Securing Your Reputation When Issuing a CBDC
The Bank for International Settlements (BIS) has published its second guide to creating a Central Bank Digital Currency (CBDC) 1. This edition focuses on a security and resilience framework to guide central banks through the critical task of creating a safe CBDC. The challenge, of course, is a CBDC may require a central bank to develop and update a mass market product and serve retail consumers, tasks outside its normal world. Given the complexity of CBDCs and the critical role of payments, the reputational risk is significant.
The paper explains the size of the challenge from the technology touch points through who the bad actors may be to what can go wrong ending up with a framework to create a safe solution. Roles and responsibilities are assigned, and the stakeholders identified. While the paper predominantly deals with the security risks, delivering a resilient solution is actually just as important.
Understanding complexity
A CBDC system is critical national infrastructure in the same way as the countries Real Time Gross Settlement system. It is, therefore, a target and faces a range of threats from the simple and opportunistic through to Advanced Persistent Threats (APT) attacks. As a result, a CBDC system faces a diverse and complex cyber landscape.
Vulnerability: Today we live in a highly digital world which is increasingly interconnected. All this rests on telecommunication and on internet systems. In addition, the physical-cyber system space is becoming increasingly complex with the internet of things (IOT) linking consumers to their everyday machines and industrial components. Add in Artificial Intelligence for good measure and the area of potential vulnerability is huge.
CBDCs are part of this because some of the rationale for them lies in their potential programmability, which could allow delivery versus payment, machine to machine payments between consumer devices and industrial automation.
Attackers: When thinking about the security of a CBDC system, breaches, criminal activity and physical manipulation must be considered. There are also unpredictable threat actors, new threats, a wide range of large attack services and points of failure and supply chain risks. If an attacker succeeds, there are big upsides for them giving them a real incentive to persevere.
Implications: For the central bank a failure brings a potential loss of confidence in the financial system and major reputational, operational and legal impacts.
Polaris framework
This paper offers a security and risk framework for designing, implement and operating a secure and resilient CBDC system against attack and operational failure. The framework is a baseline on which to build and is organised around seven steps – prepare, identify, protect, detect, respond, recover and adapt.
The central bank will need to recognise the complexity and threats created by having a CBDC, adopt modern enabling technology, take stock of the central bank’s existing capabilities, identify capabilities that need to mature and identify new capabilities.
Risk assessment and making choices
The system will need to be resilient against a broad range of scenarios including short term outages, structural infrastructure short comings (eg. lack of reliable telecommunication and internet connectivity, power outages) and civil emergencies.
The starting point will be having in place 24/7 incident monitoring and response, ensuring the critical infrastructure can be implemented and operated at scale, being aware of ‘concentration’ risk (if many organisations in the payment system use the same service provider increasing operational complexity and risks) and working out the risks associated with introducing new technology. With quantum computing becoming a reality, whatever technology is adopted will need to be ‘crypto-agile’, capable of being upgraded and adapted quickly.
Trade-offs will have to be made. For example, cloud computing may provide additional computing resources and protect against the loss of a data centre, but it also introduces new and additional risk.
An early step will be assessing the gap between where the central bank is now and what will be required if a CBDC is introduced. A complex iteration of stakeholders and known and possible dependencies will need to be understood. The possible range of end users and the choice of payment instruments that could be used will add to those stakeholders and dependencies. RTGS systems, instant payments, e-money, mobile money solutions, point of sale solutions, embedded payments etc. all add to the story. And cross-border payments increase it even further.
The paper makes some assumptions, for example that the stakeholders will act responsibly. It also points out that pilot projects are different from live schemes. Generally, resilience is treated as less important while security is treated as if it were a live system.
Key to security
The payment system needs to be able to maintain confidentiality, integrity and its availability. This is common to any payment system and so the key requirements are well- trodden ground; designing for resilience, eliminating single points of failure, emphasising timely action, promoting technical diversity and interoperability, implementing defence in depth, assuming that breaches will happen and be ready to respond and introducing changes in staggered releases.
The list of threats is also well known. The paper listed 16 and it wasn’t an exhaustive list. They ranged from human error to insider breaches to social engineering right through to Advanced Persistent Threat attacks. An outage in the infrastructure or a technical failure seem mundane in comparison.
The paper put forward an industry framework and guidelines along with exhaustive check lists. At the top of the pyramid is the CBDC system itself. This is the input layer for currency and payment related functions.
The middle layer consists of two items, modern IT practices and emerging technology. This is the input layer for control objectives in IT modernisation and Distributed Ledger Technology.
The bottom layer is the input layer for baseline control objectives. It consists of three items:
National Institute of Standards and Technology cyber security framework
Computer emergency response team and European Union Agency for Cybersecurity resilience model
ISO 27001 Information Security Management System.
The paper goes on to detail roles and responsibilities, how to create a project plan and control objectives for every part of the framework. All this should deliver security and resilience management, secure access management, business application environment, secure and resilient infrastructure and incidence management.
This is another good paper from BIS offering central banks a practical starting point for achieving resilience and security.
1 - Project Polaris: A security and resilience framework for CBDC systems (bis.org)
Subscriber content
Read the full article
Full access to Cash & Payment News articles, newsletters and archives.