Cybersecurity Risks in Achieving UN SDG 16.9 with Blockchain Technology

The United Nations (UN) Sustainable Development Goal (SDG) 16.9 aims to provide legal identity for all, including birth registration, by 2030. This ambitious target underscores the critical importance of identity in accessing a wide array of services and rights, from voting to healthcare. As we harness technology to realize this goal, blockchain emerges as a promising solution (1) for its ability to offer secure, decentralized, and tamper-proof ledgers. However, the integration of personally identifiable information (PII), personal health information (PHI), and other significant life events into a blockchain ledger brings to the forefront significant cyber risks that must be addressed.

Blockchain technology offers a revolutionary approach to managing digital identities, ensuring that every individual on the planet has a unique, unfalsifiable, and secure identity. By leveraging blockchain, we can create a system where all forms of PII and PHI are securely encrypted and stored, making them accessible only to authorized individuals and entities. This could dramatically reduce identity theft, fraud, and unauthorized access to personal information.

Using blockchain to manage sensitive data introduces complex cybersecurity challenges. While blockchain itself is highly secure due to its decentralized nature and cryptographic hash functions, the endpoints interacting with the blockchain, such as user devices and applications, remain vulnerable to hacking, phishing, and other forms of cyber-attacks. This vulnerability could lead to unauthorized access to the blockchain ledger, risking the exposure of sensitive personal information.

Second and maybe more importantly, blockchain data is permanent. It therefore presents a double-edged sword. Using blockchain to record EVERY event in your life ensures that once an event is recorded, it cannot be altered or deleted. This means it is an immutable history of an individual’s life events. This immutability raises concerns regarding the right to be forgotten. One may accurately suspect every individual has made choices they’d rather forget. This is not feasible with a blockchain-based digital ID. In Europe, the right to be forgotten is enshrined in data protection regulations like the General Data Protection Regulation (GDPR). Modifying or deleting personal data from a blockchain, once entered, is inherently difficult, if not impossible. This poses significant privacy concerns.

The concentration of vast amounts of PII and PHI in a single ledger, even if decentralized, creates a highly attractive target for cybercriminals. A breach could have far-reaching implications, potentially exposing the intimate details of individuals’ lives. While blockchain technology can significantly contribute to achieving SDG 16.9, ensuring the cybersecurity of such a system is paramount. And not to get overly controversial, errant governments could use the information in your personal life ledger to restrict access to important assets like your bank, or your job. This is already happening in China.

To mitigate these risks, a multifaceted approach is necessary. First, enhancing the security of endpoints through regular updates, robust encryption, and user education on cybersecurity practices is crucial. Second, implementing dynamic consent mechanisms where individuals have control over who accesses their information and for what purpose can help address privacy concerns. Additionally, exploring technological solutions, such as zero-knowledge proofs, can allow for the verification of information without revealing the information itself, further safeguarding privacy.

International cooperation and the development of global standards for blockchain security in the context of digital identities are essential. This would ensure a unified approach to tackling cyber risks, fostering trust in blockchain-based identity systems.

While blockchain presents a promising though possibly troubling pathway towards achieving UN SDG 16.9, it is imperative to navigate the associated cyber risks with a strategic, multifaceted approach. In this way, we can cautiously use blockchain technology to provide secure and immutable digital identities for all (if a person chooses to participate, but that’s another argument for another article), thereby unlocking access to essential services. One could even speculate that tying essential life services to a digital ID might do more harm than good.

Original article can be found here.


Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July, 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop-up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer.  He limited the damage, but key files were being held for ransom.  Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.  

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware.  The insurance covers the costs of:  the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime.  Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack.  Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.  

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy.  Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training.  Some underwriters will require company-wide training programs prior to issuance of the policy. 

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance?  Your business “lives” on a cyber flood plain. One out of every five cyber attacks are against small- and medium-sized businesses.  Of those that suffer an attack, over 60% cannot recover from the residual financial loss.  So, it’s not only big companies that need it.  Small businesses have been flooded right out of business from cyber attacks, when not properly covered.  

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier.  If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it.   The cost of an attack could shut your doors.  So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote.  If you run an AirBnB or a small-repair shop, you may be OK without it.  Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities.   Calculate the risk. If your company was attacked, what would be the impact?  There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world?  Would you be like Rockville Center or  like UCSF?  Consider the options, then … choose wisely.

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: As you can see, at any of those points, the email (like a postcard) can be read by anyone with access. That means, if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.

Unsecure By Design: Email is by design, unsecure. That is why you should never, (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record’s application, it may take care of the encryption for you. But if not, there are email providers that will encrypt your emails. If you use Microsoft Office 365, there is a tier that will allow you to encrypt email. Other email providers like ProtonMail offer encryption capabilities. A Chrome extension even exists allowing you to encrypt Gmail. It can be a little inconvenient because you have to think up a strong password for each email, then you have to deliver the password to your patient by calling or texting them. If emails containing sensitive data are sent infrequently, the risk is lower. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me.