====== 4.5 National Security Considerations ======
===== Overview =====
: **Note:** See the [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:m_acts_laws#appendix_mfinancial_laws_regulations_and_authorities | OMG DIDO-RA Financial Laws, Regulations and Authorities]] for more on Security.
The following Laws and Regulations governing Privacy, Money Laundering, Terrorism, and Financials apply in the U.S. and need to be part of any DIDO solution concerned with currency, money, financials, or cryptocurrencies. Often these Laws and Regulations are considered obstacles or barriers to innovation, but each law or regulation is developed in response to some situation that occurred in the past. To prevent a "modern" repeat of these situations, the laws and regulations should be upgraded, not ignored or overturned.
Some of these Laws, Regulations, and Authorities have general applicability to DIDOs when the data stored within the DIDO refers to [[https://www.omgwiki.org/dido/doku.php?id=didopublic:ra:xapend:xapend.a_glossary:p:pii | Personally Identifiable Information (PII) ]] and is therefore subject to the tenets of privacy. See [[https://www.omgwiki.org/dido/doku.php?id=didopublic:ra:xapend:xapend.a_glossary:r:right_to_privacy | Right to Privacy]].
Some Laws, Regulations, and Authorities are relevant to a DIDO when the DIDO is considered a [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:f:financial_instrument | Financial Instrument]] or a [[https://www.omgwiki.org/dido/doku.php?id=didopublic:ra:xapend:xapend.a_glossary:s:security_finance | Security]]. Certain [[https://www.omgwiki.org/dido/doku.php?id=didopublic:ra:xapend:xapend.a_glossary:c:cryptocurrency | Cryptocurrencies]] and [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:i:ico | Initial Coin Offerings (ICOs)]] may be found to meet the definition of an "investment contract" under the [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:h:howey_test | Howey Test ]], in which the U.S. Supreme Court ruled that an Investment Contract must:
- Have an investment of money
- Enter into a common enterprise
- Have the expectation of profit
- Be derived from the efforts of others
===== Details of National Security Considerations =====
Table {{ref>summaryLawsReg}} summarizes the number of Laws and Regulations covering National Security Considerations. The total number (i.e., **''44''**) indicates the complexity of the National Security issues that confront the CBDC. The more Laws and Regulations there are, the more effort is needed to coordinate CBDC efforts and to work with the Legislative and Executive Branches to keep the Laws and Regulations current with CBDC efforts.
Summary of the number of laws and regulations covering National Security Considerations.
|< 30% 20% 10% >|
^ National Security Consideration ^ No. of Laws and Regulations |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:10_human_traf| Human Trafficking ]] | 14 |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:20_drug_traf| Drug Trafficking ]] | 9 |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:30_corrupt| Corruption ]] | 10 |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder| Money Laundering ]] | 11 |
^ Total ^ **44** |
National Security Considerations are concerned with: Human Trafficking, Drug Trafficking, Corruption, and Money Laundering. Each is discussed in more detail in the subsection linked from the table above.
===== Examples =====
Examples of **security** Desirements identified during the White Paper Analysis conducted by the OMG's CBDC WG.
: **Note:** **''B''** = Benefit, **''P''** = Policy, **''R''** = Requirement, **''D''** = Design.
===== Discussion of Examples =====
The "desirements" specified in [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:15_summary:start&do=edit | White Paper]] and identified by the [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:15_summary:start | OMG's CBDC WG White Paper Analysis]] as **Security Issues** are listed in Table {{ref>securityReqDiscussion}}.
Security references of Desirements in the **White Paper**
|< 100% 5% 35% 60%->|
^ Desirement No. ^ Desirement Text ^ Comment ^
^ B0005 ^ Protect against criminal activity| |
Criminal Activity is a broad, extensive topic that requires an understanding of U.S. Laws and Regulations as well as international treaties and agreements. Within the context of the CBDC, criminal activity can be one or more of the following:
: 1. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:10_human_traf| Human Trafficking]]
: 2. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:20_drug_traf| Drug Trafficking]]
: 3. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:30_corrupt| Corruption]]
: 4. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder| Money Laundering]]
|
^ B0052 ^ Prevent Financial money laundering crimes |
There are already quite a few Laws and Regulations within the U.S. to cover [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder| Money Laundering]]. However, within the context of CBDC, these laws need to be reviewed, updated, or amended to reflect Digital Currency and how it might be used in Criminal Activities.
