Will blockchain serve as a defense against cybercrime?
I have a sobering statistic to report to you. Sometime last year, at more than US$600 billion, cybercrime surpassed the illegal drug market as a global criminal enterprise. The average cost of a major breach is almost US$4 million, and cybersecurity is a burning technology issue in the C-suite and the board room.
We have to ask ourselves: How are we going to beat this monster?
In another part of the technology landscape, there is a much more benign growth phenomenon. The global blockchain market is estimated to grow at a compound annual growth rate of over 60% per year through 2021. It is finding real traction in financial services, trade, entertainment and a dozen other industries. And some of our most sensitive data is expected to be stored and used on blockchain platforms.
This begs another question: Can blockchain serve as a defense against cyber attacks and cyber criminals?
Blockchain – in its heart, a security solution
Everyone is excited about blockchain because it can create new businesses and reduce costs. But security also runs deep in the DNA of blockchain.
If implemented correctly as part of a layered defense, blockchain-based platforms can provide a number of cybersecurity benefits. In a blockchain, users are identified and authenticated at entry. New data is tagged and timestamped. Data is rapidly distributed across a host of computers, where it is stored, cryptographically fingerprinted and tamper-proofed. Security rules such as access rights or contractual terms can be built into transactions.
Before going further, we need to be clear: blockchain is as good as it is designed to be. As my colleague Aidan Lynch, a senior manager in the EY Cybersecurity practice, says, “To effectively leverage the benefits of blockchain, it is crucial to understand how to securely implement and deploy such platforms in your wider ecosystem.”
So what is blockchain’s role in the future fight against cybercrime?
1. Identity and authentication: At EY, the teams are working on integrating portable identity capabilities, including biometric (facial) identification, into blockchains. Enabled by the decentralized nature of blockchain, this effectively creates passwords that cannot be stolen – and used to steal the most confidential information.
Here is an example where this would have helped had the technology been previously developed. In mid-2017, a financial services firm found that it had been severely breached by hackers using a compromised password. The result was the stealing of personal data from more than 140 million customers – one of the largest breaches in history. A portable identity solution, properly configured through blockchain, could have prevented the breach at the start.
2. Ransomware: If you were one of the 200,000 victims of the WannaCry randsomware attacks of 2017, you came in one morning to see a chilling screen. The WannaCry blackmailer had infected thousands of computers with a cryptoworm that stole and encrypted the host’s sensitive data. They demanded payment in untraceable bitcoin in return for unlocking the data.
Because of a quick response by the “white hats,” who exposed the vulnerabilities to thwart the attacks, payments were limited to several hundred thousand dollars. But in the cruelest irony, many victims did not recover their data even after the ransom was paid.
In a blockchain, data is not stored at a single source. Instead, it is distributed across a network of computers where its protection is further enhanced by a range of cryptographic controls. When confronted by a ransomware demand, the blockchain-enabled CIO would have a strong defense against the extortionist’s attempts.
Of course, the large amounts of enterprise data that is not within this redundant system will have these protections.
3. The attack no one knows about: One of the wickedest attributes of cyber attacks is that the enterprise may not even know it is happening. After it is detected, it may be impossible to know when it started, how long it ran and what data was compromised.
In 2016, a major web service provider belatedly discovered the compromise of more than one billion customer accounts that took place in 2013. This was a period in which customers did not even know they were in danger. It was only with massive digital forensics that they were able to identify the actual accounts that were affected.
In a blockchain environment, transactions are tracked in real-time. Again, assuming proper set up and administration, the defenders would have been more likely to have known about the breach day one, and been able take steps to protect their customers.
4. The distributed denial of service (DDoS) attack: In a DDoS attack, the perpetrators overwhelm target servers with junk data, causing a loss of network bandwidth and the crashing of the system. In 2016, resourceful hackers harnessed thousands of devices – printers, security devices, even baby monitors – to target the domain name provider DYN with a malicious digital overload. This DDoS resulted in loss of service to many internet platforms, commerce sites and media services.
Because blockchain platforms are typically distributed over thousands of nodes, each of which operates independently, this kind of system significantly reduces the impact of a DDoS attack.
Blockchain is not geared to stop all attacks – for example, criminals could still commit the common cybercrime of stealing customer lists and selling them on the dark web. It certainly won’t defend the majority of data that is not stored on blockchain platforms. In addition, the well-financed and resourceful criminal element has a discouraging record of analyzing and overcoming new defenses as they come online.
Clearly, blockchain is not a silver bullet against cybercrime. Nor is it likely to reach sufficient critical mass in the short term to make it an effective defense against current cyber attacks. But in the longer term, blockchain-based platforms present exciting opportunities to reduce the effectiveness of a range of cyber attacks.
Here are my three predictions for the future of blockchain and cybersecurity:
1. Data stored on a blockchain will be safer than data outside a blockchain
The four defenses described above are only a part of the picture – blockchain can provide further protections in authentication and post-breach forensics. But it is the collective defensive power of these applications that may present its greatest strength.
Cybercriminals play the odds. With the internet offering so many targets, when their scrapers and botnets detect a more capable defense, they move on to the next target. This does not mean that a given blockchain is 100% secure – but when implemented correctly, it may be enough to drive the perpetrators to the next crime scene.
2. The breadth of blockchain cyber protection will be important
The blockchain market is projected to reach a value of US$20 billion by the end of 2024. It is projected to be a digital force in financial services, health care and government services. Within those industries, it is well-suited to protect highly valued data – financial assets, personal health records and customer data – that are frequently targeted by cyber criminals and hackers. The breadth of blockchain will generate a commensurate breadth of security – its impact will not be small.
3. The prospect of higher security will drive greater demand for blockchain
I believe cybersecurity is the number one tech issue in C-suites and board rooms. Virtually every enterprise is looking for a way to bolster their defenses – and limit their exposure to loss, lawsuits and regulatory actions.
At EY, the teams are building blockchains that manage everything from audits to trade finance to rights and royalties management for digital games. EY are helping clients to securely design and deploy their own blockchain-based platforms. These have already demonstrated smoother operations, lower cost and lower risk. But as companies begin to realize that it can also protect their most valuable assets, the demand for blockchain will only grow higher.
Cyber-defense is not a one-time event, it is a continually escalating and ever-changing battle. Blockchain platforms and applications will need to continually evolve and be enhanced to out-maneuver potential threats. By its very nature, blockchain can provide a series of potential and effective defenses against cyber criminal activity. While not the complete answer, it is clearly going to be a key part of our defenses in the cyber wars to come.
Originally posted on LinkedIn: https://www.linkedin.com/pulse/blockchain-our-best-defense-against-cybercrime-dave-padmos/
DISCLAIMER: The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.