The adoption of Central Bank Digital Currency (CBDC) is gaining traction across the globe, with 130 countries now exploring their use, according to The Atlantic Council.
This new form of digital money is issued and guaranteed by central banks and pegged to a sovereign currency. In an increasingly cashless world, CBDCs could be used for both retail and wholesale purposes.
They would support consumer and business transactions, cross-border payments, and the financial activities of governments, financial institutions, and large companies.
Built on centralized blockchain ledger technology, they differ from cryptocurrencies and other digital assets because all transactions are regulated and controlled from a single Central Bank Digital Currency platform.
The CBDC initiative is premised on certain key benefits for both central banks and consumers. These include:
- Payment efficiency – faster, cheaper, and more seamless transactions.
- More secure and reliable digital payments.
- Enhanced cross-border payment capacities.
- Greater transparency in the fight against financial crime.
- Financial stability and wealth creation.
- Financial inclusion for the unbanked.
- More powers for central banks to dictate monetary policy.
CBDC and the associated risks
While the benefits are numerous, Central Bank Digital Currencies are still controversial. For many, making all CBDC transactions, and the data they produce, available to the authorities would give them potentially draconian powers of surveillance and financial control.
For others, these powers are necessary to counter illicit activities like money laundering, fraud, cyber threats, and terrorist financing.
Potential drawbacks also relate to cost and feasibility, the technical and infrastructural challenges, and the impact on the current financial system and financial institutions.
However, the most cited disadvantage of CBDC is its vulnerability to cyber attacks and other online security risks. The centralized nature of CBDC, it’s argued, with unparalleled amounts of currency and data stored in one place, would inevitably create new cyber risks.
But are those fears grounded in reality, and what could be done to prevent such issues in the new digital money landscape? This article will address those key questions.
Growing threat level
In recent years, amid the acceleration of digital technologies, we have witnessed a big increase in the sophistication and frequency of cyberattacks.
According to Cybersecurity Ventures, the global cost of cybercrime is anticipated to grow by 15% per year, reaching US$15 trillion by 2025.
The financial sector, second only to healthcare, suffers a high cost – an average cost of $210 per breach. Cybersecurity concerns, left unaddressed, hinder innovation, impact trust in digital financial services, and can even threaten national security.
The key cybersecurity risks
The single ledger system used for Central Bank Digital Currencies is a centralized database that tracks the progress of all financial transactions from the time they enter the system. From a security perspective, the increased risks stem from this being a central failure point and a unified target for attackers.
With vast volumes of personally identifiable information and sensitive data on offer, a targeted attack on the CBDC ecosystem would be an ideal opportunity for hackers to inflict maximum damage.
Such attacks could therefore lead to major worldwide financial shocks, serious liquidity shortfalls, bank defaults, and systemic outages that would disrupt everyday transactions and even global financial stability.
Heightened risk of malicious use
A central bank-administered currency system could centralize huge amounts of data stored about individuals, with sensitive information and granular details of their purchasing history and habits.
If it were breached, all that would be available to unauthorized parties, violating user confidentiality, and heightening the risk of malicious use.
In a privacy-preserving design that hides sensitive user data even from trusted system insiders, a similar breach or insider attack will have significantly less severe consequences for security and confidentiality.
Even if the final design of CBDC systems could preserve privacy through limiting access, or by using encryption to protect sensitive data, it could still be vulnerable to insider attack.
There’s also a significant issue around the reliability of the technology, and the system’s ability to maintain constant connectivity. Technical failures and outages, resulting from both malicious and unimagined threats, could effectively knock out an entire financial system. Physical money, if you have it, never turns off, and is always available to spend.
Payment systems and cyber security guarantees
For wholesale CBDC, and cross-border retail CBDC use, if international systems are fragmented, or weak, they could fall prey to attack or manipulation by cyber criminals.
The exact set of new cybersecurity risks depends largely on the digital currency variant that a country chooses for its CBDC system. Each one offers different properties in terms of system robustness, scalability, user privacy, and network requirements.
While they would be subject to some of the existing cybersecurity risks, Central Bank Digital Currencies could create new ones. The centralization of payment processing and user data could:
- Hinder regulatory oversight of financial systems.
- Make reversing fraudulent or erroneous transactions difficult.
- Be susceptible to phishing attacks and malicious automated threats.
CBDCs, intermediaries, and cyber threats
The limitation of the CBDC ecosystem, where supervised intermediaries will most likely conduct their own AML and KYC checks, increases their vulnerability to financial crimes. The inability to track CBDC transactions across the entire financial system could be exploited by sophisticated criminal means.
Existing real-time payment systems are already being exploited by moving the proceeds of crime rapidly between accounts, making it all but impossible to discover, monitor, and recover illicit funds.
Central banks must therefore play a crucial role in helping intermediaries flag suspicious activity. This could be done by setting rigorous compliance standards for financial institutions, for example anti-money laundering measures, and giving them a more holistic network-level view.
