The Journal of The British Blockchain Association

The Need for Cyber Resilient Enterprise Distributed Ledger Risk Management Framework

  • Robert Campbell

Abstract


Critical infrastructure sectors are increasingly adopting enterprise Distributed Ledgers (DL) to host long-term assets, systems, and information that are considered vital to an organization's ability to operate, yet without clear or public plans and strategies to migrate safely and in a timely manner to Post Quantum Cryptography (PQC). A DL compromised by a quantum computer (QC) would allow eavesdropping, unauthorized client authentication, signed malware, cloaking within encrypted sessions, man-in-the-middle (MITM) attacks, and forged documents and emails. These attacks can lead to disruption of service, damage to reputation and trust, injury to human life, and the loss of intellectual property, assets, regulated data, and global economic security. In 2018, Gartner revealed that a QC is a digital disruption that organizations may not be ready or prepared for, and that CIOs may not see coming. On September 18, 2019, IBM announced that the largest universal QC available for commercial use would be available in October 2019. On October 23, 2019, Google officially announced "Quantum Supremacy," "by performing a calculation in 200 seconds that would take a classical supercomputer approximately 10,000 years." DL Cyber Resilience requires "reasonable" measures, policies, procedures, strategies, and risk management before large-scale deployment. Cyber Resilience implementations must be a critical component during the design and building phase, or during the initialization phase. The most significant existing attack vector for enterprise DLs is the Public Key Infrastructure (PKI), which is fundamental in securing the Internet and enterprise DLs and is a core component of authentication, data confidentiality, and data and system integrity [1] [2]. Effectively implementing and managing a quantum-resistant PKI solution requires adherence to PKI standards, industry requirements, potential government mandates, certificate management policies, personnel training, and data recovery policies that currently do not exist.
This research discusses security risks in enterprise DL PKI, identifies the areas that can be compromised, and outlines what a PKI DL Risk Management Framework plan should contain.