A major selling point of blockchain is security because of how well it has performed for Bitcoin. The original blockchain — the distributed ledger for Bitcoin — has never been compromised, leading to a rush of financial services firms investing in distributed ledger technology (DLT) to modernize their computing infrastructures.
The DLT hype of the past two years, though, has given way to a more sober, realistic dialogue about the need for sustained development for firms to see a return on their investment in the revolutionary technology in five to ten years. Security, as it happens, is not a done deal.
As air tight as the Bitcoin blockchain has proven to be, it is not directly transferable to the rest of the financial industry. Wrapped up with other requirements, such as auditability, identity management, and know-your-customer compliance, security and data-integrity issues have to be addressed in a bespoke fashion. That takes time, which should give pause for concern, considering that mobile devices and the Internet of Things rolled out faster than did adequate security measures.
“Don’t assume that just because it’s called blockchain, and Bitcoin is so secure, it will be okay,” says Uri Rivner, the head of cyber strategy for BioCatch, who made these points in a February presentation at the RSA Conference, an annual information security event in San Francisco. “The reality is, it’s the Wild West.”
Bitcoin’s blockchain is but one implementation of DLT amid a proliferation of private blockchains.
While Bitcoin’s design is “a revolutionary and elegant solution” to serve the objectives of “a secure, public, peer-to-peer electronic cash system that avoids the need for intermediaries,” it doesn’t solve the needs of the entire financial industry, according to a December white paper by Digital Asset Holdings, a DLT company led by chief executive officer Blythe Masters, a former banker at JPMorgan Chase & Co. Applications for securities clearing and derivatives processing, for example, “call for a very different solution,” the firm said in the paper, as these markets are highly regulated and materially different in terms of transaction volumes.
Bitcoin is public and permissionless, meaning anyone can participate by implicitly buying into the self-governing rules and procedures. Private blockchains need accountability and therefore their own governance, permission management, and security frameworks. The personal privacy and anonymity that are crucial to Bitcoin won’t be acceptable in a private setting.
Bitcoin mining and “proof of work,” the accepted technical process for validating transactions on the public blockchain, are absent in private ones. Corda, a platform created by a team led by blockchain firm R3’s chief technology officer Richard Gendal Brown, addressed privacy and scalability issues by assigning a “notary” to resolve transaction conflicts when they arise.
“There are no perfect solutions in DLT; just trade-offs,” Brown wrote in a January blog. The public blockchain ensures validity through full public broadcast of “pretty much everything that happens,” he wrote, noting that would be “a privacy and scalability disaster” for a private blockchain.
The good news is that DLT players are on the case.
“The first and most fundamental requirement for the application of DLT in regulated financial services is to preserve the privacy of sensitive information stored and coordinated by the DLT,” Digital Asset said in a November paper on its Global Synchronization Log. The firm said the log is designed to provide the same “integrity, privacy, and transparency guarantees found in shared, replicated ledgers.”
Ron Lefferts, a managing partner in the financial services group at IBM Global Business Services, says “security is a critical design point” because trust and reliability are essential to financial networks. Its importance is underscored at the Hyperledger Project, a standards-promoting, blockchain technologies group whose members include IBM, Digital Asset, and R3.
To show how a blockchain can deliver for wholesale finance, Lefferts points to IBM’s partnership with Northern Trust Corp. to provide the technology for private equity administration. There’s been little innovation in the infrastructure supporting private equity in recent years, even as investors seek greater transparency, security, and efficiency, according to a February statement by Northern Trust on the “security-rich” blockchain the firms built for the market. “The participants see only the information they are supposed to see; the regulators can see all,” Lefferts says.
There are other recent blockchain-related innovations. For example, Accenture, which is a Digital Asset shareholder active in the Hyperledger group, in February announced a hardware device for storing digital keys, which are far less secure in a software format.
“For blockchains to work, we need to believe and trust them, which means every participant must agree and anticipate how they will take part in the chain,” says Jon Geater, chief technology officer of Thales e-Security, supplier of the hardware security module. “Unfortunately, innovation and vulnerability very often go hand in hand.”
