The Node Ahead 52: Bitcoin as a cyber security network

grain overlay

By Brett Munster

The implications of bitcoin stretch far beyond just a speculative financial asset. In past issues, we have covered how bitcoin mining is helping to stabilize energy grids, reduce methane emissions, and incentivize the adoption of renewable energy sources. We have covered the socio-economic impacts bitcoin is having for those living in hyper-inflationary economies or oppressive regimes by providing a way for citizens to opt out of a failing economy and into a financial system that is transparent, predictable, immutable, and inclusionary. We have discussed in depth why Bitcoin is the fastest, cheapest, and most secure settlement network to ever exist thus enabling cross border payments to millions of people around the world regardless of whether they have a bank account or not. 

There is another potential use case for Bitcoin’s network that we have yet to cover but may turn out to have global implications. It is possible Bitcoin could be the greatest cyber-security defense network ever created.

To date, the vast majority of the analysis regarding Bitcoin’s underlying proof-of-work protocol has almost exclusively focused on its financial, monetary or economic impacts. However, a new thesis written earlier this year by Jason Lowery, a US National Defense Fellow at MIT, argues that Bitcoin can not only function as a monetary network, but could also function as a cyber-security technology that could empower individuals, companies and nation-states to secure their digital information. 

Major Jason Lowery is an active duty astronautical engineer and field officer in the US Space Force. Jason has worked for over a decade as a technical and weapon system development advisor for high-ranking U.S. officials such as the Office of the President of the United States, the Office of the Secretary of Defense, and Office of the Director of National Intelligence. He is a subject matter expert in electronic warfare which makes him uniquely qualified to publish a thesis on the benefits of Bitcoin as a cyber security system. This article is a high level, though not a fully comprehensive, summary of Jason’s thesis intended to highlight his main arguments. If the reader finds this recap interesting, I highly encourage you to read Jason’s full thesis which can be found here.

But before we get into how Bitcoin can secure information in cyberspace, it’s worth establishing an understanding of how we secure things in the real world. The basis for all security resides in the ability to project physical power in the form of kinetic energy. We protect valuable items by putting them in safes or vaults. Why? Because it would require a prohibitive amount of energy to be exerted by a would-be thief to break into those safes and vaults. Even though we write laws to define how society expects its citizens to act, we use physical power to enforce those laws. For example, a police officer will handcuff an offender (thereby exerting physical force to some degree) and then physically transport that individual to jail. At a national level, countries may engage in diplomacy to come to an agreement but it’s a nation’s military that enforces those agreements with physical power (or threat of using physical power). The basis for all security is the ability to channel energy at adversaries or force adversaries to expend a prohibitive amount of energy to achieve their end goals.

The use of physical force or power can be measured in Watts. A Watt is a standard unit of power which measures the rate of energy transfer over a unit of time. Over the course of history, we have become increasingly more creative, and more effective, in how many Watts we can project (aka how much physical power we can exert on our adversaries). Over time we progressed from swords (ability to deliver a greater amount of force than punching with our fists) to bow and arrows (which could project more Watts over greater distances than a sword) to guns (even more Watts over even greater distances) to bombs (I think you get the point). Throughout history, humans have constantly increased their ability to channel Watts to secure resources, settle disputes and establish hierarchies. 

This ability to channel Watts and project kinetic energy (one could think of this as a “proof-of-power protocol”) imposes severe physical costs on the attacker until they don’t have the capacity or inclination to continue their attack. That is how humans have historically protected themselves and secured their resources in the physical world. Unfortunately, this form of physical security is energy intensive and prone to causing destruction, injury, and death in extreme circumstances. 

Despite its harmful drawbacks, this form of physical security is zero trust (physics works as intended regardless of whether you trust the other party or not), egalitarian (all organisms are subject to the same potential damage caused by kinetic energy), inclusive (everyone is able to access and leverage Watts the same way) and permissionless (an invading country doesn’t ask for permission to invade, they do so because they believe they have superior physical power projection capabilities). If these properties of a “proof-of-power protocol” in the real-world sound similar to bitcoin’s proof-of-work protocol, that’s the point (but don’t jump ahead of me just yet).

