Why blockchain isn’t always the answer

Blockchain vendors are touting the technology as a solution to many security (and other) problems. Consider costs and alternatives before jumping on the bandwagon.

Roger A. Grimes May 02nd 2018

I get 10 to 30 pitches a day in my inbox from well-meaning PR people seeking to promote themselves, their clients, or their clients’ products. Out of the few I open and read thoroughly each week, perhaps one or two make me want to find out more. Far fewer make it to my Twitter feed or a column.

The problem with most PR pitches is that they pitch the same thing: cloud, ransomware, and so on. These days the trending catchphrases seem to be artificial intelligence, bitcoin and blockchain. Sometimes, the PR pitch is so fantastical and misaligned with the trendy technical word that it makes me laugh.

Such is the case with the PR pitch shown below.

pr blockchain email Roger Grimes

This pitch “jumps the shark”, with the PR person suggesting that blockchain could have made the recent romaine lettuce or egg e-coli recalls in America more focused. It’s precious. I’ll remember the PR person’s name the rest of my life, but perhaps not for the reasons they would like me to.

Blockchain isn't the right tool for every situation

Every builder, craftsman and hobbyist knows that the right tool can make any difficult situation easier. In the same vein, the same tool is never right for all situations. Blockchain is a great digital invention, which, if applied in the right areas, will change the world.

It is not the right tool for every digital security situation. Yes, blockchain could possibly improve food-borne illness recalls, but at what cost? Would the cost of setting up a national system with every provider, distributor and person involved be worth the effort and expense? Probably not, even with the threat of illness and human life on the line.

A blockchain, at its elementary component, is simply a transaction ledger where every transaction is cryptographically tied to all others. It’s about integrity, not encryption. Defined and applied cryptographic algorithms make it very difficult to forge a transaction in such a way that it could not be easily verified by the involved parties. It’s a simple but revolutionary concept.

In early 2017, the Harvard Business Review suggested that blockchain is a foundational technology and thus "has the potential to create new foundations for our economic and social systems [emphasis mine]." A January 2017 World Economic Forum report predicted that by 2025 10 percent of global GDP will be stored on blockchains or blockchain-related technology. If you don’t know about blockchain, you probably should start to learn about it.

But this doesn’t mean that everything that could have blockchain should have it. Blockchain should only be considered when strong integrity of transactions among a group of people is needed and the cost (including value, time and best use of resources) in a particular protection scenario does not exceed the:

  • Ability to pay for or generate the required protection
  • Cost of another method that can provide the same or more protection
  • Potential likely damaged that could be caused without using it

I might be forgetting something, but these are the key requirements. If these requirements are met, then blockchain might be the solution needed.

Blockchain cost versus benefit

For example, let’s consider blockchain for protecting us against food-borne illnesses. Certainly, saving a human life is worth any amount of money, yes? Turns out, nope. We put price tags on human life all the time in nearly every protection scenario.

We know that driving cars will kill tens of thousands of people each year, but we let people drive dangerous cars, very fast, all the time. We know that if we limited them to 5 mph and made then out of bulky rubber that a lot fewer people would die, but no one would want to drive a car if we could run past them using our human legs. So, society has made a trade-off where we expect a rather large number of accidental deaths each year in exchange for driving our dangerous cars faster. We’re making driving safer all the time, but we will never make it so safe that no one dies. Not worth it.

The question then becomes how much is a human life worth in a particular scenario? We make these decisions all the time.

If we applied it to food-borne illnesses, how much would we pay to stop more people from getting sick and dying from tainted food? The Centers for Disease Control estimates that each year in the U.S., food-borne illness sickens about 48 million people, causing 128,000 hospitalizations and 3,000 deaths. That’s probably more people getting sick and dying from food than you thought. It was for me, but it’s been that way for decades. Despite significantly lower levels of funding to help fight food-related illnesses, the incidence of food-related illnesses is slowly improving.

