Infosec pros impatiently waiting for viable blockchain solutions want to know: Are we there yet?
If CISOs and security engineers sound like impatient kids in the back seat of the car on a long road trip, it’s not surprising. The decade-long boom in bitcoin and its rival cryptocurrencies has made the underlying technology, blockchain, increasingly attractive to a breach-rattled and besieged cybersecurity community. The attraction: a trusted mechanism for trusted transactions that promises to make traditional attacks on cryptography computationally infeasible.
With the promise of better cyber defense come big budgets, attractive to information security teams struggling in the arms race with online gangsters, state actors and swarms of up-and-coming script kiddies testing their hacking skills. This time, the money is coming from IT or risk budgets and from organizations looking to streamline and secure business-to-business commerce while cutting out pricey third parties who traditionally help make markets, certify deals and validate transactions and contracts.
The result is that there is no single blockchain, but a series of industry-specific, purpose-built e-commerce platforms that build on blockchain basics. The National Institute of Standards and Technology (NIST) Blockchain Technology Overview, published in October, stated that despite variations and technological improvements, “most blockchains use some common core concepts.”
It is too early to know whether the NIST blockchain overview will have the same staying power as the NIST definition of cloud computing, which has been a benchmark for public cloud vendor offerings, contracts and certifications for industry professionals. But the NIST statement is seen by many infosec pros as a key milestone in blockchain acceptance.
“The release of the NIST Blockchain Technology Overview is an indication that blockchain is going to have a significant impact on our economy,” says CISO John Johnson. “All industries are at least investigating how blockchain can add value,” says Johnson, a member of the IEEE Blockchain Initiative. “Blockchain can help reduce supply chain complexity and add visibility and transparency that doesn’t exist today.”
Lisa Kearney, founder and CEO at the Women Cybersecurity Society, agrees that the NIST publication will serve as a green light for many businesses and organizations.
“I believe NIST is trying to educate the industry and business about blockchain – what it is and isn’t,” Kearney says. “They’re attempting to clear the air so people/businesses don’t get sucked into the hype of it all without understanding what it is and its limitations.” The biggest obstacle, she says, is a lack of rules and regulations governing its deployment and usage.
In the absence of such regulatory frameworks, businesses and industry consortia are forging ahead with bespoke blockchains that promise near-term, dramatic advances on secure transactions and blockchain-enabled “smart” contracts.
Amid this flux, the NIST publication will likely serve as a reference point as businesses and organizations evaluate a series of blockchain-based commercial offerings, such as the TradeLens effort by IBM and the shipping giant Maersk. TradeLens offers blockchain as the means to secure transactions between multiple entities in globe-spanning networks of ships, port authorities and governments. By moving those transactions to a public ledger, the essence of blockchain and the virtual currencies that rely upon it, TradeLens is an effort to guarantee an accurate and secure accounting of the flow of goods and funds. The 2017 ransomware attack that paralyzed Maersk’s Electronic Data Interchange (EDI) system would not have been effective against blockchain.
The TradeLens announcement was one of the largest of several industry-specific blockchain efforts with near-term commercial impact. While many are still on the drawing board, more are in the offing.
“There is emerging consensus that blockchain technology is still immature,” says Avivah Litan, vice president and distinguished analyst at Gartner Inc. “However it can revolutionize business and society once the technology is scalable technically and from an operating model point of view. Much work is progressing on the scalability front, and we are seeing early signs of good success.”
As an example of growing momentum, Litan cites the IBM Food Trust. In this application, blockchain is proposed to provide an immutable, collectively shared record of the provenance of food among suppliers and purchasers.
For companies that are, literally, down the food chain, the IBM Food Trust may become the main or even only way to maintain existing relationships, thanks to the alliance between IBM and major agribusiness players. IBM has also proposed blockchain to validate medications to combat counterfeit pharmaceuticals in Africa. IBM’s boldest proposal so far is IBM Blockchain World Wire, a global payments network aimed at allowing financial institutions to sidestep traditional correspondent banking. Such efforts could reconfigure supply chains and finance. Cisco estimates the global blockchain market at $10 billion by 2121 with the equivalent of 10 percent of world GDP stored “on chain” by 2027.
“We are on the verge of mainstream adoption as is evidenced in the prevalence of companies incorporating these technologies,” says Jenny Balliet, chief engagement officer at Chicago Blockchain Project, pointing to recent announcements from Deloitte, Fidelity, Northern Trust, Goldman Sachs, Facebook, Walmart, Barclays, JPMorgan Chase, and Major League Baseball (MLB).
Blockchain entrepreneurs see plenty of opportunity for targeted implementations, for businesses and government entities, says Yo Kwon, CEO of Hosho, which focuses on smart contract audits and related contract issues. “There are already existing use cases from proving the integrity of marriage licenses for county clerks to providing a system by which network data can be collected in a more efficient and accurate method than ever previously deployed,” Kwon says. Such modest blockchain implementations could be the model for an embrace of the technology outside big-name announcements that have garnered the most attention, he says, if developers overcome blockchain’s usability issues.
“There needs to be an abstraction from the complexity built that allows users with no prior knowledge of blockchain technology to benefit from its use,” Kwon says. “This has been done in individual instances, but not yet on a wide scale.”
That’s especially the case in the health care industry, says Edward Bukstel, CEO at Clinical Blockchain in Philadelphia, a startup focused on using blockchain to organize, share, and secure patient health records. “One of the biggest issues is the culture and implementation side,” he said. “Even if someone would come up with an amazing application, built on a blockchain, in the electronic health record side, we have an installed base of legacy systems.”
Whether the blockchain initiative remains with established enterprises rolling out industry-oriented blockchains or venture capital-backed startups, key hurdles remain to be overcome, says John Johnson. These include speed, scalability, usability, cost and lock-in to a particular blockchain platform. Blockchain, he continues, “is not yet ubiquitous, standardized and trivial to use.”
Even businesses making big investments into blockchain must overcome big issues, says Gartner’s Litan, including confidentiality, standards, governance, risk assurance and availability.
As for election security – a widely hoped-for blockchain use case – the world will have to wait, Litan says.
“Though very promising for securing elections, there are too many hurdles to overcome, such as voter registration and on-boarding, that make that use case more realistic in five years or more as opposed to the next three years,” she says.
The NIST blockchain document, while a largely sympathetic technical overview, also sounds a cautionary note. “There are issues that must be considered such as how to deal with malicious users, how controls are applied, and the limitations of the implementations,” the authors write.
The effort to solve such problems is bound to exacerbate the cybersecurity labor shortage as demand for top-tier cryptographers and software engineers gets even greater. That’s one more reason why the widely shared aim of greater diversity in the ranks of security pros has to be turned into active efforts by business and government, says Greg Shannon, a member of the board of directors for Women in Cybersecurity.
“In a homogeneous environment, you start to make assumptions about trust,” says Shannon, who is chief scientist for the CERT division at Carnegie Mellon University. In blockchain-based global supply chains, “diversity of perspective is important,” he says.
For now, developing blockchain expertise remains largely a learn-by-doing affair. “There is a great deal of misinformation, which pervades the space,” says Balliet of the Chicago Blockchain Project. “We need to clarify and educate.”