The article discusses the cybersecurity measures of digital payment ecosystems in modern conditions. It is shown that new instruments and work with digital national currencies supplement payment ecosystems. The cybersecurity of its platform and ecosystem has been identified as a major challenge in the implementation of the digital currency concept. Cybersecurity measures are classified: legal, technical, organizational, capacity-building, joint actions. The set of cybersecurity measures that need to be applied for the successful implementation of the digital ruble is highlighted: continuous monitoring and updating of the national cybersecurity strategy; creation and development of national and industry Computer Incident Response Teams; the use of a specialized software module of the Bank of Russia integrated with mobile applications of credit institutions; implementation of cryptographic protection of channels of user interaction with the infrastructure of the credit institution; generation and storage of a cryptographic key for a credit institution's client to access a digital wallet; conducting research by the central bank in the field of ensuring the offline regime in the transition to the digital ruble, providing access to the digital ruble platform based on the exchange of incident notifications, exchange of best practices, harmonization of minimum security measures within the framework of multilateral agreements on cybersecurity. It is proposed to form a budget and assess the feasibility of investments in cybersecurity, taking into account the definition of all risks, their quantitative measurement, and their prioritization.
3 https://www.cbr.ru/Content/Document/File/119960/Consultation_Paper_02042021.pdf 134 - Open platform model
VTB
MTS - Closed platform model - Open platform model
VK Pay
The introduction of the Bank of Russia Digital Ruble (RBDR)4 is a response to the challenges of global technology companies, which, through their global presence, are uniquely positioned to offer services in the area of global cross-border transactions. Today, the new major players in the financial services market (Big Tech, also known as the Tech Giants) are the digital companies that dominate the US information technology industry, namely Amazon, Apple, Google (Alphabet), Facebook, and Microsoft.
The proliferation of digital currencies offered by foreign companies will make Russian payments dependent on technologies developed and regulated in other countries. At the same time, digital currency as a new digital asset creates a new vulnerability to cyber-attack. In this regard, Russia, like other states, in the transition to digital currency, has to do a lot of work to create the necessary technical solutions to ensure the appropriate level of cybersecurity of the corresponding system.
Therefore, it seems logical to consider what cybersecurity of a payment system can be when paying with a digital ruble, based on possible models and mechanisms for implementing a digital currency, and what cybersecurity measures can be applied.
The sphere of cybersecurity is constantly changing, as threats, vulnerabilities, risks,
countermeasures in the internal and external environment are constantly changing [
The work provided a critical review of the literature on the study conducted in areas of interest and references to the Global Cybersecurity Index (GCI) and its methodology. This helped to define and apply the following guidelines in this study. 4 Concept of the digital ruble. Bank of Russia. URL: http://www.consultant.ru/document/cons_doc_LAW_381918 1. Cybersecurity issues are addressed through a multidisciplinary and holistic approach in line with the national concept of cybersecurity. 2. The structure of cybersecurity measures is based on five pillars: legal measures; technical measures; institutional measures; capacity-building measures; and cooperation measures. 3. The implementation of the digital currency concept is based on the development of both the national, and industry (financial and credit) Computer Emergency Response Team (CERT). The Bank of Russia Computer Emergency Response Team (FinCERT) was established in 2015 to consolidate financial and information security market participants in the fight against computer crime.
The study aims to help payments ecosystem actors identify threats and cybersecurity measures, improve overall cyber-security, harmonize practices and promote a culture of cybersecurity in the payments ecosystem, in the context of digitization.
At the end of June 2021, the International Telecommunication Union (ITU) of the United Nations published a new edition of the Cybersecurity Ranking of Countries. Russia ranked fifth with 98.06 out of 100 possible (table 1).
The structure of the cybersecurity index of Russia is shown in Figure 2.
The rating showed that the number of countries with cybercrime legislation had increased. The number of countries with a National Cyber Security Strategy has also increased. More than 50 percent of States reported that they had set up “Computer Emergency Response Team”. This represents an increase of 11 percent over 2018. In 2020, 64 percent of States reported that they had adopted national cybersecurity strategies (58 percent in 2018), and more than 70 percent had conducted awarenessraising campaigns (66 percent in 2018)5.
To implement the concept of the digital ruble, it is necessary to create a new payment infrastructure, integrated with the main one, allowing online and offline payments. Transactions with the digital ruble can be carried out through special payment applications similar to Google Pay, Apple Pay, and other similar services, or using remote banking services, mobile and online banks, using contactless payment technology.
