A blog about Blockchain technology

Blockchain Cybersecurity

Blockchain technology presents many promising opportunities to accelerate digital transformation and reshape how organizations around the world, including governments, address operational challenges. Policymakers are in the early stages of understanding blockchain and its potential use cases in regulated sectors, whether in financial services, healthcare, transportation, or retail and manufacturing. Microsoft has been part of this journey through blockchain deployments built on our Azure services, including Digital Identity ID2020, Project Ubin (with the Monetary Authority of Singapore and the Association of Banks in Singapore), and MiFID II Data Reconciliation (with UBS, Barclays, Credit Suisse and others). No technology is immune from cyberattacks, and identifying and understanding risk is a critical step in deploying blockchain securely.
Security in Blockchain Networks
One of blockchain’s benefits is its inherent resiliency to cyber-attack. While not immune to all forms of cyber risk, blockchain’s unique structure provides cybersecurity capabilities not present in traditional ledgers and other legacy technologies.
  • The distributed architecture of a blockchain increases the resiliency of the overall network from being exposed to compromise from a single access point or point of failure.
  • Consensus mechanisms improve the overall robustness and integrity of shared ledgers, because consensus among network participants is a prerequisite to validating new blocks of data, and mitigates the possibility that a hacker or one or more compromised network participants can corrupt or manipulate the ledger.
  • Blockchains also provide participants with enhanced transparency, making it much more difficult to corrupt blockchains through malware or manipulative actions. And blockchains may contain multiple layers of security, both at the network level and installed at the level of each individual participant.
  • Finally, blockchains hosted on a cloud platform, such as Microsoft Azure, feature even greater cybersecurity protections due to the platform’s access controls and many other protections.
Despite the many cybersecurity benefits inherent in blockchains, the technology, like any other, is subject to cybersecurity risks, including those resulting from human errors. Human errors may include software coding errors and errors that derive from the flaws in participants’ information security practices. Blockchain technologies also are susceptible to identity-based attacks in which cybercriminals corrupt the consensus mechanism employed by a particular blockchain by gaining control over a majority of the blockchain’s nodes. Mitigating these risks requires prudent cyber risk management practices.
Two Types of Blockchain
A number of important structural considerations should be taken into account when constructing cybersecurity programs for blockchains. Records added to a blockchain generally are immutable. Immutability prevents tampering and creates an auditable record, but may require a special programming adjustment to restore a blockchain’s integrity if fraudulent or malicious transactions are introduced into a blockchain. Blockchain participants’ roles and responsibilities also require a thoughtful governance structure in order to achieve an effective balance of access and security.

There are two broad types of blockchains: public and permissioned blockchains. Public blockchains, such as the Bitcoin blockchain or the Ethereum public blockchain, permit any person with the technological capability to access and view the ledger, propose the addition of new blocks to the ledger, and validate transactions by following established protocols. Anyone who installs certain software is generally granted access and can participate in transactions using the blockchain. The consensus mechanisms used in public blockchains to create trust among participants who do not know each other include, but are not limited to: (a) proof-of-work, which uses a system of rewards to induce constructive behavior by requiring users to compete for the right to publish the next block by solving computationally intensive puzzles; and (b) proof-of-stake, which uses a system of penalties and the amount that a user has at risk in the blockchain to determine rights to publish new blocks. While public blockchains have an administrative governance structure, they generally operate without any central authority.

Permissioned blockchains limit access to the ledger to certain known or trusted parties who generally must participate using their true identities. Permissioned blockchains may be developed by a single party (private blockchain) or by a consortium of companies, such as a group of banks, with similar interests (consortium-based blockchain). Permissioned blockchains rely upon a governance structure to control access, apply and enforce rules, and respond to incidents, including cyber threats. Because there is some degree of trust between participants, permissioned blockchains generally use less complicated or computationally intensive consensus mechanisms. A proof-of-authority consensus model, for example, may allow participating nodes to publish new blocks at will or on a rotating basis, subject to verification of participation rights. Permissioned blockchains can incorporate traditional security features, such as access controls managed through a cloud platform, as well as security features that are customized to the particular blockchain.

