Blockchain is a much hyped, emerging technology that promises to make business networks more efficient, reducing transaction times and reducing the risk of error / fraud.

As a founding member of the Linux Foundation Hyperledger project, IBM are serious about open source development of a blockchain fabric for usage within closed, permissioned business networks.  We are also helping our customers in all industries decide which of their transformational activities could benefit from Blockchain technology.

Blockchain

Figure 1: Blockchain Blocks

Could blockchain be a hacker’s dream come true, or just not worth the effort?

I will look at three common hacker motivations, consider how these are typically executed and examine the effect that IBM Blockchain usage has on the chance of success.

Motivation #1 = SNOOP

Hackers love to break into systems and gain access to sensitive information.  They typically do this by either breaching a system’s perimeter defenses, or compromising a person who has access to the information (i.e. social engineering).

On to topic of perimeter breach, blockchain makes no difference.  Success depends on the levels of protection built into the hosting infrastructure.  But modern cyber security thinking is that irrespective of how much is spent on perimeter defenses, a breach will occur at some time.

So assuming the hacker gets in, he’s certain to be interested in accessing transaction information stored on the blockchain.   Fortunately, the user of privacy services in IBM Blockchain makes this very hard.   Transactions and Smart Contracts are encrypted with best-in-class cryptography technology, and the information could only be accessed via the cryptographic keys.

Blockchain solutions will be no better (or worse) in resilience to human centric snooping. Mitigation requires a constant focus on the leadership, culture, process & education aspects of cyber security.  The same applies for Motivations #2 & #3 below – I will not repeat myself!

Motivation #2 = DISRUPT

Hackers like to mess up business networks, for example to prevent the flow of goods across a supply chain by disrupting the supporting information systems.  They may attempt to do this by modifying the underlying blockchain fabric (aka plumbing), corrupting transactions committed to the blockchain or modifying the Smart Contract.

Since the blockchain fabric is open source, surely this makes malicious modification a real possibility?  The opposite has been shown to be the case in mature, open source initiatives such as secure Linux.  The vast multitude and diversity of developers ensure that malicious code modification attempts are quickly spotted, rectified and never make it to verified code releases.

As to malicious modification of the Smart Contracts or transactions on blockchain, this is very difficult.  Each block in the blockchain contains a digital fingerprint (technical term = hash) of the contents of the previous block, rendering modification impossible – a property referred to as “immutability”.  Smart Contracts are also cryptographically protected, and any changes must be validated by all network members – again rendering modification a virtually impossible task for the hacker.

In the event that one network node is compromised – perhaps by human-centric attack, or insider fraud – the replicated nature of Blockchain adds greatly to the overall business network resilience.  Peer to peer sharing of the asset ledger, coupled with agreed transaction validations methods removes single points of failure and ensures that compromise of a business network member would be quickly detected and rectified.

Motivation #3 – DENY

If the hacker can’t disrupt the business network, maybe he can deny the participants access to their critical information systems.  Mitigation approaches here are infrastructure dependent, and protection methods against the many forms of denial of service attack are well documented elsewhere.  Whilst I would argue that Blockchain usage is not the main factor here, the distributed nature of the shared ledger adds to the overall resilience of the business network.

Is it worth it?

Hackers tend to go for the “low hanging fruit” and privacy services embedded in IBM’s Blockchain fabric are likely to deter.  However, secure-by-design has never been more important and a holistic approach to the security of any system – balancing technology with people mitigation techniques – is vital to maintaining business operations through cyber-attack.

blockchain

Figure 2: Holistic Approach – IBM’s Security Framework

Whilst much has been written on bitcoin Blockchain security, and potential vulnerabilities therein this is not the case for the usage of Blockchain in closed, permissioned and trusted business networks.  It is very early days for this new generation of system, but never too early to start thinking about security!

Further Information

  1. IBM Enterprise Security
  2. Blockchain for Government
  3. Blockchain, Where’s my stuff?
  4. Proving Provenance with Blockchain
  5. Blockchain & the bathtub curve of Asset Management
  6. Secure-by-Design

I’m grateful for the help and support of Matt Lucas (@mqmatt) in producing this blog.  I’d much appreciate an active debate on this topic!  Contact me through leaving a comment, twitter or LinkedIn!

Advertisements