BIS Project Polaris: Strengthening the Security and Resilience of CBDC Systems
The BIS Innovation Hub Nordic Centre has released two reports as part of Project Polaris, focused on designing secure and resilient central bank digital currency (CBDC) systems. The reports address the critical need to enhance cybersecurity measures and mitigate potential risks associated with CBDCs.
The first report introduces a security and resilience framework specifically tailored for CBDC systems. Recognizing CBDCs as critical national infrastructure, the framework acknowledges the complex and rapidly evolving cyber threat landscape. It emphasizes the importance of assessing and addressing the potential security and operational risks introduced by new technologies employed in CBDC systems.
The framework provides central banks with a seven-step model for designing, implementing, and operating secure and resilient CBDC systems. It urges central banks to embrace modern enabling technologies, evaluate existing capabilities that can be leveraged, identify areas for improvement, and consider new capabilities that need to be implemented.
While many central banks already have robust cybersecurity measures in place, the framework acknowledges that risks cannot be fully eliminated. It underscores the need for senior leadership to stay informed about new and elevated threats facing CBDC systems and develop appropriate risk management and mitigation strategies.
The second report highlights the growing interest in CBDCs as a secure and stable alternative to cryptocurrencies. While private cryptocurrencies lack coherent regulations and government support, CBDCs can offer greater security, stability, and financial inclusion. However, the report cautions that CBDCs face unique security vulnerabilities stemming from the use of novel technologies and the absence of verified secure designs and implementations.
The report draws attention to the alarming number of high-profile cyber attacks in the decentralized finance (DeFi) domain, resulting in substantial financial losses. These attacks exploit weaknesses in consensus mechanisms and smart contracts, which are also used in some CBDC implementations. The report emphasizes the need for comprehensive threat modeling techniques that accurately address the threats and security controls specific to CBDC systems.
To bridge these gaps, the report suggests leveraging the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques. It proposes adapting existing techniques and developing new ones to adequately model attacks against CBDCs, particularly those employing distributed ledger technology (DLT) and smart contracts. Furthermore, the analysis indicates that central banks must be prepared to monitor and repel both familiar and novel tactics, as attacks typically occur within 10 months of launching a DeFi implementation.
The Polaris security and resilience framework serves as a baseline and will be periodically updated to align with developments in CBDC systems and the evolving cyber threat landscape. Collaboration with the central bank community, public sector, and private entities participating in the CBDC ecosystem will ensure ongoing refinement and effectiveness.
Overall, Project Polaris aims to equip central banks with essential information to inform decision-making, architecture, design, implementation planning, and investments related to CBDCs. By addressing cybersecurity gaps and providing a comprehensive framework, Project Polaris strengthens the foundation for secure and resilient CBDC systems, safeguarding financial stability and public trust.