The head of the Bank for International Settlements (BIS) has highlighted the need for vigilance and preparedness for the “constantly evolving” security challenges facing central bank digital currencies (CBDCs) in a keynote speech.
Just a handful of nations – including the Bahamas, Jamaica and Nigeria – have to date formally issued a CBDC. But China’s authorities continue to progress the rollout of a digital yuan, India is moving towards issuance of a digital rupee and the European Central Bank moved into a ‘preparation phase’ for a potential digital euro last month.
Switzerland-headquartered BIS hosted a two-day event (8-9 November) titled ‘Securing the future monetary system: cyber-security for central bank digital currencies’, with its general manager kicking off the conference by describing the topic as being of “critical importance” and “addressing themes at the very heart of central banks’ mandates.”
Agustín Carstens made comparisons with the world of crypto-currencies. “The crypto universe has provided us with several case studies of how easy it is for hackers to infiltrate poorly designed and poorly supervised financial systems,” he told the audience in Basel. “High-profile security breaches have been one factor – admittedly, among many others – that has undermined trust in cryptocurrencies as useful financial instruments. The stakes for a CBDC are much higher, and the steps we take to address these risks must accordingly be much, much greater.”
“As well as being new, the security challenges facing CBDCs are constantly evolving,” he said, highlighting the “considerable attention” being given to the emergence of quantum computing. “But technology advances so rapidly that others – perhaps from generative AI – will surely emerge in rapid succession. Flexibility in CBDC design will be key to ensure that security measures can adapt rapidly to meet the challenges of tomorrow, as well as those of today.”
REGISTER NOW ‘CBDCs and cyber-security: resilience considerations when developing digital money’ – Global Government Fintech is hosting a webinar on 14 November 2023: public servants can register here for free to attend
BIS’s multi-strand cyber-resilience initiatives
BIS operates a ‘Cyber Resilience Coordination Centre’ while both CBDCs and cyber-security are among the BIS Innovation Hub’s 2023 priority topic areas.
The Innovation Hub’s different offices across the globe have also led a number of technical projects exploring CBDCs’ cybersecurity challenges. These include ‘Project Sela’, led by the Innovation Hub’s Hong Kong centre and involving the Hong Kong Monetary Authority and Bank of Israel; and ‘Project Tourbillon’, run by the Innovation Hub’s Swiss centre and focused on CBDC cyber-resiliency, scalability and privacy considerations.
A further BIS initiative is ‘Project Leap’, led by the Innovation Hub’s Eurosystem centre. This project involved the sending of test payment messages via a ‘quantum-resistant virtual private network (VPN) tunnel’ between servers located in Paris and Frankfurt. Its experimentation concluded in June 2023 with the verdict that a quantum-safe financial system’s viability had been ‘proven’.
A ‘security and resilience framework for CBDC systems’ was also published this summer by the Innovation Hub’s Nordic centre. The framework, developed as part of the Nordic centre’s multi-stream ‘Project Polaris’ work, aims to help central banks in ‘designing, implementing and operating secure and resilient CBDC systems to mitigate the operational, legal and reputational risks facing central banks from cyber threats or operational failures.’ The Nordic centre also published a ‘Closing the CBDC cyber threat modelling gaps’ report, produced in conjunction with the Cyber Resilience Coordination Centre.
A UK House of Lords economic affairs committee report, published in January 2022, concluded that a CBDC poses two main security risks: first, that individual accounts could be compromised through cyber-security weaknesses; and, second, that a centralised CBDC ledger could be a target for attack from ‘hostile state and non-state actors’. The report added that while no system design can guarantee absolute security, any CBDC system ‘will need to be adaptable to emerging security threats and technological change, including fast-developing quantum computing’.
RELATED ARTICLE Carstens urges countries to get legal foundations in place for CBDCs – a news story (2 Oct 2023) based on a speech given by BIS’s general manager at a BIS Innovation Hub-Financial Stability Institute conference
Private sector’s ‘crucial’ role
Carstens, a former governor of the Bank of Mexico who has been at the helm of BIS for almost six years, pointed out in his speech that a major challenge on the technical side with CBDCs’ potential introduction is that “many jurisdictions have yet to decide on which form their CBDCs will take or what technical architecture will underpin their design”.
“There is therefore,” he said, “a need to prepare security approaches for a range of different possibilities and then to deploy them rapidly when final designs are determined.’
“Of course, in seeking to make CBDCs secure, it will be crucial not to ignore other design objectives,” he said. “Maintaining an appropriate level of privacy, for example, will be crucial to ensuring public acceptance of retail CBDCs.”
He went on to emphasise the important role of the private sector. “Although I expect CBDCs to sit at the core of the future financial system, central banks’ role will remain limited,” he said. “Most customer-facing services will remain in the private sector’s remit.”
“Cyber resilience among these institutions will also be crucial to maintaining trust in the system as a whole. Indeed, it is probably reasonable to think of cyber security and resilience as public goods among connected institutions.”