IBM Wants You to Know Blockchain Can Go Wrong

As enterprise blockchains inch closer to live launches, a group of cybersecurity experts within IBM is out to make sure clients take every step to keep their new investments secure.

Adewale Omoniyi, a senior managing consultant in the biometrics and cybersecurity for IBM Global Business Services, is one such professional, and on Wednesday, he sought to get the word out about his team and its mission at an event hosted by tech educator Decoded.

There, Omoniyi gave a broad overview of how his team has worked with dozens of IBM's enterprise clients, all of whom are building distributed ledgers with Hyperledger's suite of codebases.

Most notably, he discussed emerging best practices for what he sees as a coming generation of business tools that will sit on top of the technology, sparing no detail about why he believes controls must be built into smart contracts and "on-chain" versus "off-chain" design considerations.

Already, Omoniyi said he has worked on building blockchain-based cybersecurity assurance applications for use cases such as supply chain and digital identity, and what he's learned is that just because blockchains are difficult to hack, this doesn't mean they can't be compromised.

"Fundamentally, we keep saying that blockchain isn't a panacea," he said, adding:

"Security is often always an afterthought, but because of the foundational basis of the technology, there needs to be a depth of defense and building controls in every layer of the application."

No Fort Knox

Both Omoniyi and the host of the event, Amadeus Stevenson, CTO of Decoded, mentioned several of the hacks that have happened involving the technology to date, albeit with a heavy focus on cryptocurrencies.

From Mt. Gox to The DAO hack, to the Parity frozen funds, to a BitPay executive getting phished, the session saw discussion of how many layers of complexity there are in blockchain systems, and how it would be easy to overlook one of the other.

"There isn't a one size fits all. It's not just about using one tool, but multiple layers," Omoniyi said.

For instance, one of tools the IBM team uses is threat modeling, where enterprises are asked to consider who a would-be hacker would be and why they'd want to exploit the system.

On top of that, the team scans smart contracts and blockchain endpoints, applies traditional cybersecurity hygiene to this new industry, shapes key management strategies and perhaps most importantly, continues to monitor systems even after they've passed security assessments.

In conversation with CoinDesk after the event, Omoniyi said:

"You're never going to build a Fort Knox, but [all those processes] give you a fighting chance to build better defenses."

And, according to Omoniyi, these security discussions with enterprise clients are typically not hard conversations, since the security of their customer's data is of utmost importance. In this way, those clients are usually happy to amend their processes based on the suggestions made by the team.

"With enterprises, we're talking about real assets, real credentials," Omoniyi said. "This isn't proofs-of-concept and it's not cryptocurrencies; enterprises take [security] more seriously because they're working with really sensitive information."

Profound use cases

Having said that, Omoniyi and his team have yet to find a serious exploit in the enterprise-grade distributed ledgers they have assessed so far. But, he admits, it's early days.

And thinking about enterprise blockchains going live, and any potential hack that could result, Omoniyi worries that if security controls aren't built into these systems now and continuously monitored, a hack could stall the huge potential blockchain provides.

Omoniyi kept bringing it back to that potential, striking an optimistic tone about the profound use cases for the tech.

He pointed to the collaboration between IBM and a handful of food suppliers, including Walmart, to test a blockchain for more quickly pinpointing the source of a food-borne illness.

Stevenson had also previously mentioned Walmart's blockchain work, saying that the employees were able to identify where a food product came from in about 2.5 seconds – down from six days before its history was tracked on a blockchain.

In this way, Omoniyi said, food suppliers could save lives by determining exactly where a tainted product came from. They can also cut down on waste, since being able to track exactly where a food product came from would mean they wouldn't have to throw out the same food products from other suppliers.

Wrapping up his excitement for the technology, Omoniyi said:

"Change is constant. You can't fear technology."

Decoded event image via Bailey Reutzel