Are Blockchains redefining cybersecurity or do they pose more security challenges than they solve? Sooraj Shah investigates
Many have compared the seismic impact the internet has had on the world with the potential effect blockchain will have over the next decade. The same has been said about cloud computing, artificial intelligence and numerous other IT buzzwords and should therefore be taken with a pinch of salt.
Indeed, Blockchain’s very own senior vice-president of growth, Liana M. Douillet Guzman, tells Infosecurity that she “doesn’t think blockchain is a panacea.”
However, it is clearly an area which is likely to see growth in the coming years. One report, by Grand View Research, suggests that the blockchain marketplace will grow to almost $7.74bn in value by 2024.
So What Exactly Is It?
“Blockchains are transaction networks. A blockchain is a globally replicated, secure database. You can think of it as an immutable, permanent and secure spreadsheet in the cloud which de-risks liability thanks to its distributed nature,” Guzman explains.
“If one of these nodes goes offline, the rest of the network can continue to confirm transactions without skipping a beat”, she adds, before emphasizing that the only blockchain protocol in widespread use today (Bitcoin) has been running every day for eight years without a major interruption.
However, there are numerous other blockchain trials ongoing. For example, international shipping company Maersk is working with IBM on a project which would help to manage the global supply chain and track the paper trail of tens of millions of shipping containers across the world. Charity Save the Children UK wants to create a ‘humanitarian passport’ using blockchain and retailer Walmart is using blockchain in China to track the supply chain record of food to improve health and safety standards.
The technology seems to be on every large organization’s radar, particularly those in the financial services space. Metro Bank, the UK’s newest retail bank, is keeping tabs on developments in the technology, its chief technology officer David Young tells Infosecurity, with security seen as the key benefit of the technology.
Yet John Palfreyman, director of blockchain at IBM’s cloud division, emphasizes that the blockchain structure itself isn’t any more or less secure than any other technological structure. For him, the main attraction towards blockchain is the applications that it enables, rather than the security benefits it may have.
There Are Security Benefits
As cybersecurity becomes a focal point for businesses, many IT departments will be looking at if − and how − blockchain can help them to beef up security.
Dr Joao Ferreira, a cybersecurity expert at Teesside University in the UK, states that there are two key benefits, the first of which is the immutability of data.
“It is impossible in theory to tamper with the data; you can’t just change a record in the blockchain because it’s a hash chain structure that is distributed. Many attacks occur because of the criminals’ ability to change information, blockchain can be used to prevent that from happening”, he says.
Blockchain uses a consensus algorithm and therefore any changes need to be verified by the network, and this comes at a cost.
“There is a cost to make a change, so any attack on a service based on blockchain becomes more difficult because it will be more expensive if there is a cost associated with changing that information”, he says.
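The tamper-evidence and the cost of change described above, as an added Python example that is not from the article or from any blockchain project. It uses proof-of-work as one instance of a consensus cost; the difficulty value, record strings and function names are assumptions made for illustration.

```python
import hashlib
import json

DIFFICULTY = 3        # assumed: leading zero hex digits a block hash must have
GENESIS = "0" * 64    # assumed placeholder for "no previous block"
RECORDS = ["alice->bob 5", "bob->carol 2", "carol->dave 1", "dave->alice 4"]  # constructed

def block_hash(prev_hash, record, nonce):
    return hashlib.sha256(json.dumps([prev_hash, record, nonce]).encode()).hexdigest()

def mine(prev_hash, record):
    """Search for a nonce that meets DIFFICULTY; return (block, hash attempts)."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, record, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"prev": prev_hash, "record": record, "nonce": nonce, "hash": h}, nonce + 1
        nonce += 1

def extend(chain, records):
    """Mine one block per record on top of chain; return (new chain, hash attempts)."""
    chain, attempts = list(chain), 0
    for r in records:
        prev = chain[-1]["hash"] if chain else GENESIS
        block, n = mine(prev, r)
        chain.append(block)
        attempts += n
    return chain, attempts

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, b in enumerate(chain):
        h = block_hash(b["prev"], b["record"], b["nonce"])
        if b["prev"] != prev or b["hash"] != h or not h.startswith("0" * DIFFICULTY):
            return i
        prev = h
    return None

def rewrite_cost(chain, index, new_record):
    """Changing one record means re-mining it and every later block."""
    later = [b["record"] for b in chain[index + 1:]]
    return extend(chain[:index], [new_record] + later)

def accepted_by_peers(candidate, peers):
    """Distributed check: a majority of replicas must hold the same tip hash."""
    agree = sum(p[-1]["hash"] == candidate[-1]["hash"] for p in peers)
    return agree > len(peers) // 2
```

An in-place edit is caught by `first_invalid`; a fully re-mined copy verifies locally but still ends in a different tip hash, so replicas holding the original chain reject it.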
The second IT security benefit is a lower risk of being impacted by DDoS because the attack surface is distributed rather than centralized.
Combining the difficulty of changing data with the distributed nature of blockchain gives businesses a more resilient backbone to rely on.
“It means that even if a criminal takes my copy of the blockchain down, I may lose the services but everyone else can still use it”, Ferreira states, thereby nullifying the threat of DDoS.
As blockchain is a decentralized system, it has an advantage over existing trust architectures that have a single point of failure such as Certificate Authorities (CA) and DNS providers, Garrett Bekker, principal analyst at IT advisory firm 451 Research, explains.
“We’ve seen CAs that have been compromised and also what can happen when a DNS provider goes down, as with the impact of the recent Mirai botnet attack on Dyn; I suspect blockchain could deal better with this, and also simplify the use of public key infrastructure (PKI) by eliminating dependence on a CA as the single anchor of trust”, he says.
Blockchain Versus IoT
There is one organization that is hoping that blockchain can be used to solve one of the biggest headaches for the IT industry at present – securing the Internet of Things (IoT).
The Isle of Man government is working with members of the blockchain community on an experiment to see if the technology can keep IoT devices from being hacked.
“We want to prove that by adding a layer around that device, that any data that comes out of it can immediately be hashed into the mesh [network] that surrounds it”, Brian Donegan, head of operations, fintech and development at the Isle of Man government, tells Infosecurity.
“If this can be demonstrated unequivocally, then you can do it to the next device it is connected to and so on – using blockchain repeatedly to get to a situation where you end up with networks of devices that have blockchain armory around them”, he adds.
Donegan’s team is still several months away from being able to report back its findings on the trial.
With Great Power Comes Great Responsibility
The law has always struggled to keep pace with developments in technology, and those that are providing the blockchain technology and services to organizations will need to be wary of who owns the risk, and how it is transferred.
“They need to make sure they understand the pressure that customers are under from a regulatory perspective and do everything they can to alleviate that risk; the worst situation is for organizations to not be able to move forward with new technology because the providers can’t give them assurance about the technology”, says Luke Scanlon, senior technology lawyer at Pinsent Masons.
This is important because there are risks associated with blockchain. As Dr Ferreira emphasizes, there is “no system that is 100% secure.”
He gives some examples of security issues that blockchain-related technology could run into – such as the theft of Bitcoin from cryptowallets. He says a key danger with blockchain – like many other technologies – is the human aspect.
“The cryptowallet means you have some files that encode your address and your balance. If you lose that, you lose your identity and your money and all of your cryptocurrency. If we expect users to manage their cryptowallets there could be many problems because it is easy to exploit people with social engineering”, Dr Ferreira states.
However, even those humans behind the technology can be at fault for security breaches.
Last year, a smart contract called DAO, based on Ethereum (a blockchain technology), was hacked, leading to $50m being taken from a virtual hedge fund. Dr Ferreira explains that it is incredibly easy to make little mistakes in writing smart contracts, and that attackers are ready to pounce on vulnerabilities.
“[In the DAO case], they hired very good people, professional programmers, but it still had a bug and an attacker was able to benefit from it”, he says.
It’s also worth bearing in mind that some of these benefits of blockchain – such as anonymity – can be used against organizations, as criminals seek to hide illegal transactions such as ransomware payments. Using blockchain-based identities to control access to services would give users comfort in knowing that their data is pseudo-anonymized, but if the blockchain was breached and the data was exposed, the company in question would face irreparable reputational damage. The more sophisticated the technology, the bigger the potential of a disaster.
The Future of Blockchain and Cybersecurity
It is the implementation stage where blockchain and cybersecurity really intersect; if a blockchain is incorrectly implemented, it opens up huge risks to the organization and to its partners.
According to Florian Malecki of IT security company SonicWall, the technology is not yet secure or mature enough to quell concerns around security and inspire wider adoption.
“The code which supports blockchain is relatively new and largely untested against the full potential of the global hacker community and at present there is no way to know what bugs remain and how large the resulting vulnerabilities are”, he says.
For Karl Hoods, chief information officer of Save the Children UK, blockchain isn’t redefining cybersecurity but is an enabling platform for it.
By combining it with existing IT security practices, it offers increased security. As organizations develop their understanding of how to implement the technology, it is likely that it will solve many more security challenges than it poses.