It’s a simple question with a perhaps not so simple answer. One of the problems with the mainstream understanding of blockchain is that it is still synonymous with cryptocurrencies like Bitcoin or Ethereum. In a recent senate hearing which took place on the 11th of October this year, Professor Nouriel Roubini, also known as Dr Doom for his accurate prediction of the 2008 global financial crash, explained how Bitcoin was the “mother of all bubbles” and went on to describe blockchain as “the most over-hyped, useless tech in history”.
We won’t take issue with his assessment of Bitcoin. However, he is tarring blockchain with the cryptocurrency brush. While it is difficult to argue that it’s not overhyped, we can certainly argue with his assertion that it’s a useless technology.
However, its starting point as the enabler for Bitcoin means that the layman’s trust in the technology is lacking. Nevertheless, mainstream tech companies are putting their best minds onto blockchain and its applications. As a result, we are discovering many new use cases for the technology. The starting point may have been cryptocurrency, but the future of blockchain rests in thousands of other applications that require self-regulating, secure ledgers. From monitoring access to secure buildings through to keeping records for bullion delivery companies, blockchain will have an important role to play.
But here’s the thing. Blockchain is a self-regulating ledger that serves to guarantee the authenticity of transactions without the need for a central authority or body to ratify that authenticity. For this to work, people must trust the technology. A major impediment to that trust is the question, “Can the integrity of blockchain be compromised? Or, can blockchain itself be hacked?”
We already know that access to a blockchain can be cheated. If someone’s Bitcoin wallet gets hacked or compromised, the thief can spend the victim’s money, and this will be recorded in and facilitated by the blockchain. However, in such cases, the blockchain itself has not been compromised. In fact, it has done its job. It has recorded a criminal transaction. The e-wallet theft is no different from a pickpocket stealing a physical wallet. The beauty of a blockchain is that it can be developed to make criminals more traceable. Even though the blockchain that underpins Bitcoin offers anonymity to people conducting transactions, that’s just a function of the blockchain itself. With reputable vendors such as IBM and McAfee getting behind blockchain, we can expect accountability and traceability to actually be improved and enhanced going forward.
Back to the key question of whether blockchain can be hacked. The current official answer to that question is, “theoretically it is possible, but so far it has not happened yet”.
Here are some of the theoretical ways that experts believe a blockchain can be breached:
• A 51% Attack, where a single party attempts to take ownership of the majority of nodes in a blockchain so that they can maliciously control transactions.
• A Routing Attack. Blockchains are designed to be distributed, but according to research conducted by ETH Zurich, 60% of all blockchain traffic globally flows through just three ISPs. If criminals could compromise these ISPs (e.g. by bribing the staff) it would be possible to intercept and corrupt network data flowing between major nodes on a blockchain.
• Taking Advantage of Implementation Complexity. Blockchain technology is complex and new. That means it can be prone to error. The maths that is used to create the algorithms that secure the blockchain is sound; however, unless you are a maths professor, you are unlikely to be able to test that for yourself. In effect, we come back to human trust. Do you trust the people that developed the blockchain you are using?
• DDoS. If you know anything about cybersecurity, you will have heard of a DDoS attack. It’s one of the oldest cyber-attack techniques around. It’s simple to instigate, and blockchains are not immune from its effects. Essentially, enormous amounts of network traffic are directed at your network with the aim of bringing it down. Such attacks can be directed at a blockchain network. If successful, the blockchain goes down. While money may not be stolen, transactions stop, and cybercriminals may even demand ransom in return for not targeting you again.
So, while blockchains are secure by design, nothing is impenetrable, and security policy and measures do not disappear with blockchain.
As with all technologies, as they mature it becomes easier to trust them. As trusted technology companies begin developing and integrating these technologies into their own offerings, the risks associated with adopting them go down.
As an example, Kaspersky Lab is a global leader in security that is backing blockchain technology to help make applications even more secure. It would be remiss not to point out that trust in Kaspersky has been questioned by the federal government in the US. However, in this part of the world, a vast number of companies entrust their cybersecurity defences to Kaspersky, and the security vendor’s reputation remains very strong.
Yeo Siang Tion, Kaspersky’s General Manager for Southeast Asia, explained, “Early this year, Kaspersky Lab joined the Enterprise Ethereum Alliance, the world’s largest blockchain initiative. The move will bring a new level of development in blockchain technology-based security solutions. One of the initiatives is Polys, a secure online voting system backed by transparent crypto algorithms. The system makes sure that all transactions are registered, stored and counted in blockchain. Ethereum based, Polys can make sure the network’s participants can verify the accuracy of voting execution.”
The point we draw from this is that if a security company is using blockchain to make systems even more secure, that gives a level of confidence in the veracity of the technology itself.
A company that is already actively offering blockchain-based solutions is IBM. Kevin Khaw is IBM Malaysia’s lead for cloud and blockchain. Kevin was able to succinctly explain the inherent security of blockchain technology. “To secure a blockchain, it’s important to know that blockchain isn’t a database but a network. On a blockchain network, all the members (or nodes) must confirm and agree to participate on this network to make sure that all transactions are valid. Once this consensus is reached, the transactions are recorded permanently, prohibiting users and system administrators from deleting records at any time.”
On top of its decentralised and immutable nature, data on the blockchain is protected by cryptography. Participants hold unique private keys, which produce the digital signatures attached to transactions. The signatures are secure, and any attempt to change an entry without peer approval would invalidate it. If something does go wrong, all members of the network will be notified. The inherent transparency of the blockchain stops immediate issues from becoming bigger problems. Any change or alteration to items in the blockchain must be made at the original source and requires approval from all nodes.
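As an added illustration (not code from IBM or from this article), the Python sketch below builds a small hash-linked ledger and shows the two checks described above: an edited entry fails verification, and a copy whose hashes were recomputed locally still disagrees with the head hash held by the other peers. The function names, peer names and sample entries are assumptions made for the example, and it leaves out signatures and consensus.

```python
import hashlib
import json

def block_hash(index, prev_hash, payload):
    """SHA-256 over a canonical encoding of the block's contents."""
    body = json.dumps([index, prev_hash, payload], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(payloads):
    """Build a ledger where each block commits to the hash of the one before it."""
    chain, prev = [], "0" * 64
    for i, payload in enumerate(payloads):
        h = block_hash(i, prev, payload)
        chain.append({"index": i, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = "0" * 64
    for block in chain:
        expected = block_hash(block["index"], prev, block["payload"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None

def rehash_from(chain, start):
    """Recompute hashes from `start` onward, as someone rewriting a local copy would."""
    prev = chain[start - 1]["hash"] if start else "0" * 64
    for block in chain[start:]:
        block["prev"] = prev
        block["hash"] = prev = block_hash(block["index"], prev, block["payload"])

def peers_disagreeing(candidate, peer_heads):
    """Names of peers whose recorded head hash differs from the candidate's."""
    return sorted(n for n, h in peer_heads.items() if h != candidate[-1]["hash"])

# Constructed sample ledger (hypothetical entries, not real data).
LEDGER = ["door A opened by badge 17", "bullion lot 4 delivered", "door A closed"]

def demo():
    honest = build_chain(LEDGER)
    peer_heads = {"node1": honest[-1]["hash"], "node2": honest[-1]["hash"]}
    edited = [dict(b) for b in honest]
    edited[1]["payload"] = "bullion lot 4 NOT delivered"
    naive = first_invalid(edited)   # the edit alone breaks block 1's hash
    rehash_from(edited, 1)          # local copy is made self-consistent again
    return naive, first_invalid(edited), peers_disagreeing(edited, peer_heads)
```

Calling `demo()` shows why local verification alone is not enough: the rewritten copy passes its own check, and only the comparison against the peers' head hashes exposes it.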
But Kevin also acknowledges that the technology is far from bulletproof, and that security of the entire blockchain ecosystem is not 100% foolproof. “Vulnerabilities in the entire blockchain could potentially emerge from outside the network – at last mile endpoints such as personal computers or mobile devices. The onus is on the user to be responsible and safeguard the access credentials to the blockchain. Private blockchain is just as susceptible to threats, especially from insiders.”
He continued, “A blockchain network is only as secure as its infrastructure. Known vulnerabilities in the infrastructure can be manipulated by those with ill intent within the organisation. Therefore, additional security measures must be taken underneath the blockchain stack to prevent internal and external attacks.”
This view is endorsed by Ian Yip, McAfee’s CTO for the Asia Pacific region. Ian points to the fact that as with almost every other technology we use, the weakest link that cybercriminals tend to target is people. He explains, “In most cases, consumers are the most vulnerable targets. In its Blockchain Threat Report, McAfee has observed how attackers have adapted well-established techniques to target consumers and businesses using blockchain, capitalising on insecure user behaviour to execute phishing or malware-based attacks.”
Listening to what Yip has to say, McAfee is taking a more conservative stance towards blockchain. While they acknowledge the potential of the technology, we would summarise Ian’s views as ‘proceed with caution’. He shed a little light on the practicality and realities of the theoretical breaches we highlighted earlier. “While blockchains have yet to be successfully compromised on a large scale, decisionmakers need to recognise that the same level of security is not extended to applications hosted on the technology. One popular example is cryptocurrency exchanges, which have seen high profile hacks in Japan and South Korea in recent months involving millions, likely driven by soaring cryptocurrency valuations.
“Attacks on smaller blockchains are also not unheard of. For instance, a 51% attack involves an individual or group working to control the majority of a blockchain’s processing power, a move that enables them to tamper with transaction data, leading to the potential for fraud. With this approach, attackers can essentially overwrite smaller blockchains with as little as $500 worth of resources.”
It’s not just the technology companies that are recommending caution here. David Mahdi, a senior director at analyst firm Gartner, offered the following warning, “Myths surrounding blockchain and its built-in security have caused many to underestimate the value of applying basic security protocols to their blockchain.”
David also outlined some high-level best practices for companies that are looking to implement blockchain: “Organisations need to first familiarise themselves with the risks, benefits and limitations of blockchain before they implement it. When choosing a vendor, organisations should be cautious of overoptimistic claims and evaluate the technical security aspects of the blockchain platforms. Once they have identified their vendors and familiarised themselves with all the risks of blockchain, they should consider leveraging a multi-layered blockchain security model to ensure that risks are clear on business and technical levels.”
For David, from a planning perspective, it’s not a matter of “if” – it’s more a matter of “when”. Companies “need to expect that critical security events may occur, and ensure they have preparedness and incident response plans in place to address them during the blockchain lifecycle.”
Even though arguably overhyped, blockchain is an exciting technology. It really can offer a very robust immutable ledger that has even been expanded to track and govern contractual transactions. The technology is here to stay, and the use cases will grow. However, for every blockchain that goes into commercial use, strong security policy will have to be implemented to ensure its ongoing veracity.
McAfee’s Ian Yip encapsulates the current outlook perfectly when he advises, “Unless there is a compelling reason to use an emerging technology such as blockchain, organisations should proceed with caution and take a measured approach that balances the risks introduced with the needs of the business.”
It’s simple advice, but the best advice usually is simple.
Ultimately, blockchain is a technology that stores valuable data, and this fact leads to one other – people will try to hack blockchain.
If you don’t develop a security strategy around your implementation, you may be the one with the dubious honour of being the first recorded high-profile hacked blockchain.