How secure is blockchain?

Depending on who you listen to, blockchain technology is going to be the source of a new, more secure Internet (IPFS as a replacement for http), revolutionise the banking industry (secure identity communication and smart contracts, drastically reducing the need for intermediaries and back office function), create guaranteed ledgers of property, or is overhyped and actually has a number of serious flaws before it can do any of the above. Although the building blocks of blockchain technology have been around for many years, application of those building blocks into blockchain technology and then building application layers on top of that technology is still in its early days. It may ultimately achieve all, or none, of the above.

March 2016

One area which has attracted more limited commentary, at least in comparison to projects such as Ethereum, Everledger and the potential for revolutionising asset ownership ledgers, is cybersecurity. This is now starting to change, although it is still difficult to see how far the technology will ultimately go to changing this area. Cybersecurity remains, if not an intractable problem for business, a very difficult one. Businesses and governments are spending ever more on cybersecurity, but are still playing catch-up and some would say are struggling not to fall even further behind their attackers.

There are a number of applications of blockchain technology which make it of particular interest to the information security world. Intelligent, well-crafted phishing attacks are still one of the most successful routes for attackers to get into an organisation's IT infrastructure. A significant number of such attacks use emails which look as though they come from a trusted source, but in fact don't. Identity verification and management is, therefore, of significant interest, and there are now a number of companies which seek to use elements of blockchain technology to allow users to create tamper-proof digital identities. This has the potential to significantly reduce the effectiveness of phishing attacks. Of course, it doesn't prevent an attacker from accessing a third party whose information security may not be as good as yours, and using their email address to send emails from that 'tamper-proof' identity, so it would only be solving part of the problem.

The data management chain for most businesses is now highly complex. Rarely do organisations hold all of their own data without outsourcing or sub-contracting some part of the management or processing of that data. While this may bring business efficiencies, it also gives the IT security team an additional headache as it tries to ensure that data remains secure in the hands of those third parties. This is particularly an issue in the financial sector where regulators typically impose stringent security standards in relation to IT outsourcing, and for businesses which are data controllers of personal data. The General Data Protection Regulation will bring these obligations into even starker focus when it comes into force in early 2018, as fines for data breaches will then be millions or tens of millions of Euros.


This makes projects like Enigma, developed at MIT, of particular interest. Enigma is based on blockchain technology and is designed to be a "decentralised computation platform with guaranteed privacy". According to the Enigma white paper, it is a peer to peer network enabling different parties to jointly store and run computations on data while keeping the data itself completely private, using an optimised version of secure, multi-party computation. An external blockchain is used as the controller of the network, managing access control, identities, and acting as a tamper-proof log of events. The potential benefits of this type of technology are substantial; organisations can potentially outsource processing of data on an entirely private basis, thereby eliminating (or at least substantially decreasing) a number of the risks associated with the data management chain.

The tamper-proof properties of blockchain are also of interest. Another key element of information security is the integrity of data, and there have already been a number of cyberattacks where the attackers have not deleted data, or even necessarily stolen it, but have altered data within an organisation's systems, with perhaps the most famous example being the Stuxnet malware which caused very substantial physical damage to Iran's nuclear programme. The potential applications are obvious; altering data in a rival's research programme; amending financial records; amending health data and holding an organisation to ransom so that the correct original data is only returned if the ransom is paid, to name but a few. Data can also be vulnerable to an insider within an organisation seeking to commit fraud or to hide errors. The fact that blockchain technology can be used to verify data and create an unalterable record within a ledger, and, consequently, substantially limit these risks, will be of significant interest to many businesses. It does, however, need to be balanced with the fact that often a business needs to amend data for entirely legitimate purposes (and indeed is sometimes legally obliged to do so). Its use is, therefore, likely to be restricted to certain types of data which need to be immutable.
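The integrity property described above can be illustrated with a simplified, single-machine hash chain. This is an added example, not code from the article or from any blockchain project, and all function names and sample records are assumptions made for illustration. It shows an in-place alteration being detected, a legitimate amendment recorded as an appended correction, and why a copy of the latest hash must be held outside the system.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first entry

def entry_hash(prev_hash, payload):
    # Bind each record to its predecessor's hash.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(ledger, payload):
    # Records are only ever appended, never edited in place.
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev_hash, "payload": payload,
                   "hash": entry_hash(prev_hash, payload)})
    return ledger[-1]["hash"]

def verify(ledger, anchored_head=None):
    # Returns (ok, index of first inconsistent entry or None).
    # anchored_head is a copy of the latest hash held outside the system.
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        if (entry["prev"] != prev_hash
                or entry["hash"] != entry_hash(prev_hash, entry["payload"])):
            return False, i
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, None  # internally consistent, but not the anchored chain
    return True, None

def current_value(ledger, record_id):
    # A legitimate amendment is a later entry for the same id; the latest wins.
    matches = [e["payload"]["value"] for e in ledger if e["payload"]["id"] == record_id]
    return matches[-1] if matches else None

def demo():
    ledger = []  # constructed sample records
    append(ledger, {"id": "inv-1", "value": 100})
    append(ledger, {"id": "inv-2", "value": 250})
    head = append(ledger, {"id": "inv-1", "value": 120})  # appended correction
    amended = current_value(ledger, "inv-1")
    ledger[1]["payload"]["value"] = 999  # in-place alteration of a stored record
    edited = verify(ledger)
    prev = GENESIS
    for e in ledger:  # someone with full write access recomputes every hash
        e["prev"], e["hash"] = prev, entry_hash(prev, e["payload"])
        prev = e["hash"]
    return amended, edited, verify(ledger), verify(ledger, anchored_head=head)
```

The last two results differ: a chain rewritten end to end passes its own internal check, and only the comparison against the externally held head exposes it, which is the role that replication across many participants plays in a blockchain.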

While a decentralised approach clearly has some advantages from a security perspective, it does not remove entirely the possibility of data being altered. At the Black Hat Asia conference in March 2015, Interpol demonstrated a proof of concept of software which could become malware which allowed, in effect, the subversion of the blockchain underlying Bitcoin. This uses the ability to introduce data unrelated to transactions into the blockchain. Researchers from the University of Newcastle have also introduced a botnet command and control mechanism to send messages to bots on the Bitcoin network. These are early demonstrations of potential vulnerabilities, and the extent to which they can impact on an entire blockchain is not yet clear. What they do demonstrate, however, is that while blockchain technology may provide new ways of enhancing information security, those improvements will be another tool in a business' armoury rather than providing a solution to the problem.

Paul Glass

Paul looks at the impact of blockchain on cybersecurity.
