Opening Statement of Commissioner Christy Goldsmith Romero at the Technology Advisory Committee on DeFi, Responsible Artificial Intelligence, Cloud Technology & Cyber Resilience
March 22, 2023
With our nation at the cusp of exciting and challenging technological innovations, it will take a broad representation of stakeholder perspectives to build a safe financial system that harnesses the best of emerging technology while protecting customers and financial stability. As the Commission and others make policy decisions on next generation technology, it is critical that we have a foundational understanding of the technology, and the specific implications for finance and law. For that reason, we have assembled Technology Advisory Committee members who are well-respected experts in the fields of cybersecurity, artificial intelligence, electronic trading, blockchain technology, and digital assets.
For many on the Committee, this will be your first time working with the CFTC, and our mission to promote market integrity, resilience and vibrancy, which includes instituting the safeguards that make responsible innovation possible. We can greatly benefit from your expertise in determining how to ensure our markets are resilient to increasingly-sophisticated cyber attacks, to ensure that any development of digital assets protects customers and market integrity, and to consider how emerging technologies, like artificial intelligence and cloud technology, can be responsibly developed, deployed, and used.
I am exceptionally pleased to introduce TAC’s Chair Carole House from Terranet Ventures, who many of you know from her work at the White House National Security Council as the Director for Cybersecurity and Secure Digital Innovation. Among her many other accomplishments, Chair House was instrumental in authoring the Executive Order on Ensuring Responsible Development of Digital Assets. I am also very pleased to introduce Vice Chair Ari Redbord who is well known for his service at the Department of Justice, Treasury Department, and now at the blockchain intelligence company TRM Labs. I also want to recognize and give thanks to the TAC Designated Federal Officer Tony Biagiolo, Joe Cisewski and Phil Raimondi in my office, and the CFTC staff.
Responsible Artificial Intelligence (AI)
Today we have a panel on responsible AI.
In the context of financial markets, responsible AI involves using AI technologies to improve the efficiency, accuracy, and transparency of financial systems while also ensuring that these technologies are designed and deployed in a way that aligns with the interests of all stakeholders, including investors, customers, and regulators. One key aspect of responsible AI in financial markets is ensuring that AI algorithms are transparent and explainable. This means that the logic and decision-making processes behind AI-driven investment strategies and risk strategies must be easily understandable and auditable by humans. It also means that the data used to train these algorithms must be diverse, unbiased, and representative of the populations they serve.
Another important aspect of responsible AI in financial markets is ensuring that AI technologies are used in a way that minimizes the potential for harm to individuals and communities. This includes guarding against fraud and market manipulation, protecting personal and financial data privacy, and ensuring that AI algorithms do not reinforce or exacerbate existing inequalities and biases in the financial system. Overall, responsible AI in financial markets involves balancing the potential benefits of AI technologies with the need for ethical and transparent decision-making, regulatory compliance, and social responsibility.
Now, I have a confession: That explanation was written word-for-word by ChatGPT, and it seems pretty spot on.
AI is being increasingly employed by exchanges, financial institutions, and throughout our financial system. Today, we are pleased to hear from experts in responsible development, deployment and use of AI. We will hear presentations from Alan Mislove, the Assistant Director for Data and Democracy of the White House Office of Science and Technology Policy, who will present on the Blueprint for an AI Bill of Rights, and from TAC member, IBM fellow, and IBM AI Ethics Global Leader Francesca Rossi.[1] We will also hear about AI-enabled cyber attacks from TAC member Tim Gallagher, Managing Director in the Cyber Risk practice at Kroll, who has a 20 year distinguished career with the Federal Bureau of Investigation that included serving as the Special Agent in Charge (SAC) of the Criminal and Cyber Division in the Washington, D.C. field office and as SAC in Newark, New Jersey.
Decentralized Finance (DeFi)
We look forward to TAC’s deep dive on the rapidly growing decentralized finance (“DeFi”) ecosystem. As regulators and Congress make policy decisions related to DeFi, it is important to have a common foundation in understanding how DeFi works, how decentralized exchanges (DEXs) or other DeFi protocols differ from centralized exchanges, for example, what the indicators of decentralization may be, and how to assess the implications for finance and law.
While DeFi may hold the promise of avoiding some of the vulnerabilities of centralized exchanges, and may hold the possibility for making our financial system more accessible and inclusive, DeFi presents unique challenges, which we will hear about today. One is the foundational issue of accountability. Some say that accountability rests in code, protocols, and smart contracts, or in evolving governance structures. However, organizations may also have varying degrees and areas of centralization that can lead to accountability.
I also hope that industry and regulators alike can agree on the need to prevent illicit finance from money laundering, terrorist financing, and sanctions evasion. This is where the issues of digital identity in the DeFi ecosystem, and beyond, come into play. And there are concerns about cyber vulnerabilities.
Today we are pleased to hear about the DeFi landscape, indicators and issues related to decentralization, digital identity, privacy and unhosted wallets, and exploits and continuing vulnerabilities in crypto markets. We will hear presentations from TAC members, including Chair House, Vice Chair Redbord, Nikos Andrikogiannopoulos, the founder and CEO of Metrika, Jill Gunter, Chief Strategy Officer of Espresso Systems, Michael Shaulov, the founder and CEO of Fireblocks, and Dan Guido, the founder and CEO of Trail of Bits. These voices are expert and experienced; builders and founders focused on blockchain analytics, digital asset and smart contract security, and the frontier of digital identity and privacy.
