Digital India Raises Security ConcernsExperts: Centralized Incident Response Mechanism Critical
On July 1, India's Prime Minister Narendra Modi launched 'Digital India,' to connect all gram panchayats by broadband internet, promote e-governance and transform India into a digital knowledge economy.
Its vision areas revolve around:
- Digital infrastructure as a utility to every citizen;
- Governance and services on demand;
- Digital citizen empowerment.
But the ambitious project has raised huge concerns among security leaders, given the increase in cyber-threats. They say digital transformation of every process will open up security vulnerabilities.
Experts believe 'Digital India's' success depends on the security platforms that deliver the services, and recommend developing centralized security incident response capabilities with the process.
"While I dream of a Digital India where high-speed digital highways unite the nation and 1.2 billion connected Indians drive innovation and technology ensuring the citizen-government interface is incorruptible, cybersecurity becomes a prime concern," Modi said during the 'Digital India' launch.
"Cybersecurity becomes an integral part of the national security, and we can innovate to provide security worldwide," Modi said.
Digital India Focus
In his welcome speech, IT minister Ravi Shankar Prasad said, "Digital India aims to connect the entire country through broadband by 2019."
Digital India will follow participative implementation. The government will invite suggestions from all stakeholders - citizens, the government and industry - and form innovative solutions. Implementation will be done in several bits and pieces, with each element very crucial in its own place. Every module will have its own timeline and a unique implementation plan. A collaborative approach will be followed by completing each module, thus contributing to the larger picture. Department of Electronics and Information Technology will be responsible for overall coordination. All initiatives, including establishing and expanding core ICT infrastructure and delivery of services, have deÂ¬finite completion targets.
The programme will pull together many existing schemes, restructured, re-focused and implemented in a synchronized manner. Most only require process improvements with minimal cost implications.
Says Prasad, DeitY's already launched "MyGov" (mygov.in) to facilitate collaborative governance. Several consultations and workshops have been organized to discuss implementation.
Says Siddharth Deshpande, principal analyst, Information Security and Datacenter Technology & Services, Gartner, "The success depends on effective information sharing across agencies and private sector entities; sharing can only be effective with clear regulations and a common understanding of data security and identity governance."
Security leaders anticipate challenges in data privacy and protection of critical infrastructure.
The reason is illiteracy, states Coimbatore-based S N Ravichandran, cyber investigator and member, Cyber Society of India. Fifty percent of Indians are uneducated and ignorant about online transactions, depending on a third party to transact for them. He sees key personal information leaked to a third party; so, what security are we talking about?
Mumbai-based Ambarish Deshpande, managing director-India, Blue Coat Systems, agrees. Through Internet of Things, smart cities will have every single device connected to others like never before, generating considerable amounts of data that must be protected. "This complex convergence makes it even more susceptible to cybercriminals, who will stir up confusion by hacking into networks," he argues.
Echoing him, Bangalore-based Sudeep Charles, product head - Asia Pacific & Japan at Akamai Technologies, cautions that given the crunch India faces in web security from infrastructure and expertise perspectives, securing critical data on this scale could pose challenges.
While experts commend 'Digital India,' saying it empowers inclusive and sustainable growth (with countrywide broadband access, digital locker linked with Aadhaar and mobile, etc.), the government must ensure India's critical information infrastructure is secured properly.
Ravichandran maintains the PM made a passing reference to cybersecurity and the need to defend against cyber-threats without mentioning strategy against attacks. "There's no mention of security or indigenisation of cyber hardware or software systems against threats," he says.
Security leaders believe data generated through 'Digital locker' (the campaign's first service, which provides a dedicated personal storage space to securely store government-issued e-documents and Uniform Resource Identifier link of e-documents issued by various departments) will be a goldmine for attackers. The slightest lackadaisical approach to securing data will be catastrophic.
How to Secure 'Digital India?'
While the government realizes that cyberspace is where all online digital assets, protocols and identities reside, interact and transact, and it's imperative to make cyberspace secure, the security fraternity is slightly skeptical about the processes and modalities.
Akamai's Charles observes that success in delivering services online to every one of 1.2 billion citizens hinges on the availability, performance and security of the platform through which they're delivered.
"The government could associate with the right partners through a public-private partnership to circumvent these challenges, while securely gaining scale without compromising on performance," Charles says.
Gartner's Deshpande believes security principles (across people, process and technology elements) must be built into the efforts from the outset.
He explains, "Digital platforms must be viewed as critical infrastructure and treated accordingly - adequate security incident detection and response must be enabled in a centralized manner."
Most agree security cannot be an afterthought; it must be ingrained within the initiative's very foundation.
One way of securing it is as Blue Coat's Deshpande suggests: "The government and security providers working together to deter cybercriminal activity and build a high security network."
Ravichandran recommends ways to strengthen security:
- Bring in Right to Data Privacy Act;
- Strengthen the legal support system to address cybercrime-related cases;
- Educate citizens on using the online system securely.
In response, Prasad announced, "The National Information Security Policy is in place to protect information and information-infrastructure in cyber space, build capabilities to prevent and respond to cyber-threats, reduce vulnerabilities and minimize damage from cyber incidents through institutional structures, people, processes, technology and cooperation as part of the 'Digital India' initiative."
But Ravichandran asks the fundamental question: "How effective and operational is this policy and process that the government has announced?"