(Reuters) — The central bankers’ central bank, the Bank for International Settlements, has laid out a seven-point plan designed to help countries prevent cyber hacks on the new wave of digital national currencies under development.
Around 130 countries are now exploring central bank digital currencies (CBDC) to keep up with technological change, but there are worries that their online nature could make them a major target for criminals and hostile states.
The BIS acts as an umbrella body for the U.S. Federal Reserve, European Central Bank, Bank of England and other central banks around the world and has been coordinating a lot of work on CBDC development.
In two interlinked reports published Friday, it warned that CBDC systems were “complex, with a large attack surface and many potential points of failure, bringing new and elevated risks.”
Analysis of past cyberattacks also revealed “gaps” in the security attack modeling systems of the more technologically advanced CBDCs and that the “mean time to attack” — the time it took for hackers to successfully compromise a blockchain-type setup — was only around 10 months on average.
“This is a key point to note for central banks about to launch a CBDC, they must be thoroughly prepared to adequately monitor and repel both well understood and novel” cyberattacks, the BIS said.
The worry is that a successful attack on a CBDC could seriously erode public confidence in the new currencies as well as the central banks themselves and the wider financial system.
Hackers have struck a number of central banks in recent years from Denmark to Bangladesh. According to crypto research firm Elliptic, users of cryptocurrency, non-fungible tokens and other digital assets lost $10.5 billion due to theft in 2021.
The BIS called its seven-point plan the “Polaris security and resilience framework”.
Specifically, it calls on central banks to:
• Recognize the complexity and new threat landscape brought by CBDC systems.
• Adopt modern enabling technologies supporting security and resilience where appropriate.
• Take stock of existing capabilities that could be used by a CBDC system.
• Identify areas that need to improve and new capabilities that need to be implemented.
It also called for central banks to use the global MITRE ATT&CK database of past cyberattacks, and for an “official extension” of the MITRE ATT&CK framework to help central banks beef up their security measures.