Securing digital data is a massively growing problem. If the total amount of money stolen from cybercrime were treated as its own country, it would represent the third-largest economy behind only the U.S. and China. In a report issued by Cybercrime Magazine, global cybercrime is expected to grow to $10.5 trillion annually by 2025. To put that in context, that is “exponentially larger than the damage inflicted from natural disasters in a year and will be more profitable than the global trade of all major illegal drugs combined.” 

The reason for such proliferation of cybercrime is that the traditional approach we use to secure digital resources (aka data) in cyberspace is vastly different from the approach we use to secure resources in the real world. Whereas in the physical realm, the ability (or just the threat) to channel Watts is used to inflict severe costs on attackers, in the digital realm, there is no link to real world costs. This is due to three reasons.

First, there are zero (or close to zero) marginal costs when it comes to software. This feature is great for some things. It’s why we have unlimited digital photos rather than having to go to the store to develop rolls of film. It’s why we have unlimited streaming music and movies rather than having to buy individual CDs or DVDs. But the same principle holds true for hackers. There are zero marginal costs for a hacker to attempt to compromise a piece of software. It’s nearly no difference in cost to create one bot as it is to create a million. Denial of Service hacks literally work by sending millions of service requests in an attempt to overwhelm a software system. Hackers can do this because costs are trivial. There is no marginal cost for building one more bot, or sending one more piece of spam, or posting one more piece of misinformation to social media. 

Hence, we end up with weaponized misinformation, troll farms, bot farms, sybil attacks, DoS attacks, wide-scale online fraud, censorship, shadow banning, data leaks, state-sponsored surveillance, social network targeting campaigns, and more. No matter where you go online, it has become standard practice for your bits of information to be stolen, surveilled, and/or sold to the highest bidder in large part because it costs hackers next to nothing to try to gain access to your information.

The second problem has to do with how software is built. To ensure a piece of software is used only as intended, developers build logical constraints into the code. However, history has shown time and again that these logical constraints are insufficient at stopping bad actors from exploiting that logic. When a hacker “hacks” a piece of software, they simply execute (or withhold) control signals that were not properly constrained by the software’s code. In other words, they find a way to exploit the software’s logic to use the software in a manner that its creator never intended.

Making matters more challenging is the fact that attempting to prevent exploits by encoding more logical constraints increases the complexity of the code which oftentimes increases the attack vectors for malicious actors, thereby having the opposite effect of its desired intention. Therein lies why securing digital data using traditional methods will always have an inherent vulnerability. It requires a software engineer who can understand all historical vulnerabilities as well as anticipate all future different combinations of control signals that should or shouldn’t occur and then build logical constraints encompassing all of that at the same time making sure the software performs as intended. 

The third problem has to do with trust. Without a way to physically constrain software control actions, a common solution is to employ permission-based hierarchies where special permissions are given to a select few users. The most common example is “Admin Rights” or colloquially known as “God Rights” because of the amount of control and power these admins have compared to regular users of the software. We build most of our computer networks in this manner which results in software administrators having highly asymmetric levels of power and control over other people’s digital information and there is often no way for end users to constrain these administrators. 

Therefore, regular users are forced to trust that these admins will not abuse their capabilities. They also are required to trust that the system is designed in a way that outsiders can’t gain control over the admin’s account. Consequently, anyone that uses software services designed in this hierarchical structure is vulnerable to their digital data being exploited and must rely on the centralized organization to be both highly competent and act in good faith. As Jason states in his thesis, “The predominant software security design methodology produces trust-based, permission-based, and inegalitarian power hierarchies which give a disproportionate amount of control to a select few people who must be trusted not to exploit it or trust that unwanted actors can’t gain access to abuse it. Because these control structures designs rely on trusting people not to execute unsafe control actions rather than physically constraining them, they will always be systemically insecure.”

What we need, Jason argues, is to take the principles of how we secure resources in the physical world and apply them to the digital world. Just like when populations become less capable of imposing severe physical costs on their attackers, they become more vulnerable to invasion; the inability to impose severe and prohibitive costs on bad actors in the digital realm leaves individuals vulnerable to exploitation. Ideally, cybersecurity methods would be rearchitected in such a way that people can protect their information not through logical constraints, but by channeling real world, physical power in the form of Watts in and through cyberspace thereby gaining the ability to impose severe physical costs on bad actors. By rooting our digital information in physical energy, we can eliminate the zero marginal cost of hacking, move from code-based logical constraints to constraints based on real world thermodynamics, and replace hierarchical structures with decentralized ones.

