User Tools

Site Tools


cbdc:public:cbdc_omg:04_doc:20_comments:brp:q11:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
cbdc:public:cbdc_omg:04_doc:20_comments:brp:q11:start [2022/04/24 15:32]
nick [1. Risk of a Software Crisis]
cbdc:public:cbdc_omg:04_doc:20_comments:brp:q11:start [2022/06/17 18:59] (current)
terrance
Line 1: Line 1:
-====== Question: 11. TBD Are there additional ways to manage potential risks associated with CBDC that were not raised in this paper? ====== +====== Question: 11. Are there additional ways to manage potential risks associated with CBDC that were not raised in this paper? ====== 
-[[cbdc:private:​cbdc_omg:​04_doc:​20_comments:​brp:​start| Return to CBDC Benefits, Risks, and Policy Considerations ]]+|< 100% >| 
 +[[cbdc:public:​cbdc_omg:​04_doc:​20_comments:​brp:​start| Return to CBDC Benefits, Risks, and Policy Considerations ]]  ​| ​ <​WRAP>​ 
 +<​html><​b>​ 
 +<a href="​mailto:​[email protected]?​Subject=OMG'​s CBDC WG Response:  
 +Question: 11. Are there additional ways to manage potential risks associated with CBDC that were not raised in this paper? 
 +">​Provide Feedback</​a></​b>​ 
 +</​html>​ 
 +</​WRAP> ​ |
  
 ===== Question ===== ===== Question =====
-[[cbdc:private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]]+[[cbdc:public:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]]
  
 **Are there additional ways to manage potential risks associated with CBDC that were not raised in this paper?** **Are there additional ways to manage potential risks associated with CBDC that were not raised in this paper?**
  
 ===== Answer ===== ===== Answer =====
-[[cbdc:private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]]+[[cbdc:public:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]]
  
 By all descriptions,​ the U.S. CBDC is primarily a large [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​sos | System-of-Systems (SoS)]] or even an SoS of SoSs. Some of these would ideally already exist and some will need to be created. The new systems are predominately a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​software | Software (SW)]] effort. Yes, there will be some specialized [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​h:​hardware | Hardware(HW) ]] required, but the primary focus appears to be Software (including [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​cots | Commercial-Off-The-Shelf (COTS)]], [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​g:​gots | Government Off-The-Shelf (GOTS)]], or [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​mots | Modified Off-The-Shelf (MOTS)]]. This software will ultimately need to be  [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​28_manageability:​04_costs | Managed ]] and [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​20_maintainability:​modifiability | Modified]]. By all descriptions,​ the U.S. CBDC is primarily a large [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​sos | System-of-Systems (SoS)]] or even an SoS of SoSs. Some of these would ideally already exist and some will need to be created. The new systems are predominately a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​software | Software (SW)]] effort. Yes, there will be some specialized [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​h:​hardware | Hardware(HW) ]] required, but the primary focus appears to be Software (including [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​cots | Commercial-Off-The-Shelf (COTS)]], [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​g:​gots | Government Off-The-Shelf (GOTS)]], or [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​mots | Modified Off-The-Shelf (MOTS)]]. This software will ultimately need to be  [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​28_manageability:​04_costs | Managed ]] and [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​20_maintainability:​modifiability | Modified]].
 +
 +The following is a list of potential risks not identified in the **White Paper**.
  
 <nspages -tree -r -exclude -subns -pagesInNs -h1 -textNs="">​ <nspages -tree -r -exclude -subns -pagesInNs -h1 -textNs="">​
  
-==== 1. Risk of a Software Crisis ==== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
- 
-==== 2. Risk of Lack of Stakeholder Buy-In ===== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
-A major risk confronting the U.S. CBDC is the lack of Stakeholders'​ "​buy-in"​. The [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​stakeholder | Stakeholders]] for a U.S. CBDC is far beyond just the Federal Reserve. The definition is applied to the U.S. CBDC is a large and spreading network of other U.S. Government Departments and Agencies, the current financial institutions that participate in the U.S. Finacial system, ​ the U.S. Executive and Legislative Branches of the U.S. Government, international governments and institutions,​ the citizens and residents of the U.S, and for that matter, almost everyone on the planet since the U.S. Dollar is the dominate [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​r:​reserve_currency | Reserve Currency]]. Obviously, it is not possible to invite everyone to sit down at a table and have discussions about a U.S. CBDC. Most people will rely on elected officials, government organizations,​ etc. to represent them. 
