Last November, as election supervisors across the United States scrambled to count and certify the paper ballots at the heart of the American electoral system, several dozen American soldiers and other citizens in remote locations around the world cast their absentee ballots in an unusual way. It was only a small number of ballots, hardly enough to swing an election. Nevertheless, those votes were significant, not for whom they were cast, but for how they were recorded: on a cell phone app using blockchain, the distributed ledger technology developed for cryptocurrency.
The small pilot by West Virginia was met with both hope and skepticism. As technological capabilities have increased, so has the risk of hackers interfering with networked systems, including voting machines. As one expert put it: “Mobile voting is a horrific idea. It’s Internet voting on people’s horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote.” But others, such as West Virginia’s Secretary of State, called it “the wave of the future.”
Besides elections, the number of use cases for blockchain is growing, with companies and government municipalities running pilots despite criticism from skeptics. These trailblazers range from Walmart, which launched blockchain to ensure the safety of its produce supply chain, to HSBC, using a blockchain platform to settle more than $250 billion in forex trades, to the state of Andhra Pradesh in India, where blockchain is used to settle land records and vehicle registrations. A number of hubs around the world are sprouting up to incubate, develop and test blockchain applications. A white paper by two business law professors at Tilburg University argues that blockchain can solve the lack of transparency and equity in shareholder voting and makes the case for adopting the technology in European Union legislation.
Security by Design
Blockchain applications streamline and secure the recording and tallying of decisions by directly recording and storing every transaction. Technically speaking, blockchain offers the anonymity of a digital wallet address as the medium of identity and an auditable, cryptographically secure record that cannot be manipulated through traditional means. These records come with a high degree of confidence due to the inherent integrity in the blockchain design and the fact that the integrity of the record can be demonstrated cryptographically in the event of a dispute. Additional benefit could be derived from the use of the digital wallet in the form of portability, enabling the identification of users even when they move.
As with any cutting-edge technology, there are significant hurdles and risks that must be addressed, and controls and governance must be put in place to mitigate those risks and prevent unintended consequences. When it comes to voting, for example, there is a concern that many local jurisdictions lack the rigorous cybersecurity regimes required for blockchain to be a viable option.
It Comes Down to the Blockchain Platform
While blockchain has some inherent security benefits, the security of the blockchain platform ultimately depends on the people and processes ensuring the security of the devices on which the recorded transaction takes place – sometimes, that’s a cell phone app provided by a third-party, cloud-based vendor.
As such, any use of blockchain requires engineering human error out of the process because, unlike other electronic or paper-based systems, blockchain records are immutable once created. Any uncaught error in the deployed code has the potential to impact the tally of records or expose sensitive personal data (in cases where anonymity matters).
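The two points above, that a record's integrity can be demonstrated cryptographically and that an error made before the record is written is preserved just as faithfully, can be seen in a minimal hash-chained ledger. This is an added illustration, not code from any voting platform or from the pilots described here. It assumes a single-node SHA-256 hash chain with no consensus layer, and the wallet names and choices are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first block


def block_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(records):
    """Link each record to the hash of the block before it."""
    chain, prev = [], GENESIS
    for record in records:
        digest = block_hash(prev, record)
        chain.append({"prev": prev, "record": record, "hash": digest})
        prev = digest
    return chain


def first_invalid(chain):
    """Auditor's check: index of the first block that fails to verify, else None."""
    prev = GENESIS
    for index, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["record"]):
            return index
        prev = block["hash"]
    return None


def audit_cases():
    """Run the check over four constructed ledgers (wallets and choices are made up)."""
    ballots = [{"wallet": "wallet-a1", "choice": "X"},
               {"wallet": "wallet-b2", "choice": "Y"},
               {"wallet": "wallet-c3", "choice": "X"}]
    honest = build_chain(ballots)
    edited = copy.deepcopy(honest)  # record changed after it was written
    edited[1]["record"]["choice"] = "X"
    rehashed = copy.deepcopy(edited)  # same change, block hash recomputed to match
    rehashed[1]["hash"] = block_hash(rehashed[1]["prev"], rehashed[1]["record"])
    wrong_input = copy.deepcopy(ballots)  # endpoint recorded the wrong choice up front
    wrong_input[1]["choice"] = "X"
    return {"honest": first_invalid(honest), "edited": first_invalid(edited),
            "rehashed": first_invalid(rehashed),
            "wrong_at_source": first_invalid(build_chain(wrong_input))}


if __name__ == "__main__":
    print(audit_cases())
```

The audit flags the edited ledgers at the changed block or the one after it, but the ledger built from a wrong input verifies cleanly, which is why the security of the device and app that create the record matters as much as the chain itself.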
Having a trusted mechanism to establish and protect identity on the blockchain is paramount for ensuring the integrity of the results. While the entry of a vote in the blockchain is protected by strong cryptography and the wallet address does not plainly identify the owner, that address can nevertheless be associated with an individual and could be considered Personally Identifying Information (PII) by many data protection laws.
Perhaps the greatest hurdle to blockchain adoption, however, is not a technical one at all, but rather one of public relations. Most people associate the blockchain platform with the cryptocurrencies that transact on it. Because of the wave of cryptocurrency speculation in 2017 and 2018 and the subsequent loss of value, and the fact that a number of those “tokens” were fraudulent, public confidence in blockchain suffers from some of this negative association with a market frequently perceived as disreputable.
Risk and Change Management Must Not Be Overlooked
While this public relations battle may prove as difficult as any technical challenge, the best way to regain trust in blockchain is with a comprehensive approach, such as the one outlined in Protiviti’s Shared Risk, Shared Gain model, which was designed to help span the gap between a vision for change and its delivery.
More important, any system implementation must undergo a rigorous risk identification and mitigation process. In the specific case of blockchain, that would include the following areas prior to and during the development and design stages:
- Cloud vendor selection or architecture design
- Platform design/architecture assessment (prior to build)
- Security assessment, possibly including penetration testing
- Integration of the new platform with connected systems
- Post-implementation review (Was the platform deployed according to specification?)
Realistically speaking, we are still a long way from blockchain being used across the board, and some industries, such as healthcare, are particularly hamstrung in their ability to experiment due to the high level of regulatory scrutiny over the storing and use of patients’ data. It is also unlikely that we will see blockchain voting on a national level any time soon. Challenges in hardware and software security and identity management will need to be addressed before such adoption is viable. However, the promises are significant, and with sufficient attention paid to lessons learned from public and private experiments already in progress, it is reasonable to expect that blockchain may one day be as indispensable as the Internet today.