當我和世界其他人一起等待第一個比特幣 ETF 獲得批準時，有一件事一直困擾著我：除了包括 Fidelity 和 VanEck 在內的少數例外，幾乎每個現貨比特幣 ETF 的申請人都打算使用 Coinbase 作為其保管人。

David Schwed 是 Halborn 的首席運營官。

作為專注于區塊鏈的網絡安全領導者，這種風險的集中、加密貨幣托管固有的高風險性質以及安全最佳實踐仍在不斷發展的性質讓我猶豫不決。

讓我擔心的并不是 Coinbase 本身。

該公司從未遭受過已知的黑客攻擊，這解釋了為什么如此多的傳統機構信任其專業知識。

然而，不存在不可破解的目標——只要有足夠的時間和資源，任何人和任何人都可能受到損害，這是我在網絡安全和資產管理交叉領域的職業生涯中學到的教訓。

讓我擔心的是資產極端集中于單一托管人。

考慮到加密資產與現金類似的性質，這種情況本身就令人擔憂。

另請參閱：Gary Gensler 的比特幣 ETF 小丑秀

也許是時候重新考慮“合格托管人”的指定了，這是一種監管簽字，其目前的形式不一定能確保基于區塊鏈的風險資產必然（或最好）受到保護。

此外，理想情況下，數字資產托管人應該受到比現在更嚴格的州和聯邦標準、訓練有素的監管機構更多的監督。

如今，大多數合格的托管人都保護股票、債券或數字追蹤的法定余額，所有這些從根本上來說都是合法協議，不能簡單地“竊取”。

但比特幣 [BTC] 與現金和黃金一樣，是所謂的不記名票據。

一次成功的加密貨幣黑客攻擊就像狂野西部的銀行搶劫一樣，一旦落入小偷手中，錢就消失了。

因此，對于加密貨幣托管人來說，只要犯一個錯誤，資產就會完全消失。

我們還知道，全球加密貨幣犯罪的力量是強大且堅定的。

僅舉一個臭名昭著的例子，朝鮮的 Lazarus Group 黑客團隊據信在過去六年中竊取了價值 30 億美元的加密貨幣，而且沒有任何停止的跡象。

預計第一個交易周流入比特幣 ETF 的資金將超過 60 億美元，這使得這些基金成為主要目標。

如果 Coinbase 最終在其數字金庫中存有數百億比特幣，朝鮮可以輕松組織一次價值 5000 萬美元的行動來竊取這些資金，即使這需要多年時間。

像俄羅斯 Cozy Bear/APT29 組織這樣的威脅參與者也可能會發現，隨著這些資金池變得越來越大（可能會更大），追捕機構加密貨幣越來越有吸引力。

This is the level of threat that major banks prepare for. One widespread model of risk management for financial institutions utilizes three layers of oversight. First, the business management layer designs and implements security practices; second, the risk layer oversees and evaluates those practices; and third, the audit layer makes sure that risk mitigation practices are actually effective.

On top of that, a legacy financial institution will have external auditors and external IT oversight, as well as numerous state and federal regulators looking over their shoulders. Many, many eyes will examine every aspect of risk and security.

But these multiple levels of redundancy and nesting failsafes require one deceptively simple thing: headcount.

During my time as global head of digital assets technology at BNY Mellon, the investment bank had roughly 50,000 employees, of whom around 1,000 – or 2% – were in security roles. Coinbase, even after recent expansion, has fewer than 5,000 employees. BitGo, also a qualified custodian certified by the State of New York and other jurisdictions, has only a few hundred.

This is not to impugn the intentions or skill of any of these organizations or their employees. But real oversight requires redundancy that these new institutions may struggle to provide at a level appropriate for securing tens of billions of dollars in bearer instruments.

See also: Bitcoin ETFs: The Bull Case

Before those numbers get even bigger (and more enticing for the bad guys), it is well past time to refine the cybersecurity standards for qualified custodian designation. Right now, the designation accompanies trust or banking licensing, overseen by state and federal regulators. These are financial regulators largely focused on traditional banking, not cybersecurity experts, and certainly not crypto experts. They understandably focus on balance sheets, legal processes, and other financial operations.

But for crypto custodians, those aren’t the only kinds of oversight that matter, or even necessarily the most important. There are no industry-wide standards for cybersecurity and risk management practices by crypto custodians specifically, meaning that “qualified custodian” status isn’t quite as reassuring as it might sound. That exposes not just investors but an entire nascent sector to opaque risk with potentially dire consequences.

The approval of a cast of bitcoin ETFs is just the latest step in the continued integration of digital assets into the financial system. You don’t have to trust crypto partisans on that prediction – just ask Blackrock, a legacy giant that championed the ETF. As these developments continue, regulators truly interested in investor protection will focus on adapting to this new world: one in which rigorous cybersecurity standards are just as important to financial stability as honest disclosures and financial audits.

熱點：etf 比特幣 比特幣威 特幣