Smart Legal Contracts: Are they as secure as we think?
Current legal systems and processes are not known for their agility. Many of the important tasks carried out by legal teams are cumbersome and time-consuming – and contracts are a prime example. With often complicated conditions and multiple parties involved, ensuring legal contracts are appropriately updated, shared, and securely transferred can be complex.
Smart Legal Contracts (SLCs) could provide the answer. Powered by blockchain technology, this emerging technology is more reliable, transparent, and secure than paper alternatives. Potential use cases and benefits include cutting out intermediaries to streamline transactions and improve property ownership documentation in real estate; automating transactions and maintaining product integrity to protect against counterfeits in supply chains; and securing data privacy on a blockchain only retrievable by authorised personnel.
However, before industries consider the use of SLCs, it’s vital to thoroughly investigate the implications, risks, and impacts.
The advantages and adversities of Smart Legal Contracts
SLCs are a specific type of smart contract that perform legal contract obligations as defined by the UK Law Commission. A smart contract is a self-executing contract with the terms of agreement between two or more parties directly written into the code. The code and the agreements exist across a distributed, decentralised blockchain network, receiving data on the agreement conditions and performing required actions. Transactions are trackable and irreversible between parties, tightening security and reducing administrative burdens. SLCs offer unique benefits over traditional paper contracts, such as streamlining contract executions, providing transparency via coded business logic, and significantly reducing third party costs.
Although the underpinning blockchain technology offers appealing security features, SLCs are not as inherently secure as commonly perceived. Firstly, blockchains are hackable. In 2019, cryptocurrency exchange platform Coinbase noticed its transaction history was under attack. The attacker gained control of more than half of the network’s computing power, using it to rewrite the transaction history of the Ethereum Classic cryptocurrency so it could be spent more than once. In the context of SLCs, this could cause contracts to execute an action, such as a fee payment, multiple times. Secondly, like most information technologies, SLCs rely on good security governance to ensure integrity – poor governance can expose organisations to various threats and legal consequences. So, how can organisations safeguard SLC to minimise risk and reap the rewards?
1. Define and embed strong security governance
Establishing security governance to oversee the SLC infrastructure enables leaders to coordinate security efforts to high risk, high impact areas. Monitoring these areas is important to the integrity and availability of the SLC, as business critical functions may depend on them. An important factor within governance is a vulnerability management framework enabling organisations to manage risks at scale. There are many vulnerability management frameworks available, but they must be appropriately adapted and tailored for SLC use.
SLCs are built on new technology and require multi-party engagement throughout the lifecycle, including parties directly involved in contracts, the coders of smart contracts, business legal teams, banks, and even cryptocurrencies. In some cases, multiple SLCs may be dependent and interlinked. This is the landscape which frameworks must consider, however this is still a developing area of knowledge with little to no best practice guidance available. This makes it all the more important to carefully assess the vulnerability management requirements for SLC when developing a framework.
2. Monitor SLCs to flag and address vulnerabilities
It’s vital to proactively monitor SLCs when in use. Discovering potential vulnerabilities in the execution of contracts is a key security feature that supports contract integrity throughout their lifecycles. While there are smart contract vulnerability detection tools available, the key issue is the efficiency and speed at which they operate. New vulnerabilities are constantly being discovered within SLCs, and tools must be adapted for SLCs in scope. These tools should be capable of scanning data feeds into SLCs to flag any malicious intent at speed. This is still a developing area – many solutions have been proposed for common smart contract vulnerabilities, and more dynamic solutions aim to use machine learning capabilities to address the detection latency and accuracy of tools.
3. Maintain integrity through data provenance
As SLC are legally binding, data provenance is a critical part of maintaining contract integrity. SLCs require continuous data feeds to guide the execution of business logic. This widens the risk surface – threat actors could manipulate contract executions with false data feeds or even perform denial of service (DoS) attacks to disrupt the SLC. Historical records of data and its origin are critical, and must be admissible in court if required.
To reduce legal liability, SLC infrastructure must be able to demonstrate that data has been securely collected, stored, accessed, and processed. In mitigation, SLCs can engage a trusted third party to provide data sources, access to Public Key Infrastructure (PKI), and digital signatures. This protects the confidentiality and integrity of data feeds while proving where data is sent from (and to whom) through non-repudiation.
Organisations should apply these important security considerations before engaging in the use of SLCs. Where organisations choose to outsource SLC development and maintenance to a third party, they must take due diligence to confirm that the third party’s security posture incorporates appropriate controls. By taking this pre-emptive, proactive approach to security, organisations can protect their business assets and functions while optimising the benefits that SLCs bring.