Cyber Resilience
We also look forward to the panel focusing on promoting cyber resilience to protect our national security, economic prosperity, privacy, and even our way of life. In an increasingly complex threat landscape, including from hostile state actors tied to Russia, China, Iran and North Korea, promoting cyber resilience is critical. The White House, in its National Cybersecurity Strategy (“Strategy”), defined resilience as a state “where cyber incidents and errors have little widespread or lasting impact.”[2] The Strategy states, “A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences.”[3]
Cyber resilience requires planning and preparedness so that organizations are cybersecure by design.
Cyber resilience requires governance and attention from not only the Chief Information Security Officer’s (CISO) office but also the rest of the C-Suite.
Cyber resilience requires reducing vulnerabilities internally (such as zero day or n-day vulnerabilities)[4] and externally with supply chain and other third-party vendors.
Cyber Resilience by Design: Today we will hear from Kevin Stine, Chief of the Applied Cybersecurity Division at the National Institute of Standards and Technology (“NIST”), about NIST’s Cybersecurity Framework, which has been widely used by companies to design their cybersecurity. Executive Order 14028 Improving the Nation’s Cybersecurity (“EO”) directs NIST to issue guidance “identifying practices that enhance the security of the software supply chain.”[5] I look forward to hearing about those efforts, given our highly integrated and interdependent financial system and plethora of service providers—many with their own service providers—a system that can quickly spread cyber attacks across the financial sector.[6] I also note that the EO envisions the Federal Government leading by example through a “Zero Trust Architecture” for federal networks.[7] Some of our registered entities have moved to a zero trust framework, moving away from a perimeter defense framework.
Cyber Incident Response: TAC member Todd Conklin, who serves as the Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection at the Department of Treasury, will present on cyber incident response. DAS Conklin will discuss lessons learned from the recent ransomware attack on ION Markets, which impacted derivatives markets.
Cloud Technology: With greater use of cloud-based technology within companies and their third-party service providers, we are pleased to hear Deputy Assistant Secretary Conklin’s presentation today about the financial sector’s use of cloud services.[8] In February, Treasury released a report on the potential benefits and challenges associated with the increasing trend of financial sector firms adopting cloud services technology.[9] Treasury’s report cites to a 2021 ABA survey that found that more than 90 percent of surveyed banks maintained some data, applications or operations in the cloud.[10] Treasury’s report also found that “large investment advisors, investment companies, and broker-dealers are adopting cloud computing services,” and that technology service providers that provide core banking and trading software services to financial institutions also are turning to cloud services.[11] In the derivatives markets, some critical infrastructure, like our largest exchanges and clearinghouses, are considering migrations to the cloud.
I am pleased that these federal agencies are here to present because coordination among federal regulators and harmonization of federal requirements is crucial to cyber resilience. We are more resilient when we work together both within the government, and with the private sector. The goal of the White House in recently announcing its National Cybersecurity Strategy is a “defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.” If we can achieve those goals, we will be shifting our nation to cyber offense, while keeping our cyber defense strong.
I am honored to sponsor this tremendous group on the Technology Advisory Committee, and I thank you for your public service.
[1] White House Office of Science and Technology Policy, Blueprint for an AI Bill of Rights (Oct. 4, 2022).
[2] White House, Biden-Harris Administration Announces National Cybersecurity Strategy (March 2, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.
[3] Id (Discussing rebalancing the responsibility to defend cyberspace by asking more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient.).
[4] For example, the National Cybersecurity Strategy discusses, “Too often, we are layering new functionality and technology onto already intricate and brittle systems at the expense of security and resilience.” See Id.
[5] Executive Order 14028 of May 12, 2021, Improving the Nation’s Cybersecurity, 86 Fed. Reg. 26633, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ (“The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”).
[6] See Department of Treasury, The Financial Services Sector’s Adoption of Cloud Services, (Feb. 8, 2023), https://home.treasury.gov/news/press-releases/jy1252 (This includes through what is known as “nth party” dependencies, that create indirect dependencies for financial firms.).
[7] See Id (“Zero trust is a security model that assumes threats exist inside and outside of network boundaries, continuously scans for anomalous or malicious activity, and limits access to only what is necessary to perform required jobs and protect data in real-time.”). E.O. 14028 also discusses the Federal government’s movement to secure cloud services.
[8] Department of Treasury, The Financial Services Sector’s Adoption of Cloud Services, (Feb. 8, 2023), https://home.treasury.gov/news/press-releases/jy1252 (“Cloud computing is a substantial proportion of the worldwide IT market, consisting of hardware, software, data centers, networking, and numerous other products and services. According to Gartner, a technological research and consulting firm, public cloud services [available to the general public] spending grew from $220 billion in 2016 to $411 billion in 2021, and it is estimated to reach nearly $600 billion in 2023. Surveys of Chief Information Officers (CIOs) confirm that a substantial and growing proportion of IT spending at enterprise organizations is dedicated to public cloud services. One recent survey indicates 72 percent of CIO respondents expect their organization to increase their public cloud spending over next year, while 49 percent expect to increase their private cloud and on-premises spending.”).
[9] See Id.
[10] See Id.
[11] See Id.