After years of public attention around Bitcoin, its underlying technology—the blockchain—is taking over the discussion with its potential to address fundamental challenges across a number of industries. Proponents discuss blockchain’s potential to revolutionize currency, contracts, ownership verification, and supply chain provenance. But for all the talk about Bitcoin and other financial use cases, blockchain’s most profound application may lie in cybersecurity.
As sensitive data becomes increasingly available – and vulnerable – through cloud computing, mobile, and the Internet of Things, it is no secret that modern security has failed to keep pace with modern technology. High-profile breaches at the likes of Sony, Anthem, and the U.S. government have cost hundreds of millions of dollars and compromised the critical information of millions.
These losses are only the tip of the iceberg; despite a rise in cybersecurity spending to an expected $86 billion in 2016, the global cost of cyber attacks is predicted to reach $3 trillion by 2020. While organizations have begun to realize these costs, they continue to apply fundamentally flawed endpoint solutions to increasingly nuanced threats.
The problem is a lack of understanding of the nature of information security, historically classified into three distinct components: confidentiality, integrity, and availability. Traditional solutions, such as encryption, firewalls, and access controls, have focused on ensuring data confidentiality and availability, or that information is restricted to authorized individuals and accessible when needed.
Meanwhile, we have largely overlooked integrity – the absence of compromise – which many presumed to be solved with the invention of Public Key Infrastructure (PKI) four decades ago. Created to securely exchange keys across an insecure channel, PKI was co-opted for digital signatures and verification. Yet today’s industrial-scale networks present a number of challenges that render it an archaic solution.
First, data no longer lives in networks with discrete, hardened perimeters. We need to secure not only data transmission but also data storage. Second, complex key management is impossible to scale across millions of endpoints and devices. And finally, PKI relies heavily on trust anchors that can be easily exploited, such as certificates and human administrators.
So where does this leave us?
The blockchain addresses each of these modern security challenges: the need to secure data across its entire lifetime, at scale across all endpoints, and without relying on a third party. At its core, the blockchain is a tamper-proof ledger of digital events, shared and maintained by multiple parties. Records are added – never removed – via “distributed” participant consensus, removing the need to trust any one party.
Blockchain as a trust anchor consists of two key steps: registration and verification of each system component, from firmware to software to event logs. Component manufacturers register each component by cryptographically incorporating a fingerprint of the component into the blockchain, which afterwards can be used to verify the component’s properties.
Anyone with a copy of this blockchain can later use the signature to verify the integrity of any component at any moment – no keys or administrator credentials necessary. This protection-plus-detection approach turns the security paradigm on its head. Currently, the average dwell time before a breach is discovered is 200 days. With blockchain, discovery is instantaneous.
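The registration and verification steps described above can be sketched as a hash-chained ledger. This is an added illustration, not code from the article or from any product; the function names, record layout and sample components are assumptions, and it models a single copy of the ledger without the distributed consensus step.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder predecessor for the first record


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of a component image (firmware, binary, log file)."""
    return hashlib.sha256(data).hexdigest()


def _record_hash(prev: str, name: str, fp: str) -> str:
    body = json.dumps({"prev": prev, "name": name, "fp": fp}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def register(ledger: list, name: str, data: bytes) -> dict:
    """Append a record that binds the fingerprint to the previous record's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    fp = fingerprint(data)
    rec = {"prev": prev, "name": name, "fp": fp, "hash": _record_hash(prev, name, fp)}
    ledger.append(rec)
    return rec


def chain_intact(ledger: list) -> bool:
    """Recompute every link; an edited record, or one removed before the tail, breaks a link."""
    prev = GENESIS
    for rec in ledger:
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["name"], rec["fp"]):
            return False
        prev = rec["hash"]
    return True


def verify(ledger: list, name: str, data: bytes) -> bool:
    """Keyless check: the ledger is consistent and the latest registration matches."""
    if not chain_intact(ledger):
        return False
    matches = [r for r in ledger if r["name"] == name]
    return bool(matches) and matches[-1]["fp"] == fingerprint(data)


# Constructed sample components, registered at "manufacture" time
ledger = []
firmware = b"plc-firmware v1.0 (constructed sample image)"
register(ledger, "plc-firmware", firmware)
register(ledger, "event-log-001", b"boot ok\nlogin admin\n")
```

A single copy cannot tell that records were dropped from the end of the chain; detecting that requires comparing the latest record hash against copies held by other parties, which is the role of the shared ledger.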
One particular area in which blockchain has a profound impact is military and defense, where mathematical certainty about the state of sensitive networks is critical. Both Director of National Intelligence James Clapper and National Security Agency Director Adm. Michael Rogers have stated that the manipulation of data, not just theft or deletion, is one of the biggest threats to national security.
Consider when the Stuxnet virus severely crippled Iran’s Natanz nuclear facility in 2011, reportedly wiping out one-fifth of Iran’s nuclear centrifuges. The virus worked by manipulating data, first in the computers inside the facility and then in the PLCs that governed the operations of the centrifuges themselves. Because it disguised its operations, no one realized that the centrifuges were malfunctioning until many of them were destroyed.
Natanz was not connected to the Internet, but how much easier is this attack – and how much more severe the consequences – if assets like nuclear facilities, aircraft, or vehicles are connected to the Internet? A military drone, for instance, has dozens of software components, all of which require continuous monitoring. Multiply these components by tens of thousands of drones, and you cannot afford to search for vulnerabilities.
Blockchain’s security applications extend to every other space, from governance to healthcare. Imagine if regulatory bodies had the means to independently verify the activities of the organizations they are tasked to regulate. Or if every modification, access, and deletion of healthcare records could be verified after the fact, without disclosing the records themselves. Or if, as the Internet of Things reaches 6.8 billion connected devices in 2020, we could verify the integrity of each device component, and how they collect and use data.
It would be naive to believe complete protection of today’s highly complex networks is possible. What we can ensure is complete detection, accountability, and auditability. As Bruce Schneier observes, in the history of security, we try and retrofit security after the fact. In the case of integrity, there will only be an outcry when tragedy occurs – once someone dies from a hacked medical device or a car, for instance – and we now have an opportunity to avoid such instances. The promise of the blockchain lies in its implementation as a security technology optimized for preventing integrity attacks. Its realization is only just beginning.