- 
-In the Object Management Group'​s (OMG'​s) response, we tried to help enumerate the U.S. CBDC in section [[cbdc:​private:​cbdc_omg:​04_doc:​15_common:​05_stakeholder:​start]]. Table {{ref>​summaryStakeReg}} is a summary of the list identified so far that could be considered potential Stakeholder. 
- 
-<table summaryStakeReg>​ 
-<​caption>​Summary of the estimated number of Government Stakeholders for the CBDC.</​caption>​ 
-|< 50% 30% 10% >| 
-^  Potential Oversight Authorities ​ ^ No. of Stakeholders ​ | 
-^ [[https://​www.omgwiki.org/​CBDC/​doku.php?​id=cbdc:​private:​cbdc_omg:​04_doc:​15_common:​05_stakeholder:​start#​us_federal_government_oversight_authorities | U.S. Federal Government Oversight Authorities ]] |  14 | 
-^ [[https://​www.omgwiki.org/​CBDC/​doku.php?​id=cbdc_omg:​04_doc:​15_common:​45_privacy:​start#​us_state_laws_and_regulations ​  | non-U.S. Federal Government Oversight Authorities ​ ]]  |  19 | 
-^             Total ^  **33** | 
-</​table>​ 
- 
-Although a U.S. CBDC is something new, it will also be part of the U.S. monetary system that is already established. The U.S. population relies on the monetary system and has expressed its aspirations for the monetary system through laws and regulations already in effect to control the monetary system. These laws and regulations have evolved since the founding of the U.S. and are generally a response to negative impacts on the U.S. people. Therefore, a major way to include the people as Stakeholders is to follow the laws and regulations of the U.S. The same can be said for the potential international stakeholders who rely on international treaties and agreements between the U.S. and their countries. 
- 
-In the Object Management Group'​s (OMG'​s) response, we tried to enumerate the U.S. and U.S. State laws and regulations that are concerned with Privacy in section [[cbdc:​private:​cbdc_omg:​04_doc:​15_common:​45_privacy:​start]]. Table {{ref>​summaryPrivReg}} is a summary of the list of Laws and Regulations identified so far for the U.S. and U.S. State laws covering Privacy. 
- 
-<table summaryPrivReg>​ 
-<​caption>​Summary of the number of laws and regulations covering National Security Considerations.</​caption>​ 
-|< 40% 20% 10% >| 
-^  U.S. Privacy Consideration ​ ^ No. of Laws and Regulations ​ | 
-^ [[https://​www.omgwiki.org/​CBDC/​doku.php?​id=cbdc_omg:​04_doc:​15_common:​45_privacy:​start#​us_federal_laws_and_regulations | U.S. Federal Laws and Regulations ]] |  10 | 
-^ [[https://​www.omgwiki.org/​CBDC/​doku.php?​id=cbdc_omg:​04_doc:​15_common:​45_privacy:​start#​us_state_laws_and_regulations ​  | U.S. State Laws and Regulations ​ ]]  |   6 | 
-^             Total ^  **16** | 
-</​table>​ 
- 
-Here are some examples of "​resistance"​ to a U.S. CBDC from potential stakeholders:​ 
- 
-  * WASHINGTON – Sen. Chuck Grassley (R-Iowa), a member and former chair of the Senate Finance Committee, and Sens. Ted Cruz (R-Texas) and Mike Braun (R-Ind.) have introduced new legislation to prohibit the Federal Reserve from issuing a central bank digital currency (CBDC) directly to individuals. Specifically,​ the legislation prohibits the Federal Reserve from developing a direct-to-consumer CBDC, which could potentially be used as a financial surveillance tool by the federal government – similar to what is currently happening in China. (( 
-Chuck Grassley, 
-News Release, 
-31 March 2022, 
-Accessed: 24 April 2022, 
-[[https://​www.grassley.senate.gov/​news/​news-releases/​grassley-colleagues-introduce-bill-to-prohibit-unilateral-fed-control-of-a-us-digital-currency]] 
-)) 
-  * People have a wide range of views when it comes to digital assets. On one hand, some proponents speak as if the technology is so radically and beneficially transformative that the government should step back completely and let innovation take its course. On the other hand, skeptics see limited, if any, value in this technology and associated products and advocate that the government take a much more restrictive approach. Such divergence of perspectives has often been associated with new and transformative technologies.(( 
-Janet Yellen, 
-The U.S. Department of the Treasury, 
-__Remarks from Secretary of the Treasury Janet L. Yellen on Digital Assets__, 
-7 April 2022, 
-Accessed: 24 April 2022, 
-[[https://​home.treasury.gov/​news/​press-releases/​jy0706]] 
-)) 
- 
-==== 3. Risk due to Poor Community of Interest (CoI) Governance ==== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
-Governance of a Community of Interest (CoI) just does not happen by chance. It must be a well-thought-out formal organization with strict Policies and Procedures in place to guarantee the whole community is represented and can help formulate the solution or in this case, solutions to solving the Communities problem (i.e., U.S. CBDC). Too often, the Governance is considered by using [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​o:​oss | Open Source Software (OSS)]]. Although having OSS Projects can have an important role in the Governance of a project, it is primarily focused on the development of Software. Yes, the CBDC will be predominately software, but there is much more that needs to be governed than just software. ​ 
