Research Summary: A Systematic Literature Review of Blockchain Cyber Security

TLDR

  • Research on blockchain-related cybersecurity is relatively new. The authors of this paper conducted a systematic literature review to evaluate current trends in the cybersecurity applications of blockchains. Literature focused on IoT security (45% of all studies), data sharing and storage (16% of studies), networks (10%), public key infrastructure (7%), and data privacy (7%). Researchers found that most studies were experimental or conceptual and provided little quantitative data with few practical applications. Current research shows that blockchain cybersecurity is rife with unanswered questions and possible security vulnerabilities.
  • Researchers found that blockchains offer no “silver bullet for [current and common] cybersecurity issues,” and cybersecurity professionals should be reminded that blockchains do not enhance individual participants’ security nor eliminate the need to follow other cybersecurity best practices.
  • Blockchain developers must understand how to address and mitigate emerging cybersecurity threats. Blockchain technologies enable a new form of decentralized application that can serve as the foundation for critical elements of internet security infrastructure. As blockchain development continues, academics and practitioners should collaborate in R&D efforts and release open-source software and datasets to remediate issues collectively.

Core Research Question

What are the latest developments in blockchain security, and what research has been done to improve blockchain cyber security?

Citation

Taylor, Paul J., et al. “A Systematic Literature Review of Blockchain Cyber Security.” Digital Communications and Networks, vol. 6, no. 2, 2020, pp. 147–56, https://doi.org/10.1016/j.dcan.2019.01.005.

Background

  • Cybersecurity: The study of how to protect computer operating systems, networks, and data from cyber attacks. Cybersecurity applications and specialists monitor computer systems and mitigate threats when an attack happens.
  • Cyberattacks: A cybersecurity breach that is usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Implementing effective cybersecurity measures is particularly challenging because there are more devices than people, and attackers are becoming increasingly innovative. Cyberattacks happen regularly in every industry. Attackers typically employ tactics such as cryptojacking, phishing, ransomware attacks, and extortion to steal cryptocurrency.
  • Trust in code: A common concern in cybersecurity and software development. Open-source repositories like GitHub, NPM, or Maven have been fundamental to the development of blockchain code and to the open-source development happening in Layer 1 (L1) and Layer 2 (L2) blockchains, but they also present vulnerabilities.
  • Artificial Intelligence: Computer systems that are able to perform tasks in a manner similar to human intelligence. This often includes programs such as speech recognition and language translation.
  • Internet of Things (IoT): The interconnection of computing devices. This includes physical objects and hardware that are embedded with sensors, processing ability, and software. IoT devices are able to connect and exchange data with other devices and systems over the internet.
  • Network: A computer network is a set of computers sharing resources. Networks use common communication protocols to communicate with each other.
  • Security: Computer security or cybersecurity refers to the protection of computer systems and information from attack, theft, or unauthorized use.
  • Security defaults: The default configuration settings in the code that are the most secure settings possible, but often not necessarily the most user-friendly.
  • Encryption: Encoding information so that it cannot be read in its original form without the corresponding key. Encryption helps prevent unauthorized access to information or data.
  • Data privacy: The secure handling of sensitive data, often confidential or personal data, to meet regulatory requirements.
  • Public key infrastructure (PKI): The governance of digital certificates to protect sensitive data. It provides users, devices, and applications with unique digital identities to secure communications from end to end. Blockchain applications in PKI allow users to authenticate their identity with another entity or service so they don’t have to rely on a potentially vulnerable central server.
  • Data storage: Computing processes and technologies used to store data securely and with integrity. This can include the physical protection of hardware containing data as well as the security of the software.
  • Data sharing: The practice of making data available to multiple users. It refers to the exchange, collection or disclosure of data to a user or organization.
  • World Wide Web: The subset of the internet that can be accessed by a web browser.
  • Wi-Fi: Wireless technology used to connect computers and other devices to the internet. Wi-Fi transmits a radio signal to a Wi-Fi router which connects to the internet.
  • Domain Name System (DNS): Translates between human-readable domain names and machine-readable IP addresses. When a user types in a web address, that address is converted into an IP address that the computer uses to reach the internet location. Blockchains can host DNS records in a distributed environment to prevent malicious changes and distributed denial of service (DDoS) attacks.
  • Malware: A type of software that creates a cybersecurity attack designed to disrupt, damage, or gain unauthorized access to a computer system.
  • Botnet: A computer or group of computers that has been infected with malware under the control of a malicious actor.
  • Distributed Denial of Service (DDoS): A type of cyber attack that targets and attempts to disrupt a server, service or network by flooding it with an overwhelming amount of internet traffic.
  • Sidechain Technology: A separate blockchain that runs in parallel to a main blockchain, increasing transaction throughput.
  • Snowballing: A research sampling method that involves a primary data source nominating other potential data sources that will be able to participate in research studies.

Summary

  • Blockchain technology and cryptographic-based distributed ledgers enable trusted transactions between untrusted participants in a network. This allows practitioners, developers, and researchers to use the technology as the foundation for critical elements of internet security infrastructure.
  • To understand the interplay between blockchain and cybersecurity, this study conducts a Systematic Literature Review (SLR) of current blockchain applications that solve cybersecurity issues in various fields. Currently, there are very few SLRs, and most recent ones did not address cybersecurity and blockchain generally. This is the authors’ primary motivation for the study.
  • The researchers reviewed 30 primary studies from an initial retrieval of 742 primary studies. Studies included practical security solutions that displayed innovative techniques to solve security challenges in data security, mutability, and authentication of users.
  • Blockchain research on cybersecurity was found to be relatively new and focuses primarily on the security of IoT devices (45% of all studies), data sharing and storage (16% of studies), networks (10%), public key infrastructure (7%), and data privacy (7%).
  • Their findings show that research for blockchain cybersecurity in IoT technologies is expanding and in-depth, but still lacks practical solutions. The authors believe this may be due to the increase in the use of IoT devices in homes, military, healthcare, and the increased demand for IoT security solutions after IoT devices have become a security threat, for example as botnet nodes in a DDoS attack.
  • The researchers call for a community-driven approach for practitioners and academics to collaborate on developments in blockchain cybersecurity. They suggest both parties enable public data sets and actively engage in research results on either side. The Bitcoin and Ethereum ecosystems can benefit from this approach.

Method

  • This paper used an SLR approach that can be summarized in three steps.
  • First, they queried a selection of primary studies by keywords: (“blockchain” OR “block-chain” OR “distributed ledger”) AND (“cyber security” OR “cybersecurity” OR “cyber-security”).
  • Then, results were filtered through inclusion/exclusion criteria.
  • Inclusion and exclusion criteria were applied to ensure relevance to blockchain applications and academic rigor. The criteria are summarized in the table below:

[Image: table of the study’s inclusion and exclusion criteria (not reproduced here)]

  • Finally, authors ran primary sources through a snowballing process that was conducted until no further papers meeting the inclusion criteria were detected.
  • Researchers addressed data quality for signs of research bias and validity of the data. They performed this through a quality assessment process that all selected studies were subjected to.

Results

  • The researchers identified nine themes: IoT (45%), Data Storage and Sharing (16%), Networks (10%), Public Key Infrastructure (7%), Data Privacy (7%), Web (3%), Wi-Fi (3%), Domain Name System (6%), and Malware (3%).
  • Note that Data Storage and Sharing consists of papers focused on peer-to-peer sharing, encrypted data storage, and searching. Networks focused on virtual machines, networking, and virtual network management.
  • Of the 30 papers included in the study, the technical solutions presented called for changes at a system’s infrastructure level, reorganizing network architecture, or moving to a blockchain from a centralized server. Papers often have experimental or conceptual solutions that present practical concerns for the effectiveness of a blockchain solution over conventional and current security. Studies with the most practical and “ready-to-deploy” solutions were those that were tested on the Ethereum or Bitcoin platforms. Regardless of the ideas presented, the authors found that blockchain technology offers no “silver bullet for cybersecurity issues.” This is important to note, as there is a significant buzz in the blockchain ecosystem about its ability to offer security against common cyber security threats.

  • The results suggested several trends in blockchain cybersecurity emerging in the three most prominent themes.
  • IoT Research looks at the authentication of devices to an IoT network and of users to devices and the secure deployment of firmware through peer-to-peer updates.
  • Data storage and Sharing research looks at ensuring cloud data remains resistant to unauthorized changes, searching and secure storage of data in hash lists, and verifying the data exchange from end-to-end within a transaction.
  • Network Security research looks at illustrations of how blockchain technologies allow for critical authentication data to be stored in a decentralized manner.
  • The study found primary sources concluded that IoT devices, which are typically designed hardware-lite and require little power, could benefit from new protocol solutions such as: Proof-of-Possession (IoTChain) – which defines that a user has a cryptographic key; Proof-of-Credibility – which achieves consensus by assigning a credibility score to nodes; or a hybrid of Proof-of-Work (PoW) and Proof-of-Credibility protocols.
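The proof-of-possession idea above, as used for authenticating a hardware-lite IoT device to a network, is illustrated by the following challenge-response exchange. This is an added example, not code from the paper or from IoTChain: it assumes a per-device pre-shared HMAC key (constructed sample key, hypothetical device id `sensor-01`) and shows the checks a verifier needs so that a captured response cannot be replayed and a stale challenge is rejected.

```python
"""Challenge-response proof of possession for a pre-shared device key.

Constructed illustration (not IoTChain's protocol): the network issues a
one-time nonce, the device proves it holds the key by returning an HMAC over
the nonce and its identity, and the verifier rejects replays and stale
challenges. Only the Python standard library is used.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample key: in practice a per-device key provisioned at manufacture.
DEVICE_KEYS = {
    "sensor-01": bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    ),
}

CHALLENGE_TTL_SECONDS = 30


def compute_tag(key, device_id, nonce):
    """Device side: bind the response to both the nonce and the claimed identity."""
    msg = device_id.encode("utf-8") + b"\x00" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Network side: tracks outstanding challenges; each nonce is usable once."""

    def __init__(self, keys, now=time.time):
        self._keys = keys
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # nonce -> (device_id, issued_at)

    def issue_challenge(self, device_id):
        if device_id not in self._keys:
            raise KeyError(f"unknown device {device_id}")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (device_id, self._now())
        return nonce

    def verify(self, device_id, nonce, tag):
        """Return True only for a fresh, unused challenge answered with the right key."""
        entry = self._pending.pop(nonce, None)   # consumed on first use: replay guard
        if entry is None:
            return False                          # unknown or already-used nonce
        issued_for, issued_at = entry
        if issued_for != device_id:
            return False                          # challenge was issued to another device
        if self._now() - issued_at > CHALLENGE_TTL_SECONDS:
            return False                          # stale challenge
        expected = compute_tag(self._keys[device_id], device_id, nonce)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def run_exchange(verifier, device_id, key):
    """One complete authentication round; returns (verdict, nonce, tag)."""
    nonce = verifier.issue_challenge(device_id)
    tag = compute_tag(key, device_id, nonce)
    return verifier.verify(device_id, nonce, tag), nonce, tag


if __name__ == "__main__":
    v = Verifier(DEVICE_KEYS)
    ok, nonce, tag = run_exchange(v, "sensor-01", DEVICE_KEYS["sensor-01"])
    print("genuine device accepted:", ok)
    print("replayed response accepted:", v.verify("sensor-01", nonce, tag))
```

Note that recording the verdict on a ledger would make the authentication history tamper-evident, but it does nothing to protect the device key itself, which is the point the authors make about blockchains not replacing ordinary security practice.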

Discussion and Key Takeaways

  • Blockchain for IoT security: Further research should discuss the systematic adoption of blockchain in IoT systems. Research needs quantifiable guidelines and tools.
  • Blockchain for AI data security: Researchers should explore blockchain technology for the protection of artificial intelligence (AI) data in Business-to-Business (B2B) and Machine-to-Machine (M2M) environments. Ensuring the security of AI data increases the credibility and reliability of the data, thereby increasing the trustworthiness of the outputs produced.
  • Sidechain Security: the authors found two fundamental questions that should be answered about sidechains: How do sidechains establish security defaults to prevent attacks? And, how can blockchain customers be assured of the integrity and confidentiality of their data through sidechains?
  • Releasing open-source software and datasets and engaging with the community: Gaps in blockchain cybersecurity knowledge and research remain between academia and the developer community. The paper calls on academic researchers to release more open-source data sets, applications, and tools to be engaged by industry.

Implications and Follow-ups

  • The paper suggests that the use of blockchain technologies for cybersecurity is understudied. Even with the extensive work in the decentralized finance (DeFi) sector, there is not enough research about the potential benefits to cybersecurity. The recent Wormhole attack should give DeFi users a renewed sense of the importance of cybersecurity in blockchain technology.
  • Researchers lack empirical studies and available data sets to conduct blockchain cybersecurity tests. Studies in this paper were largely conceptual and lacked practical application. This is a testament to the speed of blockchain development. The technology needs critical study and testing to find applicable use cases, solving real-world problems, and addressing cybersecurity issues.
  • Bitcoin and Ethereum are cited as potential test grounds for blockchain cybersecurity issues. The authors suggest that these ecosystems should consider targeted efforts to engage with cybersecurity professionals and academics, given the pace of development in their ecosystems. Furthermore, the authors note that blockchains have an advantage in securing against DDoS attacks. Industries where DDoS attacks are frequent may benefit from the decentralized nature of blockchain to enhance their cybersecurity.
  • The authors present four research areas for follow-up work: 1.) Assessing network latency, power consumption, and data packet flows of blockchain-based IoT networks; 2.) Review of various ways in which Ethereum and/or permissionless/permissioned blockchain platforms have been or can be used to develop innovative cyber security solutions; 3.) Architectural design of a forensics-friendly cryptocurrency to facilitate lawful investigation of suspicious cryptocurrency transactions such as those used in cyber criminal activities; 4.) Design of blockchain-based solutions for time and delay-sensitive applications.

Applicability

  • As developers create a decentralized web infrastructure (web3), blockchains need to address cybersecurity concerns unique to public decentralized architecture. Permissioned blockchains will be easier to secure against attacks than globally distributed networks like Bitcoin and Ethereum. Distributed nodes, with different personal security measures and understandings of security, will create unique challenges for collective public governance and open-source developers. Both groups should be aware of basic cybersecurity literacy.
  • Although the authors did not touch on new developments in hardware and software that may affect security, new inventions present an issue for security professionals as hackers may have new opportunities to expose security inefficiencies. For example, faster download speeds may encourage cyber crimes. Blockchains will not be siloed from larger issues in the cybersecurity field.
9 Likes

As a starting point for discussion:

The Cloud Security Alliance (CSA) recently published their Blockchain Cyber Security Report. It’s fairly comprehensive from industry but is focused on blockchain and distributed ledger technologies for cloud security. I think this is an important connection to make with what established industry is focused on vs what is happening on new innovation fronts and in web3.

Published February 2022: BlockchainDLTRiskandSecurityConsiderations022822.pdf (3.3 MB)

The authors of the research paper call for more collaboration between academics and practitioners. I’m interested to see how current cyber security professionals can bring institutional knowledge to blockchains in line with a vision towards decentralized internet infrastructure (which I believe truly remains the goal of the developments happening here).

“Some blockchain technologies use X.509 certificates to create encapsulated digital identities that could control permissions over resources and access to data in the cloud. In addition, blockchain’s immutability property ensures that data blocks have not been altered thus reducing fraud, data manipulation and data destruction risks…[but] The rising frequency of Distributed Ledger Technology (DLT) platform hacks, exploits and scams imperils confidence in blockchain technology’s ability to serve as the foundation for cloud security.”

Questions to consider:

  1. What have dev teams not addressed that seasoned cyber professionals and academics would ask them to consider?
  2. Projects like Helium & FOAM might be enhanced from robust cyber security. Elaborate on why they would.
  3. What are some unique security features and challenges to blockchain technologies?

I would love to hear researchers’ thoughts on these fronts. Especially in context with what cyber security professionals might be thinking about blockchain & DLT.

2 Likes

Thank you very much for this fantastic summary! This specific issue is very relevant to me for a few reasons, but the biggest reason being I am currently attempting to execute a qualitative study on the perspectives of decision-makers concerning their sources of information relative to cybersecurity strategy and implementation.

  1. Did the authors make any commentary or notation about case studies that reinforced these observations?

  2. Were there any suggestions concerning Proof of Possession or Credibility relative to integrated frameworks that might utilize more than one type of protocol to supplement gaps in chain-of-custody?

  3. Did the authors indicate “why” the studies that were deployed on Ethereum or Bitcoin were “the most practical”? This observation seems to be politically charged, but there may be data that supports this framing and I am wondering if you saw anywhere that would support this statement beyond being a value judgment from the authors?

1 Like

Quoting the original study:

More than simply becoming popular, [blockchain] has made a lasting impact on the world. … The value of a trustless, decentralized ledger that carries historic immutability has been recognized by … industries looking to apply the core concepts to existing business processes. … Most notably, there is an emerging trend beyond cryptocurrency payments: the blockchain could enable a new breed of decentralized applications without intermediaries and serve as the foundation for key elements of Internet security infrastructures.

Note the conditional statement, “the blockchain could enable a new breed of decentralized applications…”

We’re talking about the possibility of using blockchain as “the foundation for key elements of Internet security infrastructures,” and yet as the study itself acknowledges, blockchain technology has already “been commercially adopted [and] has influenced world currency markets.”

Now, it seems to me that “world currency markets” deserve to be treated with at least the same level of maximal scientific precision as anything else truly important. Would we put humans on a rocket to Mars based on technology as provisional and unproven as that which (as @valeriespina points out) just suffered the second biggest DeFi attack in history?

Before becoming fixated on the (no doubt worthwhile) minutiae of this study, I think it’s important to step back and ask a higher level foundational question.

Whose aims are being served by the precipitous rush to adopt a technology for purposes that it has clearly not been proven for? Is the global financial market a bunch of tipsy cows drunk on fermented berries? Is it mass hysteria over a Dutch tulip bubble? Or have specific firms—like Wormhole, which just chose to sacrifice $326M to make one of its stakeholders whole—calculated that the risks are tolerable to get “first-mover advantage”? And in either case, is this any way to run a business?

2 Likes

Ralph, all of these observations and questions are what ultimately led me to start working at SCRF. On the one hand, you’re absolutely right about every single observation. On the other hand, the market will continue to move whether it is ethical to move or not. These questions need to be asked, and these philosophical frameworks need to be examined; unfortunately, that will not prevent the market from continuing to experiment with real-world capital and real-world people. It is the unfortunate reality of this market that makes SCRF even more valuable as a place to have these types of examinations and hopefully create dialogues to further the conversation.

I would love to hear people’s responses to Ralph’s set of questions, as those specific set of questions are some of the most pressing and simultaneously most unaddressed issues that need to be unpacked.

2 Likes

@Larry_Bates Thanks Larry, I like the idea that airing these ideas makes SCRF more valuable. Gives us something to live for. :)

Of course you’re right that this is what happens, and I’m sure this “unfortunate reality” is not for mere mortals to question, but I think I’ll question it anyway. Why exactly will the market continue to be allowed to experiment with real people’s money and real people’s lives, without any regard for ethics? It seems so… unethical.

One obvious answer is “this is our way of life.” That was my father’s expression for the dog-eat-dog world we live in. He said it many times, and yet if I had ever said in reply, “You realize you’re talking about capitalism, right?” he would have been shocked.

Another obvious answer is that anything that can be technically done will be done, regardless of the economic arrangement you live under (which makes this explanation “not ideological”), and regardless of how good an idea it is. This might be called the “humans are builders and builders will build” theory.

What’s yours?

2 Likes

I think you’ve come to a specific point where it ceases to be abstract and becomes a much more tangible conversation:

Where/why/how are the legal boundaries within the market; as there ARE in fact limits and limitations on what a business can/can’t do.

Where is the perimeter between unregulated territory, a regulatory sandbox, and regulation?

In that construct, we can start to delineate where the regulation ends and where regulatory observation with the freedom to experiment begins in contrast to the completely unregulated operations that seem to be doing legitimate business in the public without having a clear jurisdiction for their operations.

Even down to this conversation defaulting to the assessment from the American perspective, but due to our both being American. Surely all cultures do not have the same predisposition towards exploiting all market avenues with no regard to ethics, so that framing is defaulting to the American example. In that regard, it would be debatable whether American cybersecurity culture is a good model for the world and in that regard it makes the examination of cybersecurity literature that is only published in English inherently based in this cultural paradigm.

Is the English language itself limiting our capacity to discuss these concepts outside of the framework of accepting western capitalism as “default” and everything else as “other”?

I would assert that this conversation has many relevant aspects that result in an inherently politically charged landscape that also necessitates deconstruction of the cause of the political tension before the actual issue can be addressed.

The conversation began with examining cybersecurity studies only to get to the question of whether the studies are examining practices that are even ethical to be happening, with the studies not necessarily raising that question. Is it possible to deconstruct the speed of unethical business/academic practices? A system that depends upon those things would argue it’s impossible; on the other hand, I would assert that ethics are a relatively new invention in western recorded history if we look at ethics and empathy as tools instead of naturally occurring states.

With all that said, even SCRF had to initially stay away from the ethics discussion because it is so heated and heavily theoretical that it was agreed upon in the first six months or so that the forum was not yet established enough for a discussion like that to potentially take over every topic. Ethics are a hot-button issue for a reason. It’s very difficult to come to an agreement upon a shared set of ethics that go beyond a few values.

So to bring it full circle: Is it “ethical”?

Whose ethics?

2 Likes

Of course I agree about the relativism of ethics across cultures, or even within a single culture (“situational ethics”). I’m not disowning its importance, but I do want to point out that ethics per se was your own contribution to the conversation. My original complaint was with the strangely unscientific application of technology to weighty human concerns like global currency markets. And I still think that’s significant.

To use my example of space exploration: Send up a rocket that explodes and vaporizes some astronauts and your space program goes on hold until you can demonstrate that your O-rings are fixed. But regularly lose hundreds of millions of dollars to DeFi hacks and nobody says a word about your technology being garbage.

Why are we so relaxed about playing fast and loose with other people’s money, unless the point is to steal it?

2 Likes

My original response was trying to assert that this particular market will move “whether it is ethical or not” in the context of it being framed as “capitalism”. This is where defaulting to American/western capitalism is what I was actually trying to get at, but had to use the framing of “whose ethics” to contextualize why the conversation is defaulting to a particular culture of market movement that disregards ethics, and by proxy disregards scientific practices that are rooted in preserving ethical experimentation.

I think the question “Why are we so relaxed about playing fast and loose with other people’s money, unless the point is to steal it?” is inherently defaulting to the American/western capitalist perspective when that is not the only motivating force in the space. The issue becomes whether the non-western capitalist frameworks can exist in the same space without becoming exploited in the western capitalist paradigm, to then say “who is ‘we’ in the statement about playing fast and loose with other people’s money”?

I wasn’t actually trying to bring “ethics” into the conversation for the philosophical debate of “ethics” so much as articulate that this conversation inherently defaults to a framework that will exist with a market that moves whether the moves are ethical or not.

I think in your examples, it’s hard to articulate whether you’re talking about American political theater or problems that are inherent to operating in an innovative space. I would think it is the former, rather than the latter, which is why I started to try to contextualize “whose” framing we are using throughout this conversation. I believe specifically “American” and “Western” businesses are comfortable playing fast and loose with other people’s money. I’m not sure that particular paradigm is true globally. That is what I was trying to express with the question “whose ethics?” not literally “whose ethics”. It is a hard discussion to have in text.

In other words: Does the fact that the study excluded non-English papers inherently make this conversation default to a western-capitalist framework which guides the business, scientific, and ethical practices thus shaping the trajectory of the conversation?

“One obvious answer is ‘this is our way of life.’ That was my father’s expression for the dog-eat-dog world we live in. He said it many times, and yet if I had ever said in reply, ‘You realize you’re talking about capitalism, right?’ he would have been shocked.”

“Did the conversation ever have the capacity to escape this particular paradigm because the original literature review excluded non-English papers,” was the effective goal of the original question. I am NOT trying to derail the thread, as this is a serious question that I am concerned with as an academic and practitioner. This question is constantly something that concerns me. In being able to speak French, I have worked in France and in post-colonial French speaking countries. They have a different approach and are more about mutually beneficial outcomes. That is not to say it’s because of absolutely noble reasoning, but the business culture that you see in American DeFi does not actually represent even the majority of the development; it’s just the most visible in America.

I worked with KfW bank in Germany to help them develop one of their real estate products, and even at that level of commercial development the rhetoric and willingness to take risk with other people’s money was just not present in the same way that you find in specifically American DeFi culture.

1 Like

Very interesting Research. Thanks for summarizing this @valeriespina.

It seems that the researchers only considered primary studies published up to early 2018, and have assumed that the number of papers in 2018 would surpass that of 2017. They were also bullish about the application of blockchain and subsequently the number of new papers that fit under their criteria.

As we have arrived at 2022, is there an easy way to figure out to what degree the boom has played out? What does Fig. 2 look like after we take into account the most recent data?

The same goes for the main conclusions of the paper: Do they still hold after nearly 4 years since? What is different and what do you find most unexpected or interesting? :slightly_smiling_face:

4 Likes

Fair points.

Even if I was trying to think about “an innovative space” I was undoubtedly thinking also about “American political theater.” This isn’t simply explained by my being provincial. :wink: It’s that America is the 800 pound non-benign hegemon.

Again, I accept this point on faith, and hope you’re right. China is the country I would look at first, and indeed they do seem to be putting the brakes on “free enterprise,” much to America’s disappointment.

I have no trouble accepting this premise.

Glad to hear this.

2 Likes