Since Satoshi's Bitcoin whitepaper ten years ago, and the release of the 'Blockchain 2.0' platform Ethereum three years ago, Blockchain development and enterprise applications have accelerated exponentially. The promise of Blockchain's disruption, with a potential for businesses to realize an additional $176 billion in value from Blockchain innovation by 2025, growing to more than $3.1 trillion by 2030, is fascinating.
For features and advantages of DLT (Distributed Ledger Technology) such as Blockchain, please read my previous article.
Blockchain technology will likely revolutionize the way we live and work. It has the potential to give us greater control over our healthcare and well-being and to provide greater insight into the origins and quality of the food we eat and the products we buy. Financial transactions will execute faster and be simultaneously more transparent and private, and business will be conducted with greater efficiency and less risk.
There are, however, criteria to highlight for companies aiming to improve efficiency and security in business value chains, and Blockchain is not the solution for everything!
Cybersecurity in general is becoming increasingly complex, and with Blockchain being one potential 'stack' of the IT infrastructure, it is important to understand its level of implementation and security advantages.
Although Blockchain technology has proven to be highly tamper-resistant, security challenges remain critical, primarily potential vulnerabilities within Blockchain applications (Dapps), platforms, marketplaces, exchanges, wallets, hardware interfaces and API layers. These applications are often centralised in nature and only partially built in a distributed or decentralised manner as one component of the new IT stack, hence they can be attacked like legacy applications connected to the internet. These 'ENDPOINT VULNERABILITIES' and 'ECOSYSTEM / THIRD-PARTY' risks remain until security is baked into the entire architecture.
Security measures should be implemented at each layer with a risk-based approach. This will build up the cyber resilience of the platform against attacks from foreseeable vectors.
Cybersecurity Challenges in Relation to DLT:
Key Management
Private keys are the direct means of authorizing activities from an account; if they are accessed by an adversary, any wallets or assets secured by these keys are compromised. The methodology of attacks seeking to gain unauthorized access to a system via stolen credentials remains fundamentally the same in traditional IT security and within the Blockchain system: try to capture information, phish, plant malware and/or use social engineering to steal the private keys from the user's machine. An attacker who obtained encryption keys to a dataset would be able to read the underlying data.
Unlike in traditional systems, where a server administrator was capable of tracking attempts to break into a customer or user account, malicious users can keep trying limitlessly to decrypt or reproduce a private key out of encrypted data from a given ledger. With Blockchain, there is no way of knowing this is happening until after the hacker has succeeded.
The best example is wallet management. It represents the process and technology with which wallet software operates on the keys assigned to it. The wallet software needs to protect the keys from being accessed without authorization, both while stored and while in use by the software.
Cryptography
Most Blockchain implementations rely on cryptographically generated public and private keys to operate. Usually, the user generates the private and public keys using software, such as the Blockchain client software or other available software. It has already been shown that some programs generate keys that have been identified to be weak.
Quantum computing can also threaten the premise of asymmetric cryptography. Though it does not represent an immediate threat, it should certainly be taken into consideration for a future-proof solution.
Privacy
In a permissionless ledger, all counterparties are able to download the ledger, which implies that they might be able to explore the entire history of transactions, including those to which they were not a party. The “right to be forgotten”, where information needs to be removed from a ledger, is challenging to implement. Usually, many counterparties have the data from the ledger, and it would be difficult to prove that all data has been deleted. There is even a possibility that a smart contract might leak information on what is being processed.
Code review
The revision of protocols, methods, and codebase of popular implementations of distributed ledgers leaves the possibility that fraudulent code is implemented from the very start.
Smart contracts are essentially programs that run on the distributed ledger. They are prone to any faults associated with code. As with any software, the more complex a smart contract is, the more prone to software errors it will be.
Consensus hijack
In decentralized, permissionless networks, where consensus is formed through majority, taking control of a large enough portion of participating clients (51% Attack) could allow an attacker to tamper with the validation process, to process certain transactions, to re-use an asset which has already been spent, or to validate transactions and direct the flow of transactions in the ledger.
Interoperability
Using different distributed ledgers will very likely bring the need for data sharing between them. Exchanging data will require translation of formats and protocols, which is currently at a very early stage.
Anti-fraud and Anti-Money Laundering Tools
The lack of tools to combat illegal activity such as money laundering makes it currently impossible to block these types of transactions in advance. The decentralized chain design also means that it is not possible to simply revert previous actions.
The use of a distributed ledger implies that data is shared between all counterparties on the network. On one side, this could potentially have a negative impact on confidentiality; on the other, it has a positive impact on availability, with many nodes participating in the Blockchain, making it more robust and resilient.
Sources: European Union Agency for Network and Information Security (ENISA), Accenture, Gartner, IWS FinTech
#IWSFinTech consults on and develops disruptive technologies such as FinTech or Blockchain (project management/product). IWS FinTech focuses on next-generation technologies that will impact lives in the next decade.
We partner with the world’s leading corporates to support start-ups / SMEs through co-development and co-creation. At the same time, our corporate partners are able to inject new technologies and innovations into their existing businesses.
IWS develops proprietary software products and consults your company or start-up on development through
1) Guidance on corporate structure, equity planning, business model, product-market fit, marketing, branding, finance, legal, pitch deck, valuation, capital raise planning, media training,
2) Mentoring through our network of successful entrepreneurs, industry, finance, and investor relations experts, and
3) Resources such as facilities support, market expansion & landing, business partners, government & academia resources, investor relations, media relations, accounting & legal services, etc.