- 
-<​table>​ 
-<​caption>​Examples of non-Software things the U.S. CBDC Community of Interest might need to control.</​caption>​ 
-For example, ​ 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs | Legal Documents]] such as  
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs:​1_charter | Charters]] 
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs:​2_bylaws | By-Laws]] 
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs:​3_pp | Policies and Procedures (P&P)]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​5_hg | Guides]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​se | System]] and [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​sw_engineering | Software Engineering]] documents such as 
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req | Requirements]] 
-      * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc | Non-Functional]] 
-      * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​1_func | Functional]] 
-    * Models 
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​2_tech_views:​1_core:​1_interface | Interface Specifications]] 
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​a:​assurance| Assurance]] and [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.b_stds:​tech:​omg:​sacm | Assurance Models]] 
-    * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.g_testing:​start |Testing regime]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​u:​unittesting ​      | Unit Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​integrationtesting | Integration Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​e:​end2endtest ​      | End-to-End Testing (E2E Testing)]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​smoketesting ​     | Smoke Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​sanitytesting ​    | Sanity Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​r:​regressiontesting | Regression Testing]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​a:​acceptancetesting | Acceptance Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​w:​whiteboxtesting ​  | White Box Testing]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​b:​blackboxtesting ​  | Black Box Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​interfacetesting ​ | Interface Testing ]] 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​interoptesting ​   | Interoperabiloity Testing ]] 
-      - Test Data 
-      - Test Plans 
-      - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.b_stds:​tech:​omg:​testif | Test Results ]] 
-</​table>​ 
- 
-In addition to all these requirements for Governance, the Governance Model itself must reflect the //"​distributed nature"//​ of the participants in the CoI itself. So far, we have identified 33 different Oversight Authorities that could be part of the CoI (see Table {{ref>​summaryStakeReg}},​ and each one needs to be able to have a voice at the CoI forum or Consortium. See the OMG DIDO-RA discussion of [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov#​governance | Governance]]. ​ 
- 
-The U.S. CBDC will most likely be a System-of-Systems (SoS) or even an SoS of other SoSs. This means that there probably needs to be a hierarchy of CoI not unlike that of the Federal Reserve itself. For example: 
- 
-  * The U.S. CBDC CoI might be an [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​4_ecosphere | Ecosphere]] 
-  * The development of U.S. CBDC ATM equivalents might be an [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​3_ecosystem | Ecosystem]] 
-    * The Development of a U.S. CBDC ATM machine itself might be a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​2_domain | Domain]] 
-    * The Development of a U.S. CBDC ATM network might be a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​2_domain | Domain]] 
-  * The Development of a Bridge between the ACH and the U.S. CBDC might be an [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​3_ecosystem | Ecosystem]] 
-    * The Development of a U.S. CBDC Bridge Hardware might be a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​2_domain | Domain]] 
-    * The Development of a U.S. CBDC Application Programming Interface (API) might be a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.2_views:​1_stakeholder:​2_domain | Domain]] 
- 
-<table coiTypes>​ 
-<​caption>​Overview of the different kinds of Communities of Interest (CoIs)</​caption>​ 
-|< 100% 25% >| 
-^  CoI Type  ^  Description ​ | 
-^ Ecosphere Community ^ <​WRAP>​ 
