A revealing new detail has emerged in the saga of the Colonial Pipeline. The key gasoline distribution link was shut down for six days following a hack, causing gas shortages across the southeast United States. According to a CNN report, though, the main target of the hack wasn’t pumps or switching stations or other physical pipeline infrastructure. Instead, the hackers went after the money.
“The company halted operations because its billing system was compromised,” sources told CNN. The pipeline’s operators “were concerned they wouldn't be able to figure out how much to bill customers for fuel they received.”
The Colonial shutdown is just the latest in a drumbeat of examples of the rising threat of cyberattacks. Ransomware attacks are rapidly approaching crisis levels, while cyberespionage between nations also continues to accelerate. Most recently, the reportedly Russian-backed SolarWinds supply-chain attack burrowed deep into a still-unclear number of systems, with ramifications likely to last years.
Despite the rising tide of hugely damaging hacks, many nations’ central banks are pursuing the creation of new digital systems that would be major hacking targets: central bank digital currencies, or CBDCs. The goal of these systems, broadly, is to allow users to directly hold central bank dollars in a digital form, rather than through an intervening bank or payments platform. Central banks already do this in the form of physical banknotes, and so creating "digital cash" isn’t a wild stretch of their mandate.
But CBDC systems, while nominally influenced by cryptocurrencies like bitcoin, are unlikely to be based on the distributed blockchain technology that has so far kept cryptocurrency base layers themselves from being compromised (even as the wallets and exchanges built on top of them are hacked regularly). That means the systems could become an unimaginably alluring target for hackers, with potential disruptions even bigger than the shutdown of a crucial gasoline pipeline.
The targeting of the pipeline’s financial system, rather than its valves or switches, highlights the fundamentally heightened cybersecurity risk that accompanies conventional digital finance. While it’s true that more and more infrastructure is digitally connected in one way or another, it’s still generally a very challenging and long-term process to compromise those systems. Attacks like the Stuxnet worm, which the U.S. and Israel allegedly used to physically damage Iranian nuclear facilities, take many years and state-scale resources to execute.
The Colonial hackers, at least for now, appear to have been a freelance criminal gang rather than state actors. Because they had more limited resources, it's little surprise that they aimed for the softer target of financial records. (It's also a matter of strategy: Though it could turn out to be a misdirection, the gang said in a statement that their goal was to make money, not disrupt the pipeline.) Interfering with such records is fundamentally easier than disrupting physical infrastructure, for the simple reason that for the most part they are purely digital. Changing numbers in a computing system (or, in this case, just encrypting the files so their owner can't read them) is pretty much always more straightforward than using that same system to change the physical world.
That core weakness of digital money, that whoever controls the records can alter or withhold them, is what necessitated the unwieldy but nigh-impenetrable blockchain system securing bitcoin. Any central bank digital currency has to solve the same problem, but politics makes the same solution impractical: The security of a cryptocurrency like bitcoin is inextricable from the fact that nobody truly controls it. Most central banks, which ultimately must be responsive to governments, can't make that trade-off.
But CBDCs could still introduce decentralized security by taking carefully selected pages from the crypto playbook. One might be "elements of node validation" similar to the way blockchains rely on many copies of a ledger, according to J.P. Schnapper-Casteras, a lawyer who works with the Atlantic Council on CBDC research and consulting. At least in broad outline, that would make it far harder for a FedCoin to be hit with the same kind of attack that took down Colonial's system by locking up financial data housed in one central location: an attacker would have to encrypt or alter a majority of independently operated copies at once, and any single copy that was tampered with would fail validation against the rest. The caveat is that replication protects the ledger, not everything around it; the wallet apps, onboarding systems and operator workstations that feed the ledger remain ordinary IT, and ordinary IT is what ransomware actually hit at Colonial.
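To make the "many validated copies" idea concrete, here is a toy replicated ledger in Python. This is an added example, not code from the article, from the Atlantic Council, or from any CBDC project; the hash-chained entry format, the billing records, and the five-node layout are all assumptions made for illustration. It shows that a single copy "locked" by ransomware yields nothing, while a set of replicas with one copy locked and one copy silently altered still recovers the correct ledger by majority of valid tips, and that losing a majority of copies defeats recovery:

```python
"""Toy replicated ledger with hash-chained entries and majority validation.

Added example, not from the article or any real CBDC design. The entry
format, sample billing data and node counts are hypothetical.
"""
import copy
import hashlib
import json
from collections import Counter
from typing import Dict, List, Optional

GENESIS = "0" * 64

# Constructed sample billing records (not real Colonial data).
BILLING: List[Dict] = [
    {"customer": "A", "gallons": 1000, "usd": 2800},
    {"customer": "B", "gallons": 2500, "usd": 7000},
    {"customer": "C", "gallons": 400, "usd": 1120},
]


def entry_hash(prev_hash: str, payload: Dict) -> str:
    """Each entry's hash commits to the previous hash and a canonical JSON payload."""
    data = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def build_ledger(payloads: List[Dict]) -> List[Dict]:
    """Append entries so that each one links to the hash of the one before it."""
    chain, prev = [], GENESIS
    for p in payloads:
        h = entry_hash(prev, p)
        chain.append({"prev": prev, "payload": p, "hash": h})
        prev = h
    return chain


def verify(chain: List[Dict]) -> bool:
    """Node validation: every link and every stored hash must recompute correctly."""
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev or entry_hash(e["prev"], e["payload"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def tip(chain: List[Dict]) -> str:
    return chain[-1]["hash"] if chain else GENESIS


def recover(replicas: List[Optional[List[Dict]]]) -> Optional[List[Dict]]:
    """Return the ledger a strict majority of ALL nodes agree on, or None.

    A replica of None models a node whose data is locked/unreachable. Replicas
    that fail verify() are discarded before counting. The majority is taken
    over the full node set, so losing most nodes correctly yields None.
    """
    valid = [r for r in replicas if r is not None and verify(r)]
    if not valid:
        return None
    best_tip, count = Counter(tip(r) for r in valid).most_common(1)[0]
    if count * 2 <= len(replicas):
        return None
    return next(r for r in valid if tip(r) == best_tip)


def single_location_scenario() -> Optional[List[Dict]]:
    """One copy of the billing ledger, encrypted by ransomware: nothing to recover."""
    return recover([None])


def replicated_scenario() -> Optional[List[Dict]]:
    """Five nodes: one locked, one with a changed amount, three intact."""
    base = build_ledger(BILLING)
    replicas: List[Optional[List[Dict]]] = [copy.deepcopy(base) for _ in range(5)]
    replicas[0] = None                       # ransomware locked this node's files
    replicas[1][1]["payload"]["usd"] = 1     # number changed, hashes not recomputed
    return recover(replicas)


def majority_lost_scenario() -> Optional[List[Dict]]:
    """Five nodes, three locked: the surviving pair is not a majority."""
    base = build_ledger(BILLING)
    replicas: List[Optional[List[Dict]]] = [copy.deepcopy(base) for _ in range(5)]
    replicas[0] = replicas[1] = replicas[2] = None
    return recover(replicas)


if __name__ == "__main__":
    print("single copy recovered:", single_location_scenario() is not None)
    print("replicated recovered :", replicated_scenario() is not None)
    print("majority lost        :", majority_lost_scenario() is not None)
```

The design choice worth noting is that `recover` counts the majority over the full node set rather than over the copies that happen to be readable; otherwise two surviving nodes that agree with each other would be treated as authoritative even when the attacker has taken the other three, which is exactly the failure mode a real validation scheme must refuse.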
Similarly, one proposed "two-tier" CBDC design would allow various independently written versions of the software to interact according to standards established by central banks. While a fully centralized system with uniform code could be leveled by one vulnerability, a diverse codebase means a single exploit no longer works everywhere, making cyberattacks harder to scale and increasing security.
Even more crucial is the use of open-source software to build CBDCs. Releasing source code publicly, along with incentives like bug bounty programs, means legions of white-hat hackers can scrutinize it for bugs. "Open-source systems have proven to be more enduring, more reliable, [and] more extensible over time," says Schnapper-Casteras. That's why much of the internet now runs on software that was battle-tested in the open-source arena, such as Apache and Linux. And bitcoin is famously open-source, with a particularly arcane and bureaucratic update process that prevents unnecessary changes that might introduce security risks. Openness is a precondition for that scrutiny rather than a guarantee of it: the Heartbleed bug sat in OpenSSL's public code for roughly two years before anyone reported it, so a CBDC would still need funded review and bounties, not just a public repository.
But that option is likely unavailable to arguably the most influential player in CBDCs – the People’s Bank of China. Its “digital yuan” is widely believed to be subject to major centralized surveillance and censorship, "features" that would likely be highlighted if its code were public.
That would seriously interfere with another apparent goal of China's project: driving greater usage of the yuan outside China. But it also means the system can’t be robustly tested for security vulnerabilities. Lack of transparency could in turn box the PBOC out of negotiating standards for international CBDC interoperability. “I’m not sure if China and the U.S. will be playing at the same standards-setting bodies at the end of the day,” Schnapper-Casteras says.
Though things are still quite early, the U.S. Fed may be more amenable to making its system open-source. The Boston Fed last year launched a CBDC research program with the Massachusetts Institute of Technology, and will reportedly be releasing not just its ideas, but also its code, in July.
That's one major reason why, though much has been made of China’s first-mover status on CBDCs, Schnapper-Casteras and others think that being careful will ultimately be more important than being fast.
"In terms of being deliberate about security choices and having an open-source codebase, it could in the long run be a major advantage and source of strength," Schnapper-Casteras says. "Because you don't want to roll out something super quick and have it be buggy. That would be a disaster."