Cyber security is a very challenging sector for any government, especially one that aims at inclusion and development through the use of digital technology and Aadhaar. Arushi Bedi caught up with Dr Ajay Kumar, addÂitional secretary, Ministry of Electronics and IT (since promoted to secretary, Defence Production), at the Global ÂConference on Cyber Space to talk about the importance of Digital India, Ârecent cyber attacks on Indian software and the lack of an international polÂicy to deal with growing cyber threats.
What is India바카라s idea of cyber inclusion?
Today, India is perceived to be one of the fastest-growing cyber destinations in the world, recognised by all world powers thanks to Digital India. We are seen as an IT country which can provide solutions and services as well as one of the greatest users of technology, with a unique value proposition about how to use digital technologies with a human face while ensuring development.
This contrasts with how the western world sees technology바카라if you look at some of the original literature, it is characterised as a tool for productivity and efficiency. There is debate on whether IT in fact increases productivity or not with the Solow paradox, but never Âbefore has IT been used to improve devÂelopment in sectors like agrÂiculture, health, ÂeduÂcation, skill development, finÂancial Âinclusion and poverty reduction. We have continuously striven to make sure that technology is used to leap onto Âdevelopment바카라 something to which the world is now waking up.
How is the government working on achieving this philosophy?
This unique proposition is led by three major ideas. The first is creating affordable technology바카라not inferior technology, but superior technology which reduÂces the cost to the user. The second is an inclusive approach targeting not just the middle class and the urban population, but all the country바카라s 1.3 billion people, even those in the remotest of villages. The third is development. This has been very unique to the Indian idea. Given this, the scale of operations has increased tremendously. For example, under the JAM Yojana, we have the ability to deliver services to nearly the entire population thanks to mobile phones, Jan Dhan accounts and Aadhaar.
Such initiatives are also leading to incÂreasing security threats. How is the government tackling those?
When you scale up the whole infrastructure so rapidly, cyber security reqÂuirements also become extremely impÂortant, and the government has Âtaken high-level decisions to give greater impÂortance to these. The first priority is to get an application going, but if one just concentrates on that, other aspects may be neglected. The second is to Âcreate the necessary capacity and acquire enough trained manpower to meet this growing need. We need lots of power within and Âoutside the government.
Speaking of inclusion, the Aadhaar data collected by the government has proved to be unsafe from leaks. What is the government doing to make this data safer?
First, there has been no leak of Aadhaar data. If you leak it, that바카라s your problem. Security is always a moving target. No one can ever rest and say, 바카라I am secure now,바카라 in the digital space. No one is secÂure. Every time you reach a certain level of security, someone will find a way to breach it. The work on improving securÂity is continuing on all applications, incÂluding Aadhaar. See, you do not go and look into the operational aspects of indÂividual organisations, since that in itself would be a security breach. At our level, we actually look at the policy framework required to ensure that the broad systems are robust and are followed.
But many of our laws are now outdaÂted, and don바카라t take into account emerging cyber security issues.
Today we have the IT Act which provides certain safeguards for data protection. Any person or corporate entity collecting sensitive personal data is responsible for taking reasonable measures for its security, and thus for any breach that occurs. But this has limitations, and that is why we are now creating the Data Protection Act under Justice B.N. Srikrishna. That said, the existing law is fairly reasonable. When the Act was framed in 2001, people didn바카라t foresee the issues we face today. There are provisions in the IT act such that, if a content platform collects data, they must ensure that it doesn바카라t get hacked or stolen and isn바카라t misused.
So some measures are already in place, but things have become far more Âcomplicated. For example, the phone you use or Google is accessing all your data. Such companies ask you to sign massive consent forms before allowing you to use their services, so they are able to profile you fully. The problem is that there is no provision in this regard since they have taken permission and collected data. Today, thanks to this you see companies like Google and Amazon which are now worth hundreds of billions, whereas the user gets nothing.
What about international standards for cyber security?
Recently, the prime minister called for a global Âformal mechanism which is Âmulti-stakeholder and discusses intÂernational cyber security. Currently, one has no recourse but to the Mutual ÂLegÂal Assistance Treaty (MLAT) which is not meant for cyber warfare, but rather for the physical world where you make a Ârequest, wait for hours or days before getting a response and then send someone; a long, drawn-out Âprocess. In the cyber world, things change in a matter of seconds바카라you can바카라t afford to wait for very long. A Âmulti- stakeholder mechanism is the need of the hour, and it is good that India has come forward and asked for it, since no other country has done so.
How does the government respond to cyber threats such as the recent Uber security breach or the ÂWannaCry attÂacks that took place Âearlier this year?
The Indian Computer Emergency ResÂponse Team (CERT-In) is positioned to respond to any cyber threat. They are state-of-the-art and take part in collaborations the world over. They have been responding to all such situations. Every time an incident is reported to them, they analyse the event to see the kind of preventive measures that can be taken, and then distribute it to other vulnerable stakeholders. One attack may occur, but a second one can be prevented with proper information. They do detailed analysis to identify the attack, where it came from, what the vulnerabilities are.
Is the government also tapping into Âresources in the private sector?
We work very closely with the industry on various fronts. We work on developing solutions with the industry; start-ups are being encouraged and we are developing a cyber security grant which the Data Security Council of India (DSCI) manages on our behalf. We are finalising a policy which gives preference to cyber security products for government procurement. We set up a task force with NASSCOM and DSCI which has given a set of recommendations which we are examining and acting on. When you make cyber security products, you need to creatively do a lot of testing, which constitutes nearly 30 per cent of the costs바카라 a significant hurdle for a start-up.
We are also working with the industry on formulating standards and creating testing infrastructure. We have set up several groups to decide the security standards for major devices or products which have large-scale application like mobile phones, set-top boxes, cameras and other devices that form part of the internet of things. These groups include industry, academia and government representatives. We have a highly specialised facility in standardisation testing and quality certification (STQC), which we are expanding, yet there are areas that the government doesn바카라t have the capability to test. Here we are tying up with other security labs and are encouraging them to come up with common criteria for lab infrastructure, since once these are mandated, there will be a need for a large number of security labs where the private sector can play a huge role.
