Translation: Chinese Researchers Take On Blockchain Security
Official think tank CAICT lays out effort to secure blockchain development
Blog Post
Shutterstock / Production Perig
Oct. 16, 2018
Published by the China Academy of Information and Communications Technology (CAICT), a think tank under the Ministry of Industry and Information Technology (MIIT), and the China Communications Standardization Association, which operates with MIIT support, this white paper is one of a series DigiChina is excerpting and translating for English-language audiences.
The paper summarizes the increasing prominence of blockchain applications around the world, outlining the global landscape for blockchain security standardization, before offering the section translated by DigiChina below on China’s own evolving efforts. The most concrete insight into Chinese blockchain security regulatory and standardization efforts comes in the paper’s delineation of several official research and standards-setting processes under section (2)(iii) below.
The remainder of the paper, not translated here, lays out a framework for measures on blockchain security that begins with a delineation of layers. Beginning from the bottom, they are: storage layer, protocol layer, development layer, and application layer. The paper then goes into relatively high levels of technical depth, describing specific potential threats to these layers and, in appendices, listing international and Chinese experiences with these challenges. Among the Chinese cases examined are China’s certificate authorities, the cybersecurity firm Qihoo 360, and Tencent.
Watch DigiChina for further white paper translations, and feel free to e-mail DigiChina Coordinating Editor Graham Webster with questions or comments.
Translation: Excerpts from “Blockchain Security White Paper—Technology Application Edition” (2018)
Published by the China Academy of Information Communications Technology (CAICT) and the China Communications Standardization Association (CCSA)
(2) China’s Development and Application
(i) China’s technological ecosystem structure roughly identical to that of foreign countries; bright prospects for security-related services
Compared to foreign countries, China’s blockchain work began late in terms of technology development, policy guidance, and other aspects. However, in recent years, blockchain has received a high degree of attention from all walks of life as blockchain and related industries developed rapidly. While sufficiently absorbing foreign experience, China has at the same time actively explored combining blockchain technology with its own experiences. By the numbers, China has a great number of active blockchain projects; it accounts for 85.5% of the total projects in Asia and ranks number one in the world. From the perspective of the overall ecosystem, 55.4% of China’s projects focus on industry applications of blockchain, 31.6% of projects focus on base-level technology, 8.5% on hardware and infrastructure, and 4.5% on security services—overall basically identical to the global technological ecosystem structure.
Despite the fact that China has numerous blockchain enterprises, especially when it comes to industrial applications and the continuous exploration of modes for integrating blockchain with existing industry, there are also many industry scams like “blockchain pyramid schemes,” shanzhai currencies, and air currencies (空气币), as well as general industry chaos caused by false and exaggerated product claims. From the perspective of long-term market standardization and development, these issues need to be urgently addressed. In addition, since China’s blockchain development is focused on exploring industry applications, many blockchain technology developers, platform operators, and users generally have low awareness of security, and the demand for blockchain security products and services still does not have strong momentum [emphasis original throughout]. In small and medium enterprises, teams of entrepreneurs, and other enterprises where employees and other resources are limited, the development and project management personnel often do not have professional blockchain security knowledge and rarely establish professional teams dedicated to security management and technology, i.e. personnel that specialize in security development and control, security testing, security management, and related work. For a number of reasons, China’s blockchain security products and services market has not developed at scale.
As security incidents involving blockchain platforms, applications, and smart contracts increased in recent years, domestic enterprises have begun to pay attention to blockchain security issues. Traditional security enterprises and security teams have gradually begun the roll out of blockchain security, continuously carrying out relevant practices in the areas of probing smart contract vulnerabilities, auditing blockchain product code, and monitoring business security, and thereby raising application security levels and the ability to withstand attacks. Some enterprises and research institutions have also begun exploring application models based on “blockchain + cybersecurity” and are working to tap blockchain’s potential to upgrade data security storage and authentication security.
(ii) Policies focus on technology development and application deployment; guidance on security is beginning to take shape
In recent years, China has repeatedly pushed forward policy and has often stressed the value of blockchain applications at the national level, encouraging the development of blockchain technology and applications. The government first mentioned the need to strengthen basic R&D and advance deployment of strategic frontier technologies like blockchain in the December 2016 13th Five Year Plan for Informatization. During his speech at the 19th Meeting of the Academicians of the Chinese Academy of Sciences (CAS) and the Chinese Academy of Engineering (CAE) in May 2018, General Secretary Xi Jinping made clear the need to strengthen “accelerated breakthrough applications in new-generation information technologies, represented by AI, quantum information, mobile communications, Internet of Things, and blockchain.”
