Recently, blockchain technology has created a lot of hype as a panacea for all issues related to information security. Blockchain technology provides stronger transactional security than traditional, centralized computing services for a secure, networked transaction ledger. Centralized databases are targets of cyberattacks, and if the security of such a database is compromised, the entire system can be destabilized. Blockchain avoids this by using distributed ledger technology (DLT). DLT increases cyberresiliency because it removes the single point of failure: in a DLT, an attack on one or a small number of participants does not affect the other nodes. Thus, DLT helps to maintain transparency and availability and allows transactions to continue.
However, blockchain is not always a panacea, because blockchain applications do not eliminate the need to follow other cybersecurity best practices.
When using a blockchain application, it is important to consider blockchain network governance, transaction validation risk and potential integrity attacks. Also consider whether the application depends on external data or other at-risk resources, because the application code and the environments in which the blockchain technology runs must be checked for cybervulnerabilities.
When designing a blockchain-based cybersecurity solution, it is necessary to examine the vulnerabilities of the end-user environment, of the code and of the points of exposure at each layer.
This can be better understood by studying the present scenario and real-life examples that show the extent of the solutions blockchain technology provides.
Understanding DLT
The transparency of DLT makes it more difficult for cyberattackers to corrupt a blockchain using malware or manipulative actions. One advantage of DLT is that, because every participant node keeps and shares a copy of the blockchain, there is no need for third-party intermediaries to distribute the data across participant nodes. Another advantage is that endpoint vulnerabilities are addressed in layer 2 (off-chain solutions) of the DLT. Security is also increased because participants are preselected, and layers of permissions are granted by the appropriate cryptographic keys.
DLT has evolved, and its role in the redesign of blockchain has improved scalability and speed; smart contracts and lightning networks are examples. Many varieties of DLT have emerged since the first application of blockchain (cryptocurrency). The decentralized applications (dApps) that manage money and facilitate voting and governance systems are the best real-world examples of this technology succeeding.
Another type of DLT gaining popularity is the directed acyclic graph (DAG), often termed blockchain 3.0. DAGs have the same properties as blockchain: they are still distributed databases based on a peer-to-peer network with a validation mechanism for distributed decision-making. Examples of the still-evolving DAG technology are the IOTA Tangle and Hedera Hashgraph.[1] With the newer developments of blockchain 3.0, such as DAG, the DLT vulnerabilities have been reduced. DLT holds identical copies of the ledger on each node, so blockchain application participants (i.e., stakeholders, administrators, operators) can quickly detect attempts to corrupt or modify transactional records. The encryption technologies used by blockchain applications protect both individual transactions and the entire ledger. Similarly, the consensus mechanism protects new data blocks by requiring network participants to validate them and compare them with past transactions, which mitigates the possibility of an attack that manipulates ledger blocks.[2]
Using Blockchain for Network Governance
The integrity of blockchain depends on the network governance model and the method used to validate transactions. Various blockchain applications choose different mechanisms, including proof of stake, proof of elapsed time and proof of provenance. The Hyperledger Fabric project from the Linux Foundation uses proof of elapsed time and Byzantine fault tolerance methods for this.[3]
Most blockchain networks rely on a majority consensus to validate transactions, but they are vulnerable if attackers compromise a sufficiently large group of nodes. For example, bad actors can compromise a public blockchain application by acquiring or controlling at least 51 percent of the consensus power. This scenario is unlikely in a robust network with many users, but small private blockchain implementations may be more vulnerable. This vulnerability is often disregarded because private blockchain applications typically vet participants and support user authentication and other controls that address the risk. The point is that there are good actors and bad actors within any network. Some assume that there are always more good actors than bad actors, and under that assumption the bad actors within the network cannot control a public blockchain. But, theoretically, the 51 percent consensus threshold may become a vulnerability in the future. Similarly, if a bad actor intrudes into a private blockchain network, they can create havoc. The intrinsic properties of the blockchain mean the bad actor will be detected, but it may be too late. Private blockchains are, however, more centralized; for example, Hyperledger requires certification authority approval for any member to participate in the blockchain.[4]
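As an added example (not the article's own code), the following Python simulation shows both points above: every node holds a copy of the hash-chained ledger, so an honest validator detects a rewritten record by comparing a proposed chain against its own copy, and a majority vote lets a rewritten chain win only once colluding validators outnumber honest ones. The records, node counts and validator logic are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(index, prev_hash, data):
    """Digest of a block's index, link to the previous block and payload."""
    payload = json.dumps({"i": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_ledger(records):
    """Chain a list of transaction records so each block commits to its predecessor."""
    ledger, prev = [], GENESIS
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        ledger.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return ledger

def verify_chain(ledger):
    """Return the index of the first block whose hash or link is wrong, or None if intact."""
    prev = GENESIS
    for b in ledger:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["data"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def honest_validator(own_copy, proposed):
    """An honest node accepts a proposed chain only if it is internally consistent
    and agrees with the node's own copy on every block the node already holds."""
    if verify_chain(proposed) is not None:
        return False
    return all(a["hash"] == b["hash"] for a, b in zip(own_copy, proposed))

def network_accepts(honest_copies, proposed, colluders):
    """Majority consensus: honest nodes vote by validation; colluding nodes always accept."""
    votes = sum(honest_validator(c, proposed) for c in honest_copies) + colluders
    return votes * 2 > len(honest_copies) + colluders

def simulate(colluders, honest=6):
    """Attacker rewrites a past record and recomputes every hash so the forged chain is
    self-consistent; returns whether it wins the vote against `honest` honest nodes."""
    records = [{"from": "A", "to": "B", "amt": 10}, {"from": "B", "to": "C", "amt": 5}]
    honest_copies = [build_ledger(records) for _ in range(honest)]
    forged = build_ledger([dict(records[0], amt=1000), records[1]])
    return network_accepts(honest_copies, forged, colluders)
```

With six honest nodes, `simulate(6)` still fails (a tie is not a majority) while `simulate(7)` succeeds, which is the 51 percent scenario the text describes.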
Another example is Project Khokha, in which the South African Reserve Bank (SARB) established a financial technology (fintech) task force in 2018 to monitor and promote fintech innovation. The task force was created to review SARB's position on cryptocurrencies, especially regulatory issues concerning cybersecurity, taxation, consumer protection and anti-money laundering (AML), and to scope out a regulatory sandbox and innovation accelerator. The project used a private blockchain among the member banks for intrabank cash transactions.[5]
Blockchain technology depends on communications across a network of nodes. Disrupting node communications, or disseminating or accepting false information to confirm fake transactions, may compromise the network. Hence, securing communication across the network of nodes is very important when deploying blockchain for security reasons.
A large number of participant nodes significantly increases the likelihood of detecting these types of attacks quickly, and legitimate participants would presumably avoid further activity in a compromised blockchain network.
The solution to this could again be a private blockchain. Organizations that use private blockchain applications, and their counsel, should then examine the application's chosen network governance model, consensus mechanisms and resulting risk. These should be considered and addressed at the design and integration level by the solution architects. At the design level, researchers are also working on synchronous hash functions by increasing the output length of the hashes.
In general, solution architects must consider various risk management strategies when designing blockchain applications, as with any new technology. They should conduct thorough upfront due diligence, negotiate contractual protections with other participants, implement continuous monitoring for security incidents and consider obtaining appropriate cyberinsurance, if available.
Coding bugs have been the main cause of the vulnerabilities that hackers have exploited time and again in blockchain-based smart contract projects. Experienced developers and continuous project audits help avoid these types of errors.
External Data Dependency
Any practical blockchain application functions on the basis of the information it receives about real-world events. For example, a simple payment transaction within a financial institution requires an information exchange, and complex applications such as supply chain management or cross-border transaction settlement (e.g., an ERP system or interbank global financial transactions) require far more. Each of these relies on external data, which involves interactions among multiple technologies and data transfers over various modes. These external data sources create potential risk that stakeholders must address. Because multiple technologies and databases may be involved, the data move through various channels, of which blockchain is only one. Hence, such transactions require end-to-end security, and using only blockchain will not serve the purpose.
External data sources fall outside a blockchain application's network consensus validation mechanisms. Because these elements may be more susceptible to tampering or other malicious actions, blockchain networks and the stakeholders in end-to-end transactions must take steps to monitor and ensure data reliability. Hackers may be able to compromise a project at this layer.
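As an added example (not the article's own code), this Python check shows how a consumer of external data can enforce reliability before a value enters the ledger: each report must carry a valid authentication tag from a known source, be fresh, and agree with a quorum of independent sources. The source names, shared HMAC keys, tolerance and sample values are constructed; HMAC with shared keys stands in for whatever attestation the real sources provide.

```python
import hashlib
import hmac
import json
import statistics

# Constructed sample: shared keys provisioned out of band for each trusted data source.
ORACLE_KEYS = {"oracle-a": b"key-a", "oracle-b": b"key-b", "oracle-c": b"key-c"}

def _tag(key, body):
    """HMAC-SHA256 over the canonical JSON form of the report body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def sign_report(oracle_id, key, value, ts):
    """Source side: emit an authenticated report of `value` observed at time `ts`."""
    body = {"oracle": oracle_id, "value": value, "ts": ts}
    return dict(body, tag=_tag(key, body))

def report_is_authentic(report):
    """Reject reports from unknown sources or whose tag does not verify."""
    key = ORACLE_KEYS.get(report.get("oracle"))
    if key is None:
        return False
    body = {k: report.get(k) for k in ("oracle", "value", "ts")}
    return hmac.compare_digest(_tag(key, body), str(report.get("tag", "")))

def accept_external_value(reports, now, quorum=2, max_age=60, tolerance=0.02):
    """Consumer side: return (True, value) only when a quorum of distinct, authentic,
    fresh sources agree within `tolerance`; otherwise (False, reason)."""
    fresh = [r for r in reports if report_is_authentic(r) and 0 <= now - r["ts"] <= max_age]
    # One vote per source: a single source replaying many reports cannot form a quorum.
    by_source = {r["oracle"]: r["value"] for r in fresh}
    if len(by_source) < quorum:
        return False, "insufficient independent attested reports"
    median = statistics.median(by_source.values())
    agreeing = [v for v in by_source.values() if abs(v - median) <= tolerance * abs(median)]
    if len(agreeing) < quorum:
        return False, "sources disagree beyond tolerance"
    return True, statistics.median(agreeing)
```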
Blockchain Cybervulnerabilities
When discussing the use of blockchain technology for cybersecurity, it is important to understand that blockchain applications are like any other computer system: they can be vulnerable to software coding errors, which introduce cyberrisk.
Coding errors occur where network protocols try to implement novel functionality for which potential vulnerabilities are yet to be detected.
Blockchain technology depends on encryption algorithms. Present encryption techniques are generally reliable, but as computing techniques evolve, present encryption may become vulnerable to attack. Emerging technologies, especially quantum computing, are an example.
The unique properties of quantum particles to efficiently perform computing tasks may make current encryption techniques much less secure.
Blockchain applications also run on general-purpose operating systems and platforms, which can be subject to known hardware and software vulnerabilities. Therefore, when deploying blockchain as a cybersecurity measure, organizations should treat these environments like their other critical business computing resources and follow generally accepted cybersecurity practices for the blockchain applications.
Identifying and managing known vulnerabilities is a core element of any reasonable cybersecurity program.
As previously mentioned, users interact with the system in a blockchain application, and this interface can often be a gateway for cyberattacks. The best example is cryptocurrency theft, which involves exploiting vulnerabilities in connected systems. Thus, end-user vulnerabilities may enable attackers to infiltrate and compromise even the most secure private blockchains by impersonating authorized users.
Conclusion
Blockchain has the intrinsic features of immutability, transparency and DLT, which can help solve current cybersecurity issues. These features help manage the confidentiality, integrity and availability of information. Blockchain is being used in various applications to reduce distributed denial-of-service (DDoS) attacks. Transparency is achieved by recording each change to the data in the blocks. However, no blockchain application works in a silo; it runs on an operating system like any other application, and it works in a layered system with front-end application programming interfaces (APIs) and back-end database systems. The vulnerabilities at all of these layers must be considered.
Blockchain itself may be immune to attack, but when designing any application, one must consider the security of the environment in which it works, the layers and the intersections between them, and the underlying security. Using blockchain does not mean that all present security protocols can be abandoned and that security can depend fully on the intrinsic features of blockchain. Blockchain coding bugs can create vulnerabilities, and the intrinsic threats and vulnerabilities of the APIs and their interactions can also pose security problems.
Endnotes
[1] Perlman, L.; Security Aspects of Distributed Ledger Technologies, International Telecommunication Union, November 2019, http://www.itu.int/en/ITU-T/extcoop/figisymposium/Documents/Security%20Aspects%20of%20Distributed%20Ledger%20Technologies.pdf
[2] Benjamin, N.; "Blockchain and Cybersecurity," Bits N' Blocks, 2 June 2019, http://bitsnblocks.co/blockchain-and-cyber-security-go-together-blockchain-based-applications-in-cyber-security-can-become-the-backbone-of-security/
[3] Hyperledger, Hyperledger Architecture, Volume 1: Introduction to Hyperledger Business Blockchain Design Philosophy and Consensus, 2017, http://www.hyperledger.org/wp-content/uploads/2017/08/Hyperledger_Arch_WG_Paper_1_Consensus.pdf
[4] Butcher, J. R.; Steptoe and Johnson LLP; C. M. Blakey; Paul Hastings LLP; "Cybersecurity Tech Basics: Blockchain Technology Cyber Risks and Issues: Overview," Practical Law, 2019, http://www.steptoe.com/images/content/1/8/v2/189187/Cybersecurity-Tech-Basics-Blockchain-Technology-Cyber-Risks-and.pdf
[5] South African Reserve Bank, "Fintech," http://www.resbank.co.za/en/home/quick-links/fintech
Neeraj Benjamin
Has worked with telecom multinational organizations for more than two decades in various management and consulting positions. He is a certified auditor for information security (ISMS), business continuity (BCMS), quality (QMS) and personal information (PIMS) management systems with BSI. He is also a blockchain consultant and advisor with blockchain start-ups. He has written several articles on blockchain technology that are available at http://www.bitsnblocks.co. Benjamin has also created blockchain basic learning courses on several online education portals and has written white papers on blockchain applications.