Decentralized Futures - Research for a Security Governance Framework

Research for a proposal to design and implement a Polkadot Network security framework by Talaria

TL;DR

(This text is a synthesis of the whole project document; you can find the full version, 20+ pages, here)

In the current political status of the Polkadot network, and given the governance discussions and challenges that the current system has, our proposal to the Decentralized Futures program aims to conduct thorough, comprehensive and analytical research (both academic and empirical) to facilitate the introduction of a governance system - a security governance framework - with the concrete objective of reducing the overall risk for Polkadot, its participants and its operations. The character of this research is novel and innovative, being one of the first research efforts combining cybersecurity and digital governance on DAOs.

Decentralized doesn’t mean structureless: introducing and implementing political entity/ies that can help to provide direction, strategy, guidelines, resource management and other benefits, while having their mechanisms and checks and balances implemented on chain to be transparent and accountable, will elevate the overall security of the Polkadot Ecosystem - at all its levels.

This research will help in collecting information and insights to achieve the implementation of the mentioned framework from sources like OpenGov itself, OSINT techniques, published papers, interviews with active actors in the Polkadot ecosystem and external agents, other governance frameworks both in web3 and in traditional decision-making systems, but also participative activities like workshops or discussion panels, to ensure an open and effective feedback loop between researchers and the community, informing a robust and scientific methodology. The possible outcome that the research concludes this framework should not be implemented is also considered a positive result of the project.

As a desired side effect, the research aims to increase awareness about the overall security posture (beyond the code) of the ecosystem as whole. This awareness can help individuals, projects and the ecosystem to improve their security posture.

After the conclusion of the project, the Polkadot ecosystem will have at hand an entire and comprehensive collection of datasets, transcribed and analyzed interviews, results of workshops and other engagement processes and, finally, an actionable proposal or set of proposals that could inform ecosystem members of the possible and/or potential entities and technical implementation for this security framework. These materials can at any point be used to inform further innovation in governance in the Polkadot ecosystem.

Summarizing, the lack of open source research or development on security-centered thematic DAO structures and their implementation, and the potential use case for a security framework for the Polkadot ecosystem, point to a gap that this project aims to fill: in a world where digital governance is on the rise, how can cybersecurity become a strategic issue?

This is a proposal by Inês and Daniel, ex-Parity Security Team members. You can find us on Matrix at: @ines.nw:matrix.org and @wabkebab:matrix.org

Problem Identification

  • There is no overall conversation among the Polkadot network participants about cybersecurity or overall threats to the ecosystem (individual or collective), outside security concerns of the protocol and code itself.
  • As security has not been identified as a crucial support function for the space, there is a lack of prioritization in resources. Projects focus on delivering, but not always on delivering securely.
  • Although widely adopted, digital governance is in its infancy, and there is a lack of research on cybersecurity-focused governance structures.

Further, the following points - consider them as an interconnected mesh of concepts connected by links of different weight, instead of a list - are specific information security governance challenges (and some overall governance and meta-security ones) faced by the Polkadot network:

  • Lack of strategic overview: Some business functions, security included, have no general roadmap, milestones, direction or guidance for the Polkadot network’s next steps or evolution.
  • Fog of War and streetlight effect: As there is no high-level collective vision, security initiatives work bottom-up with limited scope and reach and no optimization of synergies. There is no identified pool of missions or tasks to advance the ecosystem in a certain direction or approach.
  • Need-to-Know approach vs infinite game paradigm challenge: The challenge between the safeguarding of critical interdependent security information of the project(s) and the underlying context of an open-ended ecosystem (no known players, no known rules, infinite timeframe). This key point will become more crucial with the planned future developments of Polkadot.
  • Short-effect approach: Some actions tend to be temporary patches instead of a long-term strategy.
  • There is no governance without administration: Reduced pan-project information sources create difficulties in priority identification, decision making and impact of previous proposals.
  • Common funding, collective exposure: Treasury funded projects have no security requirements.
  • Bounties are trapped in chicken-and-egg paradoxes: In general, Bounties work over specific areas of concern, but do not have specific tasks or missions (to identify tasks, an overall vision is needed).
  • Bounties are closed decision spaces: Introduced to provide agility on decision making on their specific areas of concern, they lack the necessary checks and balances - beyond technical, on their design - to avoid power concentration, with the risk of introducing factors like malfeasance, patronage networks or favoritism. Bounties are sovereign.
  • No Security Culture: Little security information or culture among voters - even key voters. The participative OpenGov voting system extends decision power over every proposal to every voter, but this could become an issue as voters could lack understanding or information on what they are voting on.
  • The Tragedy of the Commons: Little accountability on voters regarding their decisions when dealing with a common and mission critical shared pool of financial resources and worldwide prestige on the web3 sphere.
  • Everyone is fighting their own war: Transversal initiatives are very few.

