Blockchain Security Is A People Problem

Blockchain was hailed by some as a ‘truth engine’ but, according to Melanie Jones, Product Director for cybersecurity portfolios, there is already a spanner in the works and those with the skills to protect valuable data are finding themselves in one of the world’s most sought after professions. 

If there is one thing we know about human nature it is that if something is presented to us as unbreakable, unhackable, unsinkable or inedible, there is always someone with the aptitude and mendacity to crack it. So, it goes with blockchain. Blockchain’s immutability is built into its peer-to-peer nodular transparency. In theory, the decentralised system, distributed across its network of users/nodes, should be impossible to compromise as any attempts to alter the data would be instantly recognisable and investigated by the pool of node owners (active users who validate transactions are also known as miners). Blockchain’s universal adoption as an open ledger by the cryptocurrency markets, sadly, has already proved that – despite its sophisticated software – the open ledger is open to compromise. Since 2014 over $1.4 billion worth of crypto currency has been stolen from exchanges by hackers. Some of the targets include popular crypto trading brands such as Coincheck, MT Gox and BitGrail. Unsurprisingly, it is not the software letting the side down – it is us. By design, blockchain cannot be hacked, but its weakness is often at the point where its systems connect with the real world in software or applications.

 

For example, ‘hot wallets’ are vulnerable to hackers. These wallets function like a digital ATM machine – they are internet-connected applications that store cryptographic keys (needed to access cryptocurrencies). Wallets operated by cryptocurrency exchanges like MT Gox and Coincheck have become the location for 21st century bank robberies. Cryptocurrency exchanges are increasingly claiming to store their customers money in “cold” wallets – on storage devices disconnected from the internet, but as recently as January this year, $500 million was taken in cryptocurrency from the Japan-based company, Coincheck. 

The nodes can also be compromised from within, either by a hacker taking over a node, or a legitimate node owner working against the interests of the system. Emin Gün Sirer along with his colleagues at Cornell University have shown that what they call a ‘selfish miner’ can subvert a blockchain from within – even with less than the crucial 51% mining power of the other miners. Also known as a majority attack, a 51% attack occurs when a malicious miner gains control of over 50% of the blockchain network’s hashrate, enabling them to reverse transactions, halt payments, or prevent new transactions from being confirmed. A 51% attack is not easy to pull off, requiring a sizeable amount of computing and therefore a large amount of electricity to accomplish. The construction of data mining factories in places like China, built near dams to benefit from cheap electricity, could become the Achilles Heel of blockchain.

Smart Contracts, computer programmes that can automate actions/transactions, are also at risk of compromise. Over $80 million was stolen in ether (Etherium’s cryptocurrency) from the Decentralized Autonomous Organization (DAO) in 2016. The blockchain-based investment fund was forced to reverse engineer the money back by creating a ‘new history’ to replace the money. Not great.

So how can companies apply the cybersecurity lessons we’ve learned to ensure that blockchain delivers on its promise of a secure decentralised public record? To fight fire with firewalls, businesses are going to need to skill up. Cybercrime has become mainstream and it’s no longer mainly small-time crooks or isolated hackers causing chaos for dark web kudos. Organised criminals have spotted the potential rewards and, as well as targeting cryptocurrency in the modern-day equivalent of a bank heist, they are now hacking for data – which is a currency all of its own. Data is what drives everything and it’s what the hacker wants because they can sell it or threaten to share it, blackmailing the organisation for financial gain. Organised hackers are starting to think strategically beyond phishing and pillaging bank accounts. As we’re seeing played out in our newsfeeds, criminals – and unscrupulous political operatives – are also taking advantage of blockchain’s system vulnerabilities at the international level.

New approaches and skills are urgently needed to counter this evolving cyber-criminal landscape. Job descriptions are being updated and expanded to source individuals with experience and know-how from law enforcement and intelligence to technology, coding and analytics. According to the latest global information security workforce study from ISC, there could be up to 1.8 million information security-related roles unfilled worldwide by 2022. In Europe, the shortfall is projected to be about 350,000, with the UK’s share of unfilled cyber security jobs expected to be around 100,000.

We are doing our bit. Next month, in association with the UK government’s new apprenticeship programme, GK Apprenticeships and Qufaro will be launching the Level 4 Cybersecurity Apprenticeship at Bletchley Park – the world-renowned home of British cryptography triumphs.

In today’s connected, cloud-based society, the Internet of Things means your central heating system is as much at risk of a cyberattack as your laptop. The next generation of codebreakers will be coming to Bletchley Park with a different enemy in mind: the widespread threat of invaders who can access our banks and businesses from the tiniest ‘chink’ in our cyber defences. Much as we’d all love the utopian idealism of blockchain to be the ‘golden symmetry’ of the internet, it is far more likely that the resourcefulness and know how of individual cybersecurity professionals is what’s going to keep us safe – not just from organised crime but human nature.