The government’s move to link one billion of these numbers to bank accounts and mobiles is fraught with security risks. Studies say that digital security must be beefed up before this happens.
Alarm bells have been ringing in the ministry of electronics and information technology (MeitY) ever since Union finance minister Arun Jaitley announced on August 28 that the linking of one billion Aadhaar IDs with bank accounts and mobiles is very much on the cards. The minister, speaking at a function to mark the completion of three years of the Pradhan Mantri Jan Dhan Yojna, said that the linkage would ensure “financial inclusion” which will be “nothing short of a social revolution”.
Officials in MeitY are a worried lot. The ministry has been entrusted with the onerous task of ensuring cyberspace security in the country and managing the Indian Computer Emergency Response Team (CERT-In) which deals with hacking and related crimes. More importantly, it is also directly responsible for the functioning of the Unique Identity Authority of India (UIDAI) which operates the Aadhaar database. It will have an important role to play once the linkage referred to by Jaitley covers all Aadhaar cards—virtually the entire adult population in the country.
STOLEN DATA
A MeitY official told India Legal: “The finance minister has talked about a social revolution but we will need a cyber security revolution if the grand plan has to take off without floundering and losing its way. As things stand now, there are too many holes in the security set up which are being exploited by hackers. We have to prepare ourselves for a flood of cyber-related crime once the linkage happens. To make matters worse, no one is clear about the volume of Aadhaar data that has already been stolen or accessed by the wrong people.”
According to him, there are several reports with the ministry which point to the urgent need for a complete overhaul of the cyber security apparatus in the country. This will be a time-consuming process, but he feels it nevertheless needs to be done before any major three-way linkage is even attempted. “A new financial division of CERT-In has been promised. It has to be set up and tested. No system is fool-proof. The basic problem with Aadhaar is that the safety of data was not thought through when it was launched. Much of what is being done is a post facto response,” he added.
MeitY sources also point out that according to official data, 164 government websites were hacked during 2015. There have also been instances where government departments have placed Aadhaar numbers in the public domain. The problem, they say, has several dimensions. And laws alone cannot deter