Blockchain, the distributed-ledger technology behind cryptocurrencies including Bitcoin, is changing the concept of online security so profoundly that it will revolutionize the way we use the Internet, says Alex Tapscott, coauthor of Blockchain Revolution.
Rather than an "internet of information," the online world will become an "internet of transactions," in which security and authentication methods based on blockchain allow the automatic, secure exchange of information and money and the execution of contracts—without a bank, credit card company, or other intermediary to confirm identities and handle the money, said Tapscott. The lead author of Blockchain Revolution is his father, Don Tapscott, author of a long list of future-shaping analyses of the potential for new technology, including The Digital Economy (1994) and Paradigm Shift (1993).
Blockchain allows identities to be confirmed and things of value, such as contracts or units of cryptocurrency, to be identified with records that can be easily audited to ensure they're authentic. Because of this, its influence will extend far beyond the market for Bitcoin, where it started, or the financial services markets, which are undergoing dramatic changes due to blockchain and cryptocurrencies, Tapscott said. Tamper-proof public databases that can confirm a document's authenticity without a notary involved, and the ability to avoid having to use and reconcile transactions through intermediaries, could save banks $20 billion per year by 2022, according to a recent report from the venture capital analyst arm of international banking conglomerate Santander.
"On the Internet, when I send information, I'm not sending the actual document, I'm sending a copy of that document," Tapscott told Business Insights. "Generally that's fine; it's one of the benefits of email, for example, to copy and forward information. When you talk about money or financial assets, however, it's important to know, when I give you twenty dollars, that you have it and I don't. Sending copies is great for collaborating or communicating, but it has limited utility when it comes to business or transactions."
Though it may have an early and dramatic impact on financial services and the defensibility of transactions online, expanding blockchain to allow it to secure documents and other digital assets presents a raft of operational problems for CISOs. This is more due to weaknesses in the way such assets are handled than due to specific flaws in blockchain, say security analysts.
Distributed ledger, simpler transactions
Blockchain is best understood as a "distributed ledger" that secures transactions on its own by creating and including the entire transaction history of a unit of cryptocurrency along with the file that represents the cryptocurrency itself. Transactions are recorded in "blocks" of data that are linked irrevocably to one another in linear, chronological order, just like a bank statement. The blocks are stored and validated by a peer-to-peer network of participating machines—not a central authority whose certifications could be faked, or that could slow the performance of applications using the system by forcing all transactions to pass through a single point.
Blockchain—the core technology behind the Bitcoin cryptocurrency—allows the creation of "coins" that are simply a chain of digital signatures. Those signatures form a proof-of-work that is verified by a very large number of computers in a peer-to-peer network set up to cross-check the consistency of the chain of signatures. The longest chain of those signatures could come only from the largest number of devices participating in the network, according to a description in the 2009 white paper that launched both the blockchain and Bitcoin phenomena.
Eliminating the need for a third party to verify the authenticity of all parties and process the transactions can eliminate the friction—and significantly reduce the costs—in commercial exchange systems. This allows almost instantaneous transactions, with reduced settlement risk because a trusted history of every transaction is publicly available. The result is a process resistant to tampering, according to "The Fintech 2.0 Paper: Rebooting Financial Services," published in June 2015 by Santander InnoVentures.
The only way the longest chain could be attached to the wrong "coin" would be if an attacker subverted more than 50 percent of the machines in the network. The world-changing part of the equation is that the "coin" being verified doesn't have to be a unit of currency. The proof-of-work can be attached to contracts, pieces of software, transactions based on real currencies rather than cryptocurrencies, or just about anything else. "Almost any intangible document or asset can be expressed in code, which can be programmed into or referenced by a distributed ledger," according to the Santander paper.
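The block linking and consistency check described above, as an added Python example (not code from the article or from Bitcoin): each block commits to its predecessor's hash, so an audit pinpoints an altered record, and nodes keep the longest chain that passes the audit. The function names, the sample records and the difficulty of three leading zero hex digits are assumptions made for illustration.

```python
import hashlib
import json

DIFFICULTY = 3            # assumed toy setting: leading zero hex digits a block hash needs
GENESIS_PREV = "0" * 64   # placeholder predecessor for the first block

def block_hash(block):
    """SHA-256 over the block's contents, including its predecessor's hash."""
    body = {k: block[k] for k in ("index", "prev_hash", "data", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine(index, prev_hash, data):
    """Proof-of-work: search for a nonce that gives the hash the required prefix."""
    block = {"index": index, "prev_hash": prev_hash, "data": data, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, record in enumerate(records):
        chain.append(mine(i, prev, record))
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain):
    """Audit the ledger: index of the first inconsistent block, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if (block["prev_hash"] != prev or block["hash"] != digest
                or not digest.startswith("0" * DIFFICULTY)):
            return i
        prev = digest
    return None

def select_chain(candidates):
    """Longest-chain rule: keep the longest candidate that passes the audit."""
    valid = [c for c in candidates if first_invalid(c) is None]
    return max(valid, key=len) if valid else None

if __name__ == "__main__":
    # Constructed sample records, not real transactions.
    ledger = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    edited = [dict(b) for b in ledger]
    edited[1]["data"] = "bob pays mallory 2"       # record altered in place
    print(first_invalid(ledger), first_invalid(edited))
    remined = [dict(b) for b in ledger]
    remined[1] = mine(1, ledger[0]["hash"], "bob pays mallory 2")
    print(first_invalid(remined))                  # block 2 no longer links back
    print(select_chain([ledger[:2], edited, ledger]) == ledger)
```

Redoing the proof-of-work for the altered block alone does not hide the change, because the next block still records the old hash; every later block would have to be redone as well.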
Transforming transactions
Blockchain-enabled contracts could eliminate much of the transactional work of lawyers and financial services firms. The application of blockchain technology could improve everything from the digital rights management functions around digital movies, music, and books to authentication of digital signatures.
The application of blockchain technology could also enable authentication tight enough to protect home security systems from being hacked; let self-driving cars trade data, allowing them to pass one another without crashing; or help Internet of Things (IoT) devices communicate securely and reliably with service providers, manufacturers, or one another, according to a 2015 Scientific American analysis.
That paper predicts that blockchain technology will come into common use in areas far beyond the cryptocurrency and financial services markets, in which it has become a primary disruptive influence. "We believe the blockchain is the foundation of the next generation of the Internet," Tapscott told HPE Business Insights. And the change has begun.
"We saw a lot of early adopters in 2013; in 2014, leading-edge financial services companies had jumped on board. By the end of 2015, all the major banks had announced support. 2016, we expect, will be the year of the enterprise, when blockchain goes mainstream outside of financial services," Tapscott said. "Already, PWC, HPE, and a lot of other companies have begun looking at it as a solution to non-obvious problems—data liquidity, storage, and other architectural issues affecting enterprises."
The challenges of blockchain
That's not to say blockchain doesn't have its problems. Irrevocably linking the identity of one party in a transaction to records in a publicly accessible distributed ledger, for example, raises serious privacy concerns, according to a 2016 report from Deloitte. The findings go into great depth on the workings of blockchain networks, authentication methods, and use cases.
Blockchain isn't a perfect fit for enterprise architectures, either, the report said. The network as a whole makes transactions more efficient by eliminating centralized processing, but individual nodes perform the same tasks as every other node. That duplication of effort raises questions about the potential for blockchain applications to be built to operate at large scale, and also takes control over assets secured using distributed ledgers out of the hands of a central authority, according to analysis by British law firm Taylor Wessing. A single Bitcoin transaction costs about $6.00 in hardware and electricity, for example, and takes approximately 10 minutes to achieve consensus approval of a transaction, testers for Deloitte and Touche LLP told CSO in April.
Using distributed ledgers as security between organizations might make sense, but could also be overkill for some. Transactions that remain internal to one organization, or are private exchanges between two organizations, may do better with traditional methods of authentication, according to analysts quoted in CSO. The complexities of an individual company's records-management infrastructure, security requirements, and authentication standards will all have to be resolved and integrated before blockchain can operate comfortably within standard IT infrastructures, even if blockchain's own internal security is flawless, they said.
Door is locked, but who gets the key?
External issues, more than the security and integrity of a single document, are likely to pose greater problems. Using distributed authentication does make it more difficult to hack a particular asset, but gives a standards-setting agency or cryptography vendor far more power over the status and security of digital assets than most hierarchical corporate organizations allow, Taylor Wessing's report said.
There are few known vulnerabilities to blockchain, but a 2015 demonstration by Interpol showing malware subverting the blockchain underlying Bitcoin does raise questions about how unhackable distributed ledgers really are. Employing blockchain as the encryption mechanism used by ransomware to deny the owner access to critical data could make that threat even more severe, the Taylor Wessing report concluded.
Because blockchain makes it possible to build rules describing how data must be handled into the same encrypted container protecting the data, it could make compliance with federal financial reporting regulations faster and more automatic. "Smart contracts" that focus on rules for parties involved in the deal—and aren't flexible or up-to-date enough to satisfy the compliance requirements of each party—on the other hand, could cause trouble for everyone involved, according to experts quoted by TechTarget's Search Compliance.
Interest in the challenges and promise of blockchain prompted the International Organization of Securities Commissions (IOSCO) to look into the implications of the technology at a meeting in early 2016, at which it set some best practices, but said more investigation into regulation and operational practice would be required as blockchain use expands in scope and breadth of application.
Blockchain: Good for enterprise, but use caution
Tapscott says CISOs and other IT and business leaders wondering how blockchain might challenge and improve their organizations should take a strategic look at the technology. "How could this enable you as a CISO or CTO to do things that were previously very difficult to do?" he asks. "Think about what you always wanted to accomplish and couldn't."
Familiarity with the technology will take IT leaders much further than simply researching blockchain in the abstract, he says. "The best way to get started is through personal use. That's a precondition for understanding," he says. "Go get a Bitcoin wallet, trade around for fun, and understand how secure it is."
This post was originally published on Business Insights.