Given the recent cyberattacks on critical infrastructure around the world, such as the Christmas 2016 power outage in Ukraine, which left more than 200,000 people in the dark, the task of protecting vital systems and networks has become an issue of pressing global importance.
Meeting that challenge requires improving digital security standards and practices across all industries. It also demands investing in the newest and most promising technologies, such as blockchains.
Though Bitcoin gets most of the press, the technology undergirding it – blockchains – has the potential to transform business, and maybe even revolutionize cybersecurity.
A blockchain is simply an online ledger, e.g., a distributed database of who owns what. The database is separated into transactions, called blocks. Once a new block is added to the chain, the data in the block cannot be changed, the digital equivalent of etching a Bitcoin transaction in stone.
From making businesses more efficient to recording property deeds to securing medical devices, a range of huge organizations are investigating new ways to deploy blockchain technology. Startups in the space have attracted more than $1 billion in funding. Even the Defense Advanced Research Projects Agency, the Pentagon's experimental brain trust, is researching blockchain technology to "create an unhackable messaging system."
But to date, relatively few firms are exploring the application of blockchain technology to help safeguard critical infrastructure. That needs to change, both on the part of US business leaders and policymakers.
One example of this kind of innovation is already underway. The cybersecurity firm Guardtime uses blockchain technology to secure Britain’s power grid, including its nuclear power plants and flood defenses. Guardtime uses blockchain technology known as Keyless Signature Infrastructure (KSI) to detect “unauthorized changes in software configurations [by] ... providing a complete chain of the history of the data that is generated and transmitted.”
Estonia is also using Guardtime's approach and looking into ways blockchains can authenticate marriage records and health data. US critical infrastructure operators and policymakers could learn from Estonia’s experimentation, while understanding the limitations of the technology.
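The tamper-evidence idea described above, applied to a history of software configuration records, as an added example that is not from this essay or from Guardtime: a simplified hash chain in Python, not the KSI design. The device names, settings and the independently held `witness` list are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the first block's prev_hash

def block_hash(index, prev_hash, records):
    """SHA-256 over the block's contents and the previous block's hash."""
    body = json.dumps([index, prev_hash, records], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def append_block(chain, records):
    """Link a new block of records to the current tip and return its hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    h = block_hash(len(chain), prev_hash, records)
    chain.append({"prev_hash": prev_hash, "records": records, "hash": h})
    return h

def first_altered_block(chain, witness_hashes):
    """Index of the first block that fails verification, or None if all pass."""
    # witness_hashes: block hashes held by an independent party (assumption),
    # so a rewrite that also recomputes every later hash is still caught.
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        recomputed = block_hash(i, prev_hash, block["records"])
        if (block["prev_hash"] != prev_hash or block["hash"] != recomputed
                or recomputed != witness_hashes[i]):
            return i
        prev_hash = block["hash"]
    return None

def build_sample():
    """Constructed sample: three blocks of device-configuration digests."""
    chain, witness = [], []
    for cfg in ("relay-07 trip=1.20", "relay-07 trip=1.25", "pump-02 max=80"):
        digest = hashlib.sha256(cfg.encode()).hexdigest()
        witness.append(append_block(chain, {"config_sha256": digest}))
    return chain, witness

def rewrite_from(chain, index, records):
    """Model an insider edit: change a block, then re-link all later blocks."""
    forged = [dict(b) for b in chain[:index]]
    for i, block in enumerate(chain[index:], start=index):
        append_block(forged, records if i == index else block["records"])
    return forged

if __name__ == "__main__":
    chain, witness = build_sample()
    print(first_altered_block(chain, witness))   # untouched history
    forged = rewrite_from(chain, 1, {"config_sha256": "f" * 64})
    print(first_altered_block(forged, witness))  # re-linked forgery
```

The forged chain is internally consistent, so it is only detected because the block hashes are also held outside the control of whoever maintains the log.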
The anonymous developer known as Satoshi Nakamoto outlined the protocol that leveraged peer-to-peer technology to create Bitcoin. It's a deceptively simple innovation that "set off a spark that has excited, terrified, or otherwise captured the imagination of the computing world and has spread like wildfire." Netscape cocreator Marc Andreessen called the innovation “the distributed trust network that the internet always needed and never had.”
Indeed, according to the Economist, blockchains have the potential to “transform how people and businesses cooperate.” Such an outcome is by no means predetermined, with an array of technological, economic, political, and governance issues to be overcome.
Undoubtedly, there is significant hype associated with blockchains, and they will be improperly deployed in some scenarios where a more traditional ledger might be suitable. However, in security, there is frequently a need for an authentic log of data, transactions, and records. If a few authorities can alter such records, then there is concern that targeted foul play can lead to untrustworthy records. Alternatively, in some scenarios there are few clear authorities that should be trusted to establish authenticity – and those authorities may not themselves have mutual trust – meaning that a more grassroots approach is necessary.
Still, the promise of this technology, especially in the context of enhancing cybersecurity in critical infrastructure systems, deserves our sustained attention. In other words, a sustainable blockchain edifice will not be built overnight; it will take ongoing attention by numerous stakeholders – including policymakers – over a period of years, perhaps decades. But by starting now, block-by-block, we can build trust in an age that has to date been defined by increasing cyber insecurity.
Scott Shackelford is an associate professor of business law and ethics at the Indiana University Kelley School of Business, as well as director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, and Cybersecurity Program Chair of IU’s MS in Cybersecurity Risk Management. He is also a research fellow at the Harvard Kennedy School.
Steven Myers is an associate professor in the Department of Computer Science in the School of Informatics and Computing at Indiana University, where he is also the School's Security Programs Director, and a member of the Center for Applied Cybersecurity.
The full article on which this essay is based, “Block-by-Block: Leveraging the Power of Blockchain Technology to Build Trust and Promote Cyber Peace,” is forthcoming in the Yale Journal of Law and Technology.