So, millions of people are getting sick and thousands of people are dying each year, and we’ve only slowly done something about it. Surely, all of us would be glad to pay something more to make it less likely to get sick from food. But what is that number? Would society be willing to pay double for our food to make it significantly less likely to get sick? Triple? Quadruple?

The answer is they probably wouldn’t even accept it rising 25 percent. Ask a farmer. The world goes crazy when food prices increase even a little bit. Implementing blockchain would be a multi-billion-dollar effort, if not a trillion-dollar effort.

To adequately track food the way it would need to be tracked, within a centralized blockchain system, would require that every piece of harvesting equipment, farm, aggregator, transporter, and store buyer get in on the effort. They would all need new computer systems and new software. Many of those legs of our farming system don’t use computers or at least computers in away that blockchain can suddenly be introduced.

The quicker and easier question: Is blockchain really needed to provide an adequate level of protection? Certainly, the food chain can benefit from it, but does it need the strong and relatively expensive level provided by blockchain? Or would a regular national database be enough? Would restoring the larger funding levels that used to exist at the state level and in the CDC be enough?

It probably would.

The problem with today’s food supply tracking isn’t that we don’t have enough integrity in our food tracking databases. It’s that we don’t have much of them at all, contiguous across the whole creation and distribution chain. It isn’t like we have a swarm of producers and distributors going into the existing databases and changing entries to avoid blame and potential prosecution.

The problem is we don’t have the systems we need to do basic food tracking across the entire system, and we don’t have enough investigators to go after offenders. Even if you put blockchain into the food system perfectly, it would probably not result in fewer people getting sick, at least not until you address the funding issues.

Applying blockchain to other security mechanisms

I’ve almost embarrassed myself. I’ve spent a lot of words talking about the prevention of food-borne illnesses when I really meant to cover how anyone should approach a computer security scenario, as I covered the requirements above. After first figuring out if the security solution could really fix a problem (because most solutions do not adequately solve the problems their sales people claim), the second most important question is if it’s really needed and at what cost.

Let’s apply my thinking to RFID-blocking wallets. RFID-blocking wallets are supposed to protect you against rogue thieves who can sniff your credit card sitting in your unprotected wallet. RFID-protection providing vendors want to convince you that you need the protection because it’s possible for the crime to be committed.

If you look up at my requirements, the likelihood of the crime occurring is important. So far, there has never been a documented cases of RFID crime being committed that would have been stopped by a protected wallet. That makes the cost of anything beyond $0 an unwise investment.

Another example: Social engineering is heavily involved in most corporate data breaches. According to the 2018 Verizon Data Breach Investigations Report, 93 percent of all data breaches involved social engineering. This isn’t adware. It isn’t a malware program popping up on someone’s desktop and getting removed by antivirus software before it does something. It’s a reportable data breach that resulted in a forensic investigation, and likely a very large capital and resource response outlay. So, whatever you do to put down that very likely threat can probably be justified. You just have to decide how much to spend and what to spend it on (e.g., gateway filters, data leak prevention, education, and other tools).

Last example. Should you use traditional firewalls? Firewalls allow networks or hosts to block predefined or unauthorized network attempts. For decades they have proven their mettle and value. Today, the attacks that traditional firewalls would stop are a very, very small percentage.

Traditional firewalls are only needed to protect against unpatched or misconfigured systems. If you don’t have that problem, then perhaps you don’t need traditional firewalls. I know many very, very large organizations, with some of the largest inbound internet traffic imaginable, that no longer use firewalls. The firewalls were slowing down their overall traffic too much and didn’t provide enough value.

This is all to say, just because a security mechanism could make your more secure, it doesn’t mean it’s the right tool. It could be that implementing the tool could be too expensive or it could be that the threat it faces really doesn’t exist (at least not yet). Life is a series of security evaluations, and as in the case of food-borne illness or fast cars, we often learn to live with very serious potential consequences because we don’t like the cost of complete security.

The PR person who sent me the blockchain/food borne illness made me laugh, and I sent an email saying so. Luckily, they took my reply in stride, and we struck up a new relationship. So, in that sense, the PR person may have achieved what they had hoped.