I’ve been thinking of a few quotes I’ve seen recently after the Ethereum Classic 51% hack that was reported on January 6:
- “There's no roadmap for it. Nobody is held accountable for security problems with it.”
- "Are its users lemmings collectively jumping off of the cliff of reliable, well-engineered commercial software?"
- “It’s a solution waiting for a problem.”
- “It’s splintered. It has different distributions. It’s too complex to run for most people.”
- “It’s only free if your time has no value.”
- “You would not get a high grade for such a design”
- “It’ll never reach mainstream adoption.”
Of course, these quotes – some of them from well-known tech leaders – are about Linux. And you thought they were about blockchain, right? Gotcha! You see, it its early days, Linux was seen as a strange little curiosity – or threat – that could really impact your career. Back in the day, recommending it could have meant a halt to your career.
I’ve noticed that with this latest Ethereum Classic hack, a lot of the same things said about Linux are often said about blockchain. Some folks are saying it even more often, given the fairly dire news about Ethereum Classic and the ramifications for other cryptocurrencies. This event has caused quite a stir, as is often the case when an emerging technology gets humbled.
The Ethereum Classic issue is part of a long-standing issue and another in a long line of victims of neglect. Ethereum Classic has lower-priority interest than its other platforms. It's my theory that organizations fall victim to low funding once they are of secondary interest to their owners or become a distressed asset. But when you have a big name or brand, you can't afford to skimp on any part of your brand.
With Ethereum Classic successfully attacked, does this mean blockchain’s 15 minutes of fame have expired? Not likely. It’s all part of an inevitable correction – and even reaction – that happens when an emerging (and also over-hyped) technology starts down the rocky path toward mass adoption.
The Gartner Hype Cycle
It’s pretty easy to get onto the “it’s not all that” bandwagon regarding any new technology. For example, check out the reaction folks have had about self-driving cars. Early last year, we saw quite a counter-reaction about them when a self-driving Uber car accidentally killed a pedestrian. Just this week, we saw how the news media bought into a faked self-driving car accident in Las Vegas. It was a PR stunt, but, I think one of the interesting things to learn is that a lot of folks are kind of poised to pop the bubble of any emerging technology.
Part of this is because it’s a natural reaction to what Gartner calls the hype cycle. Gartner uses this cycle to describe how any new technology experiences a sort of adoption/reaction curve.
At first, the technology experiences an almost immediate peak of massively hyped, outsized expectations. Then, it is followed by an almost-immediate drop, where the technology crashes into the trough of disillusionment. Then, as the technology is actually adopted, reactions fall away, and the technology is, in many cases, put to work.
Gartner tracks this curve quite well, and even creates a nice little image so you can see where any given technology is in the hype cycle. Blockchain has been traveling along quite nicely and is now in the trough of disillusionment, at least in the popular mind. The Ethereum Classic hack pretty much is the signature event that put blockchain there.
Skepticism About Emerging Technology Is Not New
But with blockchain as well as self-driving cars, it doesn’t help that these technologies are often seen threatening to replace workers. It’s pretty easy to find people getting snarky about the technology.
I can’t help but think of Secure Sockets Layer (SSL) and how its early versions were easily hackable, leaving millions in a cybersecurity lurch. That’s why Transport Layer Security (TLS) was developed as an SSL replacement. Heartbleed (2012) and Shellshock (2014) were a nice one-two punch to SSL/TLS, open source and Linux. Yet we’re using all of these things today more than ever, though in updated form. Linux continues its domination of the web and the cloud. Companies including Microsoft, Cisco, Oracle and IBM continue to use it as a foundational technology. TLS is a bedrock technology used in hundreds of millions of web browsers, virtual private networks (VPNs) and network connections.
I can’t help but think of other former emerging technologies. Secure Shell (SSH), for example, has endured many fatal flaws that allowed attackers to trivially “own” unpatched SSH servers. Did this kill SSH? If so, someone should let Microsoft know – they’ve (finally) adopted SSH as the de facto way to remotely manage servers.
My point? No one seriously suggested dumping SSL just because its implementation ran into a fatal flaw or two. The fundamental premise was valid and secure. It was just time to regroup, fix a few things and move on.
In spite of setbacks that any emerging technology will have, blockchain continues to make its expected impact. Gartner continues to see blockchain as a major trend for 2019 and beyond. MIT Review feels that blockchain will become normalized in 2019 (I would have written rationalized). Organizations such as Walmart, Tesco and Amazon are using it for smart contacts and supply chain.
Making Blockchain More Secure
After working closely with CompTIA’s Blockchain Advisory Council and other committees, I’ve concluded that the organizations that do well will follow the principles and procedures outlined in the following documents:
In addition to the above white papers, we’ve been having deep conversations with blockchain implementation specialists. At RSA 2018, I discussed blockchain with more than 100 cybersecurity experts, and we outlined several concerns, many of which have been borne out by the Ethereum Classic attack.
Finally, I spoke with two blockchain implementation experts from Dell and Microsoft during one of our IT Pro Webinars in 2018.
I’m certain that we’ll see quite a few more setbacks, stutter-steps and missteps as companies continue to implement public and blockchain solutions. We’ll also see more brilliant uses of it as things move forward.
One thing is for sure: The folks who get blockchain going properly will do so using properly trained technologists, and properly informed management. They’ll follow time-honored security procedures and many of the same solid IT management principles that allow companies to compete, as well as compute, securely. As long as they pay attention to the details and avoid hype-based thinking, they’ll be able to transform their companies as securely as possible.
If you’re interested in learning more, CCN.com offers a nice summary of its findings. Once you’ve read it, ask yourself a question: Does this really mean the end of blockchain, or is this just a problem with its implementation? And, also ask yourself, what can I do to learn more about properly implementing blockchain in the future?
Validate the skills needed to secure blockchain with the cybersecurity certifications along the CompTIA Cybersecurity Career Pathway.