Fortunately, such a technology does exist. 

Bitcoin’s system of validating transactions (otherwise known as mining) works by a decentralized network of computers competing against each other to create a block that consists of numerous transactions. This process of validating a block takes a considerable amount of energy to accomplish and the result of successfully creating a block on the blockchain is a “Block Hash.” A hash function is an encryption method for validating the integrity of a piece of data. This hash is proof that energy was expended, and real-world work was done to verify and secure all those financial transactions within the block.

Blocks are created in chronological order thus creating a chain of blocks (hence the name “blockchain”). In order to hack Bitcoin’s network, a cybercriminal would have to break the encryption of the most recent block, then break the encryption of the previous block and so on. Breaking the encryption of just one block requires an extreme amount of computing power applied in a short period of time and each subsequent block further back in the chain requires exponentially more computing power to hack. This is why after just a couple of blocks, it becomes impossible for any modern-day computer or decryption technique to work on Bitcoin’s blockchain. There literally isn’t enough compute power in the world today to break Bitcoin’s string of encryption.

Therefore, Bitcoin’s blockchain is immune from hacking due to the limitations of real-world compute power. It’s this same property that prevents any single entity from gaining control of the network as well. Proof-of-Work blockchains work on a consensus mechanism, meaning that 51% or more of the participants in the blockchain must verify the details of each transaction before it is added to the block. Therefore, one of the few vulnerabilities Proof-of-Work has is called a 51% attack. If any one entity controls a majority of the network, that entity would be able to dictate which transactions get verified and which don’t.  

While theoretically possible, this is likely an impossibility for practical reasons. Bitcoin is by far the largest computing network on the planet. The amount of physical infrastructure it would take to accumulate 51% of the network’s hash rate would cost trillions of dollars to acquire. Even if an entity such as a nation state was willing to spend that amount (which would be against their own financial self-interest), it would take years and years to acquire that amount of hardware because the number of ASICs needed to aggregate that amount of computing power in one place literally isn’t available to buy at the moment. It’s not like you can just go to Walmart and put in a bulk order of specialized computing chips. During the time it would take to acquire enough hardware (we are talking numerous years), the Bitcoin network will continue to grow in hash rate thus requiring even more ASICs by the would-be attacker. Practically speaking, it’s impossible for one entity to gain control over the network because of the extreme physical costs it would take to do so.

As we can see, in order to attack bitcoin’s network, it requires an immense amount of physical infrastructure and electricity. There are no admin rights or logical constraints to exploit. The only method to attacking Bitcoin’s network is through brute force computing power but to do so would require would-be hackers to take on prohibitive real-world costs that can be measured in Watts and dollars. 

Users can therefore leverage Bitcoin’s proof-of-work protocol to protect their digital data from bad actors by making it either impossible or not economically worthwhile to attempt to hack a transaction in the first place. For example, rather than signing documents electronically, in which its rather trivial to counterfeit the electronic signature or tamper with the document after the fact, it would be far more secure to put that document on the blockchain behind a wall of encrypted energy. Hashing contracts, wills, and other legal documents directly onto the Bitcoin blockchain makes it impossible for someone to tamper or counterfeit those documents in the future because of the severe real-world costs of hacking the Bitcoin blockchain. Just as strong property rights in the real world are key to a functioning economy, Bitcoin could become the foundation of commerce on the internet not only because of its economic properties but also because of its cyber defense properties. 

Because Bitcoin is fundamentally architected differently than traditional software systems, we can now merge the benefits of physical security with cyberspace for the first time in computer science history. At its core, Bitcoin is a computer network that converts physical power in the form of Watts into digital bits of information. Whereas most computer systems only use encoded logical constraints to prevent systemic exploitation, Proof-of-Work uses real world physical power to keep these digital bits of information secure by physically constraining and imposing severe physical costs on anyone who tries to gain or maintain centralized control over those digital bits. Think of bitcoin as a way of importing real world physical constraints and thermodynamic restrictions into the digital realm, anchoring cyberspace in the real world.