-**Ecosphere Community** is the highest level [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​coi | Community of Interest (COI)]] that encapsulates DIDO Ecosystem Communities and DIDO Domain Communities. The Ecosphere usually provides high-level requirements and some funding for the administration of the other CoIs. The Ecosphere'​s role is to act as a coordinator of the Ecosystems and to provide a framework for all other CoIs to establish working agreements such as [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​moa | Memorandum of Agreement (MoA)]] or [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​mou | Memorandum of Understanding (MoU)]]. The Ecosphere is often the only CoI that is recognized as a Legal Entity with legally binding [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs:​1_charter | Charter]], [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs:​2_bylaws | Bylaws]] and official [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.3_gov:​1_legaldocs:​3_pp | Policies and Procedures]]. Often the Ecosphere control [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​intelp| Intellectual Property (IP) rights ]]  and allowable [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​copyright | Copyrights]] that are acceptable for the Ecosphere and the Domain. 
-</​WRAP>​| 
-^ Ecosystem Community ^ <​WRAP>​ 
-**Ecosystem Community** is the midlevel level [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​coi | Community of Interest (COI)]] that encapsulates [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​dido_domain_community|Domain Communities]]. The Ecosystem has a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​charter | Sub-Charter]] approved by the [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​dido_ecosphere_community | Ecosphere CoI]]. The Ecosystem usually relies on the Ecosphere for [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​b:​bylaw | By-Laws]] and [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​p_p | Policy and Procedures (P&​P)]] ​ but can provide addendums that do not conflict with the Ecosphere. The primary role of the Ecosystem is to coordinate the activities of the Domains which fall under its jurisdiction. As a general rule, the Ecosystem does not actually create anything but acts as the integrator and coordinator of all the Domains it is responsible for. The Ecosystem may have more restrictive [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​intelp | Intellectual Property (IP) ]] Rights than the Ecosphere. It can only subset the [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​copyright | Copyrights]] allowed by the Ecosphere. 
- 
-The Ecosphere'​s role is to act as a coordinator of the Domains, however, one Ecosystem can also have a Sub-Ecosystem that it is responsible for. The Ecosystem can have its own [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.e_tools:​bugtrack | bug tracking system]] that covers integration issues. The Ecosystem is responsible for all [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​integrationtesting|Integration Testing]]. 
-</​WRAP>​| 
-^ Domain Community ^ <​WRAP>​ 
-**Domain Community** is the lowest level [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​coi | Community of Interest (COI)]]. The Domain has a [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​charter | Sub-Charter]] approved by the [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​dido_ecosystem_community | Ecosystem Community]]. The Domain usually relies on the Ecosphere for [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​b:​bylaw | By-Laws]] and [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​p_p | Policies and Procedure (P&P)]] but can provide addendums that do not conflict with the Ecosphere. The primary role of the Domain is to produce a product that meets the Functional and Non-Functional Requirements of the Ecosystem and the Ecosphere. As a general rule, the Domain actually builds or deploys things to be integrated into the Ecosystem. The Domain may have more [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​intelp | Intellectual Property (IP)]] Rights than the Ecosystem. It can have a subset of the [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​copyright | Copyrights]] allowed by the Ecosystem. 
- 
-The Domain'​s role is to build products as per the requirements and maintain products according to the [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.e_tools:​bugtrack | Bug Tracking System]]. The Domain is responsible for all testing at the Domain level (See: [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​20_maintainability:​testability | Testability]]). 
-</​WRAP>​| 
-</​table>​ 
- 
- 
-  : **Note:** One way within the U.S. Government to create an Ecosphere, might be to use the [[cbdc:​private:​cbdc_omg:​8_append:​50_other:​start |Other Transaction Authority provisions]] within the U.S. Code. 
