Most nations are exploring the possibility of launching a central bank digital currency (CBDC) and a handful of CBDCs are already live. This Global Government Fintech webinar explored the cyber-risks.
Central bank digital currencies (CBDCs) are an increasingly prominent topic for government authorities worldwide.
Just a handful of nations – including the Bahamas, Jamaica and Nigeria – have to date formally issued one. But China’s authorities continue to progress the rollout of a digital yuan, India is moving towards issuance of a digital rupee and the European Central Bank has begun a “preparation phase” for a potential digital euro.
Among the most important considerations facing policymakers and CBDC developers is cybersecurity – a topic that (alongside CBDCs themselves) is among the Bank for International Settlements (BIS) Innovation Hub’s 2023 priorities.
Global Government Fintech – the sister title of Global Government Forum – convened a webinar titled ‘CBDCs and cybersecurity: resilience considerations and digital money’ to hear three experts’ perspectives on a topic that BIS general manager Agustín Carstens recently described as being of “critical importance” and “addressing themes at the very heart of central banks’ mandates”.
There are two main types of CBDC: a retail CBDC (also known as ‘general purpose’ CBDC and often abbreviated to ‘rCBDC’) is for people’s everyday use; and a wholesale CBDC, often abbreviated to ‘wCBDC’, which is for interbank use.
A UK House of Lords economic affairs committee report concluded that a CBDC poses two main security risks: first, that individual accounts could be compromised through cybersecurity weaknesses; and, second, that a centralised CBDC ledger could be a target for attack from “hostile state and non-state actors”. The report (published in January 2022) added that while no system design can guarantee absolute security, any CBDC system “will need to be adaptable to emerging security threats and technological change, including fast-developing quantum computing”.
Brazil’s ‘Drex’ progress
Aristides Andrade Cavalcante Neto, chief of cybersecurity and the technological innovation office at Banco Central do Brasil (Brazil’s central bank – BCB), kicked off the webinar – held on 14 November 2023 – by presenting the South American nation’s CBDC project Drex. Its distributed-ledger technology (DLT)-based systems are currently being pilot-tested.
Cavalcante Neto pointed out that launching a CBDC increases the size of a nation’s “critical payment infrastructure” and that any problem, for example “operational disruption or prevalence of fraud”, is very likely to “damage the reputation of the central bank [which] could impact the economy”.
A CBDC system needs to operate 24/7 and offer “high scalability” – having the capacity to process “1,000s of transactions per second”. But the challenge with technology is that “any component can fail”, he cautioned.
The involvement of external partners in actually delivering a CBDC, for example payment service providers (PSPs), means their own resilience and cybersecurity standards are just as important as the central bank’s.
The private sector’s important role was also highlighted by Carstens in his speech at the BIS ‘Securing the future monetary system: cybersecurity for central bank digital currencies’ conference (8-9 November). The former Bank of Mexico governor said that “most customer-facing services [for CBDCs] will remain in the private sector’s remit” and so “cyber-resilience among these institutions will also be crucial to maintaining trust in the system as a whole”, adding that it is “probably reasonable to think of cybersecurity and resilience as public goods among connected institutions”. (BIS also published a 73-page ‘CBDC information security and operational risks to central banks’ document in November 2023.)
‘Long way’ to cyber-resilience ‘maturity’
Cavalcante Neto said that “a lot of questions” surround the technology being piloted in Brazil. Drex is being developed on Hyperledger Besu, a DLT incorporating smart contracts (self-executing contracts).
The BCB is drawing on its experience from its existing real-time gross settlement (RTGS) system, as well as Pix, the instant payment platform launched by the BCB three years ago (and which has proved very successful).
Concerns that he mentioned included: potential “unauthorised access” to the network; data leakage (“as data is stored in a decentralised way” and “cryptography could be broken”); theft or loss of private digital wallet ‘keys’; breaking encryption; and the vulnerability of smart contracts (which he described as “code”).
“We have a long way to run to get mature enough to a cyber resilience that could be combined with a critical payment infrastructure,” he said.
It was important, he said, to engage tech providers and the “financial community” in a “collaborative environment” to learn from trial activity and develop cybersecurity standards. “My advice is not to solve these problems alone: develop pilots with the private sector, exchange experiences and views to build these pilots,” he said, adding that it was also necessary to invest in “cyber-resiliency skills”.
From ‘closed’ to ‘open’ networks
Frankosiligi (‘Franko’) Solomon joined the webinar from Washington DC, where he is a senior digital expert covering cybersecurity and digital risks in the International Monetary Fund (IMF)’s IT department’s digital advisory unit.
