The subject of security is a massive and diverse field. Blockchain is such a fundamental game-changer for secure systems that covering each individual use case is virtually impossible. That said, it’s important that we have the discussion on how blockchain provides a fundamental paradigm shift in security today, as the gains to be made from these improvements will benefit everyone in the years to come. So, if you don’t mind, I’d like to take a crack at it…
What Is Security?
Human brains are amazing pieces of hardware. They take in information, process it, and adjust outputs regularly to keep the person alive and working in a positive direction (well, most of the time). When you really think about it, though, the entire process of human cognition can be reduced to one core principle: reduce uncertainty.
Security is typically about feeling secure more than it is about being secure. Some people get nervous walking in a strange neighborhood at night, but more often than not, they aren’t under any threat. Nonetheless, they grip their phone and keep their head down. When they make it out to a place they’re more familiar with, their tension drops, and they feel secure again. That doesn’t mean they’re safer, as they could still get mugged, but they feel better because they’re no longer dealing with the uncertainty.
I’ve spoken to quite a few security experts over the years, and many of them have the same attitude about security: a lot of it is theatre. Sure, there are the basics, such as closing unused ports, restricting physical access, having proper permission controls in place, etc., but almost every emergency they encounter was something they didn’t predict. It’s not their fault, often. How could they predict that their operating system vendor would leave a blatant security hole? The best they can do is rely on a quick patch, but what if the patch system itself is part of the problem? Security is sometimes less about mitigating uncertainty than it is about mitigating the feeling of uncertainty. There’s nothing wrong with that, either. Them’s the breaks, as they say. Just do the best you can, log everything, document what you’re doing, and cover your ass (CYA). That’s the best you can do…
…or is it?
Certainty in an Uncertain World
Insecurity is rooted in uncertainty; therefore, it logically follows that true security would require true certainty. So what is true certainty? Let’s wax philosophical and operate under the idea that you can never really know anything for certain. If that’s the case, then most everything we know and believe is built upon some set of assumptions. Certainty would be when our assumptions are never shown to be false in our lifetime and are always considered true by others.
So what kinds of things could benefit from some true certainty? Well, network routing, for one. If you send something to someone, it would be great to ensure it gets there. This goes a bit further, to email addresses. If you send an email to someone, how do you know that request isn’t being manipulated before it gets to your mail server? There are local virus scanners, but let’s say your definitions become compromised somehow: how can you detect that, let alone fix it?
And all that’s nice, but let’s take this a bit further and look at the very data we own. How are your files stored? If your hard drive crashes, did you back them up? Can you be certain those backups are accessible? What if your backups are in NYC and you are in Shanghai… can you still get them? Should you even be able to?
Wouldn’t it be great if all of this, and more, could be stored in a decentralized manner?
- What if your files were just nodes on a larger network that everyone’s hard drive takes part in and shares globally, but only you can unlock and read?
- What if all computer viruses were logged, reported, and validated by various teams worldwide in an open database, so you could detect and block them locally without worrying whether the definitions were tampered with?
- What if your identity could move from system to system without the need for third party verification and all access controls could be tied to your unique identifier without the need for a central public host to command that access?
- What if you could verify the authenticity of a patch by checking a global registry of the patch directly from the source without the fear that this check itself has been tampered with?
What if I told you that blockchain has shown that it can provide these things, and we’ve already begun testing such systems as proofs of concept?
The Security Consensus Provides
Many claim that blockchain provides this true certainty, but let me dash that idea right away. Blockchain and consensus networks change the definition of certainty… or at least they shift the problem around. Blockchain provides a consensus system for information, specifically transaction ledgers. It does not guarantee that the consensus is correct. However, it makes things so incredibly difficult to manipulate, and disincentivizes manipulation so much, that it is extremely implausible that an attack would target you or your organization specifically, as it would be a poor use of such power.
If consensus is being manipulated, there are bigger problems than your network. This is true today in a similar way with the IANA Root Servers. Nobody questions whether it’s wise to use DNS routing if the root servers are points of network-wide failure, because if the root servers are knocked out, the world’s being impacted and you likely can’t operate with anyone else anyway.
In other words, there is security in agreement; there is certainty in consensus.
Let’s take the example of the virus definition logging. Assuming it’s on a consensus network, someone can post a virus definition, an address to the associated files, and a team of validators can execute the virus (even on various systems) and validate that the virus posted is, in fact, a virus and that the definition is a comprehensive means of exacting this virus. When the validators achieve majority success, the definition is marked as valid. These validators do not own a central authority, though they may be assigned as authoritative validators or elected into the network (by group consensus, perhaps). It is in this network’s best interest to provide good results, so the validators work as teams to publish their work and are duly incentivised for their labor. If their solutions are bad, their incentives are penalized by the consumers. Consumers would have to generate a majority (or a minority of some type) to penalize the validators, so unless a large volume of virus definition consumers are compromised, the validators may receive penalties only when they haven’t done proper due diligence. With this, balance is achieved.
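The validator flow described above, sketched as an added example that is not code from this article or from any existing project: definitions sit in a hash-chained ledger, a definition counts as valid once a strict majority of the validator set has attested to it, and a consumer re-checks both the chain and the votes locally. HMAC with per-validator keys stands in for a real public-key signature scheme, and the validator names, keys, definition names and patterns are all constructed.

```python
import hashlib, hmac, json

# Constructed validator set: name -> key (HMAC is a stand-in for real signatures).
VALIDATORS = {"val-a": b"key-a", "val-b": b"key-b", "val-c": b"key-c"}
GENESIS = "0" * 64

def entry_hash(entry):
    """Hash everything except the votes, so votes can be attached afterwards."""
    body = {k: entry[k] for k in ("prev", "name", "pattern")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def attest(validator, entry):
    """A validator's vote: a MAC over the entry hash."""
    key = VALIDATORS[validator]
    return hmac.new(key, entry_hash(entry).encode(), hashlib.sha256).hexdigest()

def append(ledger, name, pattern):
    """Add a new, not yet validated definition linked to the previous entry."""
    prev = entry_hash(ledger[-1]) if ledger else GENESIS
    ledger.append({"prev": prev, "name": name, "pattern": pattern, "votes": {}})
    return ledger[-1]

def is_valid(entry):
    """Valid once a strict majority of known validators has a correct vote."""
    good = sum(hmac.compare_digest(mac, attest(v, entry))
               for v, mac in entry["votes"].items() if v in VALIDATORS)
    return good > len(VALIDATORS) // 2

def accepted_definitions(ledger):
    """Consumer-side check: walk the chain and stop at the first broken link."""
    out, prev = [], GENESIS
    for entry in ledger:
        if entry["prev"] != prev:
            break  # history was rewritten at or before this entry
        if is_valid(entry):
            out.append(entry["name"])
        prev = entry_hash(entry)
    return out

def demo():
    """Constructed run: one majority vote, one minority vote, then tampering."""
    ledger = []
    a = append(ledger, "Sample.A", "deadbeef")
    b = append(ledger, "Sample.B", "cafebabe")
    a["votes"] = {v: attest(v, a) for v in ("val-a", "val-b")}
    b["votes"] = {"val-a": attest("val-a", b), "mallory": "00"}  # unknown voter
    before = accepted_definitions(ledger)
    a["pattern"] = "00000000"  # change a definition after it was voted on
    return before, accepted_definitions(ledger)
```

Editing a definition after the vote invalidates its attestations and breaks the link to every later entry, which is the local tamper check the paragraph relies on; the penalty side of the scheme is not modelled here.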
Use Cases Aren’t the Problem
Every use case of blockchain technology you’ve heard of benefits from consensus in some way. The important concept to get from this article isn’t that blockchain improves security only in new systems; blockchain improves security in existing systems. File storage, replication, location diversity, data uptime, identity validation, authentication, and access control all benefit from blockchain technology immediately. Right now the world needs more development in building blockchain solutions in general. It is my personal hope that blockchain-based security solutions will begin to appear in the next few years and usher in a new era where security products with consensus-based certainty are the standard.
I hope this helps someone!