A2/AD for Everybody: Crypto-Based Cyber-Resilience

Why blockchain technologies can create the most effective cyber-security mechanisms

At the end of the second decade of the 21st century, the annual cost of cyberattacks has reached trillions of US dollars. Expenditures on cybersecurity are measured in the hundreds of billions of US dollars per year. It is a lucrative market. But the situation continues to worsen. Current approaches are ineffective and bound to fail unless we apply principles and use tools from blockchain technologies.

Until then, more and more businesses, cities, hospitals, utilities, and government agencies will remain under siege. As they experience ransomware, data theft, and compromised control systems, cybersecurity becomes a dominating theme for corporations, political entities, the military. This directly or indirectly affects even us as individuals.

Emerging technologies and our own behavior aggravate the situation. We are adding billions of new devices and sensors with negligible or non-existing security. And we install apps and use services that often explicitly trade access to personal and business data for them being offered for “free.” This opens back and front doors for phishing, theft, and manipulation.

Bad? It has barely begun!

But it has barely begun. As we connect everything, computing and data storage capabilities keep expanding one million-fold within the next couple of decades and accelerate communication speeds thousands of times via 5G and beyond. These exponential developments are additive. They mean that the numbers and the severity of cyber-attacks will likely grow exponentially, also.

Traditional solutions center on more tools, education, trying to close every hole, secure each endpoint, and surveil and control the actions of every person. They use artificial intelligence, public-private information sharing, and strengthen prosecutorial capabilities and powers. But this is an uphill battle that hardly can be won. We have pursued such approaches for decades, and the situation is getting worse and not better.

Even if that were not so, the sheer numbers and complexity of the challenge require traditional defenses to use extensive centralized surveillance and delegate defensive mechanisms to autonomous controls by artificial intelligence (AI).

Traditional cyber-defenses are unlikely to succeed in a fully digitized complex environment involving tens and hundreds of billions of devices and “liquid” borders.

The result would be one single globally connected vast and complex system subjected to total surveillance and controlled by autonomous AI agents, to thwart off attacks that also use AI to find a weakness in any one of the myriads of devices. Such defenses subjugate individuals to totalitarian-style surveillance and remove human controls. And still, they are highly unlikely to succeed in a dynamic and complex environment.

The nature of cyberdefense needs to adjust, on a systemic level. We need to change our basic strategies and reverse the economic ground rules.

Systemic Answers: Cyber-Resilience

Effective cybersecurity strategies in an increasingly complex environment must re-design digital infrastructure, decentralize it, and harden defenses of its individual components. This builds resilience and organizational adaptability. It establishes Anti-Access/Area-Denial (A2/AD) capabilities for data, communications, and control systems while balancing privacy, anonymity, and transparency.

Tactics must leverage key elements of blockchain and crypto-technologies to leverage these fields’ practical experience in establishing adaptive, self-organizing, and responsive networks in trustless environments. They use peer-to-peer (P2P), (pseudo-) anonymity, (pseudo-) transparency, encryption, and distributed security facilitated and enforced by crypto-economics.

A smart implementation of the above generates a long list of benefits. Crypto-based cybersecurity can establish systemic advantages and turn around the economics from overwhelmingly favoring attackers to vastly disadvantaging them. Economics can make the current free-for-all cyberattacks unsustainable. We can achieve this without centralized control and mass surveillance, at relatively low cost. Transparency and distributed security can keep and, in many ways, even strengthen internal controls and law enforcement capabilities.

They enable us to protect corporate systems, institute a more effective and privacy-enhanced Internet platform and a secure mechanism for the Internet of Things (IoT). Even as organizational models for businesses and communities change in a completely digitized world, this shelters humans and builds trust in the integrity and functioning of institutions.

Organism-Like Adaptability: A2/AD for Devices, Data, and Humans

Complex systems distribute power in a non-linear fashion. Cause and effect are not clearly attributable and become mathematically impossible to calculate. Linearity, hierarchy, and rigidity become the enemy of success. Effective cyber-defenses must therefore neither rely on rigid hierarchies nor try to micro-manage and control uncountable numbers of individual devices.

They secure networks by distributing power and control across many nodes, connecting these to eliminate single points of failure, and letting them self-organize operations and security via effective consensus rules. This creates an organism-like adaptability to the actions of other actors, including people and devices. We can see comparable resilience in action when we throw a baseball at a net rather than a glass pane.

On the level of IoT, it has become a platitude to say that security needs to be baked into devices. To achieve that requires to tackle and secure the way in which devices do what they are designed for: collect, store, process, and communicate data. Such an approach must establish a layer of distributed consensus-based control, at a minimum over shared infrastructure and if possible, also covering individually owned sub-components, i.e. personal devices.

It means A2/AD for each and every one of us. Distributed self-organizing networks systemically protect the state of devices and encrypted data. It focuses on defense, securing our data, our transactions, and our control systems from anybody, including centralized controls or on the level of a society even from police powers.

Cyber-A2/AD breaks up data and infrastructure into smaller units and elements that are individually protected via distributed consensus and access mechanisms. This reduces attack surfaces and limits potential gains for attackers.

