Security circles were recently set abuzz by news concerning Russia-based security company Kaspersky Lab and its alleged involvement in the theft by Russian operatives of sensitive files of the National Security Agency (NSA), an intelligence agency of the U.S. Department of Defense. But the words tip and iceberg spring to mind here.
Reports from various news agencies including the Wall Street Journal and the Washington Post recount how the leak was caused by an NSA contractor who took classified documents and then stored them on his home computer, which ran Kaspersky security software. More than twenty U.S. agencies have stopped using Kaspersky software since.
The recent controversies around the NSA, which is headquartered in Fort Meade, Maryland, with an estimated $10.8 billion annual budget in 2013, and others have instilled serious doubt in the minds of users regarding the trustworthiness of security providers. These organizations are supposedly neutral and should be protecting customers from malicious actors.
It did not exactly help that the Kaspersky story broke while the Equifax breach fallout was still ongoing.
Cybercrime and cyber security attacks hardly seem to be out of the news these days and the threat is growing globally. Be it a major financial institution - as with JPMorgan in October 2014 with the addresses, names, telephone numbers and emails of a whopping 76 million homes in America compromised - or an individual - nobody would appear immune to malicious and offensive acts targeting computer networks, infrastructures and personal computer devices. Firms clearly must invest to stay resilient.
Gauging the exact size of cybercrime and putting a precise US dollar value on it is nonetheless tricky. But one thing we can be sure about is that the number is big and probably larger than the statistics reveal.
Back in early 2016, at a fintech event I attended in London organized by Linedata, a NYSE Euronext-listed IT vendor, a panel discussing cybersecurity that included EY expert Mark Brown heard that, according to some recent figures, the global figure for cyber breaches had been put at around $200 billion annually. Or, looking at it from the retail level, $670m in associated costs through theft, lost time, identity theft, etc.
For the UK, a Government body for cybercrime had, at around that time, estimated the economic impact for the entire UK and Plc as ranging from £11 billion to £27 billion per annum. However, these numbers only related to a third (34%) of cybercrimes actually being identified within six months of incidents occurring.
More recently, the cost globally of a data breach for enterprises had risen 11% in 2017. According to a study from Kaspersky Lab, which also monitors the landscape, the average cost in 2017 of a data breach in North America was shown to have increased to $1.3 million (2016: $1.2 million) for large enterprises and $117,000 for small and medium-sized enterprises (SMEs).
It should be pointed out that data for this analysis was compiled from a survey of more than 5,000 businesses across thirty countries. A representative sample, but there are many other companies out there.
For North America, this study found that the incidents having the most severe financial impact in 2017 were:
- Physical loss of devices or media containing data ($2.8 million)
- Incidents affecting IT infrastructure hosted by a third party ($2.2 million)
- Electronic leakage of data ($1.9 million)
- Inappropriate IT resource use by employees ($1.1 million)
- Malware and Viruses ($519,000)
Now, new blockchain platforms are stepping up to address security concerns in the face of recent breaches. Companies like Gladius, based in Maryland, and Confideal have emerged to leverage decentralization to offer platforms that promote trust.
Gladius aims to tackle cyberattacks in new and pioneering ways, while Confideal provides companies access to smart contract development to be used to facilitate transactions securely.
Since these platforms are not controlled by a singular entity, they can help ease the concerns created by a spree of recent breach disclosures. Services built on top of blockchain have the potential to inspire renewed trust due to the transparency built into the technology.
Developments in blockchain have expanded beyond recordkeeping and cryptocurrencies. The integration of smart contract development in blockchain platforms has ushered in a wider set of applications, including cybersecurity.
Gladius is working on a blockchain-based platform that would allow users to rent out their spare bandwidth for resources to power content delivery networks (CDN) and distributed denial-of-service (DDoS) attack mitigation services.
The firm uses blockchain’s distributed network and smart contracts to build what it touts as a comprehensive network capable of delivering accessible web performance and security services. And the team behind the venture believes that decentralization will create a “fair and equitable ecosystem.”
“Gladius kills two birds with one stone by utilizing unused resources to build a robust network to make websites load faster and yet still stay strong under network flooding attacks,” asserted Max Niebylski, Gladius CEO and co-founder.
He added: “Typically, more people means less security and certainty. However, Gladius completely flips that paradigm by using numbers to our advantage. And, using the blockchain to create a network of trust enables us to spread sensitive and vital information across the globe while remaining fully encrypted.”
Joseph Steinberg, Gladius security advisor and industry thought leader, commented: “Gladius’ innovative use of the blockchain has the potential to dramatically reduce the ability of criminals to execute such attacks, to lower the cost for businesses to mitigate against such attacks should they occur, and to allow consumers and businesses to capitalize on their underutilized bandwidth.”
Other blockchain platforms are also contributing to enhanced security by making business transactions more trustworthy and making smart contract adoption easier for businesses. Platforms, for example, feature an arbitration mechanism to allow businesses and their customers to settle disputes.
