Digital trust hasn’t delivered. In fact, digital trust, blockchains, even Zero Trust – which is a concept, not a product – turned out to be less than trustworthy. The reason? We couldn’t get humans out of the equation. What we got was more complexity, less understanding and centralization instead of the expected democratization – more power in fewer hands.
Crypto and blockchain were expected to liberate the world from an ancient financial system controlled by governments and big banks. Unbreakable, transparent digital trust would eliminate the need for expensive and slow proxies – trusted middlemen like banks, agents, brokers. The age of do-it-yourself finance was imminent – and a vast improvement: Fast, cheap, transparent, reliable, unbreakable. Chains of digital, perfect trust void of (unreliable) humans.
Similar thinking found a welcoming market in cyber security. Zero trust was the obvious solution. Get the weak links (people) out of the equation and we’re all set. It worked in the sense that security improved – for some – but didn’t deliver the big-time revolution the experts and pundits promised.
What happened? What did we miss? What went wrong? What have we learned? The answers are surprisingly simple: We underestimated the role of people: After all, people trust people (and institutions/companies) more easily than we trust technology and mechanisms we don’t understand. We also underestimated the nature of people: When we don’t understand, we go to those who do – the experts. Introducing digital trust sounds great but most of us don’t understand it and look for help from someone who does. Meaning we just moved our trust from one set of experts to another. A new set of brokers.
And finally, we underestimated the complexity of and the resources required to build a (more or less universal) digital trust infrastructure. For example, the original blockchain delivered perfect digital trust, but didn’t scale. The simplified variants (many of which are in commercial use today) fixed the problem in various ways – and introduced big holes in the perfect security. Fancy presentations focused on the ‘look how simple it is’ and ignored the resource factor, assuming that big Internet resources are somehow free. They were – sometimes, but never for long – as we’ve noticed while drowning in digital advertising – or monthly charges.
So – instead of simplifying life, eliminating borders, reducing cost and a lot more, often summarized as ‘democratizing the world’, we ended up transferring trust to a new set of people and a new set of ‘institutions’: Global mega companies. So big, so rich, so powerful and so out of control. The exact opposite of the initial ideas and intentions. Improvement? No way. The world is in many ways worse off than ever. The old system was badly outdated but governed by checks and balances that enabled controlled (and controllable) trust. The replacement has better mechanisms, is (potentially) much faster but out of control and not trustworthy.
On the security front Zero Trust failed in a different but still similar way. The concept of Zero Trust as defined by Google’s engineers was (and is) brilliant and works great – in confined environments. Zero trust has improved cyber security regimes in many ways, most of them out of sight. Smart mechanisms and new thinking eliminated weaknesses, exposures and dependencies in networks and datacenters all over the world. How can such an apparent success become a disaster? Just give it to the marketing people. Not a new experience by any means, but an interesting one nevertheless.
When the marketing departments in big and small cyber security companies discovered Zero Trust they saw a catchy term with a trustworthy (!) reference – Google. So they redefined the term and started pushing Zero Trust products, claiming to have ‘productized’ the concept. Pure BS, but they got away with it for quite some time, pushing messages like ‘with this product platform, you eliminate people and thus exposure – zero trust gives you perfect security’ – or something to that effect. Hogwash to real security experts, but they got away with it for many years – until the customers figured out the obvious: You still need trustworthy people to install, manage and control the mechanisms. Or – even simpler: You cannot get people out of the equation. Believing that you can means you don’t understand the issues, the threats and the challenges. That’s bad for security and cyber defences.
One would think that the world had learned from these (ongoing) experiences, but it doesn’t look that way. These days we’re heading – head over heels – into a new nightmare with large language models (LLMs), aka AI or ChatBots. These impressive tools (totally out of control, but that’s a different story) are being hyped as the next wave of technological development, and may be just that, but guess what: They’re controlled by a few large global companies – simply because creating and running them requires BIG resources – as interestingly discussed by Clive Thompson in this article on Medium.com. Yes, you can create a Large Language Model – a mini-ChatGPT – on a Raspberry Pi with impressive capabilities, but it’s very much a ‘mini’ compared to the big ones. Useful and important, but the big ones own the attention, the market and – ironically in this context – the trust.
Apologies for the digression, and here’s the point: We don’t seem to learn. Or maybe the forgetting curve is becoming steeper. Even worse – we’re forgetting to think, reflect. So eager to not miss a bandwagon that we jump on it because everyone else seems to be doing it, not because we made a conscious decision.
My main point though is about trust, and what we (hopefully) have learned when we tried to replace ‘people-trust’ with ‘digital trust’ and failed. We failed not because digital trust and/or zero trust are bad things, but because they’re different. They’re augmentative, not fundamental. They’re important but they don’t replace people-trust. We need both, and people-trust is fundamental.
The takeaway is something we knew, but seemingly ignored or forgot: Trust is the foundation of any society – from couples and families to corporations and countries and international organizations. Some trust can be ‘outsourced’ (delegated, automated) to mechanisms, procedures, systems, technology etc., which enables complex societies to function. But in order to evolve and prosper, a society of any size must accommodate accountability, responsibility, respect and trust – people-trust.
If we remember that, zero trust, digital trust and all kinds of augmentative technologies will be enablers, sometimes revolutionary forces.