Our proposed solution

Through listening to the community, analyzing the technical possibilities in the ecosystem, consulting with experts and academic research, the project aims at:

  • Facilitating the setup of a decentralized, transparent security governance framework and its on-chain governing mechanisms that is resilient, robust, sustainable, inclusive and representative of the ecosystem. This body’s (or bodies’) function could include, but not be limited to:
    • Compiling a list of security practices in a workable format that ensures that all projects in the ecosystem can follow the same security standards at a minimum
    • Defining gradual thresholds adequate to the risk assessment of each project, effectively creating a collaborative security culture in the ecosystem that will allow smaller projects to profit from larger projects’ experience and elevate the security status of the ecosystem as a whole.
    • Designing a system of incentives to make progress towards a more secure ecosystem sustainable, for example by integrating the raising of security standards into the attribution of grants and funds from the treasury, with the overall objective of converging projects towards a less exposed status.
    • Identifying more immediate, non-structural gaps in the security landscape and ensuring the most adequate solutions to close those gaps.
    • Establishing processes to manage ecosystem-level resources (tools, processes, persons) to elevate the security posture of the ecosystem.
  • Increase the debate and overall conversation related to security practices in different levels, in order to achieve an improved security culture in the space that will benefit the network, projects and participants alike.
  • Increase the governance-related resources the Polkadot ecosystem has to evaluate current and desired governance models.

Project Goals

After the conclusion of the project, the Polkadot ecosystem will have:

  • a final actionable report that could be used to inform a proposal (or series of proposals) to be amended, ratified, technically implemented on existing code or used as a guide to develop the technical implementation needed, voted on and, finally, enacted.
  • increased awareness at an individual, project and ecosystem level of its current status, threats, risks and exposures, in a holistic approach. Nevertheless, sensitive information will be protected to avoid adversarial attacks leveraging the research.
  • a wider and valuable open source and research community input on a specific topic involving governance and information security.

Specifically, it will produce the following deliverables:

  • Simple website with all documentation of the project
  • Research methods description for future reference
  • Periodic project status reports at events, followed by discussions both offline and online (townhalls, …)
  • All auxiliary material produced, like templates, quizzes, workshop support material, etc.
  • In person engagement events as discussion panels, keynotes and workshops about the topic.
  • Regular forum posts providing info and updates about milestones
  • Code in GitHub for any tool that might be needed to gather data
  • Final actionable report with political and technical outcome proposal

(All published content and data will be released on open licenses and/or open workable formats.)

To achieve these deliverables, data-driven research, consultation of academic and other texts, interviews with internal and external agents, live engagement workshops and discussion panels and other robust methodologies from the social sciences will be used.

The scope of the reach of the information security framework is to be decided by the active actors and participants, but as the authors of these lines could imagine it, this framework could change the way many participants (projects or individuals) interact with the network and their own projects, the community, the technology, the treasury and the referenda system and with other ecosystem members or entities. How it will change it and its relation with the existing governance model (OpenGov) is to be discovered and determined during the research.

