Project Polaris: a security and resilience framework for CBDC systems
Cyber attacks on critical infrastructure are among the top five risks with the greatest potential global impact. A future central bank digital currency (CBDC) system would be considered a critical national infrastructure, as real-time gross settlement (RTGS) systems are today.
To help central banks mitigate the potential risks attendant to a CBDC, the BIS Innovation Hub Nordic Centre has published a security and resilience framework for CBDC systems.
This framework takes account of the rapid growth in the digital environment and in the interconnectedness of parties and devices that rely on the internet and telecommunications networks, and of how that growth has created a diverse, complex and rapidly evolving cyber threat landscape.
As the new technologies that CBDC systems could use are in many cases unproven at operational scale, their potential to inadvertently introduce new security and operational risks needs to be assessed and addressed.
Central banks and other actors in a CBDC ecosystem will need to face up to this increasingly complex cyber threat landscape.
A breach of a CBDC system due to cyber attacks or technical failures could erode confidence and trust in the infrastructure, a central bank and potentially the financial system, in addition to generating a range of reputational, operational and legal effects.
Many central banks already have robust cyber security and resilience measures in place and adhere to the highest of industry standards in controls and risk management. However, risks cannot be fully eliminated and it is critical that senior leadership is aware of potentially new and elevated threats facing CBDC systems so an appropriate risk management and mitigation strategy can be established.
The Polaris security and resilience framework has been developed to guide central banks in designing, implementing and operating secure and resilient CBDC systems to mitigate the operational, legal and reputational risks facing central banks from cyber threats or operational failures.
This framework is CBDC-focused and leverages existing industry standards and guidelines, providing central banks with a seven-step model for secure and resilient CBDC systems.
Specifically, central banks could use the framework to:
- Recognise the complexity and new threat landscape brought by CBDC systems;
- Adopt modern enabling technologies supporting security and resilience where appropriate;
- Take stock of existing capabilities that could be leveraged for a CBDC system;
- Identify the capabilities that need to mature;
- Identify new capabilities that would need to be implemented.
The framework is a baseline and is intended to be updated periodically, keeping pace with developments related to CBDC systems and the cyber threat landscape, in partnership with the central bank community as well as the public sector and private entities that could participate in a CBDC ecosystem.
Cyber security and resilience are essential to underpinning trust in CBDC systems, so that they work for everyone in society whenever and wherever they are needed. This framework can help guide central banks in their CBDC initiatives.