He described the heightened pressure that central banks are facing as technology becomes more prevalent and sophisticated. “IT modernisation introduces some complexity,” he said, adding that cybersecurity risks are concurrently on the rise. But many central banks have “restricted and constrained resources when it comes to cybersecurity”.
“The implementation of new digital payment systems such as CBDC may see central banks moving from closed network architecture to open network architecture,” he continued, pointing out that this can increase “vulnerability” to potential “bad actors”.
“If we combine all these challenges, we see that all of them are expanding the attack surface of the central bank network,” he said. “But that is not the only thing,” he continued. “We know that cybersecurity attackers are sharpening their skills and their capabilities – they have real focus to attack the financial sector because this is where the money is.”
Operational failures, too, can “create a vulnerability that can be exploited by an intruder and impact the cybersecurity of the central bank”, he said. “On the other hand,” he continued, “a vulnerability can create an operational failure, which may also put the central bank payment system offline”.
Lessons from ‘live’ CBDCs
Solomon referred to examples of how two ‘live’ CBDCs – the Eastern Caribbean Central Bank’s (ECCB’s) DCash and Nigeria’s eNaira – had faced difficulties.
DCash was hit by ‘service interruption’ in January 2022 (less than one year after launching), with the problem identified as certificate expiration on nodes in the Hyperledger Fabric network (an open-source permissioned blockchain framework). DCash resumed service a few weeks later. “From a cybersecurity point of view, an expired cybersecurity certificate implied that this is a vulnerability. This wasn’t a cybersecurity attack. But it resulted in an outage of the CBDC,” Solomon said.
Nigeria’s CBDC digital wallet app suffered “technical glitches” shortly after the eNaira launched in 2021, he said.
“The lesson from these two examples is that operational challenges or vulnerability can impact central bank payment systems, and these may undermine the confidence that citizens or business may have in the payment systems,” he said.
Solomon concluded his opening remarks by highlighting common problems that many authorities face related to cybersecurity. These include internet and power outages; data protection compliance (also mentioned by Cavalcante Neto); and that “very few jurisdictions have identity verification systems”.
Given these challenges Solomon advised that authorities need to determine whether their cybersecurity capabilities are “commensurate with the evolving data and cybersecurity landscape” before focusing on working out how they would optimise the cybersecurity of any CBDC (should they launch one).
Retail payment systems’ challenges
Dr Geoff Goodell, a lecturer in financial computing at University College London (UCL), was the webinar’s third speaker. He led a multi-organisation research initiative focused on CBDC design and cybersecurity titled ‘Project FIRE’ (‘Future Infrastructure for Retail Remittances’) and is now director of a UCL-led research initiative titled ‘Future of Money’ (which follows a line of research that started in 2017).
Goodell began by proposing that “core problems” of (digital) retail payment systems fall into three categories: challenges associated with the use of centralised systems; the use of identity and authorisation; and “account-based transaction models”.
“Centralised systems that process transactions and keep records can potentially be compromised,” he said. “And that means that they can potentially be used to deny service, but also to change the history of what happened.”
Identity-linked authorisation creates opportunities for identity theft, he said, “and of course, the entire set of challenges associated with the protocols that can facilitate identification”.
On the third problem, he said that “systems that have transactions linked to accounts can potentially reveal information about transacting parties” – a set-up creating “significant cybersecurity requirements associated with the protection of data”.
‘Alleviating some of the cybersecurity burden’
The Future of Money initiative has shown that it is possible for users to directly hold “centrally issued electronic tokens” with clearing and settlement by “independent and private actors”, explained Goodell, who is a member of the Bank of England ‘CBDC Technology Forum’ (among numerous other roles). “That’s something that bank deposit-based mechanisms or ‘closed-loop’ payment system-based mechanisms such as [Chinese payment companies] WeChat Pay and Alipay, and so on, do not provide because, ultimately, they’re providing someone else’s promise [to pay] instead. We think that that’s a security issue on many levels. And not only a cybersecurity level, but a more general national security level. I think many central banks would agree.”
He differentiated between “centralised control of the distribution of redemption of assets” and “centralised control of the transaction infrastructure”.
“Many of the digital currency systems that use distributed ledgers today rely upon smart contracts or manage tokens directly on the ledger. These characteristics introduce all sorts of problems,” he said. “At the same time, we need the distributed ledger to facilitate an ‘immutable record of truth’ that avoids a cybersecurity risk of there being a single point of failure associated with someone who has control to the extent that they can actually modify the set of transactions that had happened.”
He added that consumers should be “protected from profiling” by using “privacy by design” and ensuring that the “payer stays private in transactions”. “We think that this is an important way to alleviate some of the cybersecurity burden on the merchant side of transactions,” he explained, going on to reference “blind signatures” as featured in the BIS/Swiss National Bank’s ‘Project Tourbillon’ (the CBDC project that he said had the closest resemblance to his own work).
