Naoris Protocol is the Decentralized CyberSecurity Mesh that protects devices across the digital world from cyber threats and associated risks while enforcing CyberSecurity standards backed by everyone.
The protocol increases cybersecurity levels across every sector of the economy by converting any network's infrastructure into nodes. This secures the baseline by decentralizing the transfer of data and reducing single points of failure. Centralized databases are susceptible to hacking and potential exploits by hackers. A single point of failure is the critical weakness of a centralized database, whereas a distributed database network is comparatively more secure than a centralized database management system.
Vested Interest Disclosure: The author is an independent contributor publishing via our
Ishan Pandey: Hi David, welcome to our series “Behind the Startup.” Please tell us about yourself and the story behind Naoris Protocol?
David Carvalho: Hi Ishan, thank you so much for inviting me to this wonderful initiative. I am the Founder, CEO and Chief Scientist for Naoris Protocol, the first Distributed AI and Blockchain-based CyberSecurity Mesh solution, which has had the backing since the very beginning of the Former Chairman of the NATO/OTAN Intelligence Committee. I have been an ethical hacker for over 20 years and the youngest Global CISO in the EU, advising several Nation States and Critical Infrastructures on critical matters of Cyber-war, Cyber-terrorism and Cyber-espionage. I have been in the crypto space since 2009 as a miner and early adopter of POS/POW-based projects and since 2013 as an investor. I’m also involved in several initiatives and cybersecurity-related innovations in Academia with various Universities in the EU and research in the areas of Blockchain and Cyber.
Some years ago in Oslo, Norway, we attended a private high-level meeting, where the former Chairman of NATO/OTAN Intelligence Committee Kjell Grandhagen was present, among other important people in the space, and an idea was floated that perhaps the way forward would be to use blockchains and smart contracts to do CyberSecurity better. Kjell instantly understood the importance and possibility of using Blockchain to help solve one of the biggest problems in technology.
Here’s Kjell Grandhagen’s quote - “The centralized model where the hacking of a single device that could compromise an entire network is categorically flawed. This needs to change. We don’t need to play a better game against cyber-criminals. We need to play a different game. With Naoris Protocol, there is no single point of failure, central database, or middleman that can potentially be a source for leaked or compromised data. Naoris Protocol uses consensual Blockchain technology that links network devices ‘as blocks on a chain’ so that no single end-point or terminal exists in a silo.”
In 2018, Naoris Protocol was conceived as an R&D project to research how Blockchain, AI, and data science advancements can provide an alternative approach to traditional cybersecurity with various universities and other organizations. Since then, we have been researching companies and regulators in critical spaces, and it’s clear they want to mitigate more risks than they can with centralized tools.
Naoris Protocol has been the winner or finalist in numerous top innovation and company accelerators since 2018, when Naoris was an R&D project that started to deep-validate the concept, its ideation, technology, and use cases.
Since that time, Naoris Protocol has matured heavily and completed successfully with honours a number of highly regarded and hyper-validated accelerators in real-world settings and has achieved deployments and proof of concepts in highly regulated spaces and critical environments with various multibillion-dollar companies in the areas of Highly Regulated International Banking, Healthcare, Critical Industry/OT and Smart Cities.
Ishan Pandey: Please tell us a little bit about Naoris Protocol and the Distributed Proof of Security (dPoSec)?
David Carvalho: Naoris Protocol’s utility use case is too critical to operate on a general-purpose blockchain or consensus mechanism as we know it. A complete separation or air gap from general-purpose chains is required to meet best-practice and cyber operational design in order to maintain current and future assurance of our non-negotiable cybersecurity principles.
Naoris Protocol’s dPoSec consensus is uniquely poised to deal with such environments across the internet to enable network devices to serve as cyber secure validators within a Decentralized CyberSecurity Mesh. It’s also a defaulted secure baseline for an extended trusted defence approach. All validators under it create a distributed blockchain-based security environment focusing on network growth, wider adoption, and network effect. Every device will continually validate every other device, bringing trust to all devices, and securing the baseline layer is good through consensus. This also helps to reduce risk from all other aspects of the network and operational processes in a P2P format.
Every device acts as a watchdog for every other device, making them act in synchronous harmony. Therefore, this will create a distributed supercomputer of trust. Core drivers for dPoSec:
Core use case is Security & Trust
Use case is too critical to be on a general-purpose blockchain
Typical L2s are focused on smart contracts data and regular monetary transactions
Complete separation from general chains because of cybersecurity principles
The Naoris Protocol software daemon embedded on each device requires a direct blockchain connection because of the core critical use case (no third parties)
Must be separated to not inherit existing risks or TPS problems
David Carvalho: The failure of risk management will often result in systematic failure. The executive team has to understand the risks, credit cycles, macroeconomic factors like inflation, and the volatile crypto markets and have prepared mitigation strategies. Many financial mechanisms with high rewards structures are unsustainable in the long term, but these solutions are beautiful to the public.
Ishan Pandey: Web3 will return ownership of data to the user, unlike traditional web companies that use your data for their ulterior motives. According to you, how can Web3 leverage this situation in terms of promoting data privacy?
David Carvalho: I think we are not quite there yet, as there is the missing element of trust that should fundamentally connect the web2 and web3 infrastructure. Even as we build web3, by default, Web3 inherits the weaknesses and vulnerabilities of Web2, which is what Naoris Protocol is addressing. We see the missing link and predict that new technologies will emerge to connect the two. Web3 companies need to prioritise security by design principles, including privacy, implementing best practices like security pen testing, audits, and cybersecurity as an Olympic minimum. This is the only way to increase the potential of widespread adoption of web3.
Ishan Pandey: What are your views on the bankruptcy filing for Voyager Digital?
David Carvalho: Voyager Digital suffered through the 3AC liquidation. Crypto is still considered a precarious investment because most people, whether they are retail investors or CEOs / executives of companies, tend to follow the hype and clever marketing. Risk analysis and proper due diligence have been missing in the space. These things are changing as the market matures. All we can do is learn from our mistakes and create safer validated environments moving forward for investors and early adopters while understanding that only innovations are valuable, not me-too approaches.
Ishan Pandey: Cyber attacks are becoming more and more commonplace, motivated by the nefarious desire to exploit a vulnerability or breach in a system or person of any business or organisation. What are your thoughts on the current predicament of the crypto ecosystem pursuant to rampant cybersecurity breaches?
David Carvalho: Very frankly, what’s driving this sort of cyber risk higher is that the threat actors are just very aware that web3 is cryptographically resilient, so it makes no sense to attack there (while it is possible, it’s harder), but its soft underbelly lies in three main areas that are single points of failure and allow an immediate check-mate.
1 - The systems where Web3 runs that are all Web2;
2 - The complexity of their infrastructure (Multiple clouds, multiple servers, multiple operating systems, a huge amount of web2 processes and services that support them); and
3 - The lax assurance of trust and security standards of processes around them in a Web2 environment.
The complexity and risks of underlying systems that are serving the Web3 content are astounding, be it Layer 1, 2, 3 or Bridges or Oracles, Relays, Wallets etc. These Web2 Systems that are in the cloud or that are local servers that can have an infinitude of vulnerabilities that the threat actors look for and want to exploit to have access to the infrastructure can be leveraged to take control of Web3 processes or environments (be it by subverting accesses through malicious code, or exploiting a vulnerability that allows the attacker to launch a malicious smart contract that wipes the wallets of a project, stealing hundreds of millions from a supposedly trusted device, or other methods like exploiting the lack of a patch at the operating system level that led to the stealing of private keys (a Web2-based attack that led to a Web3 disaster of 100m plus on Harmony Protocol just on the 24th of June)), are all real and, the fact of the matter is, the attacker knows that every single system under a Web2 scheme is a Single Point of Failure to the whole Web3 service and infrastructure and he will exploit this fact.
Using Web3 to do security in Web2 is the way; cryptographically, in Web3 there is no check-mate. This is what Naoris Protocol does and enforces. So, if the threat actor subverts one system, he can move laterally and initiate the ‘KILL CHAIN’ against the whole infrastructure of systems and what they serve - a bridge or a protocol - or is allowed to launch smart contracts with keys stored on these devices, services and processes that support the Bridge or the Layer 1 etc.
All these risks and vulnerabilities are inherited into Web3, and the threat actors understand that smart contracts online are basically close to clear text code that is live and that is asked to be pen-tested live as well. So in high criticality areas in the Web2 world, like banks, national infrastructure, etc., normally there are certain standards and processes that are enforced within the software development life cycle that enforce security and that allow for the discovery, for example, of code vulnerabilities before the code is posted for production. Also, traditional development means have built-in obfuscation techniques that smart contracts don’t possess, as the code is available to anyone to review and operate from, and while this is advantageous for trust reasons, it’s not as good for security reasons as it offers a high opportunity for attackers to abuse certain mistakes or bugs in the code, leading to potentially millions being lost.
This is not the fault of the space; it is a byproduct of a booming space and a space that needs certain standards to be adopted and enforced. The problem is not the DeFi space or the blockchain areas in the general direction. The problem is the lack of enforceable process that exists and the lack of decentralized consensus-based enforcement tools to do this properly within the current dev process. Naoris Protocol enforces across the whole infrastructure under a dedicated cyber-trust-based consensus that only secure systems can push code and only safe code can be pushed. Anything else is reported to the network owners as risky under consensus and blocked. The more devices on the network, the more resilient to such threats it becomes, instead of becoming riskier.
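The two ideas in the answers above, that every device continually validates every other device, and that only a device in a trusted state may push code and only approved code may be pushed, can be illustrated with a small simulation. The following is an added example written for this page; it is not Naoris Protocol code and does not model the dPoSec consensus itself. The baseline values, device names, the strict-majority rule and the "approved code hash" allow-list are all constructed assumptions for the demonstration.

```python
"""Toy peer cross-validation mesh (illustrative, not Naoris Protocol code).

Every device can measure a peer's real software state and compare its
fingerprint with an approved baseline. A device is 'trusted' only while a
strict majority of its peers agree it matches the baseline, and a code push is
allowed only from a trusted device and only for an approved artifact. A
compromised device that lies about itself is caught because peers measure it
directly; a single lying observer is outvoted.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


def fingerprint(state: dict) -> str:
    """Deterministic SHA-256 over a sorted key=value rendering of a state dict."""
    canon = "|".join(f"{k}={state[k]}" for k in sorted(state))
    return hashlib.sha256(canon.encode()).hexdigest()


# Constructed approved baseline every device on the mesh should match (hypothetical values).
BASELINE = {"os_patch_level": "2022-06", "agent_version": "1.4.2", "sshd_config": "hardened"}
BASELINE_FP = fingerprint(BASELINE)


@dataclass
class Device:
    name: str
    actual: dict            # what is really installed: the thing a peer can measure
    claimed_fp: str         # what the device reports about itself (may be a lie)
    honest_observer: bool = True

    def observe(self, peer: "Device") -> str:
        """Attest a peer's real state. A dishonest observer vouches for everyone."""
        if not self.honest_observer:
            return BASELINE_FP
        return fingerprint(peer.actual)


def consensus_status(mesh: dict, target_name: str) -> dict:
    """Ask every other device to attest the target; strict majority decides."""
    target = mesh[target_name]
    votes = Counter()
    for peer in mesh.values():
        if peer.name == target_name:
            continue
        observed = peer.observe(target)
        votes["trusted" if observed == BASELINE_FP else "untrusted"] += 1
    quorum = len(mesh) - 1
    trusted = votes["trusted"] * 2 > quorum
    self_report_ok = target.claimed_fp == BASELINE_FP
    return {
        "device": target_name,
        "trusted": trusted,
        "votes": dict(votes),
        # True when the device claims to be clean but its peers disagree
        "self_report_contradicted": self_report_ok and not trusted,
    }


def authorize_push(mesh: dict, pusher: str, code: bytes, approved_hashes: set) -> dict:
    """Allow a code push only from a peer-validated device and only for approved code."""
    status = consensus_status(mesh, pusher)
    code_hash = hashlib.sha256(code).hexdigest()
    if not status["trusted"]:
        return {"allowed": False, "reason": "pusher failed peer consensus", "report": status}
    if code_hash not in approved_hashes:
        return {"allowed": False, "reason": "code hash not approved", "code_hash": code_hash}
    return {"allowed": True, "code_hash": code_hash}


def build_demo_mesh() -> dict:
    """Constructed five-device mesh: one compromised device, one dishonest observer."""
    healthy = dict(BASELINE)
    stale = dict(BASELINE, os_patch_level="2021-11")   # missing patch, claims to be clean
    devices = [
        Device("build-01", healthy, BASELINE_FP),
        Device("ci-02", healthy, BASELINE_FP),
        Device("db-03", stale, BASELINE_FP),               # lies about its own state
        Device("edge-04", healthy, BASELINE_FP, honest_observer=False),
        Device("vault-05", healthy, BASELINE_FP),
    ]
    return {d.name: d for d in devices}


# Constructed sample artifact and its allow-list entry.
APPROVED_CODE = b"deploy v1.4.2  # constructed sample artifact"
APPROVED_HASHES = {hashlib.sha256(APPROVED_CODE).hexdigest()}
MESH = build_demo_mesh()

if __name__ == "__main__":
    for name in MESH:
        print(consensus_status(MESH, name))
    print(authorize_push(MESH, "db-03", APPROVED_CODE, APPROVED_HASHES))
    print(authorize_push(MESH, "build-01", APPROVED_CODE, APPROVED_HASHES))
    print(authorize_push(MESH, "build-01", b"unreviewed hotfix", APPROVED_HASHES))
```

Running it shows db-03 marked untrusted by a 3-to-1 vote despite claiming the baseline fingerprint, so its push is refused and the contradiction is reported; build-01 may push the approved artifact but not an unapproved one. The single dishonest observer (edge-04) cannot flip the outcome because a strict majority of peers is required.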
Ishan Pandey: Beanstalk Farms, a decentralized finance project, was hit by one of the biggest flash-loan scams, driving its price down. From a regulatory standpoint, what changes need to be introduced within the DeFi space to curb such events in the future?
David Carvalho: The technology will always be faster than the regulator's capabilities to catch up and understand it. There are many Web3 initiatives which try to provide a deeper review and due diligence for projects, founders, and teams. I fully support these activities and believe this is the way to go forward until we see stricter regulations around crypto projects. There should be a Moody's of trust for DeFi projects and any large companies to increase verifiable and provable transparency. The Naoris Protocol can allow regulators to ensure that projects are following their SLAs and are doing best practices in standardisation and best practices as defined by regulators without having to send in a yearly auditor.
David Carvalho: The blockchain provides trust between all participants, allowing everyone to view the changes and history of transactions, thus diminishing the need for a middle man. Humanity is moving fully into a further decentralized way of living, using an enormous number of devices and sharing data without physical contact or needing to be in place to transact.
I will take the risk and predict that we will use blockchain more in payments, e-commerce, the car industry, shipping, robotics, critical infrastructure, healthcare, smart cities, government technology, regulatory spaces, borders, identity, mobile devices and even in defence command and control, as the need for an all-encompassing security paradigm based on P2P across disparate networks increases drastically. Smart devices/IoT are being adopted in higher and higher numbers without any controls, and demands for data privacy and provable ownership gain traction.
If well developed and deployed, blockchain technology innovations are poised to create a safer digital space for everyone while establishing trust between people and machines where there was none possible before while making them active participants under consensus, rewarding the whole ecosystem.