Securing Blockchain Beyond Web3
Given the meteoric rise of the technologies that make up the web3 ecosystem, it can be easy to forget that blockchain technology has numerous use-cases and applications outside of cryptocurrencies, NFTs, and the Metaverse.
The truth is that blockchain technology is being used to make a diverse range of industries more scalable, efficient, and secure by introducing practices of decentralization.
It may not seem like it, but blockchain’s role in these sectors is arguably as disruptive as its more headline-grabbing presence in web3. And, just as web3 security technologies and practices are required to protect web3 infrastructure, sectors that use blockchain technology to modernize their industries are having to develop novel security practices themselves. Unsurprisingly, this mission to secure blockchain use beyond web3 can learn a lot from the hard-won lessons of web3 security.
One area in which blockchains are revolutionizing vital infrastructures is healthcare, which has been making use of blockchains to share and store medical data, improve patient care, and streamline medical supply chains around the world.
Recording and accessing a patient’s medical records is a vital part of any modern healthcare system. Yet the existing storage infrastructure in place is notoriously slow and inconvenient, with different institutions using different systems, and the transfer of information between these systems being convoluted.
Storing a patient’s medical records on the blockchain is a paradigm shift in the way that an individual receives medical care by placing the authority and distribution of their personal medical records in their hands.
This not only gives individuals greater control over their personal data, it also streamlines the process of administering care, as doctors and healthcare professionals are able to access and update patient records far more quickly.
One clear use case for these innovations is in the often fraught experience of receiving health care abroad. In situations where traveling patients need to access care in a foreign country, the process can often be slowed down by doctors’ difficulty to access vital information about the patient’s history. Storing patient records securely on the blockchain, and placing the ability to access that data in the hands of the patient, drastically expedites this process. This highlights blockchains’ often overlooked function as a tool for disintermediation, something that makes it highly sought after in many sectors seeking greater efficiency.
Digital identity has been touted as a major technology set to change the ways we provide legal proof of who we are, our qualifications, and our credentials.
Blockchain technology provides an architecture for digital identity that allows the holder to control how their sensitive information is distributed, allowing it to be both easily transferable whilst also highly secure.
With approximately $24 Billion lost to identity fraud in 2021 alone, the need for a secure way of confirming identity is more urgent than ever.
One of the ways that a blockchain-based digital identity does this is by generating a verifiable confirmation of identity that doesn’t disclose the data used to generate these credentials. This then means that attackers can’t replicate the data or use it to pose as someone else.
Digital identity also provides users with a new level of sovereignty over their data, meaning that they would be able to easily track which organizations access their information and control to whom it is distributed.
However, as with any new technology, its resolution of vulnerabilities in the prior art also brings with it novel vulnerabilities of its own. This is why web3 security practices must be applied to digital identity technology.
Indeed, one of the strengths of digital identity on the blockchain comes in how it allows the technology to be audited, yet naturally, this security benefit requires these audits to be made use of. So, just as with any web3 technology, it is vital that digital identity providers submit their technology to regular audits that seek out any potential vulnerabilities in the code. This will create a mutually beneficial system in which, just as web3 security infrastructures secure digital identity, digital identity can offer security to web3.
Beyond this, developing user education around web3 security is also vital so that individuals are not duped into handing over sensitive information as in traditional identity fraud. The concealment of the data used to generate a digital identity will greatly remediate this. However, users may still be tricked into verifying or signing malicious actions like those we see in the phishing attacks that are currently a major challenge for web3 security. Indeed, this is especially true as digital identity will likely have numerous use cases at the intersection of web2 and web3 infrastructures, an area that has proven to be fertile ground for phishing attacks.
Central Bank Digital Currencies
One development that bridges web3 and sectors beyond web3 is Central Bank Digital Currencies (CBDCs) which in many ways are national governments’ answer to stablecoins.
111 countries, representing over 95 percent of global GDP, are exploring CBDCs, from China’s Digital Renminbi to Europe’s Digital Euro.
Depending on the specific architecture they take, CBDCs can address a range of different functionalities, from wholesale CBDCs that facilitate faster and cheaper cross-border payments between banks, to retail CBDCs which would be available to the wider public and would redefine the way governments issue, distribute, and regulate money.
Yet just as the specific architecture of a CBDC defines the kinds of functionalities it addresses, these different architectures bring with them different attack vectors and vulnerabilities, and as a result, have widely different security needs.
In much of the current research around CBDCs, the debate has hit on two key questions: 1: whether to issue a retail or wholesale CBDC ; 2: whether a CBDC will be issued on permissioned or permissionless blockchains. Crucially, these questions are deeply connected, with the specific technologies having significant ramifications for policy, and vice versa.
For example, in a wholesale system that seeks to facilitate cross-border payments between banks, a permissioned or private blockchain is necessary as the infrastructure will need to be closed to the public. However, when considering a retail CBDC open to the general public, the choice between a public or permissioned blockchain has serious implications on the role that CBDC would play. For example, a CBDC issued on a public blockchain would be more akin to physical cash in that it cannot be directly controlled by the issuing body. On the other hand, a CBDC issued on a permissioned blockchain would grant central banks significantly more control over the network, however, this would bring with it huge overheads in setting up infrastructure to manage the network.
Any CBDC will ultimately be the result of a series of trade-offs between the pros and cons of each architecture, a key feature of which will be the different security implications of each.
For example, a CBDC issued on a permissioned system would need to take major steps to defend against its centralization risk, as, if compromised, a hacker could wreak unprecedented damage. On the other hand, a CBDC issued on a public blockchain would entail a relinquishing of control which central banks may feel uneasy about, particularly given the seismic attacks that have occurred against new infrastructures such as cross-chain bridges.
Of course, the world of web3 security has had extensive experience with the vulnerabilities and attack vectors that can arise with both permissioned and permissionless blockchains. As such, the security of any future CBDC issued on a blockchain should take note of the hard-won lessons of web3 security. Regular and thorough smart contract audits would need to be a mainstay of any CBDC’s health, and issuing bodies would undoubtedly also draw on analytics tools such as Skynet and SkyTrace to monitor on-chain activity.
New Frontiers for Web3 Security
Whilst these blockchain use cases are occurring at the margins of web3, given the decentralized and interoperable nature of web3, they will likely become deeply connected to web3 technologies and infrastructures. This is obvious with examples such as CBDCs, yet it also applies to things such as health care infrastructure, as new dApps and smart contracts that originate in web3 will seek to cater to these new sectors.
Because of this, it is inevitable that web3 security will have to expand to encompass these traditional sectors that are making their first steps into blockchain and web3. This will of course require the implementation of the entire web3 security toolkit, yet it will also mean that new technologies and systems will have to be developed to address the new attack vectors and vulnerabilities that arise from this increased interconnectivity. Whilst a significant challenge for the web3 security industry, this is also a huge opportunity to help reduce other forms of crime and make a major contribution to global infrastructures.