Given the increasing frequency of cyberattacks, financial regulators identify cybersecurity as one of the most pressing risks to the financial services industry. Moreover, due to the interconnectedness of the global financial system, a cyberattack at one bank may affect other banks and financial institutions.
These considerations apply with equal force to permissioned blockchains, which rely on ongoing interconnections. As the financial services industry explores the use of permissioned blockchains—which limit access to a particular ledger to certain known or trusted parties in a consortium—to enhance services and operations, industry participants should recognize and take into account a number of cybersecurity capabilities—as well as risks—relating to this technology.
1. Blockchain’s Advantages…
One of blockchain’s benefits is its inherent resiliency in mitigating cyber risks and attacks, particularly those directed at financial institutions. While not immune to all forms of cyber risk, blockchain’s unique structure provides cybersecurity capabilities not present in other legacy technologies. The following are some of the technology’s advantages in combating cyber risk:
- The distributed architecture of a blockchain increases the resiliency of the overall network against compromise through a single access point or point of failure.
- Consensus mechanisms—a key feature of blockchains—improve the overall robustness and integrity of shared ledgers, because consensus among network participants is a prerequisite to validating new blocks of data and mitigates the possibility that a hacker or one or more compromised network participants can corrupt or manipulate a particular ledger.
- Blockchains also provide participants with enhanced transparency, making it much more difficult to corrupt blockchains through malware or manipulative actions. Moreover, blockchains may contain multiple layers of security—both at the network level and installed at the level of each individual participant.
- Finally, blockchains hosted on a cloud platform, such as Microsoft Azure, feature even greater cybersecurity protections due to the platform’s access controls and many other protections.
2. … And Risks
Despite the many cybersecurity benefits inherent in blockchains, this technology, like any other, remains subject to inherent cybersecurity risks that require thoughtful and proactive risk management. Many of these risks involve a human element, such as maintaining the confidentiality, integrity, and availability of private keys; human coding errors that can introduce cybersecurity risk from off-chain applications; unsecure data that can be ingested from external sources; identity-based attacks intended to corrupt a blockchain’s consensus mechanism; and advanced threats that can corrupt the decision-making processes of the blockchain.
Therefore, a robust cybersecurity program remains vital to protecting the network and participating organizations from cyber threats, particularly as hackers develop more knowledge about permissioned blockchains and their vulnerabilities.
A number of important structural considerations should be taken into account when constructing cybersecurity programs for blockchains. For instance, records added to a blockchain generally are immutable. This immutability prevents tampering and creates an auditable record, but may require a special programming adjustment to restore a blockchain’s integrity if fraudulent or malicious transactions are introduced into the ledger. Additionally, blockchain participants’ roles and responsibilities require a thoughtful governance structure to achieve an effective balance of access and security.
3. Need for an Effective Framework
When considering the public policy tools to enhance the security of blockchains, cybersecurity principles and controls from existing laws, regulations, and industry guidance remain critical components of an effective cybersecurity program for blockchain deployments. Indeed, most cloud service providers, particularly those that support the financial services industry, should already have these controls in place.
Microsoft and the Chamber of Digital Commerce recently released a white paper, Advancing Blockchain Cybersecurity: Technical and Policy Considerations for the Financial Services Industry, to deepen the cybersecurity policy dialogue among blockchain technology providers, such as Microsoft, and financial services organizations using blockchain and their regulators.
While it is encouraging for financial institutions that the familiar cybersecurity guidelines and regulations are just as relevant for blockchain, the process of applying those standards will require new multi-stakeholder approaches for industry and government.
4. Next Steps
Moreover, these existing rules—which were not designed for blockchain technology specifically—are often broad enough to cover this new technology. With this in mind, we argued that the following recommendations for policymakers and industry participants provide a framework for a smart and coordinated approach to promoting the development of secure blockchain applications through workable cybersecurity standards.
- Apply a tailored version of the NIST Cybersecurity Framework to permissioned blockchain activities. Financial services industry participants should optimize the framework for permissioned blockchains by shifting the focus from organization- or enterprise-level cybersecurity to network-level cybersecurity.
- Encourage regulator-industry dialogue, including through regulatory sandboxes. For regulators to understand cybersecurity risk in permissioned blockchains, they first must have a detailed understanding of the technologies and how they operate. Industry participants can help provide this understanding by maintaining an open dialogue with regulators regarding permissioned blockchains, their opportunities, and their risks.
- Encourage policymakers to acknowledge the unique cybersecurity benefits of blockchain technologies. While blockchain technologies are continuing to evolve for an expanding range of applications and industries, policymakers should be attuned to these technologies’ unique benefits, including cybersecurity benefits.
- Foster harmonization across cybersecurity standards applied to permissioned blockchains. Convening interagency councils and public-private governing bodies is a helpful step toward making sure that cybersecurity guidance applicable to blockchain technology is consistent and does not impede innovation.
5. Protecting Customers’ Information
The financial services industry stands to benefit tremendously from the growth of blockchain given the technology’s many financial services applications. As cyber threats to the industry continue to evolve in complexity and intensity, emerging technologies, such as permissioned blockchains, can contribute to the important goals of reducing cybersecurity risk and adequately protecting consumers’ financial information and the integrity of the global financial system.
Permissioned blockchains offer significant cybersecurity capabilities, share some of the same cyber risks that affect other IT systems, and have unique characteristics, all of which merit further consideration and evaluation by governments and industry.