Cyber security is a very challenging sector for any government, especially one that aims at inclusion and development through the use of digital technology and Aadhaar. Arushi Bedi caught up with Dr Ajay Kumar, additional secretary, Ministry of Electronics and IT (since promoted to secretary, Defence Production), at the Global Conference on Cyber Space to talk about the importance of Digital India, recent cyber attacks on Indian software and the lack of an international policy to deal with growing cyber threats.
What is India’s idea of cyber inclusion?
Today, India is perceived to be one of the fastest-growing cyber destinations in the world, recognised by all world powers thanks to Digital India. We are seen as an IT country which can provide solutions and services as well as one of the greatest users of technology, with a unique value proposition about how to use digital technologies with a human face while ensuring development.
This contrasts with how the western world sees technology—if you look at some of the original literature, it is characterised as a tool for productivity and efficiency. There is debate on whether IT in fact increases productivity or not with the Solow paradox, but never before has IT been used to improve development in sectors like agriculture, health, education, skill development, financial inclusion and poverty reduction. We have continuously striven to make sure that technology is used to leap onto development— something to which the world is now waking up.
How is the government working on achieving this philosophy?
This unique proposition is led by three major ideas. The first is creating affordable technology—not inferior technology, but superior technology which reduces the cost to the user. The second is an inclusive approach targeting not just the middle class and the urban population, but all the country’s 1.3 billion people, even those in the remotest of villages. The third is development. This has been very unique to the Indian idea. Given this, the scale of operations has increased tremendously. For example, under the JAM Yojana, we have the ability to deliver services to nearly the entire population thanks to mobile phones, Jan Dhan accounts and Aadhaar.
Such initiatives are also leading to increasing security threats. How is the government tackling those?
When you scale up the whole infrastructure so rapidly, cyber security requirements also become extremely important, and the government has taken high-level decisions to give greater importance to these. The first priority is to get an application going, but if one just concentrates on that, other aspects may be neglected. The second is to create the necessary capacity and acquire enough trained manpower to meet this growing need. We need lots of power within and outside the government.
Speaking of inclusion, the Aadhaar data collected by the government has proved to be unsafe from leaks. What is the government doing to make this data safer?
First, there has been no leak of Aadhaar data. If you leak it, that’s your problem. Security is always a moving target. No one can ever rest and say, “I am secure now,” in the digital space. No one is secure. Every time you reach a certain level of security, someone will find a way to breach it. The work on improving security is continuing on all applications, including Aadhaar. See, you do not go and look into the operational aspects of individual organisations, since that in itself would be a security breach. At our level, we actually look at the policy framework required to ensure that the broad systems are robust and are followed.
But many of our laws are now outdated, and don’t take into account emerging cyber security issues.
Today we have the IT Act which provides certain safeguards for data protection. Any person or corporate entity collecting sensitive personal data is responsible for taking reasonable measures for its security, and thus for any breach that occurs. But this has limitations, and that is why we are now creating the Data Protection Act under Justice B.N. Srikrishna. That said, the existing law is fairly reasonable. When the Act was framed in 2001, people didn’t foresee the issues we face today. There are provisions in the IT act such that, if a content platform collects data, they must ensure that it doesn’t get hacked or stolen and isn’t misused.
Google is accessing all your data. Such companies make you sign consent forms before use, so they can profile you fully.
So some measures are already in place, but things have become far more complicated. For example, the phone you use or Google is accessing all your data. Such companies ask you to sign massive consent forms before allowing you to use their services, so they are able to profile you fully. The problem is that there is no provision in this regard since they have taken permission and collected data. Today, thanks to this you see companies like Google and Amazon which are now worth hundreds of billions, whereas the user gets nothing.
What about international standards for cyber security?
Recently, the prime minister called for a global formal mechanism which is multi-stakeholder and discusses international cyber security. Currently, one has no recourse but to the Mutual Legal Assistance Treaty (MLAT) which is not meant for cyber warfare, but rather for the physical world where you make a request, wait for hours or days before getting a response and then send someone; a long, drawn-out process. In the cyber world, things change in a matter of seconds—you can’t afford to wait for very long. A multi- stakeholder mechanism is the need of the hour, and it is good that India has come forward and asked for it, since no other country has done so.
How does the government respond to cyber threats such as the recent Uber security breach or the WannaCry attacks that took place earlier this year?
The Indian Computer Emergency Response Team (CERT-In) is positioned to respond to any cyber threat. They are state-of-the-art and take part in collaborations the world over. They have been responding to all such situations. Every time an incident is reported to them, they analyse the event to see the kind of preventive measures that can be taken, and then distribute it to other vulnerable stakeholders. One attack may occur, but a second one can be prevented with proper information. They do detailed analysis to identify the attack, where it came from, what the vulnerabilities are.
Is the government also tapping into resources in the private sector?
We work very closely with the industry on various fronts. We work on developing solutions with the industry; start-ups are being encouraged and we are developing a cyber security grant which the Data Security Council of India (DSCI) manages on our behalf. We are finalising a policy which gives preference to cyber security products for government procurement. We set up a task force with NASSCOM and DSCI which has given a set of recommendations which we are examining and acting on. When you make cyber security products, you need to creatively do a lot of testing, which constitutes nearly 30 per cent of the costs— a significant hurdle for a start-up.
We are also working with the industry on formulating standards and creating testing infrastructure. We have set up several groups to decide the security standards for major devices or products which have large-scale application like mobile phones, set-top boxes, cameras and other devices that form part of the internet of things. These groups include industry, academia and government representatives. We have a highly specialised facility in standardisation testing and quality certification (STQC), which we are expanding, yet there are areas that the government doesn’t have the capability to test. Here we are tying up with other security labs and are encouraging them to come up with common criteria for lab infrastructure, since once these are mandated, there will be a need for a large number of security labs where the private sector can play a huge role.