In 1999, Harvard Law professor Lawrence Lessig wrote in Code and Other Laws of Cyberspace that code is law. His writing nearly two decades ago was inspired by the US Digital Millennium Copyright Act (DMCA), but in reviewing his work today as we sit on the cusp of a blockchain revolution, it’s easy to see it as nothing short of prescient.
Smart contracts are simply computer code that is designed to automatically negotiate, verify, and/or enforce contractual terms; so quite literally, the code is the contractual “law” that dictates behaviors. The intersection of smart contracts and other burgeoning technologies can be quite profound. For example, if you were looking to lease an apartment, you could identify the terms around which you would accept a lease. A software agent could search a housing marketplace for monthly rent, deposits, apartment features and other criteria. The apartment complex could similarly advertise its conditions and apartment features.
When a match is made, you could automatically accept the terms and conditions and enter into a contract. A software “key” could be issued to your smartphone that grants you access to the apartment via a Bluetooth- and IoT-enabled lock. Further, if you fail to meet the terms of the lease (such as missing a payment), the smart contract could trigger the lock to disable access for you. This kind of hyper-efficiency can accelerate marketplaces everywhere.
The confidentiality and availability implications of such a configuration are legion, but I want to focus on integrity for this post. The convenience and the risk of smart contracts both have a lot to do with the automatic commitment. So long as you are able to articulate your criteria sufficiently and completely, there should be no concerns. However, anyone who has spent any time at all doing software development knows that complete business requirements prior to the start of a project are a rare occurrence. As a result, it is incumbent on risk professionals to ensure that any smart contract vehicle has been reviewed by all the stakeholders (especially attorneys) to ensure their requirements are properly codified.
But after that, how do we ensure that the code pushed out into the marketplace is what was approved by the stakeholders? We would not want to find out that despite having stakeholder reviews and approvals in place, the contract to which we are bound is not what was agreed upon. Software- and hardware-based integrity checking methods must be employed to ensure end-to-end consistency of the contract code.
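One concrete way to close the gap between "what the stakeholders approved" and "what is deployed" is to record a cryptographic digest of the approved contract artifact in a signed approval manifest, then re-hash whatever is actually deployed and compare. The following is an added illustration, not code from the post or from any particular blockchain platform: it uses an HMAC with a shared key as a stand-in for the stakeholders' signatures (a real release process would use asymmetric signing keys held by the approvers), and the "bytecode" strings, contract id and approver names are constructed sample values.

```python
import hashlib
import hmac
import json

# Hypothetical approval key held by release control. Constructed for this
# example only; a production process would use per-approver signing keys.
APPROVAL_KEY = b"constructed-demo-key-do-not-use"


def bytecode_digest(bytecode: bytes) -> str:
    """SHA-256 of the exact artifact the stakeholders reviewed."""
    return hashlib.sha256(bytecode).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the tag covers the same bytes every time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(contract_id: str, approved_bytecode: bytes,
                   approvers: list, key: bytes = APPROVAL_KEY) -> dict:
    """Record the approved artifact's digest and who signed off on it."""
    body = {
        "contract_id": contract_id,
        "bytecode_sha256": bytecode_digest(approved_bytecode),
        "approvers": sorted(approvers),
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_deployment(manifest: dict, deployed_bytecode: bytes,
                      key: bytes = APPROVAL_KEY):
    """Return (ok, reason). Checks the approval record first, then the code."""
    expected_tag = hmac.new(key, _canonical(manifest["body"]),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest tag invalid: approval record was altered"
    if not manifest["body"]["approvers"]:
        return False, "no stakeholder approvals recorded"
    actual = bytecode_digest(deployed_bytecode)
    if not hmac.compare_digest(actual, manifest["body"]["bytecode_sha256"]):
        return False, "deployed bytecode does not match the approved artifact"
    return True, "deployed code matches the stakeholder-approved artifact"


# Constructed sample artifacts: stand-ins for compiled contract bytecode.
APPROVED = b"LEASE_CONTRACT v1: rent=1500; late_fee=50; lock_disable_after_days=10"
TAMPERED = b"LEASE_CONTRACT v1: rent=1500; late_fee=50; lock_disable_after_days=1"


def demo():
    """Exercise the three cases: clean deploy, altered code, altered manifest."""
    manifest = build_manifest("lease-unit-4B", APPROVED, ["legal", "product", "risk"])
    ok_good, _ = verify_deployment(manifest, APPROVED)
    ok_bad, _ = verify_deployment(manifest, TAMPERED)
    # An attacker who swaps the code and edits the recorded digest, but cannot
    # re-sign the manifest, is still caught by the tag check.
    forged = {
        "body": dict(manifest["body"], bytecode_sha256=bytecode_digest(TAMPERED)),
        "tag": manifest["tag"],
    }
    ok_forged, _ = verify_deployment(forged, TAMPERED)
    return ok_good, ok_bad, ok_forged


if __name__ == "__main__":
    print(demo())
```

Run the verification at deployment time and again on a schedule against the on-chain or marketplace copy; the point is that the comparison is made against the artifact the stakeholders actually reviewed, not against whatever the build server produced later.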
Lastly, when combined with IoT technology like in the above example, one must be sure of the terms and conditions in the code, and that they are consistent with the enforcement actions being taken. Residents would not want to find themselves locked out of their apartment despite having met all the requirements of occupancy. Technology is not infallible, and human overrides will be necessary to ensure customer service levels are in line with business goals.
Smart contracts will undoubtedly usher in an era of highly efficient marketplaces enabled by code that meets the conditions of both parties. Such technology can reduce sourcing costs for firms and increase the reach of many smaller organizations. Surely the risk of not participating in these marketplaces outweighs any concerns, yet as risk professionals, it is incumbent upon us to ensure that our firms have controls in place to successfully mitigate risk to acceptable levels, and pave the way for game-changing impacts that smart contracts will bring to our marketplaces.
Author’s note: Jack Freund, Ph.D., CISA, CISM, CRISC, is Sr. Manager, Cyber Risk Framework for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, and IAPP Fellow of Information Privacy.