Having been born and brought up in the semi-urban part of India, I am used to the Indian way of doing things when it comes to spending – one step at a time and, in all probability, thinking of what is immediately needed. This frugal way of living has served us for generations – though one can argue about the efficiency of this way on a long-term basis.
We plan to build the highways only when the requisite traffic is already there and hence there is no debate to be undertaken about the return on the investment as the highway infrastructure is lagging the traffic that is already there.
We build the roads and then return to put in the drainage system, broadband line, cable line or telephone line as needed, instead of building the road up front with various conduits already in place to avoid any repetitive digging of roads. (One can ask why this is not seen in our individual lives, whereby when we build a home we put in all the electrical wiring, water piping and drainage at the beginning, which is quite strange.) But we also do not shy away from continuously adding extensions to our houses as the need arises. Adding a few rooms or floors to an already existing structure as the family grows is a common sight.
When we are used to the frugal way of living, can that be the guiding light for building Digital India faster and at a lesser cost to the public exchequer (and hence to the taxpayer)?
Why bother about spending the resources on privacy and security? Shouldn’t we be focusing on having the availability of requisite digital services first and let their adoption be in place before we start spending our resources on securing them? Wouldn’t it help free the precious resources that can instead expedite the delivery of these services?
Having said that, let us spend some time to look at the attack surface that our Digital India is likely to be exposed to. Broadly speaking, there are three categories of attacks that the Digital India shall be subjected to –
- Denial of Service attacks
- Breach of Information Privacy attacks
- Data Integrity attacks
A Denial of Service (DoS) attack targets a service to make it unavailable for consumption by its users. For example, if the Income Tax site is under Denial of Service attack, taxpayers will not be able to make any tax payments during that duration while the service remains unavailable either completely or partially, causing anxiety and loss of productive bandwidth to taxpayers while delaying the realization of tax-revenue to the government.
If the website that is to issue the road-permit for material that is being sent over the road route becomes unavailable, all the new shipments would come to a halt during the period.
So, essentially, a Denial of Service attack pretty much cripples the service under attack and its impact is visible instantaneously.
While one can argue about the likelihood of a service being subjected to such an attack, the very objective of Digital India, to provide services through digital channels, requires the service infrastructure to be publicly available, and hence provides a set of readily known entry points from which an attack can begin. This is in contrast to closed or private networks, which one can assume to be somewhat, if not entirely, difficult to access and hence far less likely to come under attack, even though there are people who can, and probably rightly so, argue how perilous such an assumption can be. Cyber attacks from the past, the likes of the Stuxnet worm, are an easy reminder against the folly of assuming that private/closed networks are impenetrable.
While a successful attack requires a lot more than just an entry point, it certainly means that these entry points cannot be left unguarded and have to be secured to resist unauthorised attempts to enter.
One can think of this as no different from the need for a minimum level of immune system that every biological species needs to have in place in order to stay healthy in the standard environment that it lives in, and hence to fight a continuous onslaught of various forms of bacteria and viruses in order to keep them at bay. Some environments can be much more hygienic than others, but it is hard to conceive of a biological species that doesn’t require any immune system.
So, really the question herein is, will Digital India be effective and successful if the services are crippled every now and then?
As against the Denial of Service attack that leads to crippling of the very service, breach of information privacy attacks lead to a different kind of challenge altogether.
In the case of Denial of Service attack, the users who intend to consume the service are unable to consume it with the desired satisfaction related to its functionality and performance. In the case of a breach of information privacy attack, while the service remains available for usage, the appeal of service for its user-base starts fading away and hence the service may end up eroding its usability.
This is due to unauthorised access to information that is considered sensitive, and hence valuable, to the business or the individuals. Such access either leads to an embarrassing situation (for example, public sharing of sensitive medical information can be embarrassing for individuals, whereas the public sharing of an increase/decrease in per capita income by religion/caste can create an embarrassing situation for the government) or creates a situation of vulnerability (for example, public sharing of income data can make individuals/companies vulnerable to criminal elements, whereas the loss of privacy for sensitive defense information, or even insights into the email communication of ministers and officers of the Government of India, can leave the entire nation vulnerable to a competitive nation).
Either way, the service runs the risk of dying a slow death.
Think of this as a human being who is either sick, disabled or dead (all various forms of Denial of Service situations) vis-à-vis a human being losing their competitive position in society to engage in any fruitful social, personal and/or commercial activities because no one wants to engage with the person. Will Digital India be effective and successful if the citizens stay away from consuming those services? Building citizens’ confidence in a service is a critical aspect of their use of that service. One can think of the prevailing concerns around the privacy of Unique Identification Number (UID) data that are coming in the way of citizens’ adoption of UID-linked services. To clarify, while there are multiple aspects at play, one of the touted reasons for the opposition to the wider adoption of UID is the concern around privacy.
Lastly, Data Integrity attacks, while arguably new to the world of cyberattacks, have probably been known to mankind for a long time: empires have been won/lost on the back of wrong information.
Essentially, in a Data Integrity attack, the underlying data-set is modified without anyone being aware of it, leading to incorrect outcomes for the decisions made on the basis of that incorrect data-set.
Think of someone altering the data related to rainfall or area under cultivation or the amount of food-grain available in the storage or the number of people below poverty line etc. What will be the outcome?
The decisions being made in the wake of that incorrect data shall be incorrect – garbage-in-garbage-out.
The challenging part here is that it will be far too late before such an attack is discovered, and possibly in all cases the damage will already have been done. For example, a decision to have a particular mix of area under crop cultivation, made because it was incorrectly thought that there is an abundance of a particular set of food-grain, can lead to a situation whereby one set of food-grain is available in far too great an excess (leading to a crash in prices for those food-grains and hence bankruptcy for the farmers involved) whereas the other set is available in far too small a quantity (leading to sky-rocketing price inflation for those food-grains and, in turn, social unrest). Do we want to build a Digital India that can lead to such a scenario?
The jury is still out as to whether the answer to these questions is a resounding ‘no’, and hence there is no other choice but to explicitly acknowledge the need to build Information Security as a critical part of the Digital India that we intend to have in place, or whether it is still possible to do this in a different manner.
I leave the reader to make up her own mind, and do encourage her to find out why a nation like Singapore has not only put a department like the Cyber Security Agency (CSA) in place but has also changed its line of reporting to make it answerable directly to the Prime Minister’s office.
Rana Gupta, Vice President, APAC Sales, Gemalto
Rana Gupta is a veteran professional who has worked in the use of Licensing and Protection Technology for IPR Protection & Monetization, and in Information Protection. He currently works with Gemalto as APAC Vice President of Sales for Identity and Data Protection. Views expressed herein are personal and in no way represent any entity that the author works for.