“We [Future of Money project] have developed a solution that uses a distributed ledger, but only for the purpose of having an immutable record of commitments,” he said. “We do not use it to store tokens or to manage transactions directly.”
Many major central bank CBDC projects remain “quite early” in terms of the stage of their design, he pointed out. He said that “serious conversations” were needed to ensure that “consumers’ identity will not be revealed in their transactions and that there won’t be any fishing expeditions done by unscrupulous governments or even cyberhackers”.
‘Risk bigger in low-income countries’
Cybersecurity and related matters require investment and skills. But central banks, inevitably, have vastly different budgets and capacity. The BCB, for example, has been hit by strikes over wages and faces other related HR challenges (these have spilled over into the operations of its accelerator-style initiative LIFT Lab being ‘suspended indefinitely’ earlier this year).
“The [cybersecurity] risk is even bigger when we think about low-income countries or even emerging economies,” said Solomon.
Regardless of the country in question, and size of any central bank’s CBDC and cybersecurity budget, however, he emphasised how private companies typically have an important role.
“There are countries where we [the IMF] see private organisations, like a telecoms company, building cybersecurity capability within the country,” he said.
In respect of skills, central banks can stand to benefit from collaborating with organisations such as universities on “big initiatives” such as CBDC development, Solomon said.
The IMF, as well as international organisations such as BIS and the World Bank, help with “capacity-building” in different ways, he pointed out. The BIS Innovation Hub’s Nordic centre published a security and resilience framework for CBDC systems in July 2023 (developed as part of the Nordic centre’s multi-stream Project Polaris work); and also published a ‘Closing the CBDC cyber threat modelling gaps’ report (produced in conjunction with the BIS Cyber Resilience Coordination Centre).
It is incumbent on central banks to ensure they “continue to remain agile… to cope with the evolving cybersecurity landscape,” Solomon said.
Payments’ cybersecurity: three considerations
Goodell was keen to emphasise what he saw as potential threats to user privacy in many digital currencies’ designs.
“Many designs that we have for digital payments today rely upon external credit and enforcement mechanisms, and we have come to depend upon these mechanisms. When we design the future of money, we can do better,” he said. “We can rely less upon external enforcement mechanisms and external credit mechanisms inside the payment channel. I’d like to encourage us to think about ways in which we can design the future of CBDC to be more like cash and less like bank account-linked transactions.”
“With privacy, either you have it or you don’t,” he continued. “It’s not possible for a user of a payment mechanism to be convinced that data, once collected, has not been used to ‘profile’ that user without his or her knowledge, and deferring the task of arbitrating what data can be observed versus not to powerful authorities or system operators is really just tantamount to not having privacy at all,” he said.
He concluded by describing payments’ cybersecurity as being dependent on three main considerations.
First, “functions and interactions intrinsic to the components of the system”. He described authorisation systems that rely upon identity credentials as “particularly dangerous because of the centrality of their role”.
Second, the value of the data being held by system operators “is a major problem”, he said, proposing that new payment system designs should “minimise that”.
Third, the risks of a greater attack surface. “This is absolutely significant in the case of retail CBDC,” he said. “If everyone is trying to use their mobile-phones to conduct transactions this way, there are going to be major challenges that need to be overcome, and we’ll need to think very carefully upon how to make sure the value that individuals and businesses are holding can be isolated from the risks of devices that might have internet uplinks and might be compromised,” he said.
The Future of Money initiative therefore recommends that a CBDC should be designed with a “smaller footprint” (and therefore smaller attack surface). This would mean not relying upon identity-based consumer authorisation nor use of consumer custodial accounts, and “preferably without requiring the use of internet-connected consumer devices such as mobile-phones”.
Visible and invisible threats
As with most discussions about cybersecurity, the webinar would likely have left those concerned about cyber-threats somewhat uneasy.
The opening two panellists’ presentation slides alone would have served this purpose: Cavalcante Neto illustrated the threats with a picture of an iceberg (and, of course, most of an iceberg is located invisibly below water – metaphorically significant); and Solomon used a red star emblazoned with “expansion of attack surface” on a slide also mentioning “increasing geopolitical conflicts” and “cyberwar and possibility of collateral damage”.
Fusing many of these security risks – which are present and evolving, regardless of CBDCs – with a digital currency project then creates bespoke new challenges and threats.
Despite the progress – and apparent near-readiness-to-launch – of a growing number of CBDC projects, there is sense in treading very carefully before pressing go.
You can watch the full ‘CBDCs and cyber-security: resilience considerations when developing digital money’ webinar on our dedicated events page. The webinar, hosted by Global Government Fintech, was held on 14 November 2023.