Over the past two decades in Russia, the financial sector, as well as those companies that develop ecosystems that use payment technologies, have done a great job of introducing a culture of cashless payments. In recent years, according to literary sources, there has been an increase in the use of remote channels of access to financial services and non-cash payments by the population. According to the studied statistics, the share of non-cash payments by the population for goods and services in the total volume of retail trade, catering, and paid services to the population increased from 39% in 2016 to 70% in 2020. It is expected that the technology of using the national digital currency will be similar to the existing technologies of payments based on mobile phones, making it understandable for users.
Next, consider the conceptual two-tier retail model of the digital ruble shown in Fig. 1.
So, at the first stage of the transition to the digital ruble, it is necessary to test the emission of the digital ruble, transfers between individuals, and the interaction of the client, the bank, and the digital ruble platform. At the second stage of the transition to digital currency, it is necessary to conduct tests on payment for goods and services, on transferring non-cash money into digital rubles, and vice versa 5 https://www.cbr.ru/Collection/Collection/File/32122/Attack_2019-2020.pdf digital rubles into non-cash funds. The new functionality, which is the most complex and has not yet been fully studied in terms of implementation details, is offline calculations, that is, calculations in the absence of Internet access. If the possibility of offline settlements in digital rubles is realized (when implementing the government's plans to provide access to the Internet for every resident of the country in every locality), it is planned to provide for some measures aimed at protecting the interests of users (the possibility of restoring payments in case of loss of a device, limiting the number and total amount of transactions that can be performed during a certain period, the introduction of a limit on the amount of a single transaction).
The main types of computer attacks in the sphere of credit and finance in 2019-2020 are presented
in materials prepared by the Bank of Russia Computer Emergency Response Team (FinCERT) of the
Information Security Department of the Bank of Russia. The Federal Service for Technical and Export
Control (FSTEC) has developed the Information Security Threat Assessment Methodology. These
materials can be used to create a cybersecurity system for the transition to digital currency. As the
analysis of literary sources on cyber-threats and cyberattacks, in general, has shown, the threats to the
digital ruble are the same as those to the clearing of bank accounts and cards, as well as the risks inherent
in the segment of cryptocurrencies [
platform
Cybersecurity is a multi-disciplinary area, involving all sectors, industries, and stakeholders, both
vertically and horizontally [
digital currency and on amendments to certain legislative acts of the
2. Technical measures 3. Organizational measures
development measures
measures
organizations of the banking system of the Russian Federation.
security incidents during money transfers” STO BR IBBS-1.3-2016.
Terrorism»). 1.Technical measures of cybersecurity are presented in the form of various electronic equipment and communication networks, specialized software that performs protective functions (together with other means of protecting information or independently). In addition, cybersecurity measures are represented by systems for supporting search and applied research in the field of new technologies that ensure national security. 2.Cryptographic protection of user interaction channels with the infrastructure of a credit institution (encryption) when using a mobile application using cryptographic information protection tools, certified by the FSB of Russia.
institution's client to access a digital wallet
and strategic plans, as well as the formal definition of institutional roles, responsibilities, and responsibilities to ensure their implementation. These measures are indispensable in supporting the development and implementation of effective cybersecurity policies. The Bank of Russia should establish general strategic goals and objectives, as well as a comprehensive implementation and measurement plan. National agencies should be present to implement the strategy and evaluate the results. Without a national strategy, governance model, and oversight body, efforts across sectors collide, hampering efforts to achieve effective harmonization in cybersecurity development.
cybersecurity professionals, cybersecurity training courses, educational or academic programs, etc.). Measures to raise awareness, knowledge, and know-how in all sectors, for systematic and appropriate solutions and to promote the development of qualified professionals.
Cybersecurity measures (technical, strategic planning, capacity building) are investigated in [24].
Effective mechanisms and institutional structures at the national level are needed to reliably counter cyber risks and incidents. Computer Incident Response Teams (CIRTs) or Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs) enable countries to respond to incidents at the national level through a centralized point of contact and facilitate rapid and systematic action, allowing countries to learn from experience and build cyber resilience [24].
The cybersecurity costs of introducing the digital ruble will not necessarily reduce risks. Most of the funds will be spent on the introduction of new technologies that may be useless if you do not consider how the tool will be used and what threats it will be aimed at. Cybersecurity budgeting should begin with a thorough assessment of the threats, as well as the existing and potential risks associated with the digital ruble. After identifying all these risks, quantifying them, and prioritizing them, the Central Bank of the Russian Federation must determine a strategy to ensure cybersecurity. Only when all risks are taken into account in the strategy and the means of their control are determined, the Central Bank will be able to ensure proper effective and continuous management of cyber risks, and will be able to correctly form the budget in the field of cybersecurity. Assessing the feasibility of investing in cybersecurity can be performed using the guidelines presented to the US Agency for International Development in May 2020.
