Concern about Russian influence over blockchain standards

As reported earlier, the International Standards Organisation (ISO) is working on a set of standards for blockchain that includes privacy and security. Meetings to discuss potential standards involve delegates from many countries. Yesterday the New York Times reported that at the last meeting in Tokyo, Russia had a delegation of four, three of whom allegedly work for Russia’s F.S.B., the successor to the K.G.B.

The article quoted a delegate who heard one of the Russians say, “The internet belonged to America. The blockchain will belong to the Russians.” A second delegate remembered a very similar quote. But if Russia had these intentions, would they voice them at an ISO meeting? Or are these comments part of the game?

Cryptography

The concern is that one country could push its preferred cryptographic algorithms to be the standard, potentially creating so-called backdoors to spy on blockchain activity. Cryptographic algorithms are peer-reviewed for many years before adoption, so it’s not likely that some unknown methodology will be adopted. There are also a number of cryptographic standards bodies. One of the better-known ones is the US government’s NIST.

The issue is that any cryptography could have a vulnerability that a small number of people are aware of, but most are not.

In the past, there have been ‘Crypto events’ where previously widely adopted cryptography was found to have a vulnerability.

One of the biggest was the ‘Heartbleed’ bug relating to SSL, which secures web traffic. OpenSSL is a widely used package and a requirement to install the popular Apache web server. A vulnerability was introduced into OpenSSL in March 2012 and was only noticed and resolved in April 2014.

Just this year the Spectre and Meltdown computer processor vulnerabilities were announced. These were not cryptographic issues but severe security flaws that allowed unauthorized access to a computer’s memory, revealing what you might have open in other web browser tabs, and more serious things than that.

Many people may have been aware of these vulnerabilities for some time. Some of the issues were discussed in other contexts as early as 2002, and more explicitly in January 2017, and vendors were made aware of the problem in June 2017.

The reality is that we could all be using vulnerable software already. It’s vital that the ISO committee on blockchain has representation from many countries, just to ensure diverse input.

UPDATE
It’s public knowledge there’s a Russian version of Ethereum called Masterchain. In a recent video, Amber Baldet spoke about changes the Russians are making – replacing the standard cryptography used in Ethereum. Baldet headed up the development of JP Morgan’s Quorum until recently. She explains more in the video below.

Masterchain are quite open about what they’re doing: