Rethinking infosec for the Web3 era

First in a two-part series. Read the second part here.

Web3 technology offers a chance to break free from past cybersecurity mistakes — realizing that potential will require investment from passionate, curious, and open-minded information security professionals.

As Web3 continues its meteoric rise, I can’t help but look on with growing concern as an infosec practitioner. Many in the tech industry have neatly concluded that blockchain, cryptocurrencies, and NFTs are scam vectors, ruining the planet and destined to disappear. But the rapid proliferation of these technologies, their adoption by many multinational corporations and a steep rise in the price of Bitcoin — not to mention President Biden’s recent executive order on digital assets — all point to Web3 being more than just a fad.

We in the infosec community shouldn’t act like Web3 Luddites lest we leave people in this Wild West without adequate resources to protect themselves. Crypto hype cycles aside, real opportunities exist to exert early influence over the direction and development of Web3 technologies. Now is the perfect time to reflect on the security failures of the previous incarnation of the internet and to leverage these learnings to create lasting solutions that help regular folks stay safe. No one deserves to get scammed.

From MP3 sharing to blockchain

The first time I witnessed an innovation of decentralization on this scale, the year was 1999, and the technology was Napster.

More recently, “the cloud” went through the same buzzword phase that blockchain is in now. A decade ago, my colleagues and I joked about the meaninglessness of the term: “There is no cloud, just someone else’s computer.”

Today, cloud computing has become something quite a bit bigger than our jeers had predicted. In fact, it’s hard to comprehend the nuances involved in securing cloud technology without specializing in a particular vendor’s platform. Expect the same sort of evolution — from buzzword to bedrock Internet technology — for Web3.

The good news is that blockchain, the basis of Web3, provides a unifying foundational fabric that can help address common security issues such as governance, access, integrity, and observability. Blockchain tech allows for creating “trustless” environments (no intermediary has to be trusted to hold funds or keep records honestly) and “permissionless” ones (anyone can participate without an account being provisioned for them) in which users can transact with one another, relying on cryptography and on consensus code that is highly available, scalable, and battle-tested. Those guarantees cover the ledger and consensus layer; the smart contracts deployed on top of it are ordinary application code and carry ordinary application bugs.

Infosec isn’t working

We hear of a new high-profile data breach nearly every week, even though companies are spending more than ever on cybersecurity. Meanwhile, infosec innovation has languished compared to other areas of tech (like cloud computing).

Despite the complexity of today’s cybersecurity landscape, we consistently blame people for falling prey to scams, clicking on the wrong links or generally not knowing enough to keep themselves safe online. Our industry-wide lack of focus on the human element is linked to a failure to line up vulnerabilities with the risks they pose. Take the recent controversy over Coinbase’s Super Bowl ad, which featured a bouncing QR code. Should people worry about scanning QR codes? We have no consensus on this basic question.

When regular folks ask us for concrete recommendations to stay safe online, we waffle and bleat, “it depends on your threat model.”

Meanwhile, the infosec community has tended to keep valuable cyber threat information hidden behind corporate walled gardens, while continuing to rely on ineffective defenses such as security through obscurity. We used to describe defended networks as M&M’s: hard, crunchy perimeters with soft, melty, vulnerable interiors. These outmoded architectures rarely lend themselves to the Zero Trust approach we’ve all heard so much about, in which no network location is trusted by default and every request is authenticated and authorized on its own merits.

Centralization of sensitive log data, a core competency of every functional Security Operations Center, creates data governance, compliance, and ethical concerns related to surveillance that only get worse at scale.

Can we enable secure transactions between consenting parties without pitting privacy against safety?

Image credit: ETC/Flickr

Enter Web3

Ultimately, it will be much more effective to rely on the underlying defenses of a cryptographically secured, distributed ecosystem such as a blockchain instead of attempting to play threat actor Whack-a-Mole on vulnerable networks using private, centralized surveillance.

Newer blockchains that avoid energy-hungry consensus mechanisms such as proof-of-work can alleviate concerns about the energy consumption of systems like Bitcoin. Solana, the 9th largest cryptocurrency by market capitalization at the time of writing, describes itself as a carbon neutral blockchain and encourages its developer community to build in security from the start by writing smart contracts (on-chain programs) in the Rust programming language. Safe Rust eliminates entire classes of security risks, memory corruption bugs such as buffer overflows and use-after-free among them, and may be one of the best tools we have to prevent vulnerabilities in code. It does not, however, check a program’s logic: an on-chain program that forgets to verify which account signed a transaction, or which program owns an account it reads, compiles and runs cleanly in Rust and is still exploitable.

There may be no better way to find bugs than to expose interfaces to the general public. When attackers and defenders have access to the same information, it levels the playing field in a way that sharpens focus on prevention instead of response. That would allow our industry to address systemic weaknesses over time.

No blockchains are fully decentralized today. True decentralization remains a lofty goal of many Web3 organizations — few even attempt to explain how such a system could look in practice. However, trustlessness and permissionlessness are still key principles which actively guide system design in Web3 ecosystems. Ideally, the blockchain itself and the smart contracts deployed to it mediate transactions between users — not opaque code on servers answering only to their administrators.

Blockchain can allow us to shift limited security resources away from a user’s underlying hardware and networks by using cryptography to confirm certain ground truths. When we need to know something, we ask the blockchain. Decentralized application (dApp) developers are incentivized to store data on-chain, to avoid performing critical computations off-chain, and to avoid building access mechanisms around anything other than a person’s wallet, that is, a signature from the key that controls their on-chain address. That translates to greater data integrity and more complete observability of inputs, computations, and outputs. The flip side is that on-chain state is public: anything stored there is readable by everyone, so data that must stay private has to be encrypted before it is written or kept off-chain.

People need greater sovereignty over their data, and ethical developers are interested in minimizing data collection to protect privacy. Web3 can help with these goals by shifting custody of signing and encryption keys to end users, giving people more control over their data. Declining to take custody of an individual’s keys gives them the ultimate opportunity to maintain ownership over their identity on the blockchain; it also means the key is the identity, so a lost or stolen key has no “forgot password” flow behind it, and user-side key storage becomes the thing we most need to get right. Although this differs from how we’ve previously managed enterprise-level networks, we should welcome these new architectures as ways to empower users while reducing organizational risks relating to data collection and access management.
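The two ideas above, wallet signatures as the only access mechanism and keys that stay with the user, together with the earlier point that Rust removes memory bugs but not logic bugs, can be shown in one small program. The following is an added example written for this page, not code from the article or from any blockchain project; it uses Go’s standard-library Ed25519 (the signature scheme Solana accounts also use) and a constructed in-memory Ledger as a stand-in for on-chain state. The names Wallet, Transfer, Ledger, IssueNonce, Apply and ApplyUnchecked are assumptions for illustration, as is the challenge-nonce scheme. ApplyUnchecked is the vulnerable form: memory-safe and compiling cleanly, it lets anyone who knows an address spend from it because it never asks who signed. Apply is the hardened form: the ledger issues a nonce, the wallet signs the transfer with a private key the ledger never sees, and the ledger verifies the signature under the From address before moving funds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Wallet holds the user's signing key; the public key doubles as the address.
type Wallet struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the wallet; the ledger only sees Pub
}

func NewWallet() (*Wallet, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{Pub: pub, priv: priv}, nil
}

// Transfer is what a wallet signs; Nonce is a ledger-issued challenge that stops replay.
type Transfer struct {
	From, To ed25519.PublicKey
	Amount   uint64
	Nonce    []byte
}

// Bytes uses fixed-width fields (32-byte keys, 8-byte amount) so distinct transfers never collide.
func (t Transfer) Bytes() []byte {
	b := append(append([]byte{}, t.From...), t.To...)
	return append(binary.BigEndian.AppendUint64(b, t.Amount), t.Nonce...)
}

func (w *Wallet) Sign(t Transfer) []byte { return ed25519.Sign(w.priv, t.Bytes()) }

// Ledger is a constructed stand-in for on-chain state: balances by address plus unconsumed nonces.
type Ledger struct {
	balances map[string]uint64
	nonces   map[string]bool
}

func NewLedger() *Ledger { return &Ledger{balances: map[string]uint64{}, nonces: map[string]bool{}} }

func addr(pub ed25519.PublicKey) string                { return hex.EncodeToString(pub) }
func (l *Ledger) Fund(pub ed25519.PublicKey, n uint64) { l.balances[addr(pub)] += n }
func (l *Ledger) Balance(pub ed25519.PublicKey) uint64 { return l.balances[addr(pub)] }

// IssueNonce hands the client a fresh challenge to bind into its signature.
func (l *Ledger) IssueNonce() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	l.nonces[hex.EncodeToString(n)] = true
	return n, nil
}

// ApplyUnchecked is the bug no memory-safe compiler catches: nothing here
// corrupts memory, yet anyone who knows an address can spend from it.
func (l *Ledger) ApplyUnchecked(t Transfer) error {
	from := addr(t.From)
	if l.balances[from] < t.Amount {
		return fmt.Errorf("insufficient balance: have %d, need %d", l.balances[from], t.Amount)
	}
	l.balances[from] -= t.Amount
	l.balances[addr(t.To)] += t.Amount
	return nil
}

// Apply is the hardened path: the nonce must be one this ledger issued (consumed on
// success) and the signature must verify under From. Length is checked first because
// ed25519.Verify panics on a malformed key.
func (l *Ledger) Apply(t Transfer, sig []byte) error {
	nk := hex.EncodeToString(t.Nonce)
	if !l.nonces[nk] {
		return errors.New("unknown or already used nonce")
	}
	if len(t.From) != ed25519.PublicKeySize || !ed25519.Verify(t.From, t.Bytes(), sig) {
		return errors.New("signature does not verify under the From address")
	}
	delete(l.nonces, nk)
	return l.ApplyUnchecked(t)
}

func main() {
	alice, _ := NewWallet()
	bob, _ := NewWallet()
	l := NewLedger()
	l.Fund(alice.Pub, 100)
	nonce, _ := l.IssueNonce()
	tr := Transfer{From: alice.Pub, To: bob.Pub, Amount: 40, Nonce: nonce}
	fmt.Println("unsigned:", l.Apply(tr, nil))
	fmt.Println("signed:", l.Apply(tr, alice.Sign(tr)), "bob:", l.Balance(bob.Pub))
	fmt.Println("replay:", l.Apply(tr, alice.Sign(tr)))
}
```

Run it with go run; it prints the rejection of the unsigned transfer, the acceptance of the signed one and the rejection of the replay. The signature only proves possession of the key, so the stolen-key caveat above still applies, and the nonce set here is per-ledger; a real service would bind each nonce to the requesting address and expire it.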

But first, more of us in infosec need to overcome our initial reluctance to explore Web3 technologies. And that starts by recognizing that Web3 users deserve safety, not snark.

Next in the two-part series: A deeper look at the Web3 ecosystem through the lens of an infosec professional.