Rethinking Cybersecurity Through Blockchain
Cybersecurity spending has increased exponentially in the past decade, with no signs of slowing. Worldwide, organizations plan to allocate more than $1 trillion between 2017 and 2021 to protect themselves from online threats, according to one industry report.1
Despite that staggering investment, criminal hackers are still exploiting both publicly known and unknown vulnerabilities, and intercepting device, application, and network communications. CB Insights calculated that about 6 billion confidential files were stolen between 2017 and 2018. Other industry research shows that the number and cost of cyberattacks have increased.
These sophisticated assaults often outwit traditional security methods, including authentication, key management, cryptography, and privacy challenges. With a large percentage of employees working from home due to the coronavirus pandemic, vulnerabilities are growing in new ways. So, instead of building more powerful tools, many businesses are rethinking the systems that created these vulnerabilities in the first place.
A new cybersecurity approach
Blockchain offers a different path toward greater security, one that is less traveled and not nearly as hospitable to cybercriminals. This approach reduces vulnerabilities, provides strong encryption, and more effectively verifies data ownership and integrity. It can even eliminate the need for some passwords, which are frequently described as the weakest link in cybersecurity.
The principal advantage of blockchain is its use of a distributed ledger. A dispersed public key infrastructure model reduces many risks associated with centrally stored data by eliminating the most obvious targets. Transactions are recorded across every node in the network, making it difficult for attackers to steal, compromise, or tamper with data, unless a vulnerability exists at the platform level.
Another traditional weakness is eliminated through blockchain’s collaborative consensus algorithm. It can watch for malicious actions, anomalies, and false positives without the need for a central authority. One pair of eyes can be fooled, but not all of them. That strengthens authentication and secures data communications and record management.
Although blockchain contains many nontraditional features, it does take advantage of one of the most important cybersecurity tools: encryption. The distributed ledger can utilize public key infrastructure to secure communication, authenticate devices, validate configuration changes, and discover confidential devices in an internet of things (IoT) ecosystem. Through encryption and digital signatures, a blockchain system can shield connected thermostats, smart doorbells, security cameras, and other vulnerable edge devices. A recent Palo Alto Networks report said that 98% of IoT device traffic was unencrypted and described it as “low-hanging fruit for attackers.”2
Also, this technology can be a weapon against distributed denial-of-service (DDoS) attacks. A blockchain-based domain name system (DNS) — the protocol for directing internet traffic — can remove the single point that allows these attacks to succeed. In 2016, a large portion of the internet went down because of a DDoS attack on the servers of one DNS host.3
Organizations from multinational corporations to governments are clamoring to adopt blockchain-based cybersecurity, viewing it as the next big thing. But it’s not as simple as updating an existing toolkit.
This intertwining of blockchain and cybersecurity is still an evolving approach. Not all research ideas on digital identities, decentralized storage, securing edge devices, and smart contracts align with business needs. Without careful consideration, implementation can become impractical or even impossible. Here are some hurdles that organizations may encounter when considering blockchain as part of their cybersecurity strategy.
In the public blockchain, anyone can see and retrieve data in transactions. That’s a concern for businesses that want to closely control what information is publicly available.
Permissioned blockchain can help mitigate many of those privacy issues. An enterprise blockchain platform can create a permissioned network that allows only trusted parties to participate in or view transactions and to vote on decisions.
Scalability can become a constraint when implementing blockchain, mostly due to block size and response times. In this technology, every node stores, processes, and maintains transactions in a block to ensure security and privacy. But as the number of transactions increases, small and medium-sized businesses struggle to accommodate a growing number of transactions in a block. Those increases can also slow the validation process. With limited computing and storage resources, scalability is at odds with decentralization.
Organizations are still trying to understand how blockchain’s structure and complexity fit within the evolving data privacy, compliance, and regulatory landscape. Europe’s General Data Protection Regulation (GDPR) and similar laws allow individuals to demand that their data be deleted; these laws also create a “right to be forgotten” in certain cases. Since blockchain prevents parties from modifying or deleting data, the technology risks violating government rules.
Some blockchain platforms use a varied ecosystem for their smart contract logic, transaction schemes, and consensus models. Weak interoperability limits scalability. From the developer perspective, roadblocks can also be created from platform misconfiguration, communication mistrust, specification errors in application development, and cross-chain smart contract logic problems.
Thankfully, open protocols, multichain frameworks, and algorithms are taking root in blockchain and mitigating this issue. Business communications organization GS1 has published global standards for blockchain interoperability, and it is working with Microsoft and IBM on incorporating those standards into their enterprise blockchain applications. The Enterprise Ethereum Alliance is also developing business standards.
Blockchain offers several benefits, such as efficiency, optimization, reduced costs, and improved security. However, the technology also introduces new risks into systems when not carefully managed. These risks include:
- Improper key management and access control. Unlike with traditional means, end users are completely responsible for managing their digital assets. Private keys are mapped with user ownership, so unauthorized access or theft of cryptographic keys may lead to a total and irreversible loss.