Enhancing cyber resilience
With key decisions about the final design of a CBDC ecosystem architecture still to be made, it’s clear that adequate security measures must be prioritized. At the same time, they should not detract from the usability of Central Bank Digital Currencies, because to do so would make them less appealing.
If security requirements, for example, were to create barriers to transfers between digital wallets, slow payments down, or create unnecessary compliance, the advantages would be lost.
According to the Atlantic Council report into The Challenge of Cybersecurity and Central Bank Digital Currency, a number of benchmarks should be met.
- Countermeasures that ensure user privacy and confidentiality should focus on areas like authentication, encryption, and user education.
- Integrity measures would be used to ensure that data is authentic, reliable and correct, and has not been tampered with.
- All transactions should be non-repudiable, meaning the payor can’t deny sending and payees cannot claim not to have received payments.
- The availability of the system would be such that it’s always up and running, with users having reliable and timely access.
CBDC payment systems and security risks
When it comes to securing a nation’s treasury against cyber risks, you can’t be too secure. Malicious hackers are always looking for new targets and are adept at exploiting even the slightest weakness.
Their tactics include inserting malicious code and commandeering private keys. Private keys are vital elements of a blockchain system, as they validate and secure any transactions made using them. If hackers were to control them, they could hold a central bank to ransom. Any federal reserve bank adopting CBDC must defend its digital assets, and particularly its private keys, to protect the integrity of its digital payment system.
The risk to the security of CBDC from quantum computers must also be addressed. Quantum hacking is an emerging threat to existing cryptographic algorithms. The potential for quantum computers to undermine CBDC’s underlying infrastructure requires the speedy adoption of new countermeasures.
Security risks and Central Bank Digital Currency
Specific measures could then harden CBDC systems against cybersecurity risks. Essentially, this means that data about participants and transactions is kept private in the final CBDC design. This in turn would hide data from system insiders, disincentivize outside attackers, and lessen the consequences of such attacks.
The Atlantic Council made a series of policy recommendations that would protect the robustness of a new system. They outline them in six key principles.
Use existing security risk frameworks and regulations
Like the old concept of not throwing the baby out with the bathwater, current laws and regulations should be assessed for their relevance to the digital currency ecosystem. Only then could the gaps in a new framework be properly addressed.
Existing stakeholders and financial intermediaries should be allowed to innovate and compete, bringing their knowledge and practical expertise to bear.
Privacy can strengthen security
CBDC designs that preserve user privacy would reduce the harmful consequences of cyberattacks. Minimizing identifiable information would enhance cash-like privacy. Legislative choices could still provide legislators with appropriate oversight, if they can overcome political objections.
Test, test, and test
Governments should oversee extensive security audits and pilot testing. Political approval and budget should be granted for extensive pilots that allow for broad participation in testing security measures, and longer-term maintenance.
Ensure accountability
Clear rules and policies must be established to govern the overall framework for Central Bank Digital Currencies. In particular, accountability of distributed ledger technology is needed to prevent breaches, errors, and their technical and financial consequences.
Promote interoperability
Policies should increase interoperability with a country’s financial infrastructure and improve its resilience. Stronger CBDC systems will be promoted by international collaboration and common regulation. Leadership is critical, as well as guidance from the Financial Stability Board, Financial Action Task Force, and the G20.
Technology neutral legislation
Policy makers must ensure that laws governing cybersecurity risks are even-handed toward all existing CBDC technologies. This will promote greater accountability and incentivize the development of a global cybersecurity framework.
Current financial system weakness
The cybersecurity risks around CBDC, prompted by the central storage of massive amounts of sensitive transaction data, are very real. But so too are existing problems of financial crime with current payment systems.
It appears that whatever measures are taken to prevent it, like encryption, two-factor authentication, or more stringent compliance checks, criminals find a way round them.
For all of this, global regulation is key, because financial crime becomes anonymous and untraceable across a myriad of global financial systems that host billions of everyday transactions.
Conclusion
Faced with the alternative, the adoption of CBDC presents an opportunity to tackle financial crime. Many countries, and all of the world’s major economies, are taking part. This affords a vision of greater global harmony, joined-up thinking, and more robust powers.
Privacy concerns acknowledged, having digital transactions well and truly on the radar of the authorities should give them a means to respond to financial crime.
At the current rate of CBDC development, where most countries are hesitant to adopt, and committed to rigorous pilot testing, the exact nature of the cyber threats is unclear. The choices made by governments, policy makers, and central banks will dictate key cybercrime-fighting design and implementation features.
The central issue of whether cybercrime would be worse under a more centralized financial system should not prevent CBDC adoption. A system with strong privacy protection and consensus mechanisms, that is also inherently more secure, seems achievable.
To fully secure the CBDC ecosystem from cybersecurity threats, and protect user privacy, central banks will need to deploy system-wide continuous monitoring tools that are global in scale. They will rely on partners beyond their national borders.
The question is whether that level of cross-border cooperation can be achieved, and, in the first instance, how long it will take to develop adequate cyber resilience. All the while, new criminal techniques are being developed.