Will blockchain be the saviour of cybersecurity?
24 July 2017 |
Have you heard of BlockChain? Do you really understand what it means? I understood what it meant in theory but have to say it was a bit foggy when it came to practical applications of blockchain. It does take a few mental leaps to understand the full extent of it but bear with us while we explain...
The first thing to know about BlockChain is that it is a distributed technology. Imagine an excel sheet that everyone has a copy of and a master sheet that everyone can update. Everytime the master sheet is updated, it tallies with the records the local version has and if found to not match. alarm bells go off. So, in effect, a daisy chain of small parcels of information that get recorded and sealed but can be opened up in case of conflict or to reiterate facts.
Joe Pinder, Director of Product Strategy, CTO office, Gemalto thinks, quite interestingly, that BlockChain came around to solve the problem of trust. "Fundamental question on its creation is- what is the problem that BlockChain is trying to solve? And the answer is that it is trying to solve the problem of transacting with someone I don't trust. In the past, trusted intermediaries, security certificates etc were used but those solutions have not been found to be water-tight. BlockChain answers questions differently and rather than going to a single authority, it looks at the consensus; it looks at the collective picture of what the world is.
"The next question once you understand blockchain is to ask: would it be easier to create a centralised system where it is a question of putting all the eggs in one basket and then guarding the keys. But that approach doesn't work in IoT and supply chain management. If and when you think of cyber security tools, you have accountability, audit-ability and the ability to put an overlay on solutions that come through, encryption then does a good job but when applied to blockchain, you quickly realise that the current cyber security template doesn't evoke confidentiality.
"The main deliverables from deploying blockchain can be condensed to some specific functions. Integrity and distribution potential are some of the main factors. Every box in the chain is signed and available across the entire network so information is not just available but also believable. By also bringing in a high level of accountability and audit-ability- so it is know who is signing the blocks (audit) and based on the way it works, it is solving 4 of 5 cybersecurity problems! In fact, its credentials are so strong that it can be used to apply and fix DDoS attacks!"
BlockChain has a huge impact in, firstly, how finance and payment services can inherently evoke trust in actors as well as in supply chain management and IoT. In supply chain, it is all about the physical and there are two values that blockchain provides. First is provenance, so there is an easy answer to the 'where did item came from? Health tech businesses are already enamoured with blockchain and a business that creates and supplies replacement knees is seeing rich returns. They are trying to make sure that just before the doctor puts the artificial knee in, the business is sure that the product going in is one from them and not a cheap alternative. This is where blockchain truly shines. Think of it in terms of a supply chain: the knee comes off the production line, handed over to a shipping agent who then gives it to a global shipping agent from where it gets sent through to a reseller and then ends up with a distributor. If you have a centralised model, there will be disagreements and there can be vested interest in manipulating data but if you have blockchain in place, no-one will be able to manipulate the data. It just lends itself to strong accountability, exactly what bigger players in the supply chain market are looking for.
Second value that comes with blockchain is accountability.
It is in the world of IoT and automotive that you see how it leads to heightened sense of accountability in all involved. Bosch is a partner in trusted IoT alliance and they have identified that in 2nd hand cars, it can help sort the problem of odometer fixing. They have created a system where periodically they record distance so prospective 2nd hand car buyers can verify that the distance is correct. It can also simplify the car rental market so a rental business can provide access to use a car for a certain amount of time that you have paid for . So cars can access data and insurance companies can access it too to hedge liability. Within a few years, we can also see scenarios where rental cars can shut down once the rental period is over.
Will Quantum computing lead to the demise of cybersecurity as we know it?
The idea behind quantum computing rendering cyber security, as we know it, obsolete is both scary and exciting. Again, the gist is that at some point in the future, when we create a quantum computer that we have know how to do theoretically since the 1970s and once the theoreticall/practical bias is dealt with, you will have the ability to ask a question (what is the key to this encrypted key) and the answer will fall out of the problem. However, when you think of RSA and securing the confidentiality of data, then it creates a big problem for the whole security community. However, someone is going to make it soon!
"When it comes back to blockchain, I would like to remind you that we talked about 4/5 of principals of cyber security being tackled by blockchain. The 5th element is not a natural fit into that environment because it is all to do with confidentiality.
"Quantum computing is also, all about confidentiality and ability to decode secret messages. When we dig deeper into how blockchain uses cryptography, it is mainly about hashing functions and one-way signatures that prove that the data hasn't changed. Now, when you take that and apply it to a quantum computing background, you find that it doesn't work well in those particular environments, in practical even with a quantum computing to implement is difficult. Often people lump both together because it is easy to dismiss both as never never land tech and that's what it is about.
