How can Blockchain improve the IT security ecosystem?
As the world becomes increasingly digitized and we move banking, shopping, media, communication and so many other aspects of daily life online, the associated risks of breaches and manipulation are also reaching record highs.
As devices begin to operate without human intervention, they become more vulnerable to hacks because there is no third party to oversee that every device is verified, validated, and secure.
Vaughan Emery, CEO of Atonomi [1]
Recent incidents such as Equifax, WannaCry, and Petya show how the scale and sophistication of these attacks have increased dramatically [2]. One of the potential solutions to provide better cyber security is the utilization of blockchain technology. Much has been discussed about the potential of blockchain technology. Banks, insurance companies, health care services, governments and others have spent a considerable amount of money in this field. Equity funding into blockchain startups increased by 512% between 2014 and 2016 [3], to USD 390 million. In this edition of Thematic Insights we focus on blockchain’s potential as a solution to improve the IT security ecosystem.
Cyber security risks will increase
Cyber security today is becoming a critical aspect of companies, both public and private, as more of the world moves online. In fact, any organization that possesses large amounts of information, especially sensitive information, needs to invest in this space. However, there is still ample room for growth in the cyber security market, because current security technologies so frequently fail to stop the attacks and to protect their clients’ data from being accessed, copied, manipulated or stolen. But also, as technologies advance and become smarter and penetrate our lives more broadly and deeply, the landscape will become more complex and will require significantly more sophisticated security solutions.
According to Lloyd’s of London, a major global cyber-attack could on average trigger a loss of 53 billion British Pounds, and actual losses could reach as high as 121 billion Pounds [4]. Rewind to May 2017: the WannaCry ransomware attack was reported to have infected several hundred thousand computers in 99 countries [5]. The scale of such an attack and potential economic loss might have exceeded the Lloyd’s estimates.
This attack exposed the fact that current technologies are often not sufficient to defend against today’s sophisticated hacking techniques. For investors, this represents an opportunity: better, smarter, more effective cyber security solutions would likely sell like the proverbial “hot cakes”. Zion Market Research estimates the cyber security market will grow at an annual growth rate of 9.5% from 2016 through 2021, to exceed USD 180 billion by 2021.
The need for better security will only increase as the digital lifestyle, mobile devices, the internet of things (IoT) and autonomous vehicles, to name a few, continue to put more and more personal information onto the internet. With the proliferation of IoT devices, data is being produced at an unprecedented rate. It is estimated that an autonomous vehicle alone will send 25 gigabytes of data to the cloud every hour [6]. Intel thinks the number is even higher, and estimates that by 2020 the average autonomous car may process 4,000 gigabytes of data per day, equivalent to the amount produced by 2,666 average internet users today [7]. And these are only the cars.
We also need to consider the increasing adoption of other connected devices, such as smart homes, smart cities, smart phones and wearable healthcare devices. With that much data produced and stored online, the need for data protection and secure IT capabilities will continue to grow. According to Forbes [8], there were 1 million cybersecurity job openings in 2016 alone. On the IT job board DICES, average salaries for IT software security engineers are about USD 233,333.
Blockchain as a possible solution
Harvard Business Review (HBR) explains blockchain as essentially a distributed ledger that can record transaction data between parties effectively and in a verifiable, permanent way [9]. This means any organization with vast amounts of valuable data could stand to benefit from this technology. We think the rise of blockchain technology has arrived just in time to provide a solution to today’s cyber security flaws and to build a foundation to keep up with the increasing complexity of tomorrow’s digital landscape. The CIA triad model (also called the “AIC triad”), designed to guide policies and best practice for information security within an organization, can also be used as a framework to understand the potential of blockchain in cyber security.
The CIA triad model is a generally accepted framework in the field of information security, based on three key principles: Availability, Integrity and Confidentiality (AIC). The primary focus of the model is to ensure that IT security keeps these three aspects in balance [10]:
- Availability – it is vital to ensure that information is accessible to authorized users at all times and in a timely manner. Hackers may try to deny access to certain users in order to demand money, or to give business rivals an opportunity to gain popularity.
- Integrity refers to the ability to ensure that data is an accurate and unchanged representation of the original secure information. Potential hackers may attempt to change important data before sending it to the intended recipient.
- Confidentiality is the ability to hide information from people who are not authorized to view it. Cryptography and encryption are common examples of attempts to ensure the confidentiality of data transferred from one end to the other.
Based on the CIA triad model, how can blockchain technology improve the IT security ecosystem?
IT security is becoming one of the largest potential applications for blockchain technology. In a previous edition of Thematic Insights (May 2017 [11]), we explored the basics of blockchain, its features, benefits and potential business applications. Here, we focus specifically on the security features of blockchain technology and explain how organizations may benefit from blockchain technology and maintain the three pillars of the CIA triad model in balance.
- Availability: Blockchain’s decentralized, peer-to-peer communication structure means there is no single point of failure, and this decreases the chance of an IP-based DDoS [12] attack being effective. Thanks to the distributed nature of blockchain technology, all nodes within the blockchain network maintain a full copy of the ledger at all times. Thus organizations are able to retire any nodes that have been breached in an attack and continue to operate business as usual with the data stored across all the other nodes. In IT terms this is often known as “resilience”.
- Integrity: Blockchain uses built-in data encryption, “hash comparison” and “multiple hashing” capabilities to ensure that the integrity of the system data is maintained at each step: in transit, at rest and in storage. The decentralized nature of the system makes it very challenging to change any piece of data across the entire system, giving blockchain “tamper proof” recording of every transaction which passes through the ledger, be it a “transaction” of cash, assets, personal health data, etc. Every transaction is added to the blockchain ledger and can be traced back to a specific time and date and to the parties involved. The recent breach of CoinCheck, a bitcoin wallet [13] and exchange service based in Japan, provides a good illustration of this tamper proof recording capability. In January 2018 CoinCheck was hacked and approximately 500 million NEM tokens (a peer-to-peer cryptocurrency) with an approximate value of USD 500 million disappeared. The stolen coins were traced back to each account and wallet, as each transaction was stored within the blockchain network. As a consequence, these wallets were successfully identified and the exchanges were instructed not to accept coins from these wallets. What allowed the hack in the first place was the fact that the private keys were not securely stored [14], but what it proves is blockchain’s ability to trace back each transaction ever recorded within the network.
- Confidentiality: Blockchain can improve confidentiality in two ways. First, the ability to set up a closed network, known as a private or permissioned blockchain network, is a way to implement security access controls at the application level. Establishing a closed network among the relevant parties reduces the likelihood of data being accessed by undesirable participants from beyond the network perimeter. Second, blockchain’s “public key infrastructure” (PKI) feature allows companies to authenticate and authorize parties and encrypt their communications. This encryption reduces the risk of data disclosure. This means even if hackers are able to access a network, they may not be able to read or “decrypt” the information. Transactional data in transit are also protected by this encryption function, which means only the intended party can read the information via their private key, thus guaranteeing confidentiality.
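The “hash comparison” check and the transaction tracing described in the Integrity point above can be illustrated with a minimal hash-chained ledger. This is an added example, not code from the original article or from any blockchain project; the block layout, the wallet names and the helper functions are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first block (assumed convention)

def block_hash(index, prev_hash, tx):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(transactions):
    """Link each transaction to its predecessor through the stored hash."""
    chain, prev = [], GENESIS
    for i, tx in enumerate(transactions):
        h = block_hash(i, prev, tx)
        chain.append({"index": i, "prev": prev, "tx": tx, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Hash comparison: recompute every hash; return the first bad index or None."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(block["index"], prev, block["tx"]):
            return block["index"]
        prev = block["hash"]
    return None

def tainted_wallets(chain, source):
    """Follow funds forward from `source`; return every wallet that received them."""
    tainted = {source}
    for block in chain:  # blocks are stored in chronological order
        if block["tx"]["from"] in tainted:
            tainted.add(block["tx"]["to"])
    return tainted - {source}

# Constructed sample ledger (wallet names and amounts are made up).
SAMPLE_TXS = [
    {"from": "exchange_hot", "to": "thief_1", "amount": 500},
    {"from": "alice", "to": "bob", "amount": 3},
    {"from": "thief_1", "to": "mule_a", "amount": 200},
    {"from": "mule_a", "to": "mule_b", "amount": 150},
]

if __name__ == "__main__":
    chain = build_chain([dict(t) for t in SAMPLE_TXS])
    print("wallets to blocklist:", sorted(tainted_wallets(chain, "thief_1")))
    chain[1]["tx"]["amount"] = 3000  # tamper with a recorded transaction
    print("first invalid block after tampering:", first_invalid_block(chain))
```

The hash chain on its own only makes tampering detectable; it is the comparison against the copies held by other nodes that stops an attacker from simply rebuilding every later block.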
As governments, businesses and individuals move online, new challenges, opportunities, and business and life-style processes are being created. We believe the high and increasing level of dependency on the internet, cloud, and more broadly digital technologies today is also creating security gaps for hackers to exploit.
Cyber-attacks are also becoming more complex and sophisticated as technological capabilities advance and as many of them are better funded today than ever before. Attackers can steal valuable data, such as the case with Equifax resulting in the leaks of personal credit information. They can prevent us from accessing our favorite websites, such as when in October 2016 services from Twitter, Netflix, and Spotify were temporarily affected.
As we move into the IoT-age, we think it is certain that more and more internet vulnerabilities in the cyber space will be revealed in the coming years, creating an attractive market opportunity for blockchain technologies as a cyber security solution. As the technology itself matures, we think there will be a broad number of investment opportunities aimed to develop better, faster, and more personalized IT security solutions.
As long-term oriented investors, we believe that IT security as well as blockchain technologies and more broadly speaking security and safety in general are compelling long term secular growth themes for patient investors. We also believe that we are still in the early innings of these structural growth trends. Based on these convictions, we are shareholders of a number of companies which are providing innovative solutions and technologies.