- 
-==== 4. Risk due to lack of Broad, Wide Ranging Security Planning ==== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
-An important way to make sure the Security Planning is adequate is to design it into the U.S. CBDC from the onset, especially if the U.S. CBDC adopts the use of Distributed Technologies currently in wide use in cryptocurrencies. First, it is important to detail what needs to be secure and why. See Table {{ref>​datatypeSecurity}}. 
- 
-For a more detailed discussion, see the OMG DIDO-RA section on Non-Functional requirements for [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security |Securability]]. 
- 
-<table datatypeSecurity>​ 
-<​caption>​Main reasons why data needs to be secure.</​caption>​ 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​confidentiality ​   | Confidentiality]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​04_data_integrity ​ | Data Integrity]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​nonrepudiability ​  | Non-repudiation]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​authenticity ​      | Authenticity]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​accountability ​    | Accountability]] 
-</​table>​ 
- 
-All too often, projects try to "​bolt-on"​ security after products are built. When building as essential and critical to the U.S. as a new financial mechanism such as CBDC, it is essential to think about it at every stage of the development,​ starting at the specification of requirements and at each layer of securability. See Figure {{ref>​layerSecDarw}} and Table {{ref>​layerSec}} 
- 
-Securability is also a layered stack. At each layer, there are different steps that need to be taken to secure the system. For example, **Culture Security** it may just mean having employees hold a security clearance and/or take Drug Tests. For **Physical Security** it may mean having a locked facility to house the computers and network devices. Data Security might be software and cultural procedures such as encrypting all data stored in a disk drive and using software to access the data. 
- 
-<figure layerSecDarw>​ 
-{{  :​cbdc:​private:​cbdc_omg:​04_doc:​15_common:​48_natsec:​layers_of_security.png?​400 ​ |}} 
-<​caption>​The layers of Security.</​caption>​ 
-</​figure>​ 
- 
-<table layerSec>​ 
-<​caption>​The layers of Security.</​caption>​ 
-  - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​physicalsecurity ​   | Physical Security]] 
-  - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​datasecurity ​       | Data Security]] 
-  - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​n:​networksecurity ​    | Network Security]] 
-  - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​platformsecurity ​   | Platform Security]] 
-  - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​a:​applicationsecurity | Application Security]] 
-  - [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​securityculture ​    | Culture Security]] 
-</​table>​ 
-==== 5. Risk of Data being hacked due weak Security Infrasture ==== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
-  : //When Senator Mark Warner (D-VA) questioned witness Dr. Neha Narula, Director of the Digital Currency Initiative at MIT, on security risks associated with cryptocurrencies,​ she responded that, with respect to ransomware attacks, the issue is that valuable data has not been properly secured, and suggested that a CBDC could have built-in safeguards. She also believed that open source software is critical for security.//​(( 
-Buckley Firm, 
-__Senate holds hearing on central bank digital currency__, 
-16 June 2022, 
-Accessed: 24 April 2022, 
-[[https://​buckleyfirm.com/​blog/​2021-06-16/​senate-holds-hearing-central-bank-digital-currency]] 
-)) 
- 
-Data can exist in many states depending on how it is being used. Each of the different Data States poses its own risks of compromising data. The primary concern with data is that it compromises End User Privacy. See section [[cbdc:​private:​cbdc_omg:​04_doc:​15_common:​45_privacy:​start]]. 
- 
-The risks and concerns about Data in each of the different states are also important. Often, the primary focus for understanding data is to concentrate on [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​dataatrest | Data-at-Rest]]. Although this data is relatively static, it can change over time. In the past, there was little concern for [[https://​www.omgwiki.org/​dido/​doku.php?​id=[dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​data_in_motion | Data-in-Motion ]], which can have serious effects on [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​r:​ram |  Reliability,​ Maintainability,​ and Availability (RAM)]], as well as, [[https://​www.omgwiki.org/​dido/​doku.php?​id=[dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security | Securability]] and can leave a system vulnerable to breaches. With the advent of HTTPS, these vulnerabilities are mitigated. The latest issue has become the need to secure [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​data_in_use | Data-In-Use]]. A recent WhatsApp data breach (( 
-Czarina Grace, 
-__WhatsApp Data Breach 2021 Could Expose 2 Billion Users: Update Now on Android, iOS to Fix Security Risk__, 
-iTechPpost, 
-6 September 2021, 
-Accessed 6 October 2021, 
-[[https://​www.itechpost.com/​articles/​106929/​20210906/​whatsapp-data-breach-2021-expose-2-billion-users-update-now.htm]] 
-)) found that switching data between image filters could cause memory corruption followed by a crash that left data exposed. 
