Blockchain is not just about cryptocurrencies anymore. The blockchain adoption rate is growing extremely fast—expanding its footprint globally across multiple industries and economic sectors. A recent IDC report projects a 73.2% worldwide compound annual growth rate (CAGR) between 2017 and 2022 for spending on blockchain solutions. This translates to a global rise in blockchain spending from USD $1.5 billion in 2018 to $11.7 billion in 2022. Within Asia Pacific (outside of Japan) blockchain growth will maintain pace with the rest of the world at 72.6% CAGR. Japan, however, is expected to lead the entire world in blockchain spending, forecasted at a 108.7% CAGR.
The financial industry ranks as the main market for implementing blockchain technology, with the transportation/logistics industry following a close second. It’s important to note that financial services firms are deploying blockchain to support mainstream sovereign currency processes—not the controversial cryptocurrency transactions that initially thrust blockchain into the spotlight. Worldwide blockchain spending growth among professional services and process manufacturing businesses is also experiencing an increase.
The Asia Pacific region has become a hotbed of innovative blockchain applications. As the sidebar details, blockchain-based projects are piloting or already in production in government, electric utility, supply chain security, and environmental use cases. The drastic spike in blockchain spending predicted in Asia Pacific also indicates that there are no signs of these use cases dwindling in the foreseeable future. However, as more industries in Asia Pacific and Japan adopt blockchain, it’s crucial that security leaders implement processes to secure new blockchain projects.
Blockchain Security Risk Factors
Every new technology has its risks, and blockchain is no exception. Even the earliest blockchain deployments stimulated the creative juices of cybersecurity adversaries. As blockchains grow in economic importance, they will undoubtedly become more attractive targets for cybersecurity interference.
To start, there are a number of blockchain and distributed ledger technology (DLT) vulnerabilities that we need to be aware—ones that will impact how we deploy and where we apply blockchain:
· Consensus Hijack. In decentralized, permission-less networks, where consensus is formed through majority assent, taking control of a large enough portion of participating clients could allow an attacker to tamper with the validation process.
· DDoS Attack. Due to the distributed nature of blockchain ledgers, they are potentially vulnerable to spam-based distributed denial of service (DDoS) attacks. Even when these attacks do not completely close off access to a blockchain, they can increase processing latencies, as the nodes will be busy checking the validity of the fraudulent transactions.
· Sidechain Vulnerabilities. These can afflict the gateways used to transfer assets and messages between parent and sidechains through two-way pegging. Here, if an initial “locking” transaction is later considered invalid, then subsequent proxy transactions would also be affected.
· Smart Contracts. These are automated transaction programs that run on distributed ledgers that typically feature business logic such as self-executing insurance policies and financial futures contracts. This makes them subject to coding errors, often related to the specialized programming languages used to formulate smart contracts. In particular, this phenomenon has been observed in Etherium blockchain smart contracts written using the “Serpent” or “Solidity” object-oriented languages.
· Private Blockchain Vulnerabilities. Some enterprises have implemented private blockchains using existing network infrastructure, cloud-based services, and user access privilege. This configuration helps protect them from external interference. From the adversary’s point of view, discovering the existence of a private blockchain can intensify their motivation to break in. After all, their thinking goes, there must be something valuable there if they have a safe like that to protect it.
Building in Security by Design
Despite the hype and exuberance currently animating the blockchain conversation, for the cybersecurity professional, blockchains are just another enterprise asset to protect from adversary interference. Fortunately, at the technology’s current stage of evolution, almost every blockchain project is a greenfield project. This offers application designers the opportunity to build security into the project at the beginning of its development cycle.
Treating security as a primary design goal of a blockchain project makes it possible to conduct a structured analysis of security requirements and investment priorities. Phases in this process include:
· Identify Your Crown Jewels. What’s at stake in the blockchain initiative? What would motivate an attacker?
· Survey the Attack Surface. What are the potential points of attack and failure across all expanses of your network?
· Protect Against Known Threats. Define threat intelligence requirements, and specify processes and technologies to ward off known threats.
· Identify and Detect Unknown Threats. Access sources of pertinent threat intelligence, and use findings to inform and adjust blocking and preemptive measures.
· Rapidly Address Vulnerabilities, Exploits, and Breaches. Time is of the essence for all kinds of response and remediation actions. Not only does time give an attacker expanded opportunity to explore and exploit your resources, but it can be very embarrassing to have to explain to the world why it took weeks/months/years for your organization to discover and shut down a damaging breach.
· Continuously Reassess, Adjust, and Improve the Security Posture. The defense never rests because attackers don’t either.
While many benefits exist from blockchain technology, much remains to be done from a cybersecurity point of view. As experience with blockchain technology increases, IT and cybersecurity professionals will undoubtedly encounter some additional unpleasant surprises along the way. That said, cybersecurity professionals would do well by extending proven fabric-based approaches to building security into blockchain-based initiatives in their early planning and design phases.
Fortinet has been thinking a lot about the cybersecurity implications of digital transformation (DX), of which blockchain is a part. The Fortinet “Security Transformation Requires a Security Fabric” white paper is a good place to start to better understand how to implement cybersecurity in this new DX-driven world. There’s no doubt that blockchain has a great future ahead of it. Beyond the considerable merits of the technology itself, we have the advantage of entering the blockchain era with much greater awareness of cybersecurity risk factors facing any new technology megatrend. Forewarned is forearmed, as the old saying goes.
Six Representative Asia-Pacific Blockchain Projects
1. Energy-Blockchain Labs is working on a carbon emissions tracking blockchain that could be linked to emissions offsets and carbon trading markets in China.
2. IBM and Wal-Mart are collaborating with China’s Blockchain Food Safety Alliance to track foodstuff distribution and supply chains.
3. The city of Freemantle, Australia has adopted blockchain to manage a smart solar electricity and water heating generation and distribution infrastructure to respond to dynamic demand and environmental conditions.
4. A consortium of palm oil industry companies across Southeast Asia is deploying blockchain to support a sustainable “no-deforestation, no peat, no exploitation” (NDPE) production and supply chain for this important plant oil product.
5. The City of Taipei is combing blockchain and Internet of Things (IoT) technologies to support multiple e-government initiatives including a smart citizen ID card and a wallet-format pollution/weather status display card.
6. Japan’s Ministry of Internal Affairs and Communications is piloting a blockchain-based system to automate government purchasing and other transactions.