Before the blockchain: 4 questions to answer
Connecting state and local government leaders
Agencies must be able to answer some logistic questions about their blockchain applications, one DHS Science & Technology Directorate official advises.
For the past couple of years, the Department of Homeland Security’s Science and Technology Directorate has worked with startups to identify the benefits and limitations of blockchain technology. Anil John, a program manager in the Cyber Security Division at S&T, spoke about his work to understand how the technology can help agencies at a June 25 meeting of the Information Security and Privacy Advisory Board.
First off, blockchain may not be the best tool to solve agency security or transaction problems.
“Eighty to 90 percent of use cases being targeted for blockchain don’t require a blockchain, which is massively problematic,” John said. “We came up with significant trial and error heuristic process that we use internally and in our operations to decide if blockchain is the right solution.”
If blockchain does look a practical solution, agencies face a number of logistical questions:
- In a process involving multiple organizations will there be a problem dedicating one particular entity to be a central repository if information needs to be changed?
- Will any type of personally identifiable data or medical information be kept on the blockchain? John said no such data should be kept on the chain because “cryptographic ciphers” that encrypt blockchain networks can eventually be hacked.
- Will the application be on a public or permissioned blockchain? “Government use cases are more suited for [a] private permissioned blockchain simply because it is based on regulatory and contractual requirements,” John advised.
- How will encryption keys be managed? Distributed key management, which requires a public and private key pair, only complicates matters further. “How are you distributing those keys? Revoking those keys? Reissuing them at scale?” John asked. “There is a lot of magical thinking in this area.” S&T is asking the National Institute of Standards and Technology for help in making multi-party key management work for government agencies.
To answer some of these questions, S&T is looking into the confidentiality, integrity, selective disclosure and anonymity aspects of different blockchain implementations. John said each blockchain framework has different degrees of support for each of these qualities.
Investigating details around confidentiality and integrity should be the starting point for agencies looking to explore blockchain's potential, according to John. “This is a rapidly evolving space and you need to first understand what your needs are before mapping to a blockchain itself.”
Investigating confidentiality and integrity becomes particularly important as more vendors start offering solutions in the blockchain space. At this time, John said there is no consistency or interoperability at the data level of different blockchain implementations, which concerns him.
“Any large enterprise including government and private sector does have the luxury of rip and replacing existing investments [in technology,]” John said. “Every single blockchain vendor is trying to lock you into a proprietary data format right now.”
S&T is supporting the World Wide Web Consortium’s standardization process for Decentralized Identifiers and the Verifiable Claims Data Model to provide some stability on global specifications for blockchain.
When it comes to smart contracts, John said the technology is not mature enough to be used as a general purpose engine. Blockchain would make sense only for letters of credit and escrow agreements, where specific inputs trigger specific outputs, he said.
Regardless of all of these challenges, S&T still sees significant potential for development.
“We should all work together to build innovation on top of a big framework rather than chasing bright and shiny objects,” John said.