- Unintended forks and chain split attacks. During the smart contracts upgrade process, there is a chance that some nodes may not support the changes made during the consensus phase. That can lead to a new chain splitting from the old and introduce blockchain-specific risks, such as replay, double spend, and 51% attacks. In those cases, unauthorized parties could block, reverse, or repeat transactions.
- Inadequate encryption scheme selection and insecure operations. Transmitting or storing sensitive data using cryptographic algorithms isn’t enough to protect against man-in-the-middle attacks. A number of factors could make blockchain vulnerable to this type of intrusion, including inadequate encryption, weak or incorrect keys, key management errors, incorrect cryptographic implementation, or improper verification of digital signatures or certificates.
- Application programming interface (API) integration. Third parties are required for API integration, whether it’s a private or public blockchain. That leads to trust issues and unintentional leakage of sensitive data.
Even with potential barriers, the combination of blockchain and cybersecurity has intrigued executives and technology experts. In a 2019 Infosys research report, one-third of respondents cited blockchain use in developing security solutions as a top cybersecurity trend.4 It tied for third among all topics and ranked even higher than increased demand for cybersecurity jobs.
Here are some of the factors that make blockchain promising and ways it should be managed:
- Data protection and privacy. The technology provides selective access to transactions and information in the distributed ledger with minimal governance. Also, blockchain doesn’t give cyberattackers traditional data protection targets and the ability to undercut privacy challenges. Overall, that makes it harder to access or modify information in blockchain ecosystems.
- Smart contract security. Blockchain components like smart contracts, applications, APIs, digital assets, and wallets must be tested for access control, authentication, data security, and business logic validation. This provides greater confidence among participants in the permissioned chains.
- Public key infrastructure management. Asymmetric cryptographic keys and digital signatures are core aspects of blockchain security. In its implementation, the public key defines the digital identity to node participants. However, the private key authorizes the actions, including securely encrypting, signing, and verifying transactions. Asymmetric cryptography in blockchain provides benefits similar to those of traditional encrypted transactions.
Even with these advantages, companies should continue following security best practices, such as rate limitations, encrypting sensitive configuration files, and weeding out vulnerabilities in the development process. The authors of a related 2019 World Economic Forum paper warned about blockchain’s hype and its “exaggerated security expectations.”5
“Many have believed its cryptographic foundation to be the ultimate answer to security,” according to the paper. “As a result, they have failed to implement the security controls required for trust in a blockchain to emerge.” The technology is perceived as either inherently insecure or unhackable, the authors wrote, while the “truth lies somewhere in the middle.”
Although usage is still limited, this intertwining of blockchain and cybersecurity isn’t happening only at the fringes. It’s already seen as an important tool in places where security is paramount.
The U.S. government’s Defense Advanced Research Projects Agency is experimenting with the use of blockchain to create a more secure platform for transmitting messages and processing transactions. This is part of the agency’s efforts to create an unhackable code for the U.S. Department of Defense (DOD). The technology immediately flags attempts to tamper with data and even provides intelligence on the attacker.
The DOD’s 2019 Digital Modernization Strategy report described blockchain as a way to “not only reduce the probability of compromise, but also impose significantly greater costs on an adversary to achieve it.” The U.S. military is already moving in that direction by contracting with blockchain-based data platform provider Fluree.6
Government officials in India announced last year that they were creating a national plan to implement blockchain for several uses, including cybersecurity. And the Saudi Arabian government and GE Ventures have invested in the startup Xage, which is using blockchain to boost cybersecurity in industrial IoT devices, according to CB Insights.
The use of blockchain to enhance cybersecurity has been gaining traction worldwide. However, the recent economic and logistics disruptions caused by the COVID-19 pandemic provide enterprises fresh incentives to find innovative solutions.7
Businesses now seek greater visibility and security from their networks and supply chains, even as the economy heads toward recession.8 Digitization and resilience are imperative in a more difficult and unpredictable world. Companies want to combine security and visibility with privacy and good governance. For many companies, the answers will be found in blockchain.
1Global Cybersecurity Spending Predicted To Exceed $1 Trillion From 2017-2021, Steve Morgan, June 10, 2019, Cybercrime Magazine.
22020 Unit 42 IoT Threat Report, Palo Alto Networks.
3Massive Internet Outage Could Be a Sign of Things to Come, Jamie Condliffe, Oct. 21, 2016, MIT Technology Review.
4Assuring Digital-trust — Infosys, 2019, Infosys Knowledge Institute.
5Inclusive Deployment of Blockchain for Supply Chains Part 5 – A Framework for Blockchain Cybersecurity — World Economic Forum, Adrien Ogée, Soichi Furuya, and Nadia Hewett, December 2019, World Economic Forum.
6Air Force Selects Fluree’s Data Management Platform to Support Secure, Distributed Global Communications for the Department of Defense, Feb. 6, 2020, Fluree, AFWERX.
7Supply chains have been upended. Here’s how to make them more resilient, Rebecca Liao and Ziyang Fan, April 6, 2020, World Economic Forum.
8COVID-19 injecting uncertainty into a shaky world economy, Samad Masood and Isaac LaBauve, March 2020, Infosys Insights.