BIS explores DeFi learnings for CBDC cybersecurity – Ledger Insights

Source: www.ledgerinsights.com

Today, the Nordic BIS Innovation Hub published two white papers for Project Polaris on cybersecurity. One paper covers threat assessments using learnings from the DeFi sphere; the other is a CBDC cybersecurity framework.

Most retail central bank digital currencies (CBDCs) will have two tiers and commercial banks will often provide the wallet UI. However, the reputational risks of something going wrong will often fall on the central bank.

There is a daunting list of cybersecurity risks, but many of these exist today for other payment systems. However, some do not. For example, digital currencies add programmable and automated payments. The document points to DeFi smart contract hacks as evidence of the type of losses such hacks could cause.

Cyber threats are modeled using the MITRE ATT&CK framework. However, the BIS concluded that there are gaps in existing techniques when it comes to novel technologies such as DLT and smart contracts.

“While DeFi is not synonymous with CBDC, several of the current operational retail CBDC implementations are based on a similar technology stack or use one or more of DLTs, smart contracts, tokens, digital identities, and immutable data. This allows DeFi to serve as a starting point for this CBDC analysis,” the authors wrote.

The CBDC Cybersecurity Framework

The other document focuses on a CBDC cybersecurity framework.

“It is assumed that a CBDC system would be complex, with a large attack surface and many potential points of failure, creating new and elevated risks,” the authors wrote.

To an outsider, the risks seem daunting. Here is a list of the sources that might be targeting the CBDC:

  • Nation states or groups sponsored by nation states
  • Organized crime groups
  • Hacktivist groups
  • Lone hackers or petty criminals
  • Professional criminals
  • Insiders
  • Malicious end users
  • Hacked third-party technology providers
  • Natural or man-made disasters
  • Cyber warfare providers
  • AI bots

The list of attack events is a bit longer. But Project Polaris provides a seven-step framework for addressing risks: prepare, identify, protect, detect, respond, recover, and adapt. Each comes with a checklist, some of which have 30 or more items.

The paper concludes: “The framework helps central banks identify areas that need development, both within the central bank and across the jurisdiction, and could help inform technology providers of the opportunities and expectations that lie ahead.”

Meanwhile, the other output of Project Polaris was a book outlining offline CBDC options.

