
S14 | MONDAY, JUNE 5, 2017 | Cybersecurity | NYLJ.COM
Blockchain
« Continued from page S7
or smart contracts shielded from outside parties.
Blockchain’s Cybersecurity Potential
Taking advantage of blockchain’s decentralized, immutable nature, what kinds of blockchain-related cybersecurity applications are possible? Currently, developers are testing applications concerning:
• Information Integrity: Malware can burrow secretly into a network; in some cases, companies may not discover an intrusion for months. Researchers are developing protections by leveraging blockchain’s immutable ledger to stop data tampering and detect if network data has been accessed or modified.
• User Verification: Beyond being used to detect any manipulation of data, blockchain may one day also be used to verify users’ identities and indicate proof of ownership of physical and digital assets (i.e., “smart property”) to facilitate safe and transparent transactions and deter identity theft.
• DDoS Avoidance: Blockchain’s distributed nature could one day be an alternative to the centralized HTTP structure that is prone to distributed denial of service attacks that overwhelm websites and Internet providers.
• Cyberthreat Sharing: The Cybersecurity Information Sharing Act of 2015 created an infrastructure for companies to share cyber threat data with the government. In the private sector, there are numerous industry-specific Information Sharing and Analysis Organizations (ISAOs). Some believe that blockchain’s peer-to-peer platform and confidentiality features could spur more companies to share cyberthreat intelligence over a secure network.
• IoT Security: Given the growth of Internet-connected devices and the attendant data security concerns, some have proposed a Ledger of Things that would purportedly help to organize, secure and share the automated collection of data from billions of devices.
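The “Information Integrity” item above rests on one mechanism: each ledger entry commits to the hash of the entry before it, so a record altered after the fact no longer matches the chain. The following Python is an added illustration written for this article, not code from the article or from any blockchain project; the event records, field names and host names are constructed samples, and the chain is a single-party hash chain rather than a full distributed blockchain.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Constructed sample records: the kind of network events an integrity
# ledger might protect. Hosts, users and paths are illustrative only.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"seq": 1, "host": "fileserver-01", "event": "login", "user": "alice"},
    {"seq": 2, "host": "fileserver-01", "event": "read", "path": "/finance/q2.xlsx"},
    {"seq": 3, "host": "fileserver-01", "event": "logout", "user": "alice"},
]

GENESIS = "0" * 64  # predecessor hash of the first block


def _canonical(record: Dict[str, Any]) -> bytes:
    # Deterministic serialisation: the same content must always hash the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def block_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    # Each block commits to its predecessor's hash; that linkage is what makes
    # a quiet edit to an earlier block visible later in the chain.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(record))
    return h.hexdigest()


def build_ledger(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    ledger = []
    prev = GENESIS
    for rec in records:
        entry = {"record": dict(rec), "prev_hash": prev, "hash": block_hash(prev, rec)}
        ledger.append(entry)
        prev = entry["hash"]
    return ledger


def verify_ledger(ledger: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first block that fails verification, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev:
            return i  # predecessor link broken
        if block_hash(prev, entry["record"]) != entry["hash"]:
            return i  # record no longer matches its stored hash
        prev = entry["hash"]
    return None


def tamper_demo() -> Optional[int]:
    """An intruder rewrites the file-read record to hide what was accessed."""
    ledger = build_ledger(SAMPLE_EVENTS)
    ledger[1]["record"]["path"] = "/public/readme.txt"
    return verify_ledger(ledger)  # the edited block itself fails


def tamper_and_rehash_demo() -> Optional[int]:
    """A more careful intruder also recomputes the edited block's own hash."""
    ledger = build_ledger(SAMPLE_EVENTS)
    ledger[1]["record"]["path"] = "/public/readme.txt"
    ledger[1]["hash"] = block_hash(ledger[1]["prev_hash"], ledger[1]["record"])
    return verify_ledger(ledger)  # the next block's prev_hash no longer matches


if __name__ == "__main__":
    print("intact:", verify_ledger(build_ledger(SAMPLE_EVENTS)))
    print("tampered:", tamper_demo())
    print("tampered and rehashed:", tamper_and_rehash_demo())
```

The second scenario is the one that matters for the article's point: rewriting a single block is trivial, but staying consistent requires recomputing every later hash as well, and in a blockchain those later hashes are held by other participants, so the forgery would have to be pushed to all of them. A hash chain kept by one party detects accidental corruption and casual tampering; the distribution of the chain head across parties who do not collude is what turns detection into the practical immutability the article describes.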
‘On Chain’ Cybersecurity Concerns
Is blockchain impervious to breach? It may be. The key security vulnerabilities associated with blockchain appear to actually be in technology ancillary to blockchain but not the blockchain itself (e.g., digital wallets, smart contracts). The most notable cybersecurity incident associated with the blockchain, the Ethereum “DAO hack,” was not actually a breach or hack at all, but the exploitation of a bug in a “smart contract” running on the Ethereum blockchain platform. The DAO, a crowdfunded decentralized investment fund, let its participants collectively vote on what to invest in and store and transfer their funds on Ethereum in the form of Ether. In May 2016, hackers found a vulnerability in the smart contract programming and conducted a “recursive call” attack that allowed a transfer of 3.6M Ether (around $50 million)—the exploit allowed the attacker to repeatedly cash out shares into a separate account before the system determined a user’s account was zero. In response, the DAO participants agreed to a system reset/rollback—a hard fork to the Ethereum protocol that essentially rewound their private blockchain to a point before the hack. The solution enabled the return of funds, but was criticized as undermining the fundamental, irreversible nature of the blockchain.
Hacking a permissionless blockchain platform is typically impossible from a computational resource standpoint, but within a permissioned system, the intrusion into the account of a single entity could have serious impacts, depending on the architecture of the system. Thus, companies placing digital assets on chain should be mindful of certain security issues, including:
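The “recursive call” described above is the ordering defect a code reviewer looks for in any withdrawal routine: funds are paid out before the caller's balance is zeroed, so a payee that calls back into the contract during the payout is served again at the old balance. The following Python simulation is an added example written for this article; it is not the DAO contract, not Solidity, and not code from the article, and the account names and amounts are constructed. It models the vulnerable ordering beside the “checks-effects-interactions” ordering that closes the hole.

```python
from typing import Callable, Dict, Tuple

Sender = Callable[[str, int], None]  # stand-in for an external transfer call


class VulnerableVault:
    """Pays out before updating the balance: the ordering that let a re-entrant
    payee withdraw repeatedly while its recorded balance was still non-zero."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)
        self.treasury = sum(balances.values())

    def withdraw(self, account: str, send: Sender) -> None:
        amount = self.balances[account]
        if amount == 0:
            return
        # Interaction first: the external call can run arbitrary code,
        # including another call to withdraw() before the next line runs.
        self.treasury -= amount
        send(account, amount)
        # Effect last: the balance is zeroed only after the payout.
        self.balances[account] = 0


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: record the withdrawal before paying out,
    so any re-entrant call sees a zero balance and stops."""

    def withdraw(self, account: str, send: Sender) -> None:
        amount = self.balances[account]
        if amount == 0:
            return
        self.balances[account] = 0      # effect before interaction
        self.treasury -= amount
        send(account, amount)


def run_drain(vault_cls, reentries: int) -> Tuple[int, int]:
    """Simulate a payee that re-enters withdraw() `reentries` times during payout.
    Returns (amount the payee received, treasury left for everyone else)."""
    vault = vault_cls({"payee": 10, "others": 90})
    received = {"payee": 0}
    depth = {"n": 0}

    def reentrant_send(account: str, amount: int) -> None:
        received["payee"] += amount
        if depth["n"] < reentries:
            depth["n"] += 1
            vault.withdraw(account, reentrant_send)  # call back in mid-payout

    vault.withdraw("payee", reentrant_send)
    return received["payee"], vault.treasury


if __name__ == "__main__":
    print("vulnerable:", run_drain(VulnerableVault, 2))  # payee paid 3x its balance
    print("hardened:  ", run_drain(HardenedVault, 2))    # payee paid exactly once
```

With two re-entries the vulnerable vault pays the 10-unit balance three times and leaves 70 in a treasury that still owes 90 to everyone else; the hardened vault pays once because the balance is already zero when the call comes back. The review check is mechanical: in any function that makes an external call, every state change that the call could exploit must already be written before the call is made.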
• Key Management: Private keys should be securely maintained, according to best practices, to prevent loss from damaged drives or cybertheft, including the use of key recovery and storage systems. Generally speaking, credentials are stored in a secure offline device and companies must establish access protocols.
• Wallet Management: Many noteworthy Bitcoin hacks have involved digital wallets, which are software for the sending and receiving of Bitcoin (or other digital assets). Companies should be certain that digital wallet applications have undergone security testing and should consider multi-signature wallets that require multiple users to authorize a transaction.
• Code Review: Writing code for smart contracts can be more challenging than previously thought, making code review of new applications and smart contracts essential (e.g., bug fixes and patches, security testing, and best development practices).
• Operational Contingencies: In a permissioned blockchain, participants must agree to operating rules and procedures to block unwanted transactions or freeze a participant engaged in suspicious activity, as well as how members will counteract fraudulent transactions such as the DAO hack.
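The multi-signature wallet recommended under “Wallet Management” is, at bottom, a threshold rule: a transaction moves only when at least M of N registered signers have each approved that exact transaction. The Python below is an added example written for this article, not code from the article or from any wallet product. Real multi-signature wallets verify public-key signatures; to keep this runnable with the standard library alone it substitutes a per-signer HMAC secret, which is an assumption that changes who can verify but not the threshold logic. Signer names, keys and the sample transaction are constructed.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed registry of co-signers. In a production wallet these would be
# public keys; HMAC secrets stand in here so the example needs no extra library.
SIGNER_KEYS: Dict[str, bytes] = {
    "cfo": b"constructed-key-cfo",
    "controller": b"constructed-key-controller",
    "auditor": b"constructed-key-auditor",
}
THRESHOLD = 2  # 2-of-3 policy

SAMPLE_TX: Dict[str, Any] = {"to": "supplier-wallet-7", "amount": 250, "nonce": 41}


def tx_digest(tx: Dict[str, Any]) -> bytes:
    # Canonical form, so reordering keys cannot produce a different digest.
    return hashlib.sha256(json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()).digest()


def approve(signer: str, tx: Dict[str, Any]) -> Tuple[str, str]:
    """A co-signer approves a specific transaction (stand-in for signing it)."""
    mac = hmac.new(SIGNER_KEYS[signer], tx_digest(tx), hashlib.sha256).hexdigest()
    return signer, mac


def authorize(tx: Dict[str, Any], approvals: List[Tuple[str, str]]) -> bool:
    """True only if THRESHOLD distinct registered signers validly approved this exact tx."""
    digest = tx_digest(tx)
    valid: Set[str] = set()  # a set, so one signer cannot count twice
    for signer, mac in approvals:
        key = SIGNER_KEYS.get(signer)
        if key is None:
            continue  # unknown signer: ignored, never counted
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            valid.add(signer)
    return len(valid) >= THRESHOLD


def scenario_two_distinct() -> bool:
    return authorize(SAMPLE_TX, [approve("cfo", SAMPLE_TX), approve("auditor", SAMPLE_TX)])


def scenario_same_signer_twice() -> bool:
    # A compromised single account replaying its own approval must not reach the threshold.
    return authorize(SAMPLE_TX, [approve("cfo", SAMPLE_TX), approve("cfo", SAMPLE_TX)])


def scenario_approval_for_other_tx() -> bool:
    # An approval over a different amount must not carry over to this transaction.
    other = dict(SAMPLE_TX, amount=250000)
    return authorize(SAMPLE_TX, [approve("cfo", SAMPLE_TX), approve("auditor", other)])


def scenario_unregistered_signer() -> bool:
    bogus = ("intern", hmac.new(b"guess", tx_digest(SAMPLE_TX), hashlib.sha256).hexdigest())
    return authorize(SAMPLE_TX, [approve("cfo", SAMPLE_TX), bogus])


if __name__ == "__main__":
    print("2 distinct signers      :", scenario_two_distinct())
    print("same signer twice       :", scenario_same_signer_twice())
    print("approval for another tx :", scenario_approval_for_other_tx())
    print("unregistered signer     :", scenario_unregistered_signer())
```

The three rejected scenarios are the ones that matter operationally: a single stolen credential (the “intrusion into the account of a single entity” the article mentions) yields one approval, not two; an approval is bound to the full transaction content, so it cannot be reused for a different amount or destination; and signers outside the registry contribute nothing. The nonce in the transaction is what keeps a fully approved transaction from being replayed later, which is the remaining check a wallet must perform.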
Looking Ahead: Regulatory Environment
Ultimately, in developing blockchain-related cybersecurity applications, developers will have to balance confidentiality and traceability, along with maintaining a secure network, all within the current legal and regulatory environment. From a legal standpoint, it remains unclear how tokens and other forms of digital assets fit under current regulatory structures or whether the regulations regarding the design, holding and transfer of digital assets need to be reengineered to accommodate new technologies, such as when Arizona recently passed HB 2417, a law legitimizing blockchain signatures and smart contracts in certain UCC-related transactions. From a compliance perspective, many have also asked how blockchain records and verified identity procedures will satisfy audit and record keeping requirements for Know Your Customer or anti-money laundering laws. Moreover, it is uncertain how blockchain records will mesh with existing data security requirements under federal statutes such as GLB or HIPAA, industry requirements such as the PCI Data Security Standards, or state data security regulations such as the Massachusetts Data Security regulation (201 CMR 17.00), New York’s Department of Finance cybersecurity regulation, or the host of state data breach notification laws. For example, is data stored on the blockchain, by definition, protected by “reasonable” security measures that satisfy state or federal requirements? As another example, state breach notification laws are triggered after unauthorized “acquisition” or “access” of “personal information,” which typically includes an individual’s name in combination with other sensitive data elements—of course, such laws typically exclude personal information that is encrypted (and where the encryption key was not acquired). In the end, notification may depend on the nature of the breach and whether a user’s private key was accessed or whether a particular blockchain’s cryptography was broken.
Thus, beyond the technology challenges facing blockchain, legal uncertainties are also present. Yet, with the host of benefits for digital commerce and the potential for its use in the next generation of cybersecurity protections, blockchain is certainly worth the wait.