IBM, a global leader in technology services spanning hardware, software and cybersecurity, has deployed its considerable cybersecurity SWAT team, X-Force Red, to the growing enterprise blockchain arena. Blockchain as a core technology is resilient by design: the public blockchain underpinning bitcoin transactions has not been hacked at the protocol level since its launch in 2008. Nevertheless, the rapid growth of enterprise blockchain projects will plug this pioneering technology into otherwise vulnerable systems and processes – all prone to human error and the massively interconnected and rapidly evolving cyber risk landscape.
Anticipating $10 billion in enterprise blockchain investments by 2021, IBM, whose commercial quantum computing capabilities could theoretically break blockchain, aims both to make this critical technology more secure and to bridge the nascent cybersecurity standards in the sector. X-Force Red’s blockchain testing service will conduct veritable stress and penetration tests at all phases of a blockchain's design, implementation and ongoing use. With the number of teachable cybersecurity moments in the blockchain and particularly the cryptocurrency arena, such as the eye-watering QuadrigaCX losses of more than $140 million in crypto assets in Canada, IBM’s offering is not only timely, it is essential for this emerging technology and the maturing industry that surrounds it. Chris Thomas, X-Force Red’s blockchain testing lead, observes that the academic premise for blockchain has been around for nearly 30 years, while the technology has been deployed for a decade with a single use case, namely recording bitcoin transactions. The nascent run of enterprise blockchain adoption and other projects will be hindered if cybersecurity and governance standards do not keep pace.
Composed of a team of veteran hackers, IBM’s X-Force Red (as the name suggests) is all about donning a red hat and bringing to bear the type of thinking, technologies and exploits, including social engineering, that are the tools of the trade of cyber ne’er-do-wells. Critically, with the explosive growth of enterprise blockchain use cases, testing and full-scale deployments, the potential cyber-attack surface and subsurface areas will continue to grow exponentially. This attack surface is not aided by the spread of connected devices, the internet of things (IoT) both large and small, as well as industrial controls, which tend to operate on software systems beyond their patchable life. In many ways, one of the best uses for blockchain is to serve as a ledgering system for machine-to-machine trade, which raises the priority of security design thinking well before new technologies are deployed, especially ones that record with such permanence, traceability and fidelity as blockchain. One faulty input of the “garbage in, garbage out” variety, and all the investment in emerging “trustless” operating models could be for naught.
“New technologies often play catch-up with security as they emerge through their early adoption phase. If we look at mobile applications, cloud computing and even personal computers – all these innovations needed to adopt policies and techniques for security,” said Charles Henderson, Global Head of IBM X-Force Red. “However, while blockchain is a breakthrough for protecting the integrity of data, that does not mean the technology and connected infrastructure are always protected from attackers, which is why security testing is essential during development and after deployment.” This exercise of cybersecurity maturity and prudence will only increase end user comfort in blockchain technology and drive further investment in the increasingly competitive enterprise blockchain arena, which now boasts a number of major providers, including IBM, Microsoft and Oracle, which sits astride the world’s deepest repository of commercial databases all begging to be connected in new high-trust, low-friction ways. The advent of a robust cybersecurity offering geared toward improving confidence in blockchain from the design to the operational stage is a key signal of the sector’s maturity and expected growth.
One challenge, of course, as blockchain and cryptocurrencies move up market, dominated by major players, is the risk that the vibrant startup ecosystem composed of challengers is effectively priced out from the types of operational, hardware, software, cybersecurity and governance standards that are now emerging. The strength of the blockchain technology wave is not only that the technology is resilient due to its distributed nature. In many ways, the talent pool, albeit a shallow one, that has brought this technological wonder to life is similarly distributed. As major players concentrate their efforts on enterprise blockchain and other pioneering technologies, they would be wise not to build a firewall excluding this community, but rather to stand up as central pillars in a distributed world. The broader enterprise adoption becomes, and the more it facilitates a plug-and-play environment where supply chain partners (large and small) can accelerate their trade with larger firms, the greater the net gain for all involved, provided of course that security risks and design vulnerabilities are put in check.