As a result of the research, the following main cybersecurity measures in the digital payments ecosystem during the transition to the digital ruble have been identified.
1. Continuous monitoring and updating of the national cybersecurity strategy with clear implementation plans. 2. Continuation of the creation and development of national and sectoral CIRT. 3. Application of a specialized software module of the Bank of Russia integrated with mobile applications of credit institutions. 4. Implementation of cryptographic protection of the channels of user interaction with the infrastructure of the credit institution (encryption) when using the mobile application of the credit institution with the use of cryptographic information protection tools, certified by the FSB (Federal Security Service) of Russia. 5. Generation and storage of a cryptographic key for a credit institution's client to access a digital wallet and sign orders for transactions with digital rubles. 6. Application of complex technological measures for information protection (logical control, structural control, duplication control, authorship control); organization of control over the integrity of "smart contracts". 7. Creation of digital rubles exclusively with the use of the issue key of the Bank of Russia. The Bank of Russia issue key is registered in the specially designated Certifying Center of the Bank of Russia (CC BR) for issues. 8. Conducting by the Central Bank of scientific research in the field of providing an offline regime in the transition to digital ruble. 9. The introduction of the digital ruble in stages, which will allow banks and trade and service enterprises, small and medium-sized enterprises to increase their potential and adapt their infrastructure for settlements in the digital ruble. 10.Ensuring access to the digital ruble platform and business continuity based on information exchange networks, exchange of incident notifications, exchange of best practices, harmonization of minimum security measures within the framework of multilateral agreements on cybersecurity. 11.Budgeting and assessing the feasibility of investments in cybersecurity, taking into account the identification of all risks, their quantitative measurement, and their prioritization.
[18] A. A. Petrenko, S. A. Petrenko, K. A. Makoveichuk, A. V. Olifirov, Methodological recommendations for the cyber risks management, CEUR Workshop Proceedings, volume 2914, (2021), pp. 234-247. URL: http://ceur-ws.org/Vol-2914/paper20.pdf. [19] A. S. Petrenko, S. A. Petrenko, K. A. Makoveichuk, P. V. Chetyrbok, Protection model of PCS of subway from attacks type «wanna cry», «petya» and «bad rabbit» IoT, Proceedings of the 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2018, 2018-January, pp. 945-949. DOI: 10.1109/EIConRus.2018.8317245. [20] Petrenko S. Cyber resilient platform for internet of things (IIoT/IoT)ed systems: survey of architecture patterns. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2021. N 2 (42). P. 81-91.
DOI: 10.21681/2311-3456-2021-2-81-91. [21] S. A. Petrenko, A. A. Petrenko, K. A. Makoveichuk, A. V. Olifirov, Development of a CyberResistant Platform for the Internet of Things Based on Dynamic Control Technology. In: Singh P.K., Veselov G., Vyatkin V., Pljonkin A., Dodero J.M., Kumar Y. (eds) Futuristic Trends in Network and Communication Technologies. FTNCT 2020. Communications in Computer and Information Science, volume 1395 (2021), pp. 144-154. Springer, Singapore. URL: DOI: 10.1007/978-981-16-1480-4_13. [22] S. A. Petrenko, K. A. Makoveichuk, A. V. Olifirov, Concept of cyber immunity of industry 4.0, CEUR Workshop Proceedings, volume 2603, (2019), pp. 93-99. URL: http://ceur-ws.org/Vol2603/paper20.pdf. [23] S. A. Petrenko, K. A. Makoveichuk, A. V. Olifirov, New Methods of the Cybersecurity Knowledge Management Analytics. In: Sukhomlin V., Zubareva E. (eds) Convergent Cognitive Information Technologies. Convergent 2018. Communications in Computer and Information Science, volume 1140 (2020), pp. 296-310. Springer, Cham. URL: DOI: 10.1007/978-3-030-37436-5_27. [24] Petrenko S. La Administración de la Ciberseguridad. Industria 4.0. Publicado según la decisión del consejo de redacción de la Universidad de Innopolis. Universidad de Oviedo, Universidad de Innopolis. Oviedo, Asturias, 2019.