In the future, your data may be secured not by some central gatekeeper, but by a vast, distributed set of participants, each holding some or all of it. Blockchain technology is the new frontier of cybersecurity, but it’s also the Wild West of information architecture. What efforts are being made to standardize it?
The blockchain has a short but colourful past. The concept came from Satoshi Nakamoto, the mysterious inventor of bitcoin, whom no one has definitively identified. (S)he released the initial code for the concept in 2009, designed to offer people transparency, privacy, and immutability all at once. That’s a tall order. Here’s how it works in practice.
How the blockchain works
Historically, two people who don’t trust each other but want to transact have done so via a third-party, like a bank or escrow service, which acts as an arbiter for disputes. Bob pays Alice for a product. Alice fails to send the product, arguing that Bob didn’t pay. The bank’s records show that he did, putting Alice at fault.
That’s great, but banks and other middlemen can be slow, expensive, and corrupt. Blockchain technology cuts out the middleman, enabling those who don’t know or trust each other to transact safely.
The blockchain is like a giant ledger recording all transactions, but unlike a bank’s ledger, everyone keeps a copy. This keeps all participants honest because all transactions are transparent. The clever part lies in immutability; the blockchain must be protected so that one person can’t alter their version and make a fraudulent claim.
Public blockchains like bitcoin’s achieve this with cryptography. All transactions taking place in a 10 minute window are cryptographically ‘sealed’ into a page in the distributed ledger, known as a block. The cryptographic code is created by miners. These are network participants who use their computing power to solve a mathematical puzzle known as a proof of work.
Each miner competes for the solution, and the winner is rewarded with some bitcoin. In bitcoin’s case, the code running on everyone’s computer adjusts the difficulty of the puzzle so that the amount of computing power on the network always solves a new puzzle every 10 minutes or so.
Each block’s transactions are still visible, because the cryptographic seal doesn’t scramble them. Instead, it hashes them, creating a digest representing the transactions in that block. If even a single byte changes among those transactions, the digest would be completely different. Consequently, anyone tampering with transactions in the block would have to recalculate a new digest. That’s prohibitively difficult, because they’d have to use an inordinate amount of computing power to do so – at least half of the computing power on the network at the time.
The final beauty of the network is that each block’s digest is included when computing the digest of the next block. In this way, anyone successfully tampering with one block would need to recompute the digests for every succeeding block, which makes transactions more secure over time. It’s an elegant solution, and one that has captured the attention of companies in many sectors, including finance.
Companies are seeing potential in the blockchain for any process that can be made more efficient by cutting out the middleman. They hope to drive new efficiency into everything from syndicated loans to supply chain management.
In many cases, the blockchains they’re proposing are simpler versions of bitcoin’s public blockchain. If you are using blockchains to manage trade settlements on a stock exchange, for example, then all the traders know each other already, and are authorized to trade. That means you don’t need the same compute-intensive proof of work, argue advocates. Instead, these ‘permissioned blockchains’ can use other, more efficient solutions that don’t chew up the electrical consumption of a small city.
Finance companies are already using blockchains in anger. At the end of 2015, NASDAQ launched Linq, a blockchain-based system for processing private securities without cumbersome paper-based certificates. This was significant, because managing private equity has traditionally been a manual process, often involving an overworked lawyer and a spreadsheet. More recently, Guernsey-based private equity firm Northern Trust worked with IBM to create a blockchain that manages private equity for Geneva-based asset manager Unigestion.
There are other use cases for the technology. Storj has introduced a distributed cloud storage solution with it (which should come as comfort to scientists trying to preserve public data from destruction). Companies want to manage the Internet of Things – the ultimate network of distributed, autonomous but connected participants – using it. A company called GuardTime even wants to secure nuclear power stations with it.
Getting on the same page
The danger with blockchain technology, as with all new computing concepts, is that it rapidly morphs. One implementation may not necessarily talk to another. Organizations barely agree on the terminology yet, let alone the technology interfaces.
“How do we as an industry manage to develop and collaborate to develop security standards that will be adopted and facilitate the rollout of new and emerging technologies?” asks Wendy Gross, partner and technology co-chair at legal firm Osler. Quite. Perhaps some common terminology and technique is in order.
The International Telecommunication Union (ITU) is mulling this problem. It will hold a workshop next month – March 2017 – to “identify where ITU-T Study Group 17 (Security) could contribute to further standards collaboration in support of blockchain.”
What might the standard for blockchain security implementations look like? It’s worth noting that IBM Research is a confirmed speaker at the event. It has put its weight behind Hyperledger, a blockchain technology project managed by the Linux Foundation. The Foundation wants Hyperledger to be the Linux of the blockchain, serving as a reference platform for others’ deployments, in the same way that the vanilla Linux kernel is the basis for a variety of distributions. IBM is among the organizations that contributed code to this initiative.
The ITU isn’t the only standards organization looking at this technology. Australia’s standards organization is trying to carve out some interoperability standards for blockchain technology, and it has the ISO’s support.
What about a standard for governance, too?
Such standardization efforts focus largely on technology interfaces, but there may be a case for governance standards, too. Some of the screw ups in the nascent blockchain community have been legendary.
The danger lies largely in smart contracts, a more recent development which enables blockchains to store and run the entire programs, rather than simply keeping digital records. Smart contracts can take the form of self-executing legal agreements made by multiple parties, which don’t have to rely on a central arbiter like a lawyer to oversee them. They have real promise, but a bug in the system can lead to disaster.
For example, the DAO – an entire organization based on smart contracts – lost around $50m last year, shortly after it was formed, thanks to a bug in its smart contract code. The problem led Ethereum, the smart contract-based blockchain on which it was based, to change its own code and create a new version of the ledger to try and get the money back. This created animosity in the Ethereum community, leading to two Ethereums: the new one, and ‘Ethereum Classic’.
How do we stop such things from happening? Microsoft has created a working group for best practice in smart contract design, which is at least a start and may help avoid security problems in blockchain implementations.
A report from the Long Finance consortium also suggests that blockchains themselves may need their own best practices for risk mitigation. As the capabilities of these blockchain implementations become more sophisticated, we need to ensure that the code underpinning them – and the code that they can now themselves run – is itself secure.