Blockchain for Cyber Defense: Will It Be As Good As You Think? @ DEF CON 2020 Blockchain Village (August 8, 2020)

1. /51
BLOCKCHAIN FOR CYBER DEFENSE:
WILL IT BE AS GOOD AS YOU THINK?
Suhyeon Lee
Korea Univ. /
ROKA
Seungjoo Kim
Korea Univ.
This research was supported by the MSIT(Ministry of Science and ICT), Korea, under the
ITRC(Information Technology Research Center) support program(IITP-2020-2015-0-
00403)supervised by the IITP(Institute for Information &communications Technology Planning
&Evaluation

2. /51
Suhyeon Lee
Ph.D Student in Korea University
Captain in ROKA
Suhyeon Lee ( ) is a Ph.D student in Korea
university. I have 3 years experience as a researcher
in Agency for Defense Development.
As a security researcher, I am interested in network
security, cyber defense, and blockchain
• Cryblock 2019 @ IEEE Infocom speaker
“Countering Block Withholding Attack Efficiently”
• Cryblock 2020 @ ACM Mobicom speaker
“Proof-of-Stake at Stake: Predatory, Destructive Attack on
PoS Cryptocurrencies”
I like to get groundbreaking ideas from philosophy.
My favorite philosophers: Derrida, Nietzsche,
Foucault, Wittgenstein, etc.
orion-alpha at korea.ac.kr
2

3. /51
Seungjoo Kim
Professor in Korea University
Seungjoo Kim is a professor of School of Cybersecurity
in Korea University from 2011.
In addition to being a professor, he is positioning a head
of SANE(Security Assessment aNd Engineering) Lab, an
adviser of undergraduate hacking club 'CyKor', a
founder/advisory director of an international security &
hacking conference 'SECUINSIDE'. Since 2018, he has
been a review board member of Black Hat Asia.
His main research areas focus on trustworthy system
development methodology such as secure SDLC, RMF,
Common Criteria, CMVP, and blockchain etc. He is a
corresponding author.
skim71 at korea.ac.kr
3

4. /51
TOPICS
What is blockchain for cyber
defense
Challenges for blockchain in cyber
defense
Related military projects and
analysis
Takeaway
4

5. /51
TARGETS
Someone interested in blockchain
Someone interested in cyber
defense
Someone interested in how
blockchain can be hacked
Someone needs fresh ideas
→ It will be fun to know about blockchain
→ It will be fun to know about cyber defense perspectives
Someone who needs fresh ideas
5

6. /51
Blockchain for Cyber Defense, what is it?
6

7. /51
Blockchain, maybe you know
Hash-chained
Blocks
Distributed
Network
Decentralized
Consensus
Scalability
Security Decentralization
Features Trilemma
7

8. /51
Cyber Defense,
maybe you don’t know
8

9. /51
Cyber Defense, maybe you don’t know
Cyber security Information security
Threats to
information-
based assets
Threats using ICT Rossouw Von Solms and Johan Van Niekerk. From
information security to cyber security. computers &
security, 38:97–102, 2013 9

10. /51
Cyber Defense, maybe you don’t know
Cyber security Information security
National security
(or defense)
Cyber defense
Narrowly military defense
Widely national security
10

11. /51
Cyber Defense, maybe you don’t know
11

12. /51
Cyber Defense, maybe you don’t know
2007 Cyber attack
to Estonia
2010 Stuxnet to Iranian
nuclear facilities
2015 BlackEnergy to Ukranian
power gird
Therefore nation countries need cybersecurity technologies
12

13. /51
Blockchain looks secure, reliable
Single point of failure
Any Minority attacks
DDoS
13

14. /51
Blockchain looks secure, reliable
“Defense systems require high
security and high reliability…”
“It’s unhackable”
“Okay, then Defense needs it!”
14

15. /51
Related Projects - Preview
• Military Encrypted Messaging App Built on Blockchain
• Blockchain Supply Chain Enhancement for Trusted and Assured FPGA and ASICs
• Decentralized Key Management using Blockchain
• Army Innovation Network -Information System
• Provenance Using Blockchain on Disconnected Networks
• Navy's Approved Multi-Factor Authentication for Personal Mobile Devices
• Supporting Continuity of Operations (COOP) through Resilient Blockchain Frameworks
• Chinese soldiers reward system using cryptocurrency for good performance
• Blockchain-based system to record intelligence in Australia
• Blockchain to help secure aerospace and defense (A&D) supply chains
• French Military Police Record on Tezos Blockchain
• South Korean Military's Blockchain-Based Digital IDentification (DID)
…… and so on
15

