As due dates near for agency deliverables under an executive order, the Atlantic Council has produced a report that could help officials inform the president of implications for cybersecurity.
With just three months remaining for the Office of Science and Technology to report to President Joe Biden on the cybersecurity risks and benefits of establishing a central bank digital currency, per a March executive order, a key official was all ears at an event the Atlantic Council hosted on the question Wednesday.
Carole House, director of cybersecurity and secure digital innovation for the National Security Council, said she was “very excited for [a] panel to examine some of the key issues related to the design choices, and technology, and governance that we need to account for in looking at CBDC developments for the United States, as well as working with our international partners.”
Pressure to explore a potential central bank digital currency has risen, along with estimates of market capitalization for non-state issued digital currencies. Proponents have also argued that increased interoperability can help underprivileged peoples more easily access cross border transactions, including remittances and financing not available to them through traditional banking services.
“We need robust protections,” House said. “We also need to confront how our financial system has and has not worked for certain consumers and ensure that we have access to services that are equitable, inclusive and efficient. That's why, in the U.S., we are placing the highest urgency on the research into the merits of a possible U.S. central bank digital currency, continuing to build off of the many years of efforts being driven out of the Federal Reserve.”
The Federal Reserve and other relevant agencies including the Treasury Department—where House worked on the enforcement of regulations for virtual currencies prior to her move to the White House—will collaborate with OSTP in reporting on the cybersecurity considerations within 180 days of the March 9 order being issued.
“Recent events and major incidents like SolarWinds, the Microsoft Exchange hack, Colonial Pipeline, Log4J, all of these make it very clear on the need for action to improve the cybersecurity posture of federal networks but also critical infrastructure,” House said, noting, “any future potential CBDC systems would certainly count as part of that critical infrastructure and need to account for measures that we need to put in place to better secure the integrity of our software supply chain.”
The Atlantic Council’s extensive report doesn’t make any definitive recommendations, but offers several principles for consideration. Among them, panelists speaking at the event emphasized the importance—and opportunity—of designing a system that prioritizes privacy and the minimization of personal data from the start.
“If you build a CBDC that collects information about everybody's financial transactions in a nation, that database becomes a very high value target,” said Giulia Fanti, an assistant professor of electrical and computer engineering at Carnegie Mellon University, who co-authored the report. “So by building this kind of really high value target, we're potentially increasing security risk as well by creating a target not just for abuses by a central bank, but also by external hackers. I think this is an important theme that kind of pervades the article.”