Securing the chain

There is still a misconception that blockchain platforms are inherently secure because the principles of blockchain are founded on cryptography and immutability.

This article was first published by Forbes.com with modifications. I was also the author of that article. Posting on Medium.com because I love the conversation here. Also, my first medium.com post!

It’s no secret now that blockchain is a potential game changer in financial services and many other industries. And you don’t need to look far to find examples of blockchain in use — from cryptocurrency markets in financial services to the supply chain in consumer retailing. Some even see blockchain as a “foundational” technology that, like the Internet, is set to disrupt, enable and change business processing as we know it.

To date, much of the frenzy around blockchain — which, for the purposes of this article, includes cryptocurrency platforms and Distributed Ledger Technologies (DLT) — has centered on its vast, transformative potential across entire industries. Organizations have focused squarely on “how” they can use blockchain for business. Yet, as the technology becomes more widely used and as cyber threats rapidly grow in number and sophistication, cryptocurrency and blockchain businesses should also be asking, “Is blockchain secure and resilient enough?”

Simply put, it can be, but not right out of the box. There is still a misconception that blockchain platforms are inherently secure because the principles of blockchain are founded on cryptography and immutability. It is not, and even a small oversight can have a significant impact.

By analyzing lessons learned from recent examples of incidents and by recasting decades of security and risk management experience, organizations can be better equipped to implement secure and resilient solutions around blockchain and cryptocurrencies. And while an understanding of prior pitfalls and challenges is helpful, a comprehensive framework is also required to identify and respond to security threats and risks — more on this below.

What could go wrong?

In June 2016, $50 million in assets were stolen from a venture capital fund that used blockchain. A vulnerability in the software allowed funds to be siphoned from people’s accounts before the discrepancy was noticed.

In another incident, hackers breached a Hong Kong-based virtual currency exchange and stole millions of dollars in Bitcoin from customer accounts. The breach happened despite a number of security measures that were taken to prevent such attacks.

More recently, $9 million of cryptocurrency was stolen from another Initial Coin Offering (ICO), now a very popular means of funding which may disrupt the venture capital industry.

And very recently, $0.5b of cryptocurrency was stolen from an exchange in one of the largest cryptocurrency incidents. (A quick google search on Sep 10, 2018 came up with at least 5 other major hacks in just 2018 with multi-million dollar losses)

Add to these examples the fact that a large number of blockchain implementations are a significant departure from the well understood, peer reviewed, decentralized, publicly accessible distributed network that is Bitcoin, the most popular blockchain implementation to date.

All of this illustrates the need for businesses and users to take a more comprehensive view of the threats and risks.

Is blockchain fundamentally flawed?

No, the underlying foundation and architecture is not fundamentally flawed. In the case of the DAO incident particularly, there has been much debate around whether the network should permit the ability to rewrite history through a “hard fork”. On the one hand, those who lost their investment would be very happy, but on the other hand, the rules of the network would have been bent for a particular scenario and would have set a dangerous precedent for the future. Regardless of the solution chosen, the underlying architecture functioned as it was expected to.

Technical aspects of these incidents, including the potential impact on immutability of a blockchain have been widely covered by blockchain blogs and major newspapers. Given the underlying architecture and foundation can still be considered reliable, the focus instead needs to be on how organizations can take a more business centric approach to building blockchain solutions that are secure and resilient.

What are some of the known threats and risks?

Since blockchain is meant to hold value or currency in a digital format, blockchain platforms provide a significantly more attractive attack surface for hackers. A full listing of threats and risks for a platform is a project of it’s own for a later date. Here are some examples below

Cryptographic key theft. The cryptographic private key to a blockchain network is like the key to a bank safe. An attacker could gain access to one of these private keys and make fraudulent transactions, including fund withdrawals.

Consensus overrides. Blockchain networks are powerful because they are meant to use consensus-driven decision making rather than rely on one centralized entity. A large group of attackers could access the platform and create a fake “consensus” among users on a particular transaction that only benefits themselves. Although at the mercy of public networks in many cases, organizations can take useful monitoring and response measures to respond to threats to the consensus model.

Anonymity. Members of a public blockchain can make it very difficult to find those transacting on it, including any malicious attackers.

Poor implementation. Blockchain is still in its infancy, and, as with any emerging technology, lack of rigor can create vulnerabilities in the implementation of solutions, particularly in the software code (e.g., smart contracts, exchange wallets) that services the blockchain.

Blockchain technology and security framework

The underlying foundation and architecture of blockchain have been repeatedly examined by industry participants. These are not fundamentally flawed, but, there are lessons to be learned from known blockchain incidents as well as those from other traditional and emerging technologies to make sure your blockchain solution is secure and resilient. The following framework, with sample practices, can help accomplish this:

Applying the framework

Blockchain is here to stay

Blockchain is here to stay. But, with the increasingly attractive attack surface that blockchain platforms offer, security and resilience will become primary to driving adoption and even steer use cases in the future.

See also KPMG’s report more examples of blockchain security practices. Thank you to the KPMG Crypto and Blockchain teams for the thought leadership you bring to clients every day. Special thanks also to the Crypto and Blockchain communities for encouraging to write, share and learn by getting feedback.