It is my pleasure to welcome you all to this conference arranged by the BIS Innovation Hub and the BIS Cyber Resilience Coordination Centre (CRCC). The theme of the conference, “Securing the future monetary system: cyber security for central bank digital currencies”, is one of critical importance, addressing themes at the very heart of central banks’ mandates.
The financial system is on the cusp of significant change. The digital revolution that has affected so many aspects of our lives is increasingly being felt in the financial realm. Households and firms rightly expect financial services to deliver the ease and digital functionality that they experience in so many other aspects of their lives. Central banks know that they have a responsibility not only to keep pace with the digital age, but to lead innovation to ensure that it serves the public good.
Central bank digital currencies (CBDCs) are central to this effort. Whether in wholesale form – as a type of digital central bank reserve – or retail form – as a digital banknote – it is increasingly clear, at least to me, that these new forms of money will sit at the core of the future financial system. To fulfil this role, CBDCs will need to meet several requirements, such as a user-friendly and versatile technical design and a robust legal framework. Above all, they must be secure – and be seen to be so.
Security is an important consideration for central bank money today. After all, the public’s confidence in central bank money underpins trust in the broader financial system. Wholesale settlement systems invariably have sophisticated risk management systems in place to ensure that they operate smoothly, efficiently and without fail. At the retail level, banknotes contain a range of sophisticated security features to guard against counterfeiting.
But the security challenges are even larger when central bank money takes a digital form.
Central banks must grapple with new technologies and new threats. On the technological side, a key challenge is that many jurisdictions have yet to decide on which form their CBDCs will take or what technical architecture will underpin their design. There is therefore a need to prepare security approaches for a range of different possibilities and then to deploy them rapidly when final designs are determined.
The new threats largely fall under the broad umbrella of cyber risks. As well as creating scope for more efficient and sophisticated financial services, technological innovation also opens new possibilities for criminal activities by unscrupulous actors. The crypto universe has provided us with several case studies of how easy it is for hackers to infiltrate poorly designed and poorly supervised financial systems. High-profile security breaches have been one factor – admittedly, among many others – that has undermined trust in cryptocurrencies as useful financial instruments. The stakes for a CBDC are much higher, and the steps we take to address these risks must accordingly be much, much greater.
As well as being new, the security challenges facing CBDCs are constantly evolving. The emergence of quantum computing is one that has received considerable attention. But technology advances so rapidly that others – perhaps from generative AI – will surely emerge in rapid succession. Flexibility in CBDC design will be key to ensure that security measures can adapt rapidly to meet the challenges of tomorrow, as well as those of today.
Of course, in seeking to make CBDCs secure, it will be crucial not to ignore other design objectives. Maintaining an appropriate level of privacy, for example, will be crucial to ensuring public acceptance of retail CBDCs.
In sum, securing the future monetary system is a formidable challenge. But it is an unavoidable one if central banks are to fulfil their mandate of providing money in a form that meets the public’s needs and expectations.
The BIS stands ready to help central bank in their efforts. The BIS Innovation Hub and Cyber Resilience Coordination Centre are leading our efforts in this regard.
Since its inception, the Innovation Hub has completed a number of projects examining how to make CBDCs more secure. Without going through the projects one by one, let me just note that they have addressed issues such as: how to make retail CBDCs secure without sacrificing functionality or hindering competition; how to integrate quantum-resistant cryptography into CBDC systems and how to ensure the cyber resilience of CBDC systems both on- and offline.
Meanwhile, the Cyber Resilience Coordination Centre has helped foster knowledge-sharing, collaboration and operational readiness across central banks. This includes the deployment of its Cyber Resilience Assessments Tool and regional cyber range exercises.
The private sector also has a role to play. Although I expect CBDCs to sit at the core of the future financial system, central banks’ role will remain limited. Most customer-facing services will remain in the private sector’s remit. Cyber resilience among these institutions will also be crucial to maintaining trust in the system as a whole. Indeed, it is probably reasonable to think of cyber security and resilience as public goods among connected institutions. If your institution is safer, so is mine. And this activity does not need to be done by individual organisations in isolation – we can share knowledge. In fact, collaboration between the private and public sectors is key to manage existing and emerging cyber threats.
Today’s conference is therefore timely and important. It brings together they key players whose hard work and creative thinking will be essential to delivering secure and successful CBDC systems. In the next two days, you will have many fruitful discussions on cyber security and how to secure the future monetary system. This includes lessons from experiments at the BIS Innovation Hub, the advances existing public sector organisations have made in their management of cyber threats as part of their CBDC journey, and the latest experience of private sector firms working at the forefront of cyber security. A diverse range of themes will be covered, from the approach to governance and policy-setting, through risk management in the cloud, to many technical aspects such as managing the quantum computing threat.
Again, welcome to this important conference. I look forward to learning from your discussions.