“Prior to the mass adoption of smart contracts, their legal status needs to be assessed in order to choose the appropriate smart contract model suitable for a particular jurisdiction,” read a blog post from Confideal, an ecosystem for making fast and safe deals through smart contracts on the Ethereum blockchain, which commenced an initial coin offering (ICO) on November 2 that runs until November 25.
The post added: “To put it simply, code is not law, but smart contracts created on a platform enabling the execution of said contracts and dispute resolution may be one.”
By using blockchain, transaction details are kept both transparent and secure. Blockchain’s decentralized and distributed network also helps businesses to avoid a single point of failure, making it difficult for malicious parties to steal or tamper with business data.
Such services are much needed by users, especially now that threats grow rampant and evolve. For instance, CDN and DDoS mitigation services like those offered by Gladius would now seem crucial to any IT infrastructure.
DDoS attacks can now be carried out easily, as malicious actors are able to rent botnets that are capable of bringing down large networks.
Despite the risks created by cybercriminals, cybersecurity was reported this October as remaining a lesser priority in company decisions. SMEs still struggle to make investments to protect their infrastructure, particularly due to the costs of adopting industry-grade security.
According to findings from Fortinet’s Global Enterprise Security Survey, which canvassed 1,801 respondents who have responsibility/visibility of IT security across sixteen countries including Australia, Canada, Germany, Korea, the Middle East, Poland, South Africa, the U.S. and UK, almost half (48%) of IT decision makers believe members of the board still do not consider cybersecurity as a top priority.
That said, Kaspersky’s aforementioned study indicated that overall businesses are looking at IT security as more of an investment in 2017. In fact, IT security budgets are up, reaching 18% for enterprises compared to 16% in 2016. And, small businesses with fewer resources were found to be investing more in IT security budgets this year - 14% versus 13% in 2016. But it does not sound too dramatic.
While this study noted that the cost of consultant advice was also up, with businesses allocating 11% of their security budgets in 2017 - up 1% over last year - there was a significant drop in increasing security budgets for new business activities or expansions, with spending declining from 45% in 2016 to 28% in 2017.
By using distributed infrastructure, blockchain security services can lower the barriers to adoption. In the case of Gladius, its decentralized approach allows the market to dictate pricing for the services. This, in turn, is said to create opportunities for offerings to “truly match needs and budgets” of customers.
Peter Borák, an Advisory partner in EY Slovakia with 25 years’ experience in advisory and audit who has expertise in cybersecurity advisory services, noted in a blockchain presentation in Hong Kong this November that blockchain technologies “can fill the gap” in identity access management (IAM).
And, EY “increasingly” see applications across the supply chain that are suitable for blockchain solutions, said the Slovak, who has a strong focus on collaborative efforts in the cyber advisory space across the Central Eastern European markets - including cyber defense, cyber intelligence and the Internet of Things services.
In terms of how cybersecurity fits in with blockchain solutions, Borák’s presentation (Trust Fabric for Next Generation Digital Agenda) at DECENT’s ‘Unchained’ blockchain (BC) event in China pointed out that in a BC ledger “you are close to 100% sure that your data has integrity (in CEA) and is available.” (Note: CEA stands for Complete, Existing and Accurate).
But on top of that the systems of entities need to ensure confidentiality, integrity and availability.
In EY’s case, the firm has developed a platform and apps to bridge the solution gap, with a platform for IAM and identity data reconciliation as building blocks for blockchain-based applications.
Appeal Of Decentralization
Perhaps most importantly, blockchain’s decentralization makes it an appealing platform for users concerned with the vulnerabilities shown by the large companies that have been impacted. The recent reported breaches serve as grim reminders of how attacks on such organizations can compromise millions of users.
No one really controls a public blockchain, which helps these services avoid the issue of whether or not they are beholden to any particular nation state or those malicious actors.
Transactions in the blockchain can be audited and traced. In addition, public blockchains rely on a distributed network to run, thus eliminating a single point of failure. For attackers, it is much more difficult to attack a large number of peers distributed globally as opposed to a centralized data center.
Blockchain’s decentralized approach to cybersecurity can be seen as a fresh take on the issues that the industry faces today. The market could only use more solutions to combat the threats of cyberattacks. And, the use of blockchain may yet address the vulnerabilities and limitations of current security approaches and solutions.
Throwing constant pots of money at the problem and knee-jerk reactions are not the answer. Firms need to sort out their governance, awareness and organizational culture, and critically look at the business purpose and processes before they invest in systems to combat cybercrime.
The roster of these new services may be limited for now and of course they face incumbent players in the cybersecurity space. But this only offers further opportunity for other ventures to cover other key areas of cybersecurity. Blockchain also transcends borders and nationalities, which should inspire trust in users. And, with the growth of these new solutions, the industry may yet restore some of the public’s trust they may have lost in the midst of all these issues.