LONDON, July 7 (Reuters) – The central bankers’ central
bank, the Bank for International Settlements (BIS), has laid out
a seven-point plan designed to help countries prevent cyber
hacks on the new wave of digital national currencies under
development.
Around 130 countries are now exploring central bank digital
currencies (CBDC) to keep up with technological change, but
there are worries that the online nature of them could make them
a major target for criminals and hostile states.
The BIS acts as an umbrella body for the U.S. Federal
Reserve, European Central Bank, Bank of England and other
central banks around the world and has been co-ordinating a lot
of work on CBDC development.
In two interlinked reports published on Friday it warned
that CBDC systems were, “complex, with a large attack surface
and many potential points of failure, bringing new and elevated
risks”.
Analysis of past cyber attacks also revealed “gaps” in the
security attack modelling systems of the more
technologically-advanced CBDCs and that the “mean time to
attack” – the time it took for hackers to successfully
compromise a blockchain type set-up – was only around 10 months
on average.
“This is a key point to note for central banks about to
launch a CBDC, they must be thoroughly prepared to adequately
monitor and repel both well understood and novel” cyber attacks,
the BIS said.
The worry is that a successful attack on a CBDC could
seriously erode public confidence in the new currencies as well
as the central banks themselves and the wider financial system.
Hackers have struck a number of central banks in recent
years from Denmark to Bangladesh. According to crypto research
firm Elliptic, users of cryptocurrency, non-fungible tokens
(NFTs) and other digital assets lost $10.5 billion due to theft
in 2021.
The BIS called its seven-point plan the “Polaris security
and resilience framework”.
Specifically, it calls on central banks to:
Recognise the complexity and new threat landscape brought by
CBDC systems.
Adopt modern enabling technologies supporting security and
resilience where appropriate.
Take stock of existing capabilities that could be used by a
CBDC system.
Identify areas that need to improve and new capabilities that
need to be implemented.
It also called for central banks to use the global “MITRE
ATT&CK” database of past cyber attacks, and for an “official
extension” of the MITRE ATT&CK framework to help central banks
beef up their security measures.
(Reporting by Marc Jones; Editing by Susan Fenton)