The security issues associated with blockchain have become clear as the technology and applications develop. At the same time, China has also begun to pay attention to blockchain security issues in policy formulation and has strengthened guidance on describing the security threats, constructing a security system, and issuing security response recommendations. In October 2016, MIIT’s Informatization and Software Services Department published the “China Blockchain Technology and Application Development White Paper,” which clearly pointed out that blockchain faces security challenges but also provides coping mechanisms. The report described the security features of blockchain and its shortcoming in terms of physical security, data security, application system security, encryption security, risk control mechanisms, etc. (See Figure 1.7).
In May 2018, the MIIT Information Center published the “China Blockchain Industry White Paper,” which further analyzed the security issues faced by blockchain, including low-level code security, the security of cryptographic algorithms, consensus mechanism security, smart contract security, and digital wallet security. The report sorted through the technical methods and code audits typically provided by a security service company and proposed various countermeasures. At the local policy level, local governments in China are actively responding to the national government’s call, attaching a high degree of importance to developing blockchain technology as a component of local development and actively promoting the roll out of blockchain applications. They are also increasingly paying attention to blockchain security and will increasingly see blockchain security as an necessary safeguard to ensure the development of blockchain. In December 2016, Guiyang, Guizhou, published “Guiyang Blockchain Development and Application,” a white paper that proposed using blockchain to establish a trustworthy and secure digital economy, strengthen internet governance, and solve the difficult problem of privacy protection in traditional modes of data, among other issues. Beijing, Shenzhen, Shanghai, Nanjing, and other cities have also introduced policies to encourage research and exploration of emerging technologies such as blockchain in the financial sector, as table 1.1 shows.
Table 1.1: Chinese regional blockchain security-related policies
Region | Policy Document | Policy Contents |
---|---|---|
Beijing | "Beijing Finance Industry Development Plan for the 13th Five-Year Plan Period" | While handling security, encourage development of blockchain technology and other Internet finance security technologies. |
Shenzhen | "Shenzhen Financial Industry Development Plan for the 13th Five-Year Plan Period" | Support financial institutions in strengthening new technology exploration in blockchain, digital currencies, etc. |
Guiyang | "Guiyang Blockchain Development and Application" White Paper | Build a trustworthy and secure digital economy using blockchain, strengthen Internet regulation, etc. |
Nanjing | "Nanjing Financial Industry Development Plan for the 13th Five-Year Plan Period" | With technologies like blockchain at the core, advance widespread application of financial technology in areas such as financial credit. |
Shanghai | "Self-Regulation Rules for Internet Finance Practitioners Applying Blockchain" | Emphasize the balance between innovation on one hand and standardization and security on the other. Pay attention to security and safeguarding against system threats, etc. |
(iii) Accelerate the work of setting blockchain security standards; strengthen technical risk prevention
In order to prevent a series of security risks faced during blockchain technology application, guide the development and deployment of products related to blockchain platform and system standardization. China comprehensively advances blockchain security standardization work on the differing levels of national standards, industry standards, and industry association standards, etc., to promote blockchain technology security, orderliness, and long-lasting application.
At present, China's blockchain security standardization work mainly centers on aspects such as security system architecture and application and platform security requirements. Among these, when it comes to national standards, TC260 [Technical Committee 260 - National Information Security Standardization] WG5 [Working Group 5 - Information Security Assessment] is devoted to designing and building standards on the basis of blockchain auditing information infrastructure to handle security threats such as tampering with auditing data or leaks of sensitive information. WG7 [Working Group 7 - Information Security Management] is proposing blockchain application security management modes and formulating basic control measures for blockchain application security management, through researching blockchain application security management principles, roles, and models. SWG-BDS [Special Working Group - Big Data Security] has already begun a blockchain security standard system research program and is: formulating blockchain threat models; identifying blockchain critical assets and major threats; proposing support programs, designs, and implementation for a unified blockchain security framework; and proposing clear and specific security capability requirements for key modules. When it comes to communications industry standards, blockchain security standardization work is led mainly by CCSA TC8 WG4 [China Communications Standards Association; Technical Committee 8 - Network and Information Security; Working Group 4 - Security Foundations], which focuses on blockchain security; develops and implements standards programs, for instance in blockchain development platform networks and data security technology requirements; and blockchain digital asset storage and transfer protection technology specifications. It also conducts research programs, for instance on blockchain technology digital certification management technology and blockchain platform security mechanisms and agreements.