Project Polaris: closing the CBDC cyber threat modelling gaps

Decentralised finance (DeFi) continues to revolutionise the financial industry. Cryptocurrencies in particular have enjoyed a remarkable adoption rate due to their accessibility and low transaction fees, all without the need for intermediaries as in the case of traditional banks.

However, cryptocurrencies can be volatile, often lacking coherent regulations, governance and government support. Perhaps most worrisome are the known and unknown security vulnerabilities, which are unique to this ecosystem and stem from the use of novel technology and the lack of verified secure designs and implementations.

Many central banks are interested in developing central bank digital currencies (CBDCs). CBDCs offer the promise of a more secure and stable digital currency that could also support financial inclusion and could provide an alternative means of payment as cash usage declines while allowing for more efficient, faster and cheaper transactions. In contrast to private cryptocurrencies that aim to maximise profits, CBDCs, while in some cases using the same underlying technology, are an alternative that serves the needs of the public.

By the end of 2022, four jurisdictions had launched CBDCs, while others were piloting projects of various sizes. As far as is known, there have not been any successful cyber attacks against operational CBDC systems. However, there have been many high-profile cyber attacks in the DeFi domain, such as exploiting weaknesses in consensus mechanisms as well as smart contracts that enable attacks on cryptocurrency exchanges and wallets. According to a report by Elliptic, DeFi users lost $10.5 billion due to theft in 2021. Since CBDCs may, and in some implementations or pilots do, use novel technologies such as DLT and smart contracts, they too could be exposed and vulnerable to the type of attacks that were successfully made in the DeFi domain.

To illustrate this point, a new report developed by the BIS Cyber Resilience Coordination Centre in partnership with the BIS Innovation Hub Nordic Centre analysed several notable DLT attacks in the DeFi domain using the MITRE ATT&CK framework. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, which can be used as a foundation for the development of specific threat models and methodologies to identify and analyse adversary behaviour.

This analysis reveals that there are gaps in existing threat modelling techniques that may not adequately address the threats and associated security controls to properly protect CBDCs that make use of novel technology (eg DLT, smart contracts) from the tactics, techniques and procedures (TTPs) used by threat actors in the DeFi space. Specifically, although the majority of existing TTPs could be used to model the attacks, some will require slight modification, while there exist new attack vectors that do not fit within the framework and will necessitate the creation of new TTPs.

Examples of new TTPs that could be used to model the novel attacks are provided and the use of crowdsourcing is proposed to further analyse how attacks against CBDCs that use DLT as part of their reference architecture can be adequately modelled using the MITRE ATT&CK framework.

Additionally, the "mean time to attack" (based on the DLT attacks studied in this analysis) is around a 10-month period between the launch of a DeFi implementation and the successful compromise. This is a key point to note for central banks about to launch a CBDC – they must be thoroughly prepared to adequately monitor and repel both well understood and novel TTPs.

Furthermore, this preliminary analysis supports the argument that an official extension of the MITRE ATT&CK framework may need to be undertaken to help properly model attacks against DLT-enabled systems.

This analysis uses DLT as a starting point to begin threat modelling and gap analysis for CBDC. Even for a CBDC implementation that does not plan to utilise DLT, the analysis around other related DeFi concepts, such as smart contracts, may still be relevant.

More generally, the application of the MITRE ATT&CK framework to CBDC more broadly, regardless of technology, is likely to be an important step for any central bank looking to launch a wide scale pilot or full implementation of a CBDC.