Blockchain in government: Are we ready for prime time?
- By Lloyd Mitchell
- Jan 03, 2018
Largely because of the resurgence of interest in Bitcoin, blockchain has become a headline buzzword in the last year, prompting organizations to jump on the bandwagon without fully understanding either the technology or the security risks.
Even the government is voicing support for blockchain implementations. "With artificial intelligence and blockchain, the [federal government] is exploring a whole range of forward-leaning capabilities that might be helpful to government,” Margie Graves, acting federal CIO at the Office of Management and Budget, told the audience at the Data Transparency 2017 conference.
This optimism is consistent with findings from an IBM survey of almost a year ago. Some 200 government leaders in 16 countries were asked about potential blockchain applications. Ninety percent planned to invest in the technology in 2018, for applications ranging from financial transaction management, to asset management, to regulatory compliance. Blockchain was seen especially disruptive for public- and private-sector contract management, according to the survey.
But it’s possible that enthusiasm for the technology may be outpacing its practicality. Back in February 2017, a blog from the analyst firm Gartner predicted that 90 percent of "enterprise blockchain projects launched in 2015 will fail" within two years. Among the reasons cited were that blockchain was just not quite ready for prime time, even though some companies have been marketing it as a mature technology.
Only the Bitcoin stack and Ethereum platform are actually proven, Gartner said, warning CIOs that most blockchain platforms have 24 months or more experimenting to do, especially where open source technology also is at play.
As more experiments are conducted, organizations interested in blockchain technology would do well to understand its security issues – especially in the creation and storage of cryptographic keys that are vital to making the technology viable for government use.
What is blockchain?
Although blockchain is often discussed in the context of Bitcoin, it is in fact a stand-alone technology that secures distributed transactional data.
A blockchain is a distributed ledger technology, preserving a continuous chain of records or “blocks,” each of which is timestamped and linked to previous blocks. Cryptography verifies all records, or transactions, which can be anything from data to code or smart contracts. These transactions are digitally signed with an asset owner’s public/private key pair, and once the transaction is recorded, it can’t be altered.
Blockchain can be used to secure much more than financial transactions. Blockchain use cases include the sharing of medical records, processing internet of things transactions and record keeping -- all of which are extremely important to the government’s current and future IT initiatives.
What makes the technology appealing compared to traditional security approaches is that blockchain doesn’t need centralized control. Trust is distributed among all members in the blockchain. Transactions are decentralized and verified by the blockchain database itself in the distributed ledger.
Blockchain is particularly interesting because of the way the technology secures identity and data. Consider these two areas:
Identity of things. In today’s global economy, maintaining a secure product supply chain is increasingly important. Government agencies must be able to trace the products they use to authentic manufacturing locations, to make sure they aren’t using counterfeit or grey market products. The blockchain cryptographically binds products to an identity at manufacturing and creates a ledger containing information about device permissions, approved usage and deployment and manufacturing or firmware revisions.
Network data storage. Stored data, which frequently contains an agency’s most valuable information, is often vulnerable to compromise. Agencies must ensure their data is tamper-proof. A blockchain log/ledger can attest to the integrity of this data. Before agencies put all their eggs in the blockchain basket, however, it’s important to make sure the technology is as secure as it’s made out to be.
Securing the secure
Blockchain is touted as an inherently secure solution, but there are a few underlying weak spots that could benefit from an extra layer of security.
Securing access to the blockchain. By assigning digital identities, also known as certificates, to both the people and the devices that use permissioned blockchains, agencies can ensure that the identities of all members are known.
Securing core blockchain technologies. As its security foundation, the blockchain network uses public-key cryptography. That makes the secure generation, use and storage of cryptographic keys critical to the overall security of the technology. Hardware security modules can secure the cryptographic keys and identities in a hardware root of trust that can’t be tampered with.
Securing communications across the blockchain network. Hardware security modules can also generate and securely store cryptographic keys used in Transport Layer Security and Secure Sockets Layer network connections. Both of these protocols help manage authentication and exchange messages, which secures the integrity of the blockchain transactions.
There’s little doubt that blockchain technology will be gaining ground quickly in federal IT. Before it’s ready, however, we all must make sure that the security of the technology is up to the hype that surrounds it.
Lloyd Mitchell is president of Thales Trusted Cyber Technologies.