When Senator Mark Warner (D-VA) questioned witness Dr. Neha Narula, Director of the Digital Currency Initiative at MIT, on security risks associated with cryptocurrencies, she responded that, with respect to ransomware attacks, the issue is that valuable data has not been properly secured, and suggested that a CBDC could have built-in safeguards. She also believed that open-source software is critical for security.¹⁾

Data can exist in many states depending on how it is being used. Each of the different Data States poses its own risks of compromising data. The primary concern with data is that it compromises End User Privacy. See section 4.4 National Privacy Considerations.

The risks and concerns about Data in each of the different states are also important. Often, the primary focus for understanding data is to concentrate on Data-at-Rest. Although this data is relatively static, it can change over time. In the past, there was little concern for Data-in-Motion , which can have serious effects on Reliability, Maintainability, and Availability (RAM), as well as, Securability and can leave a system vulnerable to breaches. With the advent of HTTPS, these vulnerabilities are mitigated. The latest issue has become the need to secure Data-In-Use. A recent WhatsApp data breach ²⁾ found that switching data between image filters could cause memory corruption followed by a crash that left data exposed.

Figure 1 graphically represents the different Data States within a system. Most systems are now able to handle the Data-in-Motion and the Data-at-Rest issues but have traditionally relied on physical security to protect Data-in-Use.

Figure 1: The Various States of Data.

Any risk assessment must include the Security Infrasture and the state of data:

• Data-at-Rest
• Data-in-Motion
• Data-In-Use