By anchoring cyberspace in the physical world through a decentralized network that anyone can access but no one can control, bitcoin demonstrates that people can gain and maintain zero-trust, permissionless, egalitarian, and decentralized control over their own digital information. But here is another key insight by Jason; bits of information secured on Bitcoin’s network could denote any type of information, not just financial. Thus, bitcoin could represent a completely novel system for securing any and all information in cyberspace. It makes sense that once we have figured out how to keep digital financial information physically secure, we have figured out how to keep all bits of information physically secure from cyber-attacks. Viewed in this light, Bitcoin becomes more than just a monetary system, but also potentially a revolutionary new cyber security system.

If you stop to think about it, Bitcoin is already the most secure computing network in human history. Bitcoin has operated for nearly 15 years, securing upwards of a trillion dollars’ worth of value without ever being hacked. It’s not that people don’t know how to exploit or hack Bitcoin’s network, it’s that it’s not practical for attackers to justify or overcome the immense physical costs to do so. Bitcoin’s infrastructure consists of the global electric grid and existing internet infrastructure that is spread across the world. Because it’s a decentralized network, the only way to destroy it would be to simultaneously destroy the global internet and global energy grid. 

There is no technical or logical reason why Bitcoin could not serve as both a monetary network and cybersecurity network. Bitcoin is therefore, theoretically, also of national security significance because it would represent the discovery of a globally adopted physical security protocol for transporting digital information throughout the world. The actions taken by organizations like SWIFT to impose financial restrictions against foreign countries have showcased to the world that whoever controls the network of computers managing the valuable bits of digital information has power over them. Nations are beginning to see that a zero-trust, permissionless computing network that enables bits of info to be transmitted, received, and stored is becoming vital to national security. 

But as Jason points out, it’s not just financial info, but any kind of digital info. As nations rely more and more on drones and cyber warfare, militaries will need to ensure that state sponsored hackers do not gain control of their weapons or communication systems. The best way to do that is to leverage Bitcoin’s proof-of-work protocol to impose real world costs on any potential threats. 

Sovereign nations use physical force to protect their country and resources via land (tanks), sea (aircraft carriers) and air (fighter jets). It’s becoming more and more necessary for sovereign nations to also protect their country’s valuable bits of digital resources. And if that’s true, Bitcoin’s “coins” would represent not just an economically valuable digital resource, but also a strategically advantageous resource within cyberspace. Much like canals and ports are strategically valuable spaces in the real world, bitcoins could become the most strategically valuable resource in the digital realm. 

Is Jason arguing that the Bitcoin network and bitcoin tokens are of military and national security importance. Yes! And if that seems like a crazy thought, Bitcoin wouldn’t be the first technology initially used for one purpose only to turn out to have major military significance. Black powder was originally invented for medicinal purposes and stayed that way for hundreds of years. Eventually, we figured out how to channel the energy stored inside black powder to power weapons and the nature of warfare and security was forever changed. In the 1450’s, Emperor Constantine XI refused to adopt cannons after an iron engineer invented them and offered to build them to defend Constantinople against the Ottoman Empire. Emperor Constantine was killed a year later during the siege of Constantinople by…you guessed it…cannons. Even after seeing the first planes in person, General Ferdinand Foch, the Supreme Allied Commander in WWI, famously stated that “airplanes are interesting toys, but of no military value.” Even though planes had been around for years prior to WWI, it wasn’t until after the attack on Pearl Harbor that the U.S. government start to take the notion of planes as a security technology seriously. Considering how many times in recorded history that society has failed to recognize the strategic importance of emerging technologies, technologies which seem obvious in hindsight, it would not be a surprise that most people have failed to recognize Bitcoin’s potential as a cyber security defense network. 

There would be side benefits to adopting Bitcoin as a cybersecurity protocol beyond the ability to secure digital information. The first could be the acceleration of clean and renewable energy creation. If Bitcoin is of national security interest, then it is likely that a competitive race between nations to build hash power on the network would develop. Of course, this is a bit ironic because the more people and organizations use their physical energy to increase their hash power on the network, the more physical power is required for any single entity to gain and maintain centralized control. The more they compete against each other and add more power to the network, the more secure all parties become against hacks and exploits. Jason Lowry refers to this property as “mutually assured preservation.”

