Blockchain Takes Away a Cybercriminal's Greatest Edge

From last October's famous internet outage to the more recent data breach at credit reporting agency Equifax, there's a common denominator across most major security incidents we've seen lately: the targets were centralized services.

Centralized architectures—which account for most of today's internet services—concentrate data, hardware, and other vital resources in a small number of physical and virtual servers. This structure burdens Amazon, Google, Microsoft, and the other large public cloud providers that host large numbers of critical websites and services with the heavy responsibility of securing all of these resources and keeping them running in the face of an ever-evolving threat landscape. The same architecture leaves users no choice but to trust platforms such as Facebook and Google with some of their most sensitive data. For businesses, it often means leaving critical functionality in the hands of third-party web services. Meanwhile, it makes these services easier for cybercriminals to compromise: a fixed, centralized target is easier to reach and harder for endpoint protection services to secure.

Many experts and organizations believe that decentralizing vital services will make them more resilient against cyberattacks. Blockchain, the decentralized technology that ushered in the era of cryptocurrencies, has already begun to reshape the digital landscape, and it intersects with cybersecurity in a multitude of ways. A number of innovative companies and projects are using blockchain to address everything from distributed denial of service (DDoS) attacks to data security.

Why Blockchain?

In a nutshell, blockchain is a distributed ledger of transactions. It is a database that exists on thousands of computers at once rather than being secluded and, more importantly, centralized on a single server or cluster of servers. A reasonable number of nodes (meaning the computers and virtual servers that make up a blockchain network) have to verify and confirm every new record before it is appended to the blockchain and replicated across the entire network. Hence, every node in a blockchain maintains an identical version of the transaction database.

Blockchains are also immutable and transparent. Immutability means that, in an online world where everything is editable, a record that has been confirmed and appended to the chain cannot later be altered or deleted without the change being evident to the rest of the network. Transparency, in turn, ensures distributed trust: no single entity can own and manipulate the database. This characteristic is key to blockchain's cybersecurity value. By removing the single points of failure from which today's services suffer and that hackers love to exploit, blockchain changes the rules of the game.

Keeping Websites Up and Running

Last year, several famous websites were taken offline through DDoS attacks. DDoS involves flooding the servers of a target website or service with bogus requests coming from malware-infected computers until they can no longer handle the traffic and are forced to shut down. DDoS attacks continue to grow in size and number. They are becoming easier to stage thanks to an increasing number of insecure Internet of Things (IoT) devices being swept up into powerful botnets such as Mirai, which perpetrated the historic Dyn DDoS.

DDoS remains a favorite weapon in the cybercriminal arsenal, used for extortion, revenge, censorship, and damaging competitors. Currently, the standard plan for withstanding a DDoS attack is to allocate more compute and network capacity so that servers are not overwhelmed, a measure that costs both web hosting services and their clients huge sums of money.

"Websites by themselves have a single point of failure, [the one server], and current DDoS protection solutions and content delivery networks (CDNs) are not highly distributed," said Alex Godwin, co-founder of Gladius, a blockchain-based CDN and DDoS mitigation service. "Moreover, if one of those services experiences interruptions, a very large number of websites will be taken offline."

We saw that level of widespread service disruption earlier this year, when a global failure in Amazon Web Services disrupted access to thousands of high-traffic apps and websites. Gladius fights DDoS attacks by never giving attackers a single target to hit. In Gladius, website resources aren't stored in a single data center or in a limited number of centralized data centers. Instead, they exist on a large, distributed network of computers scattered across the world. When a user sends a request to a website, the request is directed to the closest node hosting its contents. A blockchain records where those resources are stored, making their location transparently auditable and helping keep malicious nodes out of the network.

"Blockchain allows websites to get a content node [or multiple] on every single ISP without the complex contractual agreements they would otherwise have to go through," Godwin said. "It also allows a much larger scale, where the infrastructure that facilitates these connections [the blockchain] is essentially invulnerable to attacks."

Anyone can share their computer's free disk space and bandwidth with the Gladius network and be rewarded with cryptocurrency tokens for their contribution. The incentive is meant to encourage more users to join the platform and create more content-hosting nodes in every locale. Businesses will also benefit from this model. A more distributed hosting network lowers web hosting costs while raising the cost of a DDoS attack, because attackers have to spread their firepower across a very large number of targets.

Preventing Critical Infrastructure Compromise

Websites are not the only targets of DDoS attacks. In fact, the most devastating DDoS attack in history was staged against Dyn, a provider of domain name system (DNS) services, on October 21, 2016. DNS services are like phone books for the internet. When an application such as a browser or messaging app tries to connect to a service, a DNS server resolves the requested domain name and translates it to the corresponding internet address. After Dyn's DNS servers started failing under the load of the massive DDoS attack perpetrated by the Mirai botnet that October day, millions of users across the US and Europe lost access to popular websites such as Twitter, PayPal, and Netflix.

Aside from DDoS attacks, DNS services are also vulnerable to other types of malicious activities. Governments that censor the internet control local caches of DNS records and manipulate them to block access to websites or to redirect users to malicious versions of websites.

"It would be no exaggeration to say that DNS is the weak link of the internet, exploited by rogue ISPs, censors, and hackers to create an unreliable web," wrote blockchain expert Philip Saunders in a blog post shortly after the Dyn attack.

Blockchains provide alternative ways to store DNS records that will not fail under a flood of requests. Saunders laid out the blueprint for such a system in his project Nebulis, which he calls a "distributed, blank-slate DNS." In Nebulis, DNS records are registered on the Ethereum blockchain. Because the blockchain exists across a large number of nodes at the same time, the DNS system is inherently far more resilient to DDoS attacks.

Blockchain also solves the problem of data ownership. Only the entity that truly owns a domain has permission to update and manipulate its associated records. This prevents censorship and domain poisoning. Businesses can rest assured that they are the only ones determining the destination of requests to their domains.
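The two properties the article leans on, a hash-chained ledger replicated across nodes (from "Why Blockchain?" above) and DNS records that no single server can quietly rewrite (the Nebulis discussion above), can be shown with a toy model. The Python below is an added example, not code from Nebulis, Gladius or any other project named here; it assumes a simplified confirmation step (a majority-of-chain-heads check instead of a real consensus protocol) and uses constructed sample DNS records with documentation addresses.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # stands in for the "previous hash" of the first block

def block_hash(prev_hash, record):
    # Each block commits to its predecessor, so editing an earlier record invalidates every hash after it.
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class Node:
    """One replica of the ledger; every node keeps a full copy of the chain."""
    def __init__(self):
        self.chain = []

    def tip(self):
        return self.chain[-1]["hash"] if self.chain else GENESIS_HASH

    def append(self, record):
        record = dict(record)  # private copy: tampering with one replica must not leak into the others
        self.chain.append({"prev": self.tip(), "record": record, "hash": block_hash(self.tip(), record)})

    def first_bad_index(self):
        # Index of the first block whose link or hash no longer verifies; None if this copy is intact.
        prev = GENESIS_HASH
        for i, block in enumerate(self.chain):
            if block["prev"] != prev or block["hash"] != block_hash(prev, block["record"]):
                return i
            prev = block["hash"]
        return None

def majority_tip(nodes):
    tips = [n.tip() for n in nodes]
    return max(set(tips), key=tips.count)

def divergent_nodes(nodes):
    # Replicas whose chain head disagrees with the majority, e.g. a copy rewritten end to end by an attacker.
    return [i for i, n in enumerate(nodes) if n.tip() != majority_tip(nodes)]

def replicate(nodes, record, quorum):
    # Simplified confirmation: append only if at least `quorum` replicas agree on the current head, and only to them.
    agreed = majority_tip(nodes)
    if sum(n.tip() == agreed for n in nodes) < quorum:
        return False
    for n in nodes:
        if n.tip() == agreed:  # a node holding a divergent copy is left behind
            n.append(record)
    return True

# Constructed sample DNS records using documentation addresses, not real registrations.
DNS_RECORDS = [{"name": "example.com", "type": "A", "value": "203.0.113.5"},
               {"name": "example.net", "type": "A", "value": "198.51.100.7"}]
```

The model shows the three outcomes a defender cares about: a silently edited record fails its own hash check, re-hashing that block breaks the link to the next one, and a copy rewritten end to end is internally consistent but disagrees with the other replicas, so tamper detection ultimately depends on comparing against an honest majority rather than on any single node.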

Nebulis isn't the only project thinking along these lines. Namecoin, another blockchain organization, is creating .bit, a decentralized top-level domain (TLD) maintained on the Bitcoin blockchain, where it can't be censored or compromised by malicious actors.

"With the Ethereum Blockchain, you read straight from your own copy without imposing costs on the network. This has great potential for lifting a great deal of pressure from the physical backbone of the internet," Saunders said. "It also means we can do away with many of the redundancies of the traditional DNS and come up with something which is much better."

Protecting Sensitive Data

Equifax lost hold of financial and personal data belonging to more than 145 million US consumers because it failed to install software updates and to encrypt data stored on its servers. These are two very basic practices that every organization should adopt. Yahoo's failure to protect its network resulted in the data of more than three billion users finding their way into the hands of cybercriminals.

These are just two of the many cases where users have found themselves bearing the brunt of data breaches. Presently, users have to surrender huge amounts of their data to internet companies to use their services. These companies often fail miserably at upholding their duties to protect that information. Blockchain may offer a solution that both mitigates user data risks and takes pressure off of businesses when it comes to sensitive data security.

Many experts believe that internet apps shouldn't hoard user data, and distributed ledgers such as blockchain can help users maintain ownership of their data in a secure and reliable way. In a world where these kinds of mass breaches and data leaks are commonplace for businesses and users alike, distributed and secure data ownership is one of the most promising features of blockchain. Many projects are exploiting this potential to turn internet apps on their head.

One of the interesting projects in the space is Pillar, a vision for a personal data locker that uses blockchain to store digital assets. Such assets include health records, cryptocurrencies, contact lists, credit records, and documents. Only the owner has access to the data stored in the Pillar wallet, and they can specify with which apps they want to share it. The wallet will come with a smart, artificial intelligence (AI) assistant that will help users manage their data.

Blockstack is a startup that's using blockchain to create a "new internet for decentralized apps where users own their data." Users access the Blockstack network and its apps through its proprietary browser. In Blockstack, there are no centralized database servers holding massive amounts of user data. Blockstack users have a blockchain-based profile, which they take with them to every app they access. App data is encrypted with user-owned keys and stored in a back end of the user's choosing. This kind of data siloing and decentralized app functionality represents a major security improvement, both for users and for the app providers that have struggled to protect the data they collect.

Other projects target specific internet apps. Storj is the blockchain equivalent of Google Drive. It replaces centralized servers with a distributed network of computers sharing their free disk space for file storage. A blockchain keeps track of which users are participating in the network and where files are stored. Users who share their resources with the network are paid in cryptocurrency tokens for their contribution.

By removing centralized servers and data stores, blockchain-based apps and services take away the main element that has given cybercriminals the edge in recent years. Faced with decentralized blockchain infrastructure, hackers will no longer be able to bring down an entire system or gain access to a treasure trove of information by compromising a single server. They will have to hit thousands of targets to carry out an attack, a costly and, in theory, impossible feat.

As a nascent technology, blockchain will have to overcome many technical and economic hurdles before it can gain mass adoption and rival the power of cloud services that dominate the internet. But when it does, it will place companies in a better position to protect their business and customers from cyberattacks and security incidents. An old saying among cybersecurity experts is, "We need to get it right every time; hackers only need to get it right once." Maybe blockchain will one day invalidate that rule.

This article originally appeared on PCMag.com.