EU watchdog tells FS firms to focus on blockchain security risks

Financial services firms rushing to adopt blockchain need to make sure that they address the security challenges associated with the technology, the European Union Agency for Network and Information Security (Enisa) has warned.

Banks around the world are busily testing distributed ledger technology, lured by the promise of efficiency and cost savings in everything from remittances to securities settlements. And a recent World Economic Forum report revealed that over one billion euros has been invested in startups in the area.

In its own report, Enisa says that the technology has some obvious security benefits, including enhanced transaction privacy and the ability to follow an audit trail for agreements. Meanwhile, some principles used in the security of traditional systems and in blockchain, such as key management and encryption, are still largely the same.

However, there are new challenges that the technology brings, like consensus hijacking and smart contract management.

To tackle this, the report offers best practice advice, urging firms to monitor internal activity, automate regulatory compliance, disclose information only to relevant counterparts and authorities, and adopt industry level governance procedures for the updating of ledger implementations over time.

Udo Helmbrecht, executive director, Enisa, says: "Cyber security should be considered as a key element in the Blockchain implementation by financial institutions."

Read the full report: download the document (PDF, 1.4 MB).

Comments: (1)

Stephen Wilson - Lockstep Group - Sydney, 23 January 2017, 16:36 (2 likes)

ENISA warns that "key management and encryption are still largely the same" challenge with blockchain as traditional security. Well, yes and no.

Certainly many blockchain pundits overlook key management. I sifted through twenty-odd blockchain-for-healthcare proposals in the US Dept of Health & Human Services blockchain challenge last year, and attended the two-day symposium at NIST headquarters. I was shocked at how few teams looked at key management. I don't just mean private key hygiene in hardware wallets and the like, but the management task of knowing which keys go with which users. See https://www.constellationr.com/blog-news/blockchain-healthcare-and-leading-edge-rd.

And here's the deep problem: blockchain's Proof of Work algorithm was designed so there is no need for key management. It doesn't matter to the system which key goes with which user, because Bitcoin is electronic cash. Possession of the private key is all that matters. Famously, you cannot recover lost Bitcoin balances if you lose your key, for there is no administrator. The absence of an administrator makes it necessary to crowd-source the overseeing of all currency movements (to stop Double Spends). That's what Proof of Work "consensus" does - it's the crowd satisfying itself that all spends are OK.

When you hybridise blockchain, and fold back in traditional key management and encryption (not to mention permissions management for private blockchains), you take away the reason for being of the consensus algorithm. Why have crowd-sourced consensus when an administrator has already been able to oversee which key goes with which user? Ask yourselves: What is the real point of the original public blockchain?

Consensus in the public blockchains as designed today becomes moot when you have key management. So yes, key management in blockchain technologies is much the same as with traditional security; just beware of where it leaves public blockchain architecture which was designed to expel all administration. Many hybrid blockchains look rather like solar powered race cars retrofitted with petrol engines to make them go faster.
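As an added illustration of the two mechanisms the comment above rests on (possession of the private key being the only authorisation for a spend, and the ledger's job being to refuse double spends), here is a toy UTXO ledger in Python. It is not part of the article, the Enisa report or Mr Wilson's comment; the transaction format, the `Ledger` class and every name in it are constructed for this example. Signatures are Lamport one-time signatures built from SHA-256 so the block runs on the standard library alone (real Bitcoin uses ECDSA, but the authorisation logic is the same). A single validator stands in for the crowd-sourced check, and there is deliberately no call that lets an administrator reassign an output whose key has been lost.

```python
import hashlib
import json
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one secret per message-hash bit; only the holder of sk can do this.
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _msg_bits(msg))))


def owner_id(pk) -> str:
    """Address-style identifier: hash of the serialised public key (constructed scheme)."""
    return H(b"".join(a + b for a, b in pk)).hex()


def tx_body(outpoints, outputs) -> bytes:
    """Canonical bytes that are signed and hashed into the transaction id."""
    return json.dumps({"in": outpoints, "out": outputs}, sort_keys=True).encode()


def build_tx(inputs, outputs):
    """inputs: list of (outpoint, sk, pk); outputs: list of {"owner": id, "amount": n}."""
    outpoints = [list(op) for op, _, _ in inputs]
    body = tx_body(outpoints, outputs)
    return {
        "inputs": [{"outpoint": list(op), "pk": pk, "sig": sign(sk, body)} for op, sk, pk in inputs],
        "outputs": outputs,
    }


class Ledger:
    """Unspent-output set; the only rules are 'key holder signed' and 'not already spent'."""

    def __init__(self):
        self.utxo = {}  # (txid, index) -> {"owner": id, "amount": n}

    def coinbase(self, owner: str, amount: int) -> str:
        """Mint an output with no inputs (stands in for a block reward)."""
        outputs = [{"owner": owner, "amount": amount}]
        txid = H(tx_body([], outputs)).hex()
        self.utxo[(txid, 0)] = outputs[0]
        return txid

    def apply(self, tx):
        outpoints = [tuple(i["outpoint"]) for i in tx["inputs"]]
        if len(set(outpoints)) != len(outpoints):
            return False, "same output referenced twice in one transaction"
        body = tx_body([list(op) for op in outpoints], tx["outputs"])
        total_in = 0
        for inp, op in zip(tx["inputs"], outpoints):
            prev = self.utxo.get(op)
            if prev is None:
                return False, "unknown or already spent output (double spend)"
            if owner_id(inp["pk"]) != prev["owner"]:
                return False, "public key does not match the output's owner"
            if not verify(inp["pk"], body, inp["sig"]):
                return False, "signature invalid: spender does not hold the private key"
            total_in += prev["amount"]
        amounts = [o["amount"] for o in tx["outputs"]]
        if any(a <= 0 for a in amounts) or sum(amounts) > total_in:
            return False, "outputs exceed inputs"
        txid = H(body).hex()
        for op in outpoints:
            del self.utxo[op]  # spending consumes the output; nothing can revive it
        for idx, out in enumerate(tx["outputs"]):
            self.utxo[(txid, idx)] = dict(out)
        return True, txid


def demo():
    """A valid spend, then the same output spent again, then a spend without the key."""
    ledger = Ledger()
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    sk_c, pk_c = keygen()
    cb = ledger.coinbase(owner_id(pk_a), 50)
    to_b = [{"owner": owner_id(pk_b), "amount": 50}]
    to_c = [{"owner": owner_id(pk_c), "amount": 50}]
    first = ledger.apply(build_tx([((cb, 0), sk_a, pk_a)], to_b))
    second = ledger.apply(build_tx([((cb, 0), sk_a, pk_a)], to_c))  # double spend
    # C knows B's public key but not B's private key: possession is what counts.
    forged = ledger.apply(build_tx([((first[1], 0), sk_c, pk_b)], to_c))
    return {"spend": first[0], "double_spend": second[0], "no_key": forged[0], "reason": forged[1]}


if __name__ == "__main__":
    print(demo())
```

The validator never asks who a key belongs to; it only checks that whoever signed holds the secret behind the output's public key and that the output is still unspent. That is the property the comment describes: once an organisation adds a registry of which key belongs to which user (and an administrator who can act on it), this check is no longer the only line of defence against double spending, which is the reason the consensus layer existed.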