|
^ B0053 ^ Provide resiliency to threats to existing payment services—including:
: 1. operational disruptions
: 2. cybersecurity risks
|
**1. Operational Disruptions** occur when there is a failure in the infrastructure of the CBDC. This implies a compound [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc | Non-Functional Requirement]] that needs to be levied on the CBDC. The following **Non-Functional** requirements need to be specified for the CBDC:
: 1. **[[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:14_reliability | Reliability]]**
: a. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:14_reliability:01_matuity | Maturity]]
: b. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:14_reliability:02_availability | Availability]]
: c. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:14_reliability:04_faulttolerance | Fault Tolerance]]
: d. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:14_reliability:12_recoverability | Recoverability]]
: 2. **[[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:20_maintainability | Maintainability]]**
: a. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:20_maintainability:modularity | Modularity]]
: b. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:20_maintainability:reuseability | Reusability]]
: c. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:20_maintainability:analysability | Analyzability]]
: d. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:20_maintainability:modifiability | Modifiability]]
: e. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:20_maintainability:testability | Testability]]
: 3. **[[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:28_manageability | Manageability]]**
: a. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:28_manageability:02_types | Types of Manageability Functions]]
: b. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:28_manageability:04_costs | Manageability Costs]]
: c. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:28_manageability:06_system | System Manageability Issues]]
: d. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:28_manageability:08_software | Software Manageability Issues]]
**Note:** Although the OMG DIDO-RA provides general definitions for these non-functional requirements, only the Federal Reserve, in conjunction with the [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:28_manageability:08_software | CBDC Stakeholders]], can define these requirements in terms of the CBDC. This process takes time and there are no shortcuts. It is part of the Systems Engineering process.
**2. Cybersecurity Risks**, as with **Operational Disruptions**, represent a compound non-functional requirement for the CBDC. The following [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:25_security |Securability]] **Non-Functional** requirements need to be specified for the CBDC:
: a. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:25_security:confidentiality | Confidentiality]]
: b. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:25_security:04_data_integrity | Data Integrity]]
: c. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:25_security:nonrepudiability | Non-repudiation]]
: d. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:25_security:authenticity | Authenticity]]
: e. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:1.4_req:2_nonfunc:25_security:accountability | Accountability]]
Securability is also a layered stack:
{{ :cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:layers_of_security.png?400 |}}
The layers of Security.
The layers of Security:
: 1. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:p:physicalsecurity | Physical Security]]
: 2. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:d:datasecurity | Data Security]]
: 3. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:n:networksecurity | Network Security]]
: 4. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:p:platformsecurity | Platform Security]]
: 5. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:a:applicationsecurity | Application Security]]
: 6. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:securityculture | Culture Security]]
|
^ P0005 ^ Protect against criminal activity |
See **''B0005''**.|
^ P0024 ^ CBDC would need to comply with the U.S. robust rules |
^ Criminal Activity ^ Approx. Number of Laws and Regulations ^
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:10_human_traf| Human Trafficking]] | 14 |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:20_drug_traf| Drug Trafficking]] | 9 |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:30_corrupt| Corruption]] | 10 |
^ [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder| Money Laundering]] | 11 |
^ Total ^ **44** |
|
^ P0028 ^ Require significant international coordination to address issues such as:
: 1. common standards
: 2. infrastructure,
: 3. the types of intermediaries able to access any new infrastructure,
: 4. legal frameworks
: 5. preventing illicit transactions
: 6. the cost and timing of implementation
|
** 1. Common Standards: **
There are many "common standards" that can apply to Blockchains. See each of these sections for a list of applicable standards:
: a. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.b_stds:tech | DIDO RA - Technical Standard Bodies ]]
: b. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.b_stds:defact | DIDO RA - de facto Standards Bodies]]
Unfortunately, within the //"blockchain"// world, there is confusion about what constitutes a standard. Often, if something is Open Source, it is considered a standard. However, often these projects lack the rigor needed to be considered a //"standard"//. Also, see the discussion in the DIDO RA on [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.b_stds:defact:todo:start | Talk Openly Develop Openly (TODO)]] and look at the DIDO RA definition of a [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:s:sdo | Standards Developing Organization (SDO)]].
** 2. Infrastructure: **
The CBDC Infrastructure needs to be considered [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:m:missioncritical | Mission Critical]] since any loss of functionality could be considered as a threat to survival. This is why the desirements: **''B0053''**, **''D0015''**, **''D0016''**, **''D0017''** are in the **White paper**.
** 3. Types of Intermediaries able to access any new infrastructure: **
**''B0026''** specifies bridges between legacy and new payment services and this will require new infrastructure.
**''D0012''** specifies leveraging existing tools already in use by intermediaries.
** 4. Legal Frameworks: **
There are already legal frameworks in place to handle:
: a. [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start | National Privacy Considerations]]
: b. [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:start | National Security Considerations]]
Although these frameworks were developed without a CBDC, they already //"comply with the United States are subject to robust rules"// and are continuously being reviewed, updated, and amended based on new information obtained from the field. As part of this process, the CBDC needs to add to the existing frameworks rather than create new ones.
