Digital Currencies: Risks and Opportunities

If one validator or node is compromised, that compromise may have exploited a vulnerability that remains unpatched among other validators as well. For this reason, robust reporting requirements must ensure that all other stakeholders learn about security breaches as quickly as possible to reduce the risk of attackers exploiting the same vulnerability across multiple validators. This, in turn, mitigates the risk of validators approving faulty transactions. Concretely, there may be a need for baseline requirements to determine how quickly validators should notify other stakeholders upon discovery of a breach or malfunction. While analogous requirements exist for trade finance, the timescales for notifying other parties of a breach are much slower.

The acceptance of digital currencies is very low when it comes to day-to-day transactions, even in the developed economies. The lack of clarity on the regulation of digital currency is a serious impediment to the wider acceptance and usability of digital currency. One of the overarching concerns in the design of the CBDC regime is to combat illegal activities involving currency transactions, which requires a balance between information protection and regulatory compliance.

To prevent double-spending of coins, the payment recipient deposits the coins to the payment validators immediately. The payment validators maintain records of the already used serial numbers and check that the serial numbers in the deposited coins have not already been used. After that, the payment validators add the amount of the deposited coins to the balance of the payment recipient and inform the recipient that the payment has been accepted. As with plaintext ledgers, transaction validation requires access to the (encrypted) system state.

Many financial institutions may be affected by the development of the new currency and lose their primary source of income (fees and services related to payment solutions). Financial inclusion is a relevant matter for developed and developing economies, but it matters the most in less developed countries where the percentage of the population without a traditional bank account is higher (Alliance for Financial Inclusion, 2022). CBDC represents an effective solution for areas where the technology infrastructure is limited and financial institutions are not interested in offering advanced financial services. Also, in wholesale settlement, when there is no IT infrastructure already in place, the advantages of the CBDC could matter more than in developed countries where alternative solutions are already available (BIS, 2020).

Overall, the possibility of a CBDC helping the unbanked hinges on giving people “free” access to electronic accounts. This solution really has nothing to do with the private digital currencies that have arisen except that the possible benefits of private solutions like Bitcoin have forced many government officials to acknowledge that people will not always have to use bank accounts and U.S. dollars. As countries across the globe increasingly move towards digital currencies, ensuring privacy and security remains paramount. Privacy-friendly solutions are emerging, with research highlighting promising cryptographic approaches to protect both user information and transactional data.

The piloted design follows the plaintext payment token approach where users withdraw coins (tokens), then make payments by passing them to the payment recipient who deposits them back to the payment infrastructure to verify the coins have not already been used (double-spending protection). Chapter 1 assesses the cybersecurity risks facing CBDCs and how design choices will shape vulnerabilities using a framework derived from the CIA triad but customized to the challenges of CBDCs. Understanding how CBDCs will fit into the existing landscape is crucial for turning this insight into actionable steps for policy makers, which we explore in Chapter 2. The key components of the United States’ current payment systems are described below. See the appendix of this report for a detailed analysis of US payment system providers’ current cybersecurity measures. Current wholesale and retail payment systems face a complex cybersecurity landscape and represent a major point of attack for both organized crime and state-sponsored actors. Cybersecurity risks posed by CBDCs must be assessed relative to this landscape.
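The deposit-time double-spending check described in the two passages above (validators recording used serial numbers, and the piloted plaintext token design), as an added Python example that is not taken from the original report. The HMAC tag stands in for the issuer's signature on a coin, and the names `Coin`, `withdraw` and `PaymentValidator` are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo key; an assumption standing in for the issuer's signing key.
ISSUER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Coin:
    serial: str   # unique serial number assigned at withdrawal
    amount: int   # value in minor units
    tag: str      # issuer authentication tag over (serial, amount)


def _tag(serial: str, amount: int) -> str:
    msg = f"{serial}|{amount}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def withdraw(amount: int) -> Coin:
    """Issue a coin with a fresh random serial number."""
    serial = secrets.token_hex(16)
    return Coin(serial, amount, _tag(serial, amount))


class PaymentValidator:
    def __init__(self):
        self.used_serials = set()   # serial numbers already deposited
        self.balances = {}          # recipient -> credited amount

    def deposit(self, recipient, coins):
        """Accept all coins or none; return (accepted, reason)."""
        seen = set()
        for c in coins:
            # Reject coins whose serial or amount was altered after issuance.
            if not hmac.compare_digest(c.tag, _tag(c.serial, c.amount)):
                return False, "invalid coin"
            # Reject serials spent earlier or repeated inside this deposit.
            if c.serial in self.used_serials or c.serial in seen:
                return False, "double spend: serial " + c.serial
            seen.add(c.serial)
        # Commit only after every coin passed, so a rejected deposit changes no state.
        self.used_serials |= seen
        total = sum(c.amount for c in coins)
        self.balances[recipient] = self.balances.get(recipient, 0) + total
        return True, "accepted"
```

A production validator would make the check and the commit a single atomic transaction across all validator replicas; this single-process sketch shows only the ordering of the checks.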

The U.S. National Institute of Standards and Technology (NIST) has initiated a standardization challenge, with lattice-based and hash-based algorithms among the first post-quantum cryptographic standards. Over the last decades, several best practices and expert recommendations regarding how to build and deploy secure IT systems have been collected in various cybersecurity frameworks and standards. The ISO series and the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) are two popular examples. In all wallet solutions, safe storage of the payment credential relies on the trustworthiness of the hardware that hosts the wallet software.

Moreover, if they are perceived as being safer than traditional currency, CBDCs could further weaken the business case for traditional financial institutions. The concept of money, and who gets to define it, has been debated since the beginning of time. In this sense, cryptocurrency is just the latest in a long line of currencies. Most either fail or, like the British pound, are surpassed by other currencies over time.

Are we on the brink of a financial revolution, or are we merely repeating the mistakes of the past? Research from the University of Surrey suggests that digital currencies, particularly Central Bank Digital Currencies (CBDCs), could redefine our economic landscape, but not without significant risks that must be addressed immediately. Secondly, according to Article 23 in PIPL, when transmitting and providing information to others, the information processor is expected to notify the individual of the recipient’s basic information, including but not limited to its purposes, name, and contact number.

Studying the Fed’s cybersecurity system also sheds light on other countries’ approaches, as the Fed’s payment cybersecurity practices are largely analogous to, and often the model for, those of other central banks considering the deployment of a CBDC. Another example is a solution where the zero-knowledge proof shows that the updated account balance of the recipient is below a certain limit (say, $50,000) without revealing the exact account balance to the payment validators or the regulator. The first technique could mimic the current rules regarding the reporting obligation for large cash payments, while the second technique could be used to address excessive migration of bank deposits to protect the stability of banks.