"So I would 100 times bet on blockchain over quantum computing. The latter is fascinating from a pure physics perspective but the question of practical implementation hasn't yet been answered by people and it may be 5 or 25 years arriving so until then it is science fiction. As we apply it to IoT and cyber security, I would take a robust solution today over a not-yet-practical one tomorrow.
Cybersecurity application: could blockchain stop malware etc?
In an environment when you have webcams or video recorders that are connected to a network, normally speaking they connect to a video server. But when under attack, they attach to a different location. This act is by itself anomalous. It shows the characteristics and signs that it is attacking other cameras to get a broader foothold in the network. But the assertion that it is acting out of the norm comes from your ability to know what is normal. When you have many cams, it becomes a distributed network and a smart test will have the opportunity to say: as the blockchain what it is doing. So before it crosses the internet even, you can start taking security counter measures and push it right out to the network edge.
As for DDoS attacks, the core concept of DDoS attacks is to saturate a internet IP. Now, superimpose a blockchain environment on top of it - from an availability perspective, it will be more resilient to such attacks. Many different nodes can shunt traffic around and ultimately out of the system.
The argument against blockchain...
Andy Herrington, Head of Cyber Professional Services at Fujitsu says: “It is important to understand that no software or piece of technology is absolutely immune to issues and blockchain is still an emerging, albeit important and dynamic technology with new innovations emerging rapidly. For blockchain, one of the key problems is its dependence on new programming code which makes it difficult to identify flaws before they’ve been exploited. In addition, much investment has been made in meeting current regulatory and compliance frameworks based upon more traditional ‘ledger’ methods."
While this is interesting by itself, others think that the march of quantum computing is the resource worth investing in. Jeremy Swinfen-Green, Head of training at TEISS felt that while blockchain technologies currently offer some very interesting uses in cyber security, those uses may be short lived. The advent of commercially viable quantum computing, which may well be closer than many people think, could blow holes in the encryption used by blockchains. That could spell the end for Bitcoin for instance. "The problems caused to the global financial industry by quantum computing would be far more significant than the demise of blockchain because many of the encryption systems currently used by banks would no longer be viable."
And what else can blockchain be applied to?
Luke Turvey, Security Consultant for Pen Test Partners thinks the real use of blockchain is actually in making the vastly insecure world of IoT more secure: "IoT devices are notoriously insecure and can provide an easy stepping point onto the network, however, blockchain could be used to secure the subnets that numerous IoT devices will populate.
"A typical scenario will see IoT devices like smart lightbulbs, remote access blinds, kettles and toasters deployed in a business environment. These will be administered by an IoT controller that creates a sub-network of IoT gear. Each of these IoT devices will have a private key with their public key set into the Blockchain. The IoT controller will constantly query the Blockchain for which IoT devices should be on the network. If a rogue attacker gets into the IoT network via Wi-Fi or an Ethernet port, they would not be able to access these devices. Why? Because the attacker’s machine will not have a public/private key pair in the Blockchain, therefore the IoT controller would block the connection from the attacker’s computer.
"With more thinking, the IoT devices could actually be the miners and this would require a lot less resource to run the Blockchain network. Miners are the security of the Blockchain and each miner has a copy of the ledger which is forever being updated with every transaction. Security comes from the amount of users on the network able to provide this ledger. For an attacker to circumvent the Blockchain security here, they’d have to compromise 51% of the miner nodes or add enough nodes to the mining network in order to add the attacker computer key into the Blockchain.
The principles of blockchain are being explored by British startup Object Tech which has just signed an agreement with the Dubai government to launch the world’s first ‘biometric border’.
The pilot project allows passengers travelling to Dubai to step off the plane and walk straight to baggage reclaim – without having to stop at passport control. Instead, passengers will walk through a short tunnel in which a three dimensional scan of a person’s face is able to instantly check them into the country from an entirely digital passport.
The biometric border system creates an entirely digital passport for each individual, with the passport holding data currently stored on chips in existing e-passports. However, the digital passport will also be able to include other data sets like fingerprints, iris scans and facial recognition data. The end product, a result of advances in LIDAR technology, is a system able to recognise passengers in record times without them even needing to stop walking.
Ultimately, truly understanding BlockChain requires taking a mental leap but it is important to remember that it is all about infrastructure solution that solves problems.