
27 August 2019

Blockchain is not a magic bullet for security. Can it be trusted?

Adrien Ogée

Up to 10% of global GDP could be stored on blockchains by 2025, according to the World Economic Forum. From product identifiers and medical records to land registries, academic degrees and insurance contracts, blockchain and distributed ledger technologies (DLTs) are already in production use across many sectors.

What blockchain promises is no less than the technological backbone of the 21st century’s renaissance of the social commons, giving back power to the people. In this century more than ever, power comes from data. Blockchain promises to give control of data back to the people. But this requires one element: trust in the technology, trust that it does what it’s supposed to do.

The paradox here is that blockchain removes the need to trust the intermediary – i.e., notaries, insurers and bankers – by requiring us to trust the technology. But how likely are we to trust the technology if it is breached repeatedly?


Imagine the possibilities by 2050 when not 10%, but 50% of global GDP is on blockchain. Beyond the material consequences, what kind of societies will we live in if we have no trust in the technology on which they are founded? It could be argued that if the technology proves too difficult to secure, blockchain will disappear into a digital abyss. But recent history tells us that poor security is no barrier to adoption.

In the famous Bitcoin hack of 2010, when only a happy few had invested in Bitcoin, an integer overflow in the transaction-validation code allowed someone to create roughly 184 billion bitcoins in a single transaction, out of thin air. Each of the two outputs was individually positive, but their sum wrapped around to a negative number and slipped past the check that a transaction cannot pay out more than it takes in. The flaw was in the code, not in the logic of blockchain, and it was quickly fixed.
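To make the nature of that bug concrete, the following C++ sketch (an added example, not code from the original article or from Bitcoin itself) contrasts the shape of the pre-fix check with the post-fix one. The two output values are those of the 2010 transaction, and MAX_MONEY and MoneyRange follow Bitcoin's definitions; everything else (the function names, the 0.5 BTC input) is constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Units and cap as in Bitcoin: 1 BTC = 1e8 satoshis, 21 million BTC in total.
static const int64_t COIN = 100000000;
static const int64_t MAX_MONEY = 21000000 * COIN;

// Bitcoin's MoneyRange(): a value is sane only if 0 <= v <= MAX_MONEY.
static bool MoneyRange(int64_t v) { return v >= 0 && v <= MAX_MONEY; }

// Pre-fix shape of the check (illustrative reconstruction, not Bitcoin's code):
// each output is only tested for being non-negative and the total is summed
// with no overflow check. The sum is done in unsigned arithmetic and cast back,
// which reproduces the two's-complement wrap deterministically (signed overflow
// is undefined behaviour in C++, so the example does not rely on it).
int64_t wrappedOutputSum(const std::vector<int64_t>& outs) {
    uint64_t total = 0;
    for (int64_t v : outs) total += (uint64_t)v;
    return (int64_t)total;
}

bool acceptVulnerable(int64_t valueIn, const std::vector<int64_t>& outs) {
    for (int64_t v : outs)
        if (v < 0) return false;            // each output looks fine on its own
    int64_t valueOut = wrappedOutputSum(outs);
    return valueIn >= valueOut;             // a negative wrapped sum passes trivially
}

// Post-fix shape: every output and every running total must stay in MoneyRange.
bool acceptFixed(int64_t valueIn, const std::vector<int64_t>& outs) {
    int64_t valueOut = 0;
    for (int64_t v : outs) {
        if (!MoneyRange(v)) return false;   // rejects any single output above 21M BTC
        valueOut += v;                      // cannot overflow: both operands <= MAX_MONEY
        if (!MoneyRange(valueOut)) return false;
    }
    return MoneyRange(valueIn) && valueIn >= valueOut;
}

// The two outputs of the 2010 transaction: 92233720368.54277039 BTC each.
std::vector<int64_t> overflowOutputs() {
    return { 9223372036854277039LL, 9223372036854277039LL };
}

int main() {
    const int64_t valueIn = COIN / 2;       // constructed: a 0.5 BTC input
    std::printf("wrapped sum of outputs: %lld satoshis\n",
                (long long)wrappedOutputSum(overflowOutputs()));
    std::printf("pre-fix check accepts:  %s\n",
                acceptVulnerable(valueIn, overflowOutputs()) ? "yes" : "no");
    std::printf("post-fix check accepts: %s\n",
                acceptFixed(valueIn, overflowOutputs()) ? "yes" : "no");
    return 0;
}
```

The wrapped sum comes out at -997538 satoshis, so "input of 0.5 BTC is at least the total output" holds and the pre-fix shape accepts the transaction; the post-fix shape rejects it on the first output, before any addition happens. The general lesson is the one the article draws: validate every operand and every intermediate result against a known bound, not just the final answer.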

In 2016, someone temporarily seized $75 million out of the DAO, again by exploiting a vulnerability in the code, that time a reentrancy bug in a smart contract rather than in the underlying protocol. Again, the logic of the underlying DLT was intact.

More recently, in 2019, the CEO of a crypto-asset management fund passed away, and with him the keys needed to access the cryptocurrencies he was managing, worth over $150 million. Impossible to retrieve. Was blockchain at fault? No: the company had failed to implement proper checks and balances, such as making sure no single person held the only copy of the keys, to prevent such a scenario. It also turned out that the CEO had stolen the funds before passing.

Blockchain is a new technology, and not the simplest one. It could take years for the blockchain community to converge on security standards that reduce the frequency of breaches. But with these disruptions arriving ever faster, does blockchain really have years to repair its reputation?

Is blockchain actually safe?

Blockchain as a conceptual technology is safe. That’s what MIT says. But blockchain on paper serves little purpose.

1. As with any technology, security issues arise when developers turn requirements into products and services. The lines of code, consensus mechanisms, communication protocols, etc., can all contain vulnerabilities that can be exploited for malicious ends. And blockchain at the moment remains a divergent technology: multiple protocols and programming languages are being developed in parallel. As a result, it is difficult for developers to acquire the experience needed to secure their code, while most are under stringent time pressure to deliver.

2. Because blockchain relies heavily on cryptography, the practice of secure communication, it gives many the impression that it is a self-securing technology. This could not be further from the truth: blockchains are built on top of communication networks and equipment that need to be secured, and traditional information security challenges apply to blockchain too. Furthermore, cryptography is, like any other security discipline, a changing field: a sufficiently large quantum computer is expected to break the public-key signature schemes on which today's blockchains rely.

3. Third and last, poor security practices around key management, wallet hosting and node patching, among others, all lead to security issues that cast a shadow on the technology, when educating system managers and users would solve the great majority of them.

So what can we do today?

1. First, we need to develop a workforce of security-minded blockchain developers. This will require education curricula starting with programming classes in secondary schools, up to university degrees with mandatory blockchain secure-coding courses. At the time of writing, the University of Nicosia in Cyprus is the only university in the world to offer an MSc in blockchain, specifically its MSc in Digital Currency. These degrees will need to be complemented by recognised blockchain security professional certifications like CBSP, but also by the inclusion of blockchain as a topic in cybersecurity certifications like CISSP.

2. Second, we need to educate users about the security risks they are taking and how to mitigate them effectively at low cost. That will take awareness-raising campaigns and public-private cooperation to accompany people transitioning to blockchain. Permissioned blockchains, albeit somewhat contrary to the original decentralised vision of Satoshi Nakamoto, could well be the smooth transition blockchain needs to prove its worth, just as the intranets of the 1980s proved the internet's worth to the world. In that sense, blockchain adoption by industry giants like Facebook, with its cryptocurrency Libra, provides a welcome opportunity to educate the public on what it takes to use blockchain, provided there are no breaches. While permissioned blockchains may prove easier to secure because of their reduced exposure, the reduced pressure to secure them could, conversely, lead to breaches.

3. Third, we need public and private leaders to understand that blockchain is no silver bullet for security. In other words, we need to demystify blockchain security and make it clear that while the technology offers advantages in terms of availability and integrity, those properties do not improve the quality of the information it holds: garbage in, garbage out. Securely deploying a blockchain solution will require time and integration into the wider security ecosystem, made of traditional networking equipment that requires traditional information security.

For incumbents, that starts with educating boards and the C-suite on what blockchain is and is not, and what its inherent risks are. It will also require CISOs to integrate blockchain into their incident-management plans and procedures, and to start considering the impact of decentralised business models on the security domain.

As for start-ups, 92% of blockchain projects still fail, with an average lifespan of about 15 months. With such short life cycles, time to market almost always takes priority over security. This needs to change, and the best way to change it is through investors, as recommended by the World Economic Forum.

Standards are underway and will undoubtedly help blockchain technology converge, reducing its complexity, a known enemy of security.

But standards alone cannot do much, for humans are still the guardians of technology: we need to build blockchain security skills today. If not, tomorrow won’t be the renaissance, but the epilogue of the social commons.
