A recent Senate memo released this week offered a peek into the US government’s efforts to leverage blockchain technology, with security as a core focus. The memo was drafted for a roundtable aimed at exploring the “Continuity of Senate Operations and Remote Voting in Times of Crisis.”

It outlines COVID-19’s impact on the ability of the Senate to congregate and vote on new and upcoming legislation, forcing Congress to rethink its operations as in-person meetings become obsolete.

Join Hub Security’s CPO Ido Helshtock online this Thursday, May 14th to discuss Secure Remote Access in time of COVID-19 on OurCrowd webinar Cybersecurity and Insecurity.

According to the memo, any solution worth exploring will have to prove its authentication and encryption abilities. As blockchain, or distributed ledger technology, offers both transparency and encryption as benefits, it is being explored as an ideal solution.

It noted, “With its encrypted distributed ledger, blockchain can both transmit a vote securely and also verify the correct vote. Some have argued that these attributes make blockchain useful for electronic voting broadly. Blockchain can provide a secure and transparent environment for transactions and a tamper-free electronic record of all the votes.”

In fact, blockchain voting has already been creating waves and changing elections. Overseas military from West Virginia, USA for example can already vote in their local elections using just their mobile phones. A combination of encryption and blockchain registry then tallies their votes. 

Other countries like Brazil, Denmark, South Korea, and Switzerland have also already begun looking into ways blockchain voting can be used. But by far, Estonia is leading the way. Their citizens each hold unique ID cards that allow them to vote on the blockchain both quickly and securely.

Despite the many benefits, the Senate still has reservations regarding the use of blockchain –– as it should. The biggest concern outlined in the memo is that the network supporting the voting infrastructure could fall into the wrong hands. Since the Senate is a relatively small entity, any blockchain network used must be able to eliminate the threat of a 51% attack.

A federal government report released in 2019 on secure online voting concluded that blockchain had not yet succeeded in resolving key security issues inherent in any internet-based voting system. The recently released memo cited similar concerns, such as “…possible vulnerabilities from cryptographic flaws and software bugs.”

Many startups including Votem, Voatz, Follow My Vote, Boulé, Democracy Earth and Agora have already begun developing and promoting blockchain-based voting systems. Many of them believe blockchain could be as big a deal in voting as advocates expect it to be in shipping, money transfers, and property records.

But technology and security experts alike seem to think otherwise. “We range from being skeptical to very skeptical about it,” said Maurice Turner, senior technologist at the Center for Democracy and Technology.

But one promising solution could come from somewhere unexpected –– the cryptosphere. Cryptocurrencies like Bitcoin have seen their fair share of hacking attempts, with millions already exploited by hacking entities that lurk on the dark web.

Hub Security, a Tel-Aviv based cybersecurity firm, is now looking to share their cryptographic technology with the Senate, and the rest of the world. Their promise: a military-grade, highly-secure voting environment for both citizens and parliamentary members alike. 

Designed for FIPS 140-2 level 4 certification, Hub’s miniHSM device would allow voters to participate in the electoral process while remaining 100% isolated from local network connections. The HSM’s unique cryptographic architecture eliminates any cyber and privacy threats from the internet, home computer or mobile device, making blockchain voting for the first time a viable option.

Whether the future of voting remains paper-based or takes on a new evolution of cryptography, elections must go on and both citizens and congressional leaders must continue to explore solutions for maintaining the engine of democracy during COVID-19 –– our voting systems.

With the blockchain industry’s value estimated to hit $23B by 2023, it’s hard to keep track of the amount of blockchain-based solutions launching each month. As the industry grows though, so does its risks. While the security features inherent in blockchains make DLT resistant to attack, they do not make it immune. In fact, DLT technology is subject to a number of issues that centralized databases are not.

The growing list of blockchain technology providers who have become victims of malicious hacks and attacks is starting to make many wonder if blockchain is really as secure as it’s made out to be. While industry experts continue to remind the public that DLT technology is eons beyond current data security solutions, many still believe companies should take extra precautions when safeguarding their data –– especially on the cloud.

As more governmental, industrial, and commercial sectors adopt the use of blockchain and DLT-based technology, there’s a growing need for discussion. Below are some points to consider which also serve as a means to raise awareness of the risks still associated with the use of blockchain and Distributed Ledger Technology.

Blockchain Security Risks

1. Endpoint Vulnerabilities

One of the most common points of vulnerability with DLT technology is actually outside of the blockchain. Endpoint vulnerabilities are critical because of where they take place: at the time and place humans and blockchains meet. Simply put, an endpoint could be anywhere an individual is using to access sensitive data such as the computer of a bank employee.

Since most hackers know there’s no use in attempting to guess a user’s keys, they spend a lot of time trying to steal them. The best chance of obtaining keys is to attack the weakest point in the entire system, a personal computer or mobile device.

The process of accessing the blockchain in order to receive that data is what makes endpoints so vulnerable. Endpoints provide malicious attackers the opportunity they need to get nasty code in or out. Once a device is exploited, hackers can piggyback off the credentials of high-access users in order to do the most amount of damage.

2. Vendors

As DLT adoption continues to grow, many look to new solutions to provide them with the security and protection DLT technology promises. But while many new products continue to grow, it also creates another security vertical of great concern: vendor risks. Often, companies looking to deploy 3rd-party blockchain apps and platforms are not aware of the security risks associated with faulty and exposed vendors.

It’s not uncommon for vendor solutions to have limited focus on security measures with weak security controls on their own systems, flawed code, and even personnel vulnerabilities that can easily expose their clients’ blockchain credentials to unauthorized users. This threat is especially relevant when discussing products that involve the use of smart contracts. Since an organization’s entire operation and policies can be housed as a smart contract on a blockchain, a vulnerability of this magnitude has the potential to be catastrophic.

3. Untested Code

While Bitcoin has been around awhile, blockchain technology is still considered highly experimental. While we still don’t know the full scale of what’s possible ––– security experts can agree on one thing: every new blockchain product that leverages DLT technology must undergo vigorous testing before being released to the public. While some DLT projects are tempted to launch their half-heartedly tested code on live blockchains, the cyber risks can be damaging and long-lasting.

As new technologies enter the market, developers are incentivized to be first or early with the release of applications, often at the risk of deploying insufficiently tested code on live blockchains. Given the decentralized model of many blockchain solutions, the risks are often greater due to the irreversibility of the technology.

4. The On-ramp 

The on-ramp of digital assets is one of the most critically exposed points in the development of a blockchain-based solution. More specifically, how are the assets and information securely signed on to a blockchain? This all comes down to the private keys used to sign and encrypt blockchain transactions. If someone gets ahold of the keys, the entire downstream blockchain-based solution is corrupted.

Not only is protecting these keys critical but also ensuring they’re used safely, e.g. not exposed by software when used to sign a transaction. Additionally, the process of approval for using the keys must be protected –– otherwise, someone can hack or impersonate an approver and sign a malicious transaction. And of course, this element of your blockchain solution needs to be considered from the start, or else it will likely prevent or slow down a successful transition into production.

Looking Forward

Adopting new technologies always comes with the fear of the unknown. While blockchain-based solutions continue to provide customers with high levels of security and transparency, the onus falls on product designers to begin considering security from day one. From design to development, every step in the product development cycle is crucial to ensuring products are safe, reliable and secure for consumer use.