From a cybersecurity perspective, both public and permissioned blockchains have certain favorable attributes, including distribution of the ledger, encryption, and a consensus mechanism. Blockchains rely on encryption deployed at several different points in the network. First, participant access rights are managed by employing public/private key encryption. Second, the transactional data within a block is encrypted using cryptographic hashes. Third, blocks of data are linked in chronological order in a blockchain using a cryptographic hash function that securely ties each block to the previous and subsequent blocks. Thus, any attempt to alter data within a block would change the hash values. Cryptographic hashing prevents data within a block from being changed without altering the history of all linked or chained blocks of data. Thus, would-be attackers targeting a particular transaction would need to change the entire blockchain as a result of this form of encryption.

Protect your Blockchain
As we have already identified before, the features of blockchain networks provide for a number of capabilities in mitigating cybersecurity risks and detecting, preventing, and combating the types of cyber-attacks that are often directed at financial institutions.
  • Distributed architecture. The distributed architecture of a permissioned blockchain is an advantage that can deter or minimize the effect of cyberattacks. A distributed network structure provides inherent operational resilience because there is no single point of failure.
  • Consensus validation mechanism. A consensus mechanism provides a continuous check on the integrity of past transactions identified on the ledger and on the integrity of new blocks of data.
  • Encryption. Participant access rights are secured through asymmetric key cryptography or public/private key encryption. The linked lists or blocks are also encrypted by a combination of cryptographic hashing and digital signatures.
  • Transparency. the transparency of a blockchain among participants makes it more challenging for hackers to place malware in the network to collect information and to transmit it covertly to another database managed by the hacker.

Risks still exist:
  • External data sources and endpoint risk. Blockchains are only as secure as the information they ingest and consume. Off-chain legacy systems may provide transactional data from which the representational data stored on a blockchain is constructed. Importing such off-chain legacy system data may represent an endpoint risk. Cryptlets represent the connection between on-chain data and the external world, still maintaining the necessary integrity of the blockchain network.
  • Identity-based attacks. Attacks could be employed to take over a majority of the nodes in a network and undermine the consensus validation and distributed architecture protections of a network. This risk can be mitigated using a trusted multi-tenant cloud-based directory and identity management service that certifies the identities of persons.
  • Quantum computing. A longer-term risk that is gaining attention among observers is the possibility of quantum computing-based attacks that leverage enhanced computational power to weaken or compromise existing cryptographic algorithms used in existing IT systems and in blockchains. Adapt and upgrade security protocols as necessary to ensure the success and viability of the network.
There is also a hidden risk that the nature of a new emerging technology naturally brings to the market. Although many companies operating in the blockchain business are led by seasoned industry veterans, blockchain developers are frequently start-up firms. Regardless of a company size or the experience of its personnel, all blockchain developers, particularly those developing solutions for the financial services industry, must conduct their design and development activities at a high level of sophistication relative to security threats. All developers should incorporate the principles of the Security Development Life Cycle (“SDLC”) or “security-by-design” and internalize those principles into its culture. The use of “hardened libraries” and other controls for securing code and software-related information and testing is critical. In addition, all blockchain coding should undergo and pass QA testing that satisfies the SDLC standards, including testing of all application security controls as part of an application security verification process, to identify and fix bugs, as well as security testing, before rollout.

As cyber threats continue to evolve in complexity and intensity, emerging technologies such as blockchains can contribute to combat cybersecurity risk and adequately protect consumers’ information and the integrity of the global IT system. As we have seen in this post, blockchains offer significant cybersecurity capabilities, share some of the same cyber risks that affect other IT systems, and have unique characteristics, all of which merit further evaluation by regulators and industry.

Go Back