16. /51
Will it be as good as
you think?
16

17. /51
Let’s go to the battleground
17

18. /51
What is waiting for us in the battleground?
War is the realm of uncertainty; three quarters of
the factors on which action in war is based are
wrapped in a fog of greater or lesser uncertainty. A
sensitive and discriminating judgment is called for; a
skilled intelligence to scent out the truth.
Carl von Clausewitz
@realClausewitz
18

19. /51
Can be more miserable
Mountain to go (expectation)
19

20. /51
Can be more miserable
Where are
Trees?
They burnt down
a year ago
Mountain
20

21. /51
Let’s assume you got an order to apply
Blockchain in Cyber Defense
“Adopt the blockchain Technology
and secure our networks”
“Aye Aye Sir!”
(There are trusted networks…)
21

22. /51
We encounter 3 challenges
Challenge 1:: Air-gapped Networks
Challenge 2:: Forced Dynamic Environment
Challenge 3:: Resource Shortage
22

23. /51
Challenge 1:: Air-gapped Networks
Software-based air-gap
Hardware-based air-gap
True air-gap
23

24. /51
Challenge 1:: Air-gapped Networks
Single point of failure
24

25. /51
Challenge 1:: Air-gapped Networks
1/N 1/N 1/N
They are partitioned, and decentralization is not effective
25

26. /51
Challenge 1:: Air-gapped Networks
→ Because of the air-gapped structure
of defense network, it may be hard to
adopt blockchain
26

27. /51
Challenge 2:: Forced Dynamic Environment
Wherever the military goes, communication must always exist.
27

28. /51
Challenge 2:: Forced Dynamic Environment
28

29. /51
Challenge 2:: Forced Dynamic Environment
29

30. /51
Challenge 2:: Forced Dynamic Environment
- Case : Sudden expansion
Total nodes: 8
Acceptable faulty nodes : (8-1)/3 = 2
Total nodes: 36
Acceptable faulty nodes : (36-1)/3 = 12
Too easy to make consensus!
The majority becomes the minority.
That is, now, your minority can make the consensus
30

31. /51
Challenge 2:: Forced Dynamic Environment
- Case : Sudden shrinkage
Total nodes: 8
Acceptable faulty nodes : (8-1)/3 = 3
Nearly impossible to make
consensus!
Total nodes: 36
Acceptable faulty nodes : (36-1)/3 = 11
The minority becomes the majority.
That is, now, your majority can’t make the consensus
31

32. /51
Challenge 2:: Forced Dynamic Environment
- Case : Bombing & Partitioning
Total nodes: 18
Acceptable faulty
nodes : (18-1)/3 = 5
Total nodes: 36
Acceptable faulty nodes : (36-1)/3 = 12
Total nodes: 18
Acceptable faulty
nodes : (18-1)/3 = 5
There’s no majority anymore. Furthermore…. 32

33. /51
Challenge 2:: Forced Dynamic Environment
- Case : Bombing & Partitioning
Total nodes: 18
Acceptable faulty
nodes : (18-1)/3 = 5
Total nodes: 36
Acceptable faulty nodes : (36-1)/3 = 12
Total nodes: 18
Acceptable faulty
nodes : (18-1)/3 = 5
Consistency?
Furthermore, we will meet a fork problem. But we can’t just choose one. 33

34. /51
Challenge 2:: Forced Dynamic Environment
In more extreme situations,
→ Assumptions can be easily broken.
→ Weaknesses can be easily revealed.
→ Especially, deterministic consensus mechanisms
that CAN NOT guarantee liveness are….
34

35. /51
Challenge 3:: Resource Shortage
▪ The first problem is resource consumption.
Blockchain’s other name is “state replication system”
Influence on “Mission critical functions” should be checked
35

36. /51
Challenge 3:: Resource Shortage
▪ The first problem is resource consumption.
▪ The second problem is that solving resource
consumption is not easy.
Speed
Our ultimate goal in acquisitions should be
to deliver capability to the warfighter more
rapidly, but unfortunatelytoday it takes too
long to develop and field our systems.
-DEBORAHLEE JAMES,
SECRETARY OF THE AIR FORCE
Bureaucratic acquisition process
36