On a technical level, a successful implementation of this framework over the already existing Collectives Pallet can also lead other business functions to express interest in developing their own particular framework and/or be influenced by the results of this project.

In the same vein, other Polkadot ecosystem players have identified the need for academic governance research.

Who benefits from this project?

Our audience is multilayered and spans over different populations:

  • Governance and security related agents in the Ecosystem
  • Polkadot Ecosystem and its projects
  • Governance and Security interested researchers
  • Open Source Community / Anyone else interested in the topic

This research can complement some existing projects (both in the areas of interest, governance and security) that are not the same but that can positively overlap in some topics:

  • OpenGov.Watch
  • Polkadot Assurance Legion
  • Parity Security Posts on Polkadot Forum.

Our research project collects information and insights for the ecosystem participants (including the projects named before) to help implement a governance system in the specific area of the security discipline. During the research, frequent contact and insights will be shared with OpenGov.Watch, PAL, the Parity Security Team and other agents for a positive exchange for all projects involved.

Project’s Aftermath

After completion, if the ecosystem requires so, the research team can evolve from a facilitator/researcher position to a more active participating actor, with the task of taking over the administrative duties of drafting up the necessary proposal(s) to implement the agreed project into the network and overseeing the process of putting it up for a referendum, possibly including driving the discussion on the topic; and, should the proposal go through, further advising and supporting the community to establish the security governance framework and its first mandate.

As this stage is optional and dependent on the result of the research, it would be funded by treasury proposals.

Who are we, and why do we want to go forward with this?

Inês Nascimento Wellnitz is a scientist, a facilitator and a polymath. After studying Theoretical Physics and Politics and being active in several international students’ groups, she dedicated herself to co-founding an international organization that designs and hosts simulations for students in the area of politics, active citizenship and democracy-building in close cooperation with the European Union. After that she acted as a communications and intercultural support specialist in several areas, up until she entered the blockchain industry. Her first job in the space led her to fall in love with the human side of security and the role it plays in the self-agency of every internet user, which in turn led her to study the subject in depth. She was Security Culture and Awareness Lead at Parity for 5 months up until November 2023.

Daniel Artamendi is a computer scientist, security expert and cultural agent with a special focus on the intersections of technology with other disciplines. He has extensive experience dating back to the early days of the open software/hardware communities of Processing or Arduino. He worked in major contemporary art institutions in Spain before moving to Germany to work in technology. For the last 3 years, he was the Head of IT at the Security Team in Parity Technologies. Most of his professional career has been in non-profit institutions. He lives and works in Berlin.

Our role is to act as facilitators: we don’t have the answers, we have some questions that will bring more questions. Our task is to study, observe, enquire with internal and external actors and gather insights about the topic, instead of building a one-sided proposal to be discussed on dispersed channels like the Polkadot network forum and Element channel one post at a time. We aim to build this research with the scientific rigor of methods developed in the social sciences, with the transparency of the open source philosophy, and the suicidal courage needed to explore new territories.

We would like to thank everyone that has provided us early feedback (or is on the way to) like Otar and Raul, Vince, Serhan, Valery (PAL), Matej, Dan Davis, Kirill and many others. We are excited to know what you think about our idea, and can’t wait to get your feedback on it!


This project sounds like a fantastic and much needed approach to figure out all the systemic problems we are facing in the ecosystem. I really hope it goes through as I am extremely interested in the findings and also the proposed solutions/framework.


Dear Nina,

Thanks for your support and interest. As stated in the project, yes, we would like to approach it from an eagle-eye systemic view, but without neglecting going down to the detail when it is needed.

Also we think it is important to:

  • check what others outside are thinking (academic research)
  • check what the ecosystem is thinking about these topics (ecosystem engagements)
  • check what others are doing (to see what worked or didn’t work for them)
  • introduce other points of view and voices on the topic (engagement with externals)

We hope that gathering these inputs (and many more that we will discover in the process) can bring a good and valuable result to everyone.