paint-brush
Policy Implications Stemming from the ECCB's CBDC outageby@hughharsono
230 reads

Policy Implications Stemming from the ECCB's CBDC outage

by Hugh HarsonoFebruary 1st, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

The Eastern Caribbean Central Bank (ECCB) announced the outage of their central bank digital currency (CBDC), also known as Dcash. Without the ability to complete transactions, users on the Dcash platform are left in significant limbo. Cybersecurity risks and concerns must be integrated into contingencies associated with protecting CBDCs. The implications of a cyberattack by a threat actor on a CBDC would be extremely damaging for any economy regardless of scale, particularly as payment continuity is simply a necessity for any national-level CBDC.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Policy Implications Stemming from the ECCB's CBDC outage
Hugh Harsono HackerNoon profile picture

In mid-January 2022, the Eastern Caribbean Central Bank (ECCB) announced the outage of their central bank digital currency (CBDC), also known as Dcash. American-based Bitt helped the ECCB launch Dcash in March 2021, following up with a launch in October 2021 of Nigeria's e-Naira.

Since that time, Bitt has also launched a pilot electronic hryvnia test with Ukraine's TASCOMBANK in December 2021, while also unveiling NBB Pay, a stablecoin and digital payments infrastructure, for the National Bank of Belize in December 2021

While Bitt's success has helped to bring decentralized finance (DeFi) to many individuals in these nations, its recent Dcash outage is particularly concerning given the critically important nature of a CBDC.

Without the ability to complete transactions, users on the Dcash platform are left in significant limbo, with this situation raising unique questions for legislators. It is essential for CBDCs to preserve the defining features of physical money, which includes the need to be constantly available in an offline format and to ensure consumer data privacy. With this in mind, what are some of the policy implications that government officials and central bankers can focus on to mitigate concerns over similar outages throughout CBDC networks?

Cybersecurity concerns

The stability of a CBDC must be one of the highest priorities for regulators. In this respect, protecting a CBDC's infrastructure from both internal and external threats should be top-of-mind for regulators.

Cybersecurity risks and concerns must be integrated into contingencies associated with protecting CBDCs, with these values being validated in pilot-test CBDC frameworks.

This type of advance testing will help ensure maximum flexibility in the event of any outage, such as Dcash's current failure, particularly in the case of a cybersecurity event.

The implications of a cyberattack by a threat actor on a CBDC would be extremely damaging for any economy regardless of scale, particularly as payment continuity is simply a necessity for any national-level CBDC.

If taken offline for even a brief period, a CBDC outage similar to the current Dcash situation might invoke a currency collapse because of it being a single point of failure, with significant implications during and after such an event.

Additionally, a CBDC outage would also undoubtedly decrease consumer confidence in that specific medium of exchange, thereby reducing the influence and credibility of that central bank in this instance. 

Risk management operations

The current Dcash outage also raises concerns over establishing contingency operations in the event of a specific CBDC outage.

While there is currently no particular standard for establishing risk management operations for CBDCs, general information technology standards, including ISO/IEC 27005:2008, BB 7799-3:2006, and NIST SP 800-39 could be particularly applicable in establishing contingencies in the event of such an outage.

Properly identifying, estimating, and evaluating risks must be integrated into CBDC development. Having proper governance response procedures to help manage such risks in the future will be essential for central banks to implement if moving forward with CBDC platforms.

Industry standardization and development

The high number of existing CBDC technologies presents a wide variety of different vendors for CBDCs, with some examples including Bitt's usage of IBM's Hyperledger Fabric for the ECCB, the Hong Kong Monetary Authority picking ConsenSys for Project Inthanon-LionRock, and Bhutan selecting Ripple for its CBDC project.

Ensuring interoperability between different CBDCs is a specific policy issue that must be addressed given the growing CBDC development market. Additionally, reserve currencies must be considered for use in the event of a CBDC outage, thus potentially creating conflicts between primary and alternate CBDC platforms. 

Launching a CBDC would also transfer a high amount of critical technology risks to the government, and eventually, taxpayers. With this in mind, the ever-developing nature of blockchain and other emergent technologies present challenges for governments to test, regulate, and implement.

It will be interesting to see how the public and private sectors interact in regards to supporting these types of technologies, particularly with these technologies having critical national security implications. In this case, protecting the public prominence of money is a must for governments and regulators, something that might present a significant challenge due to technology's pace of innovation. 

Conclusion

All in all, the ECCB's Dcash outage provides central bankers, governments, and technology providers with the opportunity to reflect on the challenges emerging from system outages and failures.

Addressing cybersecurity concerns, implementing risk management operations, and ensuring continued pace with developments in emerging technologies is important for regulators to incorporate into their CBDC pilot-tests and eventual programs.

Ensuring proper governance over CBDCs and establishing legislation for specific issues like data privacy will also be necessary for regulators as CBDCs become increasingly prominent in the age of Web 3.0.