Bot technology is all the rage these days, and with good reason. Bots help you shop and provide customer service. In fact, one bot keeps contacting me on Facebook, telling me how I can optimize my marketing spend. They’re everywhere and they’re getting smarter all the time. Any one bot can access the entire intelligence of the internet to answer your most arcane questions or give you insightful suggestions tailored to your online profile.

Still, the full potential of bot technology has yet to be realized. Right now, most bot interactions take place between a bot and a human. But, what would it be like if bots could bring their powers of recognition, recommendation and bargaining to bear interacting with other bots? Such a time is not that far away. The implications will be profound, particularly for those in DevOps.

The Emergence of Bot-to-Bot Communication

Machine-to-machine communication is nothing new. Unassisted stock trading has been going on for years. A machine monitors stock exchanges throughout the world looking to buy or sell stock according to its programmed logic. Once an opportunity is identified, a trade takes place without any human intervention. While it is true that each machine is acting with some degree of autonomy, the scope of interaction is limited. A machine designed to buy and sell stock is not going to go awry and buy a car. Also, the details of the interaction are well-known. When a trade takes place, the details of the transaction are recorded and an audit trail is created on both ends of the transaction. However, when it comes to bot technology, things start to look different.

Bots can act autonomously. For example, imagine a bot that is on a mission to find the best price for red sneakers in size 9. Instead of using a predefined list of sneaker vendors, the bot can use an internet search service such as Google to find online merchants that sell sneakers. The bot will use the result of the search to continue forward, looking for the best sneaker price. (See Figure 1.) As you can see, there is a good deal of machine autonomy in play already.

Figure 1: Bots use the internet and can act autonomously

Once the best price for red sneakers in size 9 is identified, typically, the bot will defer back to a human to make a purchase decision. However, deferring to a human is not mandatory. As we saw with the stock trading scenario, a machine-to-machine purchase transaction is entirely possible. Thus, given the proper programming, there is nothing to prevent a “buyer bot” from interacting with a “seller bot.” Furthermore, it also is entirely possible for the “buyer bot” to interact with a variety of “bank bots” to determine the best credit card to use to make the sneaker purchase. Who knows? Credit card “A” might be offering better air miles than Credit card “B” on that purchase date.

The important thing to understand is that, in the past, machine-to-machine interaction was pretty much a two-party interaction that is well-known. Today, modern bot technology makes it possible for a bot to engage in any number of transactions with any number of other bots with a high degree of autonomy. Along with such autonomy comes a good deal of risk: Any one of those bots could be an impersonator or could be using fraudulent information.

The Perils of Bot Impersonation

Any transaction is subject to fraud—a person writes a check without the backing funds, another makes a purchase using a stolen credit card, somebody else submits an invoice to a company by impersonating a vendor. These types of misdeeds happen all the time within the scope of human activity. So, too, will such crimes happen with bots. Just as a cybercriminal can impersonate a bank website to lure unsuspecting customers into giving away money and sensitive information, bots will be able to fool other bots into fraudulent transactions.

As bots become increasingly autonomous, the degree of harm that one bot can perpetrate upon another will grow, too. So, what’s to be done?

Ensuring Bot-to-Bot Interaction Using Blockchain

If you want to know that bots are playing by the rules, you have to be able to observe their behavior. For those in DevOps, the usual way to observe the behavior of the systems within an enterprise is by analyzing logs.

Logging is a way of life in DevOps. We put logging statements into the software we write to report the details of the commands executed; we put entry dates in the records we write to our databases; we log the requests being made to websites, and administrators use logs to provide the audit trail necessary to determine the integrity of the transaction being made in systems and between systems. Coupling logging with comprehensive system security and data encryption practices makes it so that IT operations knows who is in the systems and what those entities are doing.

However, given the autonomy that bots can have and the wide scope of interactions that they can engage in, the usual mechanisms used to determine transactional integrity degrade. Going back to our red sneaker example described above, imagine the “buyer bot” contacts an unknown number of “seller bots” to negotiate the best price for a sneaker. Part of the negotiation process is a bidding war among all the “seller bots.” Then imagine that once the sneakers have been identified, the “buyer bot” negotiates with two “bank bots” to determine the best credit card to use. That’s a lot of transactional activity, all of which is dynamic and most of which is unknown. How do we know that each of those “seller bots” is authentic? What do we know about the details of the negotiations done by all the bots in the bidding war for the sneakers? How do we know that the credit card used to make the purchase is not stolen? The fact is, without a common source of truth that describes all the transactions in the sneaker scenario, we don’t.

While it is true that each bot might keep records of its part in a given conversation or transaction, there is no common ledger that records all interactions made by all the bots in the given scenario. Without a common ledger by which to audit the activity, the security, integrity and quality of bot behavior is compromised.

This is not a new problem. Those who work with cryptocurrencies have had this problem for a long time—making sure that the information provided in a transaction is authentic, true and auditable. The way that cryptocurrency systems solve this problem is to use blockchain technology. Given that cryptocurrencies and bots share many of the same security issues, blockchain technology can be applied to bots. In fact, there is an emerging technology that applies the principles of the blockchain to bots. It’s called botchain.

Botchain makes it so that all activities conducted among bots are reported in a common, secure ledger. The botchain ledger is a distributed resource on the internet. Botchain provides the mechanisms and audit trail required to ensure that bot-based transactions on the internet are conducted by authentic bots, acting within the scope of their rights.
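
To make the idea of a common, auditable ledger concrete, here is an added example (not botchain's code and not from the original article) that records the sneaker scenario in a hash-chained log and audits it for impersonated and altered entries. It assumes a constructed registry of bot keys, uses HMAC in place of the public-key signatures a real system would use, and uses an in-memory list in place of a distributed ledger.

```python
import hashlib, hmac, json

# Constructed registry (assumption): bot id -> key enrolled out of band.
REGISTRY = {"buyer-bot": b"key-buyer", "seller-bot-1": b"key-seller-1",
            "bank-bot-a": b"key-bank-a"}
GENESIS = "0" * 64

def _body(prev, bot, action):
    # Canonical bytes that the tag and the chain hash both cover.
    return json.dumps({"prev": prev, "bot": bot, "action": action},
                      sort_keys=True).encode()

def append(ledger, bot, action, key):
    """Append an entry chained to the previous one and tagged with the bot's key."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = _body(prev, bot, action)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    ledger.append({"prev": prev, "bot": bot, "action": action, "tag": tag,
                   "hash": hashlib.sha256(body + tag.encode()).hexdigest()})

def audit(ledger, registry=REGISTRY):
    """Return (index, problem) findings; an empty list means the ledger verifies."""
    findings, prev = [], GENESIS
    for i, e in enumerate(ledger):
        body = _body(e["prev"], e["bot"], e["action"])
        key = registry.get(e["bot"])
        if e["prev"] != prev:
            findings.append((i, "broken chain"))
        if key is None:
            findings.append((i, "unregistered bot"))
        elif not hmac.compare_digest(
                e["tag"], hmac.new(key, body, hashlib.sha256).hexdigest()):
            findings.append((i, "bad tag"))
        if e["hash"] != hashlib.sha256(body + e["tag"].encode()).hexdigest():
            findings.append((i, "entry altered"))
        prev = e["hash"]
    return findings

def demo():
    ledger = []
    for bot, action in [("buyer-bot", "quote request: red sneakers, size 9"),
                        ("seller-bot-1", "bid 59.00"),
                        ("bank-bot-a", "offer: card A")]:
        append(ledger, bot, action, REGISTRY[bot])
    clean = audit(ledger)
    # Impersonation: an entry claiming to be seller-bot-1, tagged with another key.
    append(ledger, "seller-bot-1", "bid 1.00", b"not-the-enrolled-key")
    impersonated = audit(ledger)
    # After-the-fact edit of a recorded bid.
    ledger[1]["action"] = "bid 99.00"
    return clean, impersonated, audit(ledger)
```

Because every entry's hash covers the previous entry's hash, an auditor who holds only the registry can pinpoint which recorded interaction fails verification without trusting any single bot's private records.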

Botchain technology is projected to be an important part of the modern internet, particularly as IoT technology grows. As bots become more a part of the general DevOps landscape—particularly in the e-commerce-enabled IoT space (think: refrigerators that can buy their own inventory)—systems and engineering staff will need to become more adept at using botchain technology to protect the enterprise.

Bots will bring added benefit to the enterprise, no doubt, but they will also create new types of threat vectors. Agent impersonation is but one of many security risks that are sure to emerge. The wise DevOps organization will do well to prepare. At the least, having a working knowledge of botchain will be a good insurance policy to battle the threats on the horizon. As those of us in IT have learned, the best insurance you can buy is the insurance you never use.

Mastering the details of botchain technology is an excellent way for DevOps to address the security issues that will arise with the increased use of bots in the modern internet. There is little downside in preparing for a future that is sure to come.

— Bob Reselman