37. /51
What can you do?
▪ PoW…. We can’t waste energy
▪ PoS…. We don’t have coins
Let’s go to the private style → PBFT style
Challenge 3:: Resource Shortage
37

38. /51
What can you do?
▪ PoW…. We can’t waste energy
▪ PoS…. We don’t have coins
Let’s go to the private style → PBFT style
⇒ But not flexible & Goto Challenge 2 again!
Challenge 3:: Resource Shortage
38

39. /51
Challenge 3:: Resource Shortage
→ Mission is always first.
However, due to the military environment,
support is not so timely and sufficient.
39

40. /51
Related Projects
• Data Integrity*
• Supply Chain Management
• Internet-of-Things
• Communications
• Identification & Authentication
Total 42
14 (33%)
12 (29%)
8 (19%)
11 (26%)
5 (12%)
* Projects only concerned to data integrity
- One project can belong to multiple categories
40

41. /51
Related Projects
[Caution]
•About related projects, detailed information
about many real military projects are
classified
•Our comments are based on limited
information
41

42. /51
Related Projects
• Data Integrity
- French military police records on Tezos
- US DoD project “Sharing of defense research,
development, testing, and evaluation - Data
distribution using blockchain”
- US DoD project “Provenance using blockchain on
disconnected networks”
42

43. /51
Related Projects
•Supply Chain Management
-US DoD project “Blockchain supply
chain enhancement for trusted and
assured FPGA and ASICs”
Blockchain on supply chain management is
also actively researched for efficiency not
only for security
43

44. /51
Related Projects
• Internet-of-Things
- US DHS project “Combining blockchain
technology with critical infrastructure”
It’s sensors and cameras that protect the integrity and
authenticity of critical infrastructure. Blockchain projects
on IoT may suffer from Challenge #3, Resource Shortage.
44

45. /51
Related Projects
• Communications
- US DARPA project “Building an encrypted
msg system based on blockchain technology”
If it is related to messages in tactical networks,
Challenge #2, Forced Dynamic Environments and
Challenge #3, Resource Shortage should be considered.
45

46. /51
Related Projects
• Identification & Authentication
- US DHS project “Decentralized key
management using blockchain”
- South Korea project “blockchain-based DID”
46

47. /51
Related Projects
• Military Encrypted Messaging App Built on Blockchain
• Blockchain Supply Chain Enhancement for Trusted and Assured FPGA and ASICs
• Decentralized Key Management using Blockchain
• Army Innovation Network -Information System
• Provenance Using Blockchain on Disconnected Networks
• Navy's Approved Multi-Factor Authentication for Personal Mobile Devices
• Supporting Continuity of Operations (COOP) through Resilient Blockchain Frameworks
• Chinese soldiers reward system using cryptocurrency for good performance
• Blockchain-based system to record intelligence in Australia
• Blockchain to help secure aerospace and defense (A&D) supply chains
• French Military Police Record on Tezos Blockchain
• South Korean Military's Blockchain-Based Digital IDentification (DID)
…… and so on
47

48. /51
Related Projects
1. General purpose
2. Domain-specific purposes
“Something interesting”
48

49. /51
Then, Alternatives?
Hash-chained
Blocks
Distributed
Network
Decentralized
Consensus
Features
We don’t need to choose a perfect blockchain structure
49

50. /51
Takeaway
- Cyber defense makes more challenges and
requirements for blockchain.
• Air-gaps, Sudden expansion, shrinkage, partitioning..
- Blockchain’s resource consumption can be a
problem, but defense environments are not flexible
to assign more enough resources.
- We don’t need to cling to blockchain if it’s not adaptable.
Otherwise, it will bring more issues.
50

51. /51
Get in Touch
We welcome any questions and discussions
Suhyeon Lee
orion-alpha at korea.ac.kr
Seungjoo Kim
skim71 at korea.ac.kr
51

52. /51
Thank you
Suhyeon Lee
Korea Univ. /
ROKA
Seungjoo Kim
Korea Univ.
This research was supported by the MSIT(Ministry of Science and ICT), Korea, under the
ITRC(Information Technology Research Center) support program(IITP-2020-2015-0-
00403)supervised by the IITP(Institute for Information &communications Technology Planning
&Evaluation