Spotlight on: Building a sustainable and resilient future for digital currencies

Central Bank Digital Currencies (CBDCs) are government-backed digital currencies which are issued by a central bank to the general public – in other words, they are the virtual form of a country’s fiat currency.

They are currently being actively considered by major economies across the globe; for example, President Biden announced this week that his administration is placing ‘the highest urgency’ on researching and developing a potential digital dollar, the European Central Bank is undertaking a two-year digital project on what a digital euro might look like, the Bank of England will consult on the case for launching a retail CBDC in 2022 and earlier this year it was announced that India will introduce a digital rupee this year.

CBDCs could provide a range of benefits to users, but they also present resilience and security challenges and considerations that must be addressed if they are to become a sustainable currency.

Late last year the Group of Seven (G7) published a report on Public Policy Principles for Retail Central Bank Digital Currencies (CBDCs), including a core principle on operational resilience and cyber security. The White House has since reiterated the need for a secure CBDC system, requiring senior officials to review and report on the technical risks and benefits of a digital dollar within the next six months. With these recent developments in mind, we’re sharing thoughts on the cyber risks CBDCs could present, and how principles of resilience and security by design can protect their long-term future.

What are the risks?

In our 2021 Annual Research Report, Jennifer Fernick, Global Head of Research at NCC Group, noted that while large financial institutions ‘each spend hundreds of millions – sometimes even billions – per year on cyber security,’ the same levels of investment are not usually found in decentralised finance applications and cryptocurrencies.

Jennifer also warned that decentralised finance companies could become the ‘highest-risk value stores on the planet,’ explaining that ‘in the sphere of decentralised finance (DeFi), where value is exclusively stored digitally and mediated directly by code, a threat actor could directly and immediately remove value from a company through attacking the underlying infrastructure, protocols or cryptographic implementations. One leaked cryptographic key or a single software flaw could lead to the collapse of entire organisations.’

What has the G7 said so far?

Encouragingly, the G7 Public Policy Principles suggest that cyber resilience will be at the forefront of national governments’ CBDC policies, highlighting, if a CBDC ecosystem is to be built, it will require ‘careful decision-making in the design and configuration…as well as in its ongoing operation, maintenance and evolution’ in order to be secure and resilient to cyber, fraud and other operational risks.

The report also states that all entities in a CBDC ecosystem – both within the public and private sectors – should have operational resilience, data security and cybersecurity strategies ‘consistent with national and international standards.’

As well as ensuring operational resilience in the design stage, the report recommends that ‘sound response and recovery practices are critical to maintaining the resilience of any CBDC infrastructure’.

How does the White House’s Executive Order build on that?

Biden’s Executive Order confirms that the G7’s goals to deliver secure and resilient CBDC systems are being taken forward at a national level.

Specifically, the White House highlights the need to address technical risks, including with respect to emerging and future technological developments such as quantum computing, as well as the risks and benefits a CBDC would present to cyber security. More broadly, the Executive Order calls for the broader digital currency ecosystem – including digital asset issuers, exchanges and trading platforms, and intermediaries - “whose activities may increase risks to financial stability” to be regulated in the same way traditional financial market infrastructures and firms are.

The Director of the Office of Science and Technology Policy and the Chief Technology Officer of the United States now has 180 days to provide President Biden with a technical evaluation of the technological infrastructure, capacity, and expertise that would be necessary to deliver a secure and resilient US CBDC.

Ollie Whitehouse, Global CTO, NCC Group comments:

“As the industry and sector develops at pace, the value to both good and bad actors is becoming apparent. Threat actors will employ ever more sophisticated methods to both utilise and acquire digital currencies via illegal means and it is encouraging to see a strong focus from governments and organisations on putting operational resilience at the very heart of CBDCs.

Building a CBDC from the ground up requires resilience and security by design at the core, to ensure that the currency can evolve into a trusted digital form of payment and minimise risk from cyber attack, supply chain disruption or software failure.

Although national governments have flagged this at an early stage, it is crucial that they follow through with those commitments as they continue to futureproof the digital currency landscape and the ultimate launch of a Digital Dollar and Britcoin, to name a few."