatically, that we really need to be aware of when we're designing these types of processes that go into the chain that may be unseen to the direct user or whomever may be working with the data directly. So When we started looking at those configuration, I know Amanda started speaking about, you know, the underlying technologies in cybersecurity, really understanding those control processes, whether it be at the systems or at the application level that really drive these types of technologies into any given environment.

John Breeden: Now, that makes a lot of sense. Amanda, do you? Also, in your experience, have you also seen, I mean, this is kind of looking at your experience. But since you've done prosecutions and things like that, so it seems like you can eventually you can kind of figure out like, who contributed to the blockchain and things like that. But are you also or should agencies also sort of look at kind of the human side of things like, who has access to be able to change the blockchain, especially in the financial systems? I assume that would be you know, there'd be only a limited number of people that could add to the records and things like that. 

Amanda Wick: So that's a really good question. I think I would take it even back a step further and happy to have like, Mark's input here. But one of the things that we did see early on in government before there were kind of like processes, procedures, rules, you had agents and agencies that were kind of like figuring it out as they went. And as a result, there were some high profile cases where agents unfortunately, stole crypto, like from cases that they were working on. And that was like, partially because people didn't even know necessarily, like, while they were kind of like, you know, running and gunning, so to speak, what was happening, how this worked, what were the backdoors. And so like, you know, one bad apple was kind of able to make a lot of others look bad. But when you're talking about the security systems, to the extent that you can, at the beginning, really try to put in those security protocols, who has access to what, who's going to, you know, be able to look at the system and control the blockchains. And I think Mark touched on this earlier, you really can't be proactive enough in having processes and procedures beforehand envision to protect things to kind of prevent worst case scenarios, as opposed to waiting, and then finding out on the backend that something happens and trying to clean up. And generally in the government, it's hard because you're giving you know, you're asked to do more with less. But to the extent that you're working on an initiative like this, the more that you can have those processes and procedures in control at the beginning for data protection and security, the better.

John Breeden: No, wow, you guys are both really giving me a lot to think about with blockchain. So you can't just put it in place and everything's secure. There's a lot more to consider. And I appreciate you all helping to explain that for our audience today. So Mark, we talked a lot about the security of the data going into the blockchain. But another area that I want to ask you about in terms of the agencies that are thinking about setting up blockchain is actually the process of extracting that data back out, it seems to me that someone might be able to change or manipulate the data during the extraction process. So is that another point where blockchain needs to be especially protected?

Mark Canter: Yes, absolutely. You know, I think Amanda's example was a perfect example from, you know, how spreadsheets can have hidden cells. And, you know, when we looked at blockchains, we're really looking at once the data, you know, we talked about it from the systemic processes of what the systems or the application is doing. But now, how are we building whatever it is for our reports, right. And so when we get data out of a blockchain, how do we ensure that the data is transposed with some level of accuracy? How are we utilizing that information? And again, is it something that's going into another systems process or another application further on down, and then we start really losing some of that integrity of the blockchain itself? So we really have to pay close consideration how that data is being moved? Is it summary level? Or is it very detailed, that it's being relied upon to make for the decision makers later on, you know, through the use of multiple multitude of systems that, you know, would be after the blockchain? So a lot of those considerations really have to be in play. And really, again, getting back to the cybersecurity aspect of it, how can things be changed? How can system administrators that may have access to the data, be able to manipulate the data after it's left the blockchain or any of those interfaces, designs, that really needs to be strong and protected, and, you know, confident that the data that's being relied upon by other systems down the road, you know, have at least the same level of protection, and especially when we start getting into things like jumping back even further, about combining multitude of systems, like for example, a state and local government where you may have property records in one database, permits and another and your financial management in a third system. 
Now we can start drawing all those together, but that increases the challenge to make sure all of that data, as it's coming out of the blockchain, is consistent, is accurate and has integrity around everything.

John Breeden: No, that makes a lot of sense. And I appreciate you, Mark, actually kind of really drilling this down and making some specific use cases for our state and local people who are listening today. Along those lines, I kind of wanted to expand on one of the examples you gave earlier, which was, what about the security controls that might be needed? If let's say a system, a blockchain system is deployed by a state like an overall state, but then it allows individual counties to contribute to it in some way? I'm sure we'd like maybe with a property chain property records, maybe that would be where individual counties would need to contribute to it, but it's a state run program? Do you need to have special security controls in place in an environment like that?

Mark Canter: So, it's a very interesting question, because it really relies on how the controls and how the policies and procedures are set up from a state or local governments do they have similar structures, whether it be at the cybersecurity level, or even how their application development and deployment is concerned how they're getting releases out to the different components. You know, to understand this, we also take a look at the blockchain or distributed ledger technology in different nodes. So what a node is, is really a repository at one agency and a repository at the other, think of it as more or less two different systems that are essentially talking together to ensure the integrity of the chain, the entire chain that is that has been developed. But underlying that, again, getting back to the cybersecurity concerns does agency A and agency B have a similar structure for the relying of those cybersecurity controls within their individual agencies. Now, some agencies may extend, you know, at a state level to a municipality, those types of concerns may be different than if each agency is set up in turn, or their own internal kind of policies and structures, then we get into how the system administrators can update at agency A, can that information, be transposed over to agency B's blockchain if they're working on a node together to two nodes simultaneously, keeping the information integrity. But these are all concerns that we really need to work through when we're designing the system.

