State of Blockchain in Public Sector
Hello! My name is Rudy Subramanian, a Cloud Platform Solution Engineer at SAP, and also a public sector blockchain SME and emerging technology enthusiast. Prior to joining SAP, I worked in investment banking and held finance roles in the healthcare and utilities industries.
In this document, we will examine the state of blockchain (BC) and innovation within the public sector in general and within a number of federal agencies, along with their areas of focus and the potential for co-innovation and future revenue opportunities.
Most government leaders today agree that modernization/innovation initiatives have fallen flat. Frontis Wiggins (DoS CIO) best explains the difference between modernization and innovation. Modernization means to optimize existing processes to be faster and easier. Innovation means to break the mold. One example is the ACP140 format created for telegrams 70 years ago, a format that was created with the technological limitations of the 1940s in mind. Telegrams evolved into Mod40, and then to personal computers, but the format stayed. Is the next step simply to migrate those archaic formats to Cloud?
We need to change the outdated business process created 70 years ago, now that the tech landscape has changed, and BC is part of that revolution. But DoD research could not identify any business processes upon which BC could simply be overlaid to improve security or efficiency; the processes need to be reimagined. While BC can help drive that transformation, there are some very real concerns that first need to be addressed, concerns around security, privacy, and interoperability.
Security – The first security concern revolves around encryption. All encryption protocols have a time horizon; it isn’t a question of whether the encryption can be broken, but rather when. Are the underlying cryptographic algorithms (SHA-256, etc.) robust enough to resist threats, given recent developments in other technologies like machine learning and quantum computing? The second security concern revolves around establishing identity. Identity is typically established in a BC network by matching a public and private key. What happens if the private key is lost, and how can a new key be created and tied back to the account? A robust identity management solution compatible with BC technology will need to be developed before any solutions become feasible. The third security concern revolves around militarization of a BC network by a nefarious entity. What if such an entity gains control of >50% of mining nodes in a network? Integrity of the BC is no longer assured.
Privacy – Privacy concerns naturally stem from security concerns. If encryption has a finite time horizon, and BC networks are by nature decentralized, then private information stored on the BC will eventually become public. Firstly, we need to understand the nature of privacy risk – how will a privacy breach impact those whose data is stored on the BC? Secondly, based on those risk standards, we need to determine which information must remain private and which can be made public. Thirdly, we need to understand how technology can be utilized to create a system that keeps private information off the BC, while still taking advantage of the benefits offered by BC.
Interoperability – When the discussion around technology begins, we need to understand how we can create robust and flexible systems that are interoperable. Government IT is full of siloes, created by poor procurement methodologies and other systemic issues. Agency leadership seems intent on rectifying some of these issues, but interoperability is dependent on three primary things: payload, policy and protocol, and it is often difficult to align stakeholders in each.
Of course, there is a common underlying thread through each of these concerns, the establishment of standards. In Jan 2018, NIST released Draft NIST Interagency Report (NISTIR) 8202: Blockchain Technology Overview. While not a true standard, the document explains the technology, explores the most common implementations, and also addresses some of the shortfalls and concerns associated with BC. It is an important step towards BC adoption. But NIST isn’t the only organization establishing standards. W3C, which was key to establishing web standards, is now also engaged in creating standards for BC technology.
In conclusion, the technology is evolving quickly and there is a lot of scope for innovation as BC matures. What is the quality that humanity holds most dear? Some may argue that the most important virtue is love or truth. Others may argue that humans hold most dear science or art. But in truth, the quality humanity holds most dear is timing. Let’s explore how SAP can work with the government to co-innovate, to build use cases that are relevant today, not ones that may only be feasible in 5 or 10 years.
According to GSA leadership, the government needs sandboxes, tools they can use to experiment and collaborate. These tools have not yet been defined, and SCP could be the perfect sandbox environment, especially if agencies are dealing with enterprise data.
To properly position SAP, however, we need to understand the state of BC understanding and exploration within specific agencies.
Department of Defense
John Bergin (DoD CIO) admits that DoD is no longer driving innovation but rather chasing it. According to him, DoD programs fail for a number of reasons. DoD typically invests in monolithic systems that are always ‘green.’ Teams are not incentivized to admit that systems are ‘red’ or simply no longer working. Over time the DoD has locked itself into long term contracts for these monolithic systems that stymie innovation. One example is an automated filing system developed in the 1950’s that is still running. When the focus is on technology, systems are simply modernized, and business processes remain unchanged. For true innovation to take place, these business processes need to be reengineered.
The question that should be at the forefront of every conversation centers around lethality. For example, how can we stop paying auditors and start paying soldiers? Auditors are lethal to the DoD, but they are not lethal to the Taliban. How can we innovate business process to increase lethality, while reducing overhead?
One such goal is 10-turn-10 – how can the squadron fly 10 planes in the morning and 10 planes in the afternoon, with high utility and low downtime? Perhaps predictive maintenance can help identify parts requiring replacement before catastrophic failure, and additive manufacturing on a carrier can fabricate these parts just in time (JIT) as needed. In fact, DoD just completed a PoC using blockchain (BC) technology to establish provenance of digital files used to fabricate parts in an additive manufacturing scenario.
The Proof of Concept (PoC) was built by Commanders Steven Dobesh and Jonathan McCarter and their team, using a private BC (Tendermint) adapted from a MITRE project. The BC itself was unable to deal with files >150 bytes, and because the CAD files were ~20MB, a distributed file system was used for storage. The team was given $40,000 for this project, and they were able to demonstrate that provenance of digital files could be established using BC technology. Dobesh was given $750,000 for other initiatives.
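The split described above, where small records go on chain and large files stay off chain, can be sketched as follows. This is an added example, not code from the DoD PoC: the record layout, the use of SHA-256 digests, the in-memory dict standing in for the distributed file system, and all names are assumptions.

```python
import hashlib

MAX_RECORD = 150  # bytes; the on-chain size limit the post reports for the PoC

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Ledger:
    """Append-only records, each committing to the hash of the previous one."""
    def __init__(self):
        self.records = []  # raw record bytes as they would sit on chain

    def append(self, part_id: str, file_digest: bytes) -> int:
        prev = sha256(self.records[-1]) if self.records else bytes(32)
        record = prev + file_digest + part_id.encode()  # 32 + 32 + len(id)
        if len(record) > MAX_RECORD:
            raise ValueError("record exceeds on-chain size limit")
        self.records.append(record)
        return len(self.records) - 1

    def chain_ok(self) -> bool:
        prev = bytes(32)
        for rec in self.records:
            if rec[:32] != prev:  # an earlier record was altered or reordered
                return False
            prev = sha256(rec)
        return True

def publish(ledger: Ledger, store: dict, part_id: str, cad: bytes) -> int:
    digest = sha256(cad)
    store[digest.hex()] = cad  # large file stays off chain, keyed by digest
    return ledger.append(part_id, digest)

def verify(ledger: Ledger, store: dict, index: int):
    """Return the file bytes only if they match the digest anchored on chain."""
    if not ledger.chain_ok():
        return None
    digest = ledger.records[index][32:64]
    data = store.get(digest.hex())
    return data if data is not None and sha256(data) == digest else None

def demo():
    ledger, store = Ledger(), {}
    cad = b"solid bracket\n" * 1000  # constructed stand-in for a CAD file
    idx = publish(ledger, store, "bracket-rev1", cad)
    intact = verify(ledger, store, idx) == cad
    store[sha256(cad).hex()] = cad + b"extra facet"  # modify the off-chain copy
    return intact, verify(ledger, store, idx) is None

if __name__ == "__main__":
    print(demo())
```

The chain check only detects changes to records that a later record commits to; in a real network the newest record is protected by the consensus among nodes, which this sketch does not model.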
From this experiment, a number of lessons were learned. Firstly, in government, use cases for public BCs are extremely limited and most implementations will be private or permissioned BC networks. The government is extremely risk averse and fear of militarization drives all decision-making. For example, most cryptocurrency mining is done in China, driven by cheap electricity, and these miners are required to register with the Chinese government. What if in the future, the Chinese government decides to appropriate these nodes and gains control of >50% of the network? The consensus algorithm required to establish authenticity no longer works.
Secondly, BC will drive new business models. The DoD found no business processes over which BC could simply be overlaid in order to drive security or efficiency. Business processes will need to be reengineered. For example, additive manufacturing will drive new procurement models. How can the DoD fabricate the parts it needs, while still protecting the IP of the OEM? Perhaps a subscription model can be created, where the OEM promises to maintain and update the digital files required by the 3D printer. How will bandwidth limitations in the field affect this model?
Thirdly, establishing and maintaining identity is a bottleneck in most BC scenarios. Identity is typically established by matching a public and private key. What happens if the private key is lost, and how can a new key be created and tied back to the account? How can identity be established without maintaining any personally identifying information (PII) on the BC?
While the focus for FY2018 will be logistics, a number of additional use cases have been identified for BC innovation: secure data sharing, PKI and certificate authority, secure reporting and messaging, and IoT device management.
While the interest in BC is still small, as evidenced by the small budget for the additive manufacturing PoC, the DoD is probably the most sophisticated agency in terms of exploring emerging technology. They are funding early stage BC companies like Evernym and Guardtime, and there is potential revenue to be found. We need to start discussions around co-innovation between DoD and SAP, to position SAP as a leader in the BC arena.
Department of Homeland Security
DHS first started research into BC 3 years ago, and currently the organization is in the process of developing PoCs. Their current areas of focus are digital currency forensics, security and privacy, and integration approaches.
According to Anil John, program manager for BC initiatives within DHS, the current agency initiatives revolve around championing global interoperability specs and investing in customer-driven PoCs if the gain/pain ratio can be proven. For example, the agency is currently working with W3C on standards for decentralized identifiers and verifiable claims data models and is funding private sector companies like Evernym to develop robust identity management solutions for BC. They worked with NIST on a Framework for Designing Cryptographic Key Management Systems.
From these PoCs, a number of lessons were learned:
- Public vs. permissioned and private BC – there are very few use cases for which a public BC would be the right implementation
- Architecture and system design cannot be ignored
- Distributed key management is a bottleneck to any viable implementation
- Common ledger data format needs to be established
- Common security and privacy defaults need to be established
- Smart contracts are relatively immature – outside of creating letters of credit and escrow, other use cases are too hard to automate at the moment
Ideas for current and future customer-driven PoCs include:
- Immutable logging to ensure resiliency, integrity, and independent validation of IoT device and sensor data
- Improve international passenger processing through check-in → security → host exit → CBP FIS. We need to answer whether a person is eligible to travel.
- Facilitate international trade
- Mitigate forgery and counterfeiting of official licenses and certificates. This use case is probably the only valid public BC implementation.
Based on the state of BC research and development, DHS is ripe for co-innovation with SAP. They are currently funding private sector companies, and there is potential revenue to be found. We need to start discussions around co-innovation between DHS and SAP, to position SAP as a leader in the BC arena.
Department of Treasury
The treasury department is primarily interested in effective financial management. For example, the treasury department oversees:
- $100sB in intragovernmental differences
- $100sB in grants management
- $145B in improper payments
- $125B in equipment purchases
- $10sB in software licenses
They have a number of BC PoC goals:
- Track and manage physical assets
- Asset transfer and disposal without intermediaries (i.e., IT equipment)
- Automate and streamline processes
- Create end-to-end visibility
- Reduce expenses
As of October 2017, the Bureau of the Fiscal Service’s Office of Financial Innovation and Transformation (FIT) has hired a contractor to build a prototype system in order to “track and manage physical assets (for example, computers, cell phones, and the like).” The bureau is chiefly responsible for borrowing money to fund the government as well as handling interagency payments and accounting.
Based on the state of BC research and development, Treasury is ripe for co-innovation with SAP. While they are behind DoD and DHS in terms of BC innovation, they are currently funding private sector companies, and there is potential revenue to be found. We need to start discussions around co-innovation between Treasury and SAP, to position SAP as a leader in the BC arena.
General Services Administration
GSA’s Emerging Citizen Technology Office launched the U.S. Federal Blockchain program for federal agencies and U.S. businesses who are interested in exploring distributed ledger technology and its implementation within government. Focus areas include AI, mixed reality, and BC, with a mission to improve accessibility, transparency, and effectiveness.
The Federal Acquisition Service (FAS) has a mandate to build government-wide capabilities aligned with the IT Modernization Act. There is a drive to involve industry in discussions around building shared/managed services. FAS has recently launched the Technology Modernization Fund, from which other agencies can borrow money to fund modernization initiatives.
In July 2017, GSA awarded the federal government’s first contract to use blockchain technology, which involved moving FASt Lane, a service that Schedule 70 designed to speed up how quickly new vendors can get on schedule, onto the BC. A crucial element of GSA’s proof of concept was to change two steps of the process: the review of vendor-submitted financial statements, used to determine the vendor’s financial solidity, and the preparation of a negotiation letter that outlines issues over which GSA wished to negotiate before accepting the vendor on schedule.
On the financial review, the traditional process involved a staffer extracting financial information from the material the vendor provided and calculating the firm’s financial health, which took up to a month. The capability developed for the proof of concept accelerated that process so that, in most cases, it’s nearly instantaneous. An automated financial review now occurs immediately. Offers that pass are moved onto the next step in the workflow; those flagged for further review or rejected are routed to a human reviewer for further analysis.
A pre-negotiation letter, meanwhile, is a document prepared for GSA negotiations with a vendor, listing issues to raise in negotiations. The BC, with its full history of entries in the ledger, became the system of record for an entire offer, replacing multiple emails back and forth between the government and vendor, and back and forth with the contracting officer checking multiple systems. It has reduced the time to prepare the letter from 15-30 days to under 10 days. (The system does not currently suggest items for negotiation to the government, but in the future will analyze past pricing data to flag proposed prices that are out of line.)
Based on the state of BC research and development, GSA is ripe for co-innovation with SAP. They are currently funding private sector companies, and there is potential revenue to be found. We need to start discussions around co-innovation between GSA and SAP, to position SAP as a leader in the BC arena.
While this document is not an exhaustive list of BC initiatives within the federal government, it offers proof that there is very real activity in this space and real potential for revenue. While the agencies may not yet be ready to fund large scale BC projects, we need to start discussions between federal agencies and SAP, to understand the issues they are currently trying to resolve, as well as to establish SAP as a leader within the BC domain.
I will continue to stay up-to-date on the state of blockchain, both in general and specifically in public sector, and you can expect future blog posts from me regarding new developments within this space, both from a technical and business perspective. Please reach out to me with any questions or new ideas!