- 
-Figure {{ref>​DataStateFigure}} graphically represents the different Data States within a system. Most systems are now able to handle the Data-in-Motion and the Data-at-Rest issues but have traditionally relied on physical security to protect Data-in-Use. 
- 
- 
-<figure DataStateFigure>​ 
-{{  :​cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​data_states.png?​600 ​ |}} 
-<​caption>​The Various States of Data.</​caption>​ 
-</​figure>​ 
- 
-Any risk assessment must include the Security Infrasture and the state of data: 
- 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​dataatrest ​     | Data-at-Rest]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=[dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​data_in_motion | Data-in-Motion ]] 
-  * [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​data_in_use ​    | Data-In-Use]] 
- 
-==== 6. Risk of Meta-Data being hacked due weak Security Infrasture ==== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
-[[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​metadata | Metadata]] is data about data. Although this data can provide specific insight into personal data such as [[https://​www.omgwiki.org/​dido/​doku.php?​id=dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​pii | Personal Identifiable Information (PII)]] (see [[cbdc:​private:​cbdc_omg:​04_doc:​15_common:​45_privacy:​start | Privacy Concerns]]),​ there is also a problem with hackers gaining access to Metadata. ​ 
- 
-For example, knowing your name, address, phone number, and credit card details can be used to make illegal purchases in your name. This is a [[cbdc:​private:​cbdc_omg:​04_doc:​15_common:​48_natsec:​start | Criminal Activity]] in itself, but gaining information about your behavior and habits is a different kind of privacy violation. This information can be used to target you for advertisements or more nefariously specific scams. For instance, the metadata can now be used to determine that an individual is visiting a well-known cancer clinic and target the person for "​miracle cures"​. ​ 
- 
-Another example might be the discovery that a well-known founder and CEO of a publicly-traded company has visited the same well-known cancer clinic. This information is then used to in essence glean insider information about the company and make stock trades. 
- 
-The use of Metadata is the primary engine for companies such as Google, Facebook, Microsoft, Apple, etc. However, this is done using their own mechanism to collect the data and users sign their rights away with the Service Level Agreements (SLAs), etc they "​sign"​ when they choose to use these products. It is another thing to use government-provided data.  
- 
-Therefore, Metadata not only contains Data about Data, but it can also contain information about the association of data elements together. Sometimes this activity is referred to as Triangulation. ​ 
- 
-  : //​**Metadata Triangulation** describes taking two pieces of metadata to infer a great deal more. Let me give you an example. You take a picture of something with your iPhone. That picture has both a date/time stamp and a GPS location tag. Two different pieces of information that, when combined, can lead to so much more. Some examples of information that can be inferred are://(( 
-Aaron Edell, 
-__Coining a term: metadata triangulation__,​ 
-11 February 2016, 
-Accessed: 24 April 2022, 
-[[https://​www.linkedin.com/​pulse/​coining-term-metadata-triangulation-aaron-edell/​]] 
-)) 
-    * //The weather// 
-    * //Top news stories (including the content of those stories)// 
-    * //Local objects, buildings, structures, etc. // 
-    * //Natural disasters// 
-    * //Nearby housing prices// 
-    * //Stock prices, economic conditions, inflation, etc. // 
-    * //Flights overhead, traffic conditions//​ 
- 
-There is an assumption that Bitcoin transactions are anonymous, the reality is that they are anonymized. The following article by John Bohannon highlights the issue:(( 
-John Bohannon, 
-__Why criminals can't hide behind Bitcoin - Even with cryptocurrency,​ investigators can follow the money__, 
-Science, 
-9 March 2016, 
-Accessed: 24 April 2022, 
-[[https://​www.science.org/​content/​article/​why-criminals-cant-hide-behind-bitcoin]] 
-)) 
- 
