Cyber 6 MIN Read
May 5th, 2022
Blockchain is something that’s been around for a while, yet it’s understandable if you’re not totally familiar with it or even sure of what it is in the first place. It was first introduced in the Bitcoin Whitepaper as a novel way of taking modern public key cryptography, which is the way we protect communications and data transfer, and innovating a new way to leverage the native hash functions of blockchain, which mathematically encode information in a way that is nearly impossible to reverse engineer without holding a key. Essentially, a blockchain is a shared, immutable recording of transactions. It’s a method of organizing information in a way in which each “block” of new information is predicated on the previous block’s hash. Most often associated with cryptocurrency, there are applications for blockchain and its principles across many industries, including the federal government. Below I’ve broken down five things for federal agencies to know about blockchain.
“Most often associated with cryptocurrency, there are applications for blockchain and its principles across many industries, including the federal government.”
Any workflow in business typically has steps performed, tracks who completes those steps, and a series of verifications by an independent party, but all the information is held in a database, sometimes with different parts of the workflow in multiple databases with limited access and transparency for security reasons. In a blockchain, everyone in a workflow shares the same database at the metadata layer, which can point participants to off-chain databases if they are needed. Together, they’re creating a co-located system of record to log steps in a process and verifying that they were the one performing a task. As a result, blockchain participants are collectively creating a constantly up-to-date database that doesn’t require maintenance by a third-party. Instead, you have this consensus-based orchestration of a canonical process with lots of participants. A great example of this is when data quality and highly secure storage are important, such as if an agency needs multiple parties to first approve that specific documents are correct and appropriate, track those approvals in an auditable and permissioned way, and then store those documents immutably for future reference. This happens frequently in judicial and investigative programs, such as where the FBI may need to prove evidence chain-of-custody when building a case.
Smart contracts are programs that can be stored on a blockchain and programmed to automatically run when certain conditions are met. A lot of basic process functions can be nested in a smart contract – in a database world, this would be akin to a stored procedure. Eventually, the evolution of the smart contract architecture will lean out middleware and create better business processes, making them leaner in both cost and in implementation. The idea of having leaner processes can result in all sorts of operational efficiencies and savings for organizations of all types.
Anytime there is a process, people working through that process, and an exchange of information, there is inherent risk. When a stored contract is set to run automatically once predetermined conditions are met, you remove all the human error risk associated with that function. Automation on the blockchain identifies when the conditions are met, and atomically executes steps in the process as a result upheld by the integrity of the consensus to ensure only the digital signatures of the contract execute the automation. In a similar vein as microservices, components of smart contracts can be highly reusable and reduce duplication, including the aforementioned calls to off-chain data sources via “oracles” (essentially API’s which bring real-world data to the smart contract so that it can be triggered when a threshold is met). An example of this is in shipping sensitive medicines, where IIoT data (industrial internet of things) from temperature, humidity, and geospatial sensors feeds data to the smart contract: once the shipment arrives at a certain coordinate, if no violations of pre-agreed shipping parameters occurred, the smart contract can release funds which had been sitting in verifiable escrow to the sender. All this automation is both transparent from the outset, removes the need for third parties (e.g. escrow-holders), and reduces overall manual labor in processes.
Organizations that leverage blockchain to streamline existing processes can transform entire, task-based departments and enable humans to focus on higher value work. Blockchain has introduced us to the concept of decentralized autonomous organizations, or DAOs. On one end of the spectrum, agencies can use DAOs to absorb entire functions and deliver better, faster services; on the other end, they can simply take an existing process and co-locate just a few aspects of it on a blockchain and test its impact. Chain-of-custody in hardware asset management is important to many agencies, and once a process and system of IoT devices, scanning and transferring is implemented, can lead to much faster audits and easier accountability.
For all its virtues, there are instances where blockchain is not a fit. And there’s a reason. Blockchain, because it’s predicated on consensus and sharing information that builds on prior information, creates a natural immutable retention of that information. From a privacy standpoint, that can be problematic. We’re still early in the blockchain era and there’s a lot of discovery around how certain personally identifiable information, or PII data, lives on the blockchain and where and how in the stack it can be securely stored. Despite the security attributes of blockchain, we should never assume any system is impenetrable. There are a variety of architectures for handling sensitive information rather than storing it as a single file in a block. It can be "sharded," or sliced into fragments with various (duplicated) pieces being stored in a distributed way and only able to be reconstituted by a unique identifier and a secret key. Or, we can use more contemporary methods, such as maintaining the sensitive data in a well-protected consolidated database where the pointer to that database is kept in hashed (encoded) format on the blockchain. In the latter case, this leverages blockchain for tracking state changes to the underlying information for audit and security purposes, but allows for editing and erasure of that data in cases where it is warranted (such erasure could not occur if it is embedded in a block; in this case, it could only be superseded by a more recent block indicating updates).
As agencies explore blockchain and what it can offer, my advice would be to take a crawl-walk-run approach. Co-locate a few aspects of an existing system of records and use a blockchain-style approach to continually add onto it to understand the network effect and what blockchain can do for you. Don't try to solve everything in your first project.
Blockchain is new and exciting technology. Rather than be mystified or intimidated by it, just start.