** 5. Preventing Illicit Transactions: **
There are two areas within the existing legal frameworks covering Illicit transactions:
: a. [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder | Money Laundering]]
: b. [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:30_corrupt | Corruption ]]
As with the Legal Frameworks above, these frameworks were developed without a CBDC but already //"comply with the United States are subject to robust rules"// and are continuously being reviewed, updated, and amended based on new information obtained from the field. The CBDC needs to add to these existing frameworks rather than create new ones.
** 6. Cost and Timing of Implementation: **
The CBDC is a complex issue that, once released, could have a life expectancy of many, many years. Only through extensive Systems Analysis, Engineering, Design, and Testing will CBDC have the stability it needs to instill confidence in the public (**''B0020''**).
|
^ D0013 ^ Design should facilitate compliance with a robust set of rules already intended to combat
: 1. money laundering
: 2. the financing of terrorism
: 3. customer due diligence
: 4. record-keeping
: 5. reporting requirements
|
** 1. Money Laundering: **
There are roughly **''11''** Laws and Regulations in the U.S. covering [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder| Money Laundering]] that took years to create, usually in response to known or discovered Money Laundering schemes that continue to evolve. In many ways, it is an //"Arms Race"//: the people with a need to launder money keep developing new ways around existing rules, requiring the government to create new rules.
The CBDC must at least start from the same place as the existing systems with as many of the rules in place as possible in order to prevent the entire system from imploding. It also needs to assess the current sets of Laws and Regulations to determine if there are required updates or amendments that need to be made before the CBDC can "go live".
** 2. Financing of Terrorism: **
The main way to finance terrorism is to engage in [[cbdc:public:cbdc_omg:8_append:20_glossary:financial_crimes| Financial Crimes]]. There are four main areas of Financial Crimes used to fund terrorism:
: a. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:10_human_traf| Human Trafficking ]]
: b. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:20_drug_traf| Drug Trafficking ]]
: c. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:30_corrupt| Corruption ]]
: d. [[cbdc:public:cbdc_omg:04_doc:15_common:48_natsec:40_launder| Money Laundering ]]
The U.S. and much of the rest of the world have developed extensive systems of Laws and Regulations to combat these crimes and the design of the CBDC should use and leverage these existing systems rather than try to build something new.
** 3. Customer Due Diligence: **
There are two main tools of [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:a:aml | Anti-Money Laundering (AML)]]:
: a. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:k:kyc | Know Your Customer (KYC)]]
: b. [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cdd | Customer Due Diligence]]
Both of these are well understood and documented in the existing system by Intermediaries. Regardless of the [[cbdc:public:cbdc_omg:04_doc:15_common:08_currency_models:start| Currency Model]] used for the CBDC (i.e., [[cbdc:public:cbdc_omg:04_doc:15_common:08_currency_models:10_cash:start| Digital Cash Model]] or [[cbdc:public:cbdc_omg:04_doc:15_common:08_currency_models:15_accounts:start| Digital Account Model]]), it should embrace these existing sets of tools and adapt them as needed.
** 4. Record Keeping: **
Under the [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:u:us_patriot_act_-_title_iii | US Patriot Act, Title III: Anti-money-laundering to prevent terrorism of 2001]], Title III facilitates the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Its [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:u:us_patriot_act_-_title_iii#second_subtitle | Second Subtitle]] attempts to improve communication between law enforcement agencies and financial institutions, as well as expanding **record-keeping** and **reporting requirements**.
Also, under the definition of [[cbdc:public:cbdc_omg:8_append:20_glossary:financial_crimes| Financial Crimes]] provided by the Federal Reserve, financial institutions must comply with a robust set of rules that are designed to combat Financial Crimes. These rules include [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cdd | Customer Due Diligence]], record keeping, and reporting requirements.
Therefore, the CBDC should rely on the existing Intermediaries to help provide well-documented, tried, and true Record Keeping. Blockchain Technology may help alleviate some of the record-keeping responsibilities, but the blocks must include enough information to support **record-keeping** and **reporting requirements**.
** 5. Reporting Requirements: **
See **4. Record Keeping** above.
|
^ D0016 ^ Design should include offline capabilities to help with operational resilience of the payment system |
See the answer to [[cbdc:public:cbdc_omg:04_doc:20_comments:dsn:q18:start]].
|
^ D0017 ^ Design should include digital payments in areas suffering from large disruption, such as natural disasters |
See the answer to [[cbdc:public:cbdc_omg:04_doc:20_comments:dsn:q18:start]].
|
| **''B''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#benefits| Benefit Considerations ]] |||
| **''P''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#policy_considerations| Policy Considerations]] |||
| **''R''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#risks| Risk Considerations ]] |||
| **''D''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#design| Design Considerations]] |||