John Breeden: That's what I was just thinking it sounds like a lot of the a lot of these considerations, you need to have them top of mind that it seems like a lot of them can be worked out at the beginning, when you're putting the system in place. It's definitely something you want to think about. Because you don't want to be in a situation where agency A and agency B aren't working together perfectly after you've already deployed your blockchain.

Mark Canter: Right, because then the challenge is how do we get it to where we need to be? What happens if is always a tough scenario for an auditor understand of, you know, strengthening those controls, it's, it's much easier when you start with a high level of security in that chain, and then be able to add the enhancements.

John Breeden: No, it makes sense. So, Amanda, for our state and local guests here today who are looking into blockchain as a way to improve some of their operations. Do you have any advice for them as to where they can get started? I mean, we talked about a lot of technical things today. And it can seem, I would think, like almost like a giant mountain to climb. But do you have any idea of like where they can get a nice jump into this technology? Or what they can do to sort of get their feet in the water a little bit?

Amanda Wick: That's a great question to end on. And I'm careful when I say the word advice as a lawyer, because obviously, this isn't legal advice. But if somebody was asking me kind of like where they would start, I think the first thing I would do is something that Mark alluded to, which is basically clarify the problem that you're trying to solve that you think blockchain could address. Right? It's really important to spend time on defining and refining your requirements, because that time will be well spent. There is nothing worse than when agencies go out and purchase technology. And leaders say, well, that was a solution that went looking for a problem, right. And we have all seen those initiatives. Not everything needs blockchain technology. But some things are very well suited for blockchain applications. And it's really important to spend the time figuring out which is which, the next thing I would probably do is, see if anybody else out there has tried it, and identify who may have already solved the same or similar problem. Like you know, in the government, we always joked, find a go by, right? I would try to find their lessons learned what worked, what didn't why. And in doing that, you'll want to take note of how they leverage the blockchain, what provider and applications they utilize, what tradeoffs were considered, including costs. And having said that, if you're the first talk to experts in industry, we can help you brainstorm things that you might need to consider understanding that it'll probably be a little theoretical, but all you can do is try and figure it out but not doing anything at all. What we see unfortunately, a lot of times in government might be worse than trying and then having to make course corrections later. And to that point, I think the last thing I would say is put out a request for a proposal and see what solutions market providers have to offer. 
Industry members can really help you do that, like my company puts out white papers and other educational materials to try to help state, local and federal governments, right, like develop this and understand kind of like, you don't know what you don't know what let us help you address some of these problems. So don't hesitate to reach out and have those conversations. And in different, you could use some helpful input because there is tons of information out there. But there's also lots of us who are out here who are ready and willing to help.

John Breeden: Excellent. Well, thank you, Amanda. Very, very good. Final thoughts. I appreciate that. So Mark, it looks like you might get the last word today. For us. I know you've studied blockchain quite a bit and even looked into using it internally at GAO. Given everything that you've learned about blockchain. Do you think that it has a future in government service? Is it really useful and flexible enough that it can be deployed in a wide array of applications for government agencies, at all levels, and especially for state and local governments?

Mark Canter: Yeah, just like Amanda said, the real challenge is to make sure it works within your individual agency. You know, part of the problems that you see is, just like Amanda said, Are you chasing, you know, something after something that may not be useful, but I think we've given off quite a few examples of where, you know, some practicality makes sense into an individual agency, but also do the benefits outweigh the cost? Those are types of scenarios that we really want to look at, when we're implementing these type of strategies and moving forward, especially, you know, in the sense of modernization of our systems and infrastructure, really, to be responsive to the needs of our constituents and taxpayers or, or whatnot. So those are all just very generic considerations that we need to we need to work through. And then certainly looking at it from the longevity, do we have the appetite to support something like this do our IT people are they qualified to manage these type of environments, and really build our skill sets into those into those areas that we can really have some longevity and make some very good use out of distributed ledger technologies and blockchains. But I'd also like to say, you know, GAO, we published quite a few reports on it, our latest report was on taxation and the use of blockchains. You know, for those purposes, you know, really got into that level of detail about describing, you know what a blockchain is, especially at the government level. But we certainly have quite a few more reports coming. And those might be good examples to really get, you know, the thought process working about how it can be used in any given agency.

John Breeden: That's great advice and pointing out that the GAO actually has reports that are available now that talk about blockchain, I think would be real helpful. So for our audience, make sure you check that out. And I wanted to thank Mark and Amanda very much for being with us here today. All their insights made this an amazingly productive session focused on a very critical and extremely complicated topic. I learned a lot about blockchain today, and I'm sure audience did as well. So thank you both, again for being here.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or Chainalysis can assist your state or local government agency, please visit www.carahsoft.com or email us at Chainalysis@carahsoft.com. Thanks again for listening and have a great day.