HHS’s Blockchain Initiative & Its Security Pitfall
A Review of Cybersecurity Shortsightedness
I really enjoy attending the Washington DC’s Chapter of the National Contract Management Association’s (NMCA) dinners every so often. I see the interest in the challenges and plights of the
On November 14, I attended an excellent round table on how the Department of Health and Human Services (HHS) is embracing “blockchain.” (I was attending because I was not sure if blockchain was just that next “shiny object.” The federal government has had a poor track record in embracing technologies without a clear understanding of what it can and cannot do. After over 20 years in federal service, I have found the government seldom considers second and third order effects. I was
HHS is essentially employing blockchain to provide “trust” or what we call “integrity” to its overall contracting efforts. Being able to assure that the data in all aspects of the “contract” lifecycle, from inception to closeout, is consistent and true. HHS’s efforts were impressive and finally brought this “cynic” around.
HHS will use blockchain to ensure that contractor data being provided to its operational divisions (OPDIV) is trusted data. The data will be provided by its contractors and protected by its blockchain technology. It will be used to ensure that data about costs, inventories, labor categories, rates, etc., are not tampered with or inadvertently modified. Blockchain employs a “publicly” known hashing algorithm that ensures that the original internal data is not altered. If it is changed the recipient is made aware of the modification.
Garbage In, Garbage Out
The data will only be good as the data provided and maintained
by the respective contractor
Now for the Bad News
So, as I am listening to HHS’s lead engineer on the program describe how blockchain will improve “security” of “data at rest (DAR),” I could not stop shaking my head. “It will provide added security…change the way of doing business…and provide greater cybersecurity protections” …….NOOOOOOOOO!
Blockchain is about providing INTEGRITY, not CONFIDENTIALITY. The hashing algorithm used is publicly known, and that’s why you have “bitcoin mining” that can conceivably break the hash–that’s why all the craze about individuals stealing computational-time from university and work computers’ processing power.- The mandate for the federal government is that Data at Rest (DAR), as well as Data in Transmit (DIT)/Motion (DIM), require that it is ENCRYPTED, and NOT JUST HASHED. This lack of understanding opens the HHS initiative to a serious “self-inflicted” security vulnerability. (I hope my friends at HHS and the HCICC/HC3 are going to read this article–I plan to share it with them shortly.)
This is not an article to lambaste a fellow cybersecurity professional. This article is about a basic myth/misunderstanding by many who wear the mantle. It is even more important for a deeper understanding of the C-I-A principles and the underlying concepts that we must practice, understand, and learn as professionals in the field.
Q: When COULD hashing be a form of CONFIDENTIALITY/ENCRYPTION?
A: If and when the hashing algorithm is SECRET.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.
