Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Blockchain: One strong link doesn’t make a strong chain

August 23, 2018 By Doug


I’ve written before about the hype around AI, where there’s lots of potential, a ton of smoke and mirrors, and a few real things.  Blockchain is right there contending for the king of the mountain.  So what’s real, what’s hype, what’s plain dumb, and what isn’t anyone really talking about?

I’m going to assume that you already have a working knowledge of blockchain – that it’s a digital ledger that records transactions in a distributed manner using cryptographic mathematics.  Fundamentally it’s focused on protecting integrity – non-repudiation, with a secondary nod to availability (due to the potential for running on a distributed network).  Confidentiality is always an add-on – you can encrypt content before it goes into the entries, but blockchain itself doesn’t provide that capability.  Anonymity is a common feature, but again, not a fundamental part of the design.  Blockchain is only one small component in an overall solution – it solves one problem well, but it’s not a magic bean.

There are very real use cases for blockchain.  The most common are cryptocurrencies – bitcoin and so forth.  Just remember that cryptocurrencies use blockchain, but blockchain is not a cryptocurrency.  I’m not a fan of cryptocurrencies as an investment since they fundamentally aren’t tied to any form of goods or services – to be fair, most modern currencies aren’t either, yet ‘full faith and credit of the United States’ is more sound than ‘investor interest in owning it’.  Still, using cryptocurrencies for payments is a practical use case (setting aside speculators) – in particular, I see them replacing traditional wire transfers as a lower cost and more competitive option.  But I don’t see blockchain replacing traditional currency anytime soon, as it’s not currently possible to apply nation-state level monetary policy, and particularly changing the supply of money, using a cryptocurrency with a fixed maximum supply.

Using blockchain ledgers for bills of lading has the potential to transform the transit industry and greatly reduce overhead costs.   In a similar fashion, using them to track authentic parts across supply chains to reduce counterfeit parts (and provide instant paperwork for things like airplane repairs), is a transformative capability.  Financial services is the other industry that’s furthest along, where they’re looking at blockchain ledgers for both internal transactions as well as interbank transfers.

The worst use case is for voting.  Blockchain, by itself, only provides a record of a vote.  It does nothing to ensure that the right person voted, or that they only voted once.  It doesn’t provide a voter-verifiable audit trail of how they voted, and relies far too much on fallible software to provide those other services.   The hype is far out of whack with the risk, and that experiment is grossly ill-conceived – there is currently no secure way to vote electronically.  Full stop. As I’ve written before, the only secure method presently available is to validate voter identity against registration, then either provide the person with a paper ballot that they mark and validate, or use an isolated system that prints a paper ballot from user choices that they can validate after printing, and finally use a separate system to tabulate the votes – or worst case, use a hand count of those paper ballots.  That system minimizes the technology involved, and the official record is on durable paper.

But here’s the thing that no one’s really talking about.  What happens if the math breaks?  We’re seeing that with hash functions, and while there’s no real threat to the encryption algorithms today, attacks always get better.  Plus quantum (I probably need another post about that hype) is on the horizon.  That’s the security guy in me, I’m always looking for how things break.  As we do roll out blockchain, are we building in safeguards against a fundamental compromise in the math?  In most cases not.  To be fair, the current processes have vulnerabilities in integrity as well – particularly from an internal conspiracy, and blockchain would make that much more difficult.  But it is something to think about.
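Two of the points above, that the ledger protects integrity but not confidentiality, and that the integrity guarantee rests entirely on the hash function, are easy to see in a minimal hash-chained ledger. The following is an added example written for this page, not code from the post or from any blockchain project; the `Block` type, the functions and the shipment entries are all constructed for illustration, and `weak_hash_hex` (SHA-256 truncated to 16 bits) is a stand-in for a hash function whose "math has broken", not a real algorithm.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

# A hash function maps bytes to a hex digest string.
HashFn = Callable[[bytes], str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def weak_hash_hex(data: bytes) -> str:
    # Constructed stand-in for a broken hash: SHA-256 truncated to 16 bits.
    # A real break would be an algorithmic flaw; truncation simply makes
    # the consequence observable in a few thousand trials.
    return hashlib.sha256(data).hexdigest()[:4]


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: str  # stored in the clear: the chain adds no confidentiality


def block_digest(block: Block, hash_fn: HashFn = sha256_hex) -> str:
    # Canonical serialisation so the digest covers every field of the block.
    material = json.dumps([block.index, block.prev_hash, block.payload],
                          separators=(",", ":")).encode()
    return hash_fn(material)


def append(chain: List[Block], payload: str, hash_fn: HashFn = sha256_hex) -> List[Block]:
    # Each new block commits to the digest of its predecessor.
    prev = block_digest(chain[-1], hash_fn) if chain else hash_fn(b"genesis")
    return chain + [Block(len(chain), prev, payload)]


def verify(chain: List[Block], hash_fn: HashFn = sha256_hex) -> bool:
    # Integrity check: every block must point at the digest of the block before it.
    for i, block in enumerate(chain):
        expected_prev = block_digest(chain[i - 1], hash_fn) if i else hash_fn(b"genesis")
        if block.index != i or block.prev_hash != expected_prev:
            return False
    return True


def head_digest(chain: List[Block], hash_fn: HashFn = sha256_hex) -> str:
    # The digest of the newest block; publishing it externally is what
    # protects the tail of the chain, which no later block vouches for.
    return block_digest(chain[-1], hash_fn)


def verify_against_head(chain: List[Block], head: str, hash_fn: HashFn = sha256_hex) -> bool:
    return verify(chain, hash_fn) and head_digest(chain, hash_fn) == head


def build_sample_chain(hash_fn: HashFn = sha256_hex) -> List[Block]:
    # Constructed sample: three bill-of-lading style entries for one shipment.
    chain: List[Block] = []
    for payload in ("shipment 1001: 40 crates, origin Rotterdam",
                    "shipment 1001: customs cleared",
                    "shipment 1001: delivered, signed J. Doe"):
        chain = append(chain, payload, hash_fn)
    return chain


def tamper(chain: List[Block], index: int, new_payload: str) -> List[Block]:
    # Rewrite one stored entry and leave every other block untouched.
    return chain[:index] + [replace(chain[index], payload=new_payload)] + chain[index + 1:]


def forge_with_collision(chain: List[Block], index: int, new_payload: str,
                         hash_fn: HashFn, max_tries: int = 1_000_000) -> Optional[List[Block]]:
    # What "the math breaking" means for the ledger: if a replacement block can be
    # made to hash to the original block's digest, the rewritten chain still verifies.
    # Here a counter is appended to the payload until the digests match.
    target = block_digest(chain[index], hash_fn)
    for n in range(max_tries):
        candidate = replace(chain[index], payload=f"{new_payload} #{n}")
        if block_digest(candidate, hash_fn) == target:
            return chain[:index] + [candidate] + chain[index + 1:]
    return None  # no collision found within the budget
```

Three things fall out of running it. Changing a middle entry breaks the link from the next block, so `verify` catches it; changing the last entry does not, because nothing points at the last block, which is why the head digest has to be anchored somewhere outside the ledger (peers, a published checkpoint). With `weak_hash_hex` standing in for a broken function, `forge_with_collision` finds a rewritten entry that still verifies in roughly 2^16 attempts, while the same search against SHA-256 finds nothing. And at every step the payloads are readable in plain text, so anything confidential has to be encrypted before it is written in.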

In the end, when you hear someone talk breathlessly about blockchain, get out your paper bag and help them stop hyperventilating.  It is being used, and it has solid potential, but only as one component in an overall solution.

Filed Under: Security Tagged With: bitcoin, blockchain, cryptocurrency, electronic voting, security

Securing the Information Supply Chain

January 31, 2018 By Doug


It’s no secret that we’re in the information age and the rise of the CIO to prominence in most organizations reflects that.  Google, Facebook, Amazon (?), are all large companies whose entire business model is based on the flow of information from creators to customers.  So if that’s the new supply chain, can we leverage concepts from the physical world to the virtual?

With physical goods we have centuries-long patterns for value flow, risk assessment, and optimization strategies.  Those can include everything from accounting for weather along the transportation route, geopolitical disruption of critical goods, regulatory oversight requirements, and criminal activity – from fraud to hijacking to shrinkage.  Companies that operate in the physical world understand very well how to get from materials to goods to customer to cash.

Yet those same companies often neglect the information supply chain that follows the goods.  While this is starting to change, as the interest in using blockchain to track products shows, most organizations are only focusing on sections of the overall business process, leaving gaps for attackers (either Murphy or malice) to exploit.  The approach harkens back to the ’90s and early ’00s, to the days of business process re-engineering and enterprise architecture.

We first map out the core business processes – from raw materials, through manufacturing, to delivery to customers, and ultimately to cash to the business.  Once we have those processes identified, at each stage we identify the critical information assets required as part of the step, and conduct a threat and risk assessment for each one.  We often find that a piece of information that’s critical at one stage of the process (and highly secured there) actually originates much earlier in the workflow, where it may not be treated as critical and is not properly secured.  Likewise, information that’s critical at one stage may later not be important any longer, yet expensive security practices continue beyond the ‘expiration date’, wasting resources that could be more effectively deployed.  We don’t continue to use armed guards after the semi-trailer is empty.

Of course, records retention policies and regulations, litigation, and audit requirements can extend the lifespan of information beyond its useful date, but that’ll all come up as part of this process.  Having a good handle on the information lifecycle allows for defensible destruction policies that are often missing from most organizations.  Have you purged your email recently?

The key here is that all this work then drives cybersecurity policies to a new level of maturity – ensuring that there’s complete coverage and appropriate investment based on business risk.  So for a late new year’s resolution, let’s make sure that we take time from the day-to-day headline-driven work, and work with our business stakeholders and CIOs to document, assess, and secure the information supply chain.

Filed Under: Security Tagged With: blockchain, business process, information supply chain, risk assessment, security, threat
