Blockchain is becoming key for global trade - but is that a gift for hackers?

In 2017, hundreds of companies fell victim to a ransomware attack called NotPetya. Maersk and FedEx saw their global operations disrupted for weeks and suffered hundreds of millions of dollars in losses. While ports and freight forwarders are turning to new technologies, NotPetya was also a stark reminder that cybersecurity is difficult to retrofit: it must be embedded from the beginning.

Blockchain and distributed ledger technologies have the potential to allow for unprecedented efficiency and transparency, optimizing operations much beyond what the current ecosystem of central databases and paper-driven bills of lading could ever achieve.

However, all technologies exhibit weaknesses and vulnerabilities depending on how organizations use them. Everything from the combustion engine and atomic energy to computers and social networks have been leveraged for purposes other than they were originally intended. Blockchain is no different: its weaknesses and vulnerabilities will be leveraged for a variety of interests. Not all of them will be legitimate.

Question the past to trust the future

Blockchain is, in short, a system to record transactions. For centuries, in the absence of a better way, we have created trust intermediaries to keep such records intact: banks, notaries, customs, and more. Blockchain’s promise is to replace these trust intermediaries with technology: in other words, to replace human trust with digital trust.

Trust historically stems from predictability: we trust our neighbours because we can predict their behaviour thanks to our laws and customs. We trust our planes because we can predict how they will act in the sky thanks to safety protocols and third-party certification. In the digital world, digital trust also comes from predictability: for us to trust blockchain, we will need to predict its behaviour, to ensure that it does only what it is supposed to. We enforce this through cybersecurity.

Blockchain has been hyped beyond reason in the past decade, and from a cybersecurity standpoint many have claimed its cryptographic foundation to be the ultimate guarantee. On the other side, early adopters whose fortunes have vanished in cryptocurrency hacks and heists have publicly questioned the same foundation. As the technology matures and this polarization fades away, what remains?

For now, confusion.

Most organizations in the supply chain industry and beyond are still focusing the bulk of their efforts trying to understand the technology.

Despite the confusion, businesses are starting to use blockchain to track and trace goods from salmon to diamonds. But can owners and users, from ocean carriers to importers, trust the technology? And do they?

Trust the past to question the future

Security is a fascinating discipline, particularly when looking at new technologies: outsmarting attackers is a subtle mix of innovative solutions and historic principles that stood the test of time.

Blockchain is an innovation of the Fourth Industrial Revolution that builds upon technologies of the Third: the security of the underlying infrastructure, the internet, just cannot be taken for granted. Securing blockchain starts with traditional information security. At its root are concepts such as defence-in-depth, invented in the 17th century by French military architect Vauban, or the CIA triad, confidentiality, integrity and availability, already used by Julius Caesar in his time.

For instance, looking at distributed ledgers and consensus mechanisms through the lens of the CIA triad, one realizes that blockchain is intended to protect integrity, first and foremost. The distributed approach makes it much harder for attackers to tamper with information undetected. Given the number of intermediaries in global supply chains and the potential for theft and fraud, it is no surprise the industry is turning to blockchain.

But when it comes to confidentiality and availability, blockchain can lag behind other technologies. It is absolutely not recommended to store sensitive information on blockchain for instance. Data availability and real-timeliness will also depend on the blockchain type: an in-theatre supply chain system for the military may not use the same blockchain type as a postal mail service.

Determining what risks owners and users face when using a particular blockchain is hence key to setting the right expectations, and in turn to fostering predictability and trust.

It is also key to economic prosperity, and this is precisely why the World Economic Forum and Hitachi, together with a number of public and private supply chain actors, have published a Framework for Blockchain Cybersecurity. As the fifth white paper in a series dedicated to the Inclusive Deployment of Blockchain for Supply Chains, it sheds light on the building blocks required for a secure deployment of blockchain.

Deploying blockchain in confidence

“As blockchain gradually innerves global supply chains, we identified the need to accompany organizations interested in deploying blockchain with confidence. Building on vital insights from World Economic Forum events, meetings and research, findings showed an important concern at all levels of organizations about what blockchain technology means for security. As with any emerging technology, parties worry about the vulnerabilities that nascent blockchain technology presents, especially as blockchain is still poorly understood,” said Nadia Hewett, Project Lead Blockchain and DLT at the World Economic Forum.

“For the last 18 months we have co-defined the key essentials on blockchain deployment, from consortia governance to digital identity, interoperability, tax issues, and security," said Hiromitsu Kato, General Manager, Center for Technology Innovation – Systems Engineering, Research & Development Group, Hitachi, Ltd.

"We view security as a precondition to blockchain: without it, digital trust cannot be enforced and the technology may fail to be adopted, or worse, be adopted despite security flaws."

The latest white paper of the series introduces a 10-step secure deployment framework, along with a blockchain security risk management process. Given the level of technological maturity at this moment in time, the most important, but most difficult, step is probably the first: getting the right people.

Indeed, the shortage of blockchain skills is high given the demand, and the same goes for cybersecurity skills: labour supply at the intersection of both is considerably low. While our white paper will help leaders ask the right questions, the blockchain security industry needs much more support to be in a position to answer them.

Blockchain has plenty of potential: in the supply chain industry alone, distributed ledger technologies are expected to represent close to $10 billion by 2025, up from $93 million in 2017. If we look at the past to build our future, if we embed security into blockchain from the onset, if we train engineers and educate board members, blockchain will unlock hidden value from global supply chains, and deliver on its promise to be the economic engine of the 21st century.