(Reuters) — The central banks’ central bank, the Bank for International Settlements, has laid out a seven-point plan designed to help countries prevent cyber-hacks on the new wave of digital national currencies under development.
Around 130 countries are now exploring central bank digital currencies (CBDCs) to keep up with the technological shift, but there are concerns that their online nature could make them a major target for criminals and hostile states.
The BIS acts as an umbrella body for the US Federal Reserve, the European Central Bank, the Bank of England and other central banks around the world and has coordinated much work on CBDC development.
In two linked reports published on Friday, it warned that CBDC systems were “complex, with a large attack surface and many potential points of failure, introducing new and heightened risks.”
Analysis of past cyber attacks also revealed “gaps” in the security attack modeling systems of the more technologically advanced CBDCs and that the “mean time to attack” – the time it took for hackers to successfully compromise a blockchain-like installation – was only about 10 months on average.
“This is an important point to note for central banks about to launch a CBDC, they must be thoroughly prepared to adequately monitor and fend off both well-established and emerging” cyber-attacks, the BIS said.
The concern is that a successful attack on a CBDC could seriously erode public confidence in the new currencies as well as the central banks themselves and the wider financial system.
Hackers have hit a number of central banks in recent years from Denmark to Bangladesh. According to crypto research firm Elliptic, users of cryptocurrency, non-fungible tokens and other digital assets lost $10.5 billion to theft in 2021.
The BIS called its seven-point plan the “Polaris Security and Resilience Framework”.
Specifically, it calls on central banks to:
• Realize the complexity and new threat landscape that CBDC systems bring.
• Adopt modern enabling technologies that support security and resilience where appropriate.
• Inventory existing functions that can be used by a CBDC system.
• Identify areas that need improvement and new opportunities that need to be implemented.
It also called for central banks to use the global MITRE ATT&CK database of past cyber-attacks, and for an “official extension” of the MITRE ATT&CK framework to help central banks tighten their security measures.