Blockchains excel in CIA and deliver CIAC

The traditional approach to crypto-security considers the “CIA” security triad of confidentiality, integrity, and availability of data. Almost by definition, blockchain technologies can achieve this better than other solutions.

Blockchain technologies deliver data confidentiality, because they operate in what often is called a “trustless” environment. Details about nodes or peers do not need to be known. Rather, their behavior matters, having to follow mathematical and transparent rules. The major public blockchains have built-in pseudo-anonymity. This inherently is more confidential than sharing all identifiable information with one single bank, hospital, or the government as intermediaries. We can apply the same concept to networks of devices on the IoT and to corporate information technology (IT) infrastructure.

Blockchain technologies ensure integrity, because the immutability of the blockchain and its transparency protects facts. They immediately recognize changes to states or data and react via consensus mechanisms. An attacker can only overcome the structural integrity built into a blockchain by compromising a sufficient majority of nodes. Even then, changing the historical state requires tremendous computing power and time while being immediately recognizable. This is the opposite of traditional IT environments, where the stealthy compromising of one single “node” can result in total control of a network and the theft of all its data.

Defense!

Blockchain technologies guarantee data and system availability. Blockchains, particularly large public blockchains, have 100% up-time and can be accessed anytime from anywhere.

In a time of near-complete surveillance, big data, and artificial intelligence, though, traditional CIA is not enough anymore. Today, it also must consider the control layer and algorithms that analyze, evaluate and filter massive amounts of data, and then present the results to humans for attention or decision-making. The triad becomes a “C2IA” quad: confidentiality, control, integrity, and availability of data.

The term “control” does not put any individual person, role, or device in charge. Rather, blockchain’s decentralized and distributed governance eliminates single points of control, access — and therefore also attacks. Traditional systems control centrally, creating single points of attack and ever-sweeter honeypots.

The Blockchain and Crypto-Tech Cyber-Resilience Toolset

Our crypto-tech toolset has five key capabilities. They align well with the strategic requirements for a cyber-resilient system. Blockchains use:

1. Peer-to-Peer (P2P) transactions built around devices while centered on humans.
2. Pseudo-Anonymity as an insulating layer that abstracts the levels of transactions from details of the actors. We do not need to know specifics about people or the devices they are using. What counts is whether they follow the rules, which cryptographic tools can enforce and verify.
3. Blockchain-based distributed ledgers that can immutably store transaction records and provide transparency when needed (therefore: pseudo-transparency). We can conduct forensic analyses, and we can trace and verify transactions and states as required.
4. Encryption of communication and data in transit, at rest, and during access, as well as to ensure the integrity of the chain. Advanced concepts like S4 (Shamir’s Secret Sharing Scheme), PRE (proxy re-encryption), and FHE (fully homomorphic encryption) can protect data and establish group-governed distributed access mechanisms to data and control systems.
5. Crypto-economics with logically controlled group consensus and threshold mechanisms, and token-based economics to secure self-organizing networks while keeping them working efficiently.

Using the above toolset can result in genuine resilience on a systemic level. New models of shared security and distributed and localized infrastructure mimic the self-organizing (“organic”) adaptability found in nature. Two aspects are particularly promising, even more so when combined.

The breaking up of centralized infrastructure networks into overlapping functional and localized networks (e.g., electrical micro-grids instead of national grids, or specialized IoT device networks) makes it more difficult to harm critical infrastructure of society as a whole. And cryptographically-secured and threshold-based access controls that leverage distributed consensus mechanisms, combined with distributed and decentralized data storage, eliminate single points of failure on a technical level.

Cyber-Security Beyond Traditional Environments

Distributed security goes beyond protecting traditional IT environments. In the middle of the 21st century, clear delineations are not possible anymore. Organizations are fluid. They cross borders, and the humans making them up constantly move. Attacks often use and exploit data and behavioral patterns observed and recorded through near-total surveillance and sharing via voluntarily installed trojans (or spyware) only thinly disguised as chat (WhatsApp, Messenger), social media (Facebook, Instagram), and other applications (Google, games).

“It’s a fact that the Internet companies know more about [us] than any intelligence agency ever could or should know. […] [This is] truly dangerous and a major threat to democracy.”

Sir David Ormand (former Director GCHQ)

The ”environments“ to be protected can then be defined as the entirety of devices and data that individual humans, or groups of people, interact with. Conceptually, it does not matter much whether this is in the service of individuals or of social groupings, including corporations.

For corporations, traditional environments consist of servers, personal computers and other end points. Their employees and contractors also use other devices, personally (phone, computer, wearables), shared in households (TVs, smart assistants, kitchen equipment, cameras, door locks, cars), procured to provide services (labs, doctors, dentists, governments), and shared as part of smart infrastructure (autonomous driving, utilities).

Many of these devices “follow” a person through their daily lives. They sense and automatically collect data, generate data on our behalf, or interact as control systems with linked or ad-hoc connected external sensors to perform actions on our behalf.

All need to be considered. Boundaries break down between corporate IT, the IoT, households, personal devices, and public infrastructure. Centralized controls cannot protect us with the liquid complexities and high numbers involved. It is time for cybersecurity to learn from blockchains and crypto-technologies.