In fact, society could potentially benefit from this power competition as it would motivate a greater number of people to search for increasingly more clever technologies to generate more power more efficiently. We have already seen Bitcoin spur innovation in clean and renewable technologies. A global competition would likely further accelerate the advancement and adoption of clean and renewable energy sources. Whereas the byproduct of physical security is physical harm and destruction, the byproduct of securing cyberspace with Bitcoin could be the creation of more energy infrastructure and cheaper energy. As a result, we could see growth in both efficiency and capacity of power grids in the coming future.

The second benefit has to do with the fact that Bitcoin is a non-destructive, non-lethal form of physical security. Whereas in the real world the channeling of Watts results in kinetic energy, proof-of-work channels Watts electronically in and through cyberspace. Kinetic energy-based security protocols in the real world can lead to injury, destruction and even death. Electronic energy-based proof-of-work could represent a way to secure information and ownership of property that is incapable of causing physical harm.

As Jason argues in his thesis, would it not be morally, ethically and ideologically preferable if the physical costs of security were imposed electronically rather than kinetically? Would it not be preferable to adopt non-lethal and non-destructive security tactics such as Bitcoin’s protocol that doesn’t result in physical harm? Lowry theorizes that “it’s possible that an unthinkable amount of human suffering could be replaced by an electricity bill.”

In summary, the way we secure resources in the physical world is by channeling energy (Watts) to impose severe and prohibitive costs on would-be attackers. We have never had the capability of imposing real-world costs on attackers in cyberspace and thus have resorted to other methods. However, these methods are fundamentally flawed and thus will always be vulnerable to exploitation. For the first time, Bitcoin’s proof-of-work protocol allows us to channel Watts in and through cyberspace so that we can impose real world physical costs and thermodynamic constraints on would-be attackers in a zero-trust, egalitarian, and permissionless way that no person or organization has control over. Bitcoin is capable of securing any digital data, not just financial data and thus could become the ultimate cybersecurity network in addition to a monetary network. This form of defense is electronic, not kinetic, and thus has all the benefits of physical security without the downside of destruction, injury or death. And if this theory proves to be true, it will make Bitcoin’s scarce resource, the token, arguably the most valuable economic and strategic digital asset in the world.

Note: The arguments and theories laid out in this newsletter are not the author’s, they are a summary of Jason Lowry’s recently published thesis and intended only to provide the reader a glimpse into the potential use of bitcoin as a cyber security system and the potential national security implications of a proof of work protocol. If the reader would like to learn more, I encourage you to read Jason’s full thesis entitled Software: A Novel Theory on Power Projection and the National Strategic Significance of Bitcoin.

In Other News

$1.4 trillion asset manager Franklin Templeton intends to file for a spot bitcoin ETF.

The SEC acknowledged that after a multi-year investigation, it has no evidence customer funds were misused by Binance. 

Bankrupt crypto exchange FTX has filed a new presentation in a U.S. court, outlining its plans for a potential relaunch of its trading platform.

House Majority Whip Tom Emmer reintroduced his CBDC anti-surveillance state act, with 50 Republicans co-sponsoring the bill.

Binance.US CEO leaves as exchange cuts one third of its workforce.

Deutsche Bank, Germany’s largest bank with its $1.4T of assets under management, has announced that it would start offering crypto custody services to institutional clients.

An interventionist SEC risks a courtroom backlash.

U.S. banking giant Citigroup has started a tokenization service for cash management and trade finance for institutional clients.

The CBDC Anti-Surveillance Bill passed the House Committee and is now headed for a vote before the House.

Disclaimer:  This is not investment advice. The content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained constitutes a solicitation, recommendation, endorsement, or offer to buy or sell any securities or other financial instruments in this or in any other jurisdiction in which such solicitation or offer would be unlawful under the securities laws of such jurisdiction. All Content is information of a general nature and does not address the circumstances of any particular individual or entity. Opinions expressed are solely my own and do not express the views or opinions of Blockforce Capital or Onramp Invest.

Disclaimer: This is not investment advice. The content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained constitutes a solicitation, recommendation, endorsement, or offer to buy or sell any securities or other financial instruments in this or in any other jurisdiction in which such solicitation or offer would be unlawful under the securities laws of such jurisdiction. All Content is information of a general nature and does not address the circumstances of any particular individual or entity. Opinions expressed are solely my own and do not express the views or opinions of Blockforce Capital or Onramp Invest.


Request More Info

"*" indicates required fields

Select all that apply
This field is for validation purposes and should be left unchanged.