This week, the International Telecommunications Union is holding a workshop to see how blockchain technology might be useful as a security tool. It’s a good indicator of the technology’s ongoing success. Eight years after the original bitcoin blockchain emerged, efforts are well under way to push its security benefits into multiple industries. What strengths does it carry, and what challenges will it face, as a next-generation security tool?
We explained basic blockchain operations here. The technology’s biggest security benefit is its ability to cut out the middleman. Instead of transacting via a trusted arbiter, parties get to transact with each other directly, and seal the outcome so that neither can dispute it in the future.
Why is this useful, if trusted third parties promise to do all that work for you? The problem with trusted third parties is that you can’t always trust them. Just look at what happens if your trusted third party happens to be Wells Fargo, or Bank of America, say. Or Deutsche Bank, or Barclays, UBS, Rabobank, and the Royal Bank of Scotland. We could fill an entire article with links like this. You get the picture.
Secure all the things
The second security benefit complements the first; blockchain technology allows participants to “seal” transactions so that they are visible but immutable, which keeps everyone honest. Different implementations use different techniques. Bitcoin chews up the computing power of a small city to preserve its transactions in digital resin. Other techniques include proof of stake. Each has its own technical and economic implications.
No wonder, then, that people are experimenting with blockchains for security reasons. Some, such as the Danish Liberal Alliance and Australia, hope to use it for voting, perhaps misunderstanding some of the bigger security concerns with online votes.
Blockchain technology faces some challenges, though. One of the biggest is block-washing. Whenever a technology comes along, people inevitably apply it to everything. Developers and marketing types alike suddenly shoehorn the technology into every project they can think of, even when it doesn’t fit.
This mad rush to capitalise on new technology fuels the early curve of the Gartner Hype Cycle, leading to an inevitable crash as the technology fails to meet expectations. It’s happening with AI right now, and also with blockchain technology, some argue.
We can see this as the blockchain moves to the cloud. Decentralization was an important characteristic of the original blockchain, but Microsoft’s Project Bletchley runs blockchain middleware and application marketplaces in Azure. IBM does something similar on its Bluemix cloud platform.
All this stuff will be cryptographically protected, of course, but it’s still facilitated by a single trusted party, and in effect turns the blockchain into something else. Marketing types at Microsoft are already playing with the inevitable, depressing moniker “Blockchain as a Service”, which pretty much negates the whole idea of a decentralized, independent network.
Once the tech industry stops being so breathless about the blockchain and the blue chips have reinvented it in their own image, it will face other problems. Standardization is one of them. There are many different approaches to blockchain technology, each claiming its own advantage. It will be important for these to work well together. Standardization efforts are now in the works; The International Organization for Standardization (ISO) already has a committee looking at it.
Good concepts and bad code
The other problem for blockchain technology revolves around software security. Just because blockchain’s underlying concept offers security doesn’t mean that the implementations follow suit. China, which has its own interest in cryptocurrency, recently analysed 25 of the top blockchain-related software projects, and found significant software security flaws in many of them. Most of the software tools related to input validation.
These issues aren’t just theoretical. They’re antithetical to what many blockchain projects are hoping to achieve. Coding flaws in blockchain implementations are serious, and lead to financial losses, such as the $400,000 theft of Zcoins last month.
As blockchain software becomes more sophisticated, the attack surface and scope will expand. A key factor here will be smart contracts. Whereas the original bitcoin blockchain only holds records of digital transactions, more recent efforts have bigger ambitions. Smart contracts are in effect programs designed to run on the blockchain.
Imagine replacing a legal contract with a computer program. Instead of paying a lawyer to govern the contract, all parties can run it independently, and the blockchain makes the program’s output immutable and transparent.
The program checks external conditions and executes its clauses accordingly. Let’s say Bob and Jane both own equal shares in a company. If the share price hits a certain threshold, they get a bonus dividend based on the number and class of their shares. Normally, a lawyer would have to take care of that, charging handsomely for the privilege. A smart contract with access to company funds would do it automatically.
That whole access to company funds thing is a bit scary, though, given that a smart contract is just a computer program, and computer programs have security flaws. The DAO, a company created entirely from smart contracts on the Ethereum blockchain, lost the equivalent of $50m or so last year in Ethereum’s Ether cryptocurrency. An enterprising hacker found a flaw in the smart contract code and flushed it all into another account.
Ethereum had to fork its own blockchain – going back to rewrite history – to get the cash back. Several developers didn’t like that idea, and retained the original Ethereum code, thus creating Ethereum and Ethereum Classic. We wonder if the Coca Cola Company would have approved?
None of this sounds like the basis for a bright, secure future. What it means in practice is that we must get much better programming this stuff before we begin trusting huge swathes of our economy with it or enthusiastically using it to organize the Internet of Things.
Vinay Gupta, one of the original members of the Ethereum team and author of this HBR article on the blockchain’s security promise, has said that we should look to more rigorous disciplines like functional programming to avoid costly screw-ups in the future. The problem is that few people have that rigour. Raise the bar for blockchain coding, and half of the startup projects lining up for their virtual crowdsales would probably disappear.
The blockchain holds promise, but it might have to go through Gartner’s trough of disillusionment before it becomes a major item in the security industry’s toolbox. We might have to keep revising our coding practices, too.