-  : //Bitcoin, the Internet currency beloved by computer scientists, libertarians,​ and criminals, is no longer invulnerable. As recently as 3 years ago, it seemed that anyone could buy or sell anything with Bitcoin and never be tracked, let alone busted if they broke the law. "​It'​s totally anonymous,"​ was how one commenter put it in Bitcoin'​s forums in June 2013. "The FBI does not have a prayer of a chance of finding out who is who."//​ 
- 
-  : // The Federal Bureau of Investigation (FBI) and other law enforcement begged to differ. Ross Ulbricht, the 31-year-old American who created Silk Road, a Bitcoin market facilitating the sale of \$1 billion in illegal drugs, was sentenced to life in prison in February 2015. In March, the assets of 28-year-old Czech national Tomáš Jiříkovský were seized; he's suspected of laundering \$40 million in stolen Bitcoins. Two more fell in September 2015: 33-year-old American Trendon Shavers pleaded guilty to running a \$150 million Ponzi scheme—the first Bitcoin securities fraud case—and 30-year-old Frenchman Mark Karpelès was arrested and charged with fraud and embezzlement of \$390 million from the now shuttered Bitcoin currency exchange Mt. Gox.// 
-  ​ 
-In this case, it was the "good guys" who used the Metadata, but this could also have been used for nefarious activities and a U.S. CBDC needs to protect this kind of data. 
- 
-==== 7. Risk of Business Processes Being Hacked ==== 
-[[cbdc:​private:​cbdc_omg:​04_doc:​20_comments:​brp:​q11:​start| Return to Top]] 
- 
-Some government business processes need to be kept confidential,​ secret, or even top-secret when it comes to trying to audit or discover illegal or criminal activities. The reason is that if the processes were made readily available to the public, then the business process can be "​gamed"​ to avoid detection. In these situations, the government is involved in an "arms race" so to speak with those who want to avoid detection. The government business processes are continuously refined and honed to detect illegal or criminal activity, while the "bad guys" continuously test the system to find its weaknesses. ​ 
- 
-As an example, the process of trying to "​reverse engineer"​ the "​rules"​ of a government business process for determining if an individual return gets audited run rampant when it comes to triggering an audit by the Internal Revenue Service (IRS).(( 
-Jacob Dayan, 
-__IRS Audits: 10 Common Myths Debunked__, 
-Accessed: 24 April 2022, 
-[[https://​articles.bplans.com/​irs-audits-10-common-myths-debunked/​]] 
-)) 
- 
-More and more government business processes are using Artificial Intelligence (AI) to aid in the flow of the business process. Many of these AI processes are data-driven either through parameters or by using learning datasets continuously refined based on previous runs through the process. This means that either the original parameters or the learning data sets are subject to hacking attempts. 
- 
-  : //Budget cuts and a significant drop in Special Agents that investigate criminal tax crimes have led the IRS to use Artificial Intelligence (AI) to uncover criminal tax activities. In a recent webcast hosted by the American Bar Association,​ the IRS revealed that research and investigative techniques that used to take weeks or months may now be accomplished in minutes with technology the IRS is rolling out to detect taxpayer noncompliance.//​ 
- 
-  : //These computer tools are able to detect fraud, identity theft, money laundering, and hidden assets that Revenue Agents and Special Agents typically look for manually. The speed and sophistication of these computer data-mining programs have greatly increased the IRS’ efficiency.//​(( 
-Stahl Criminal Defense Lawyers, 
-Accessed: 24 April 2022, 
-[[https://​stahlesq.com/​irs-artificial-intelligence-detects-tax-evaders/​]] 
-)) 
- 
-If the government business processes are hacked, then the ability for illegal or criminal activities to go undetected is advanced. 
- 
-Another problem would be if the government'​s business processes themselves were "​hacked"​ to disable the government process or change the algorithms or parameters of the process to provide an unfair advantage. A simple example might be adding an exclusion for a certain individual within the process. 
  
 /​**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- /​**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
cbdc/public/cbdc_omg/04_doc/20_comments/brp/q11/start.1650828730.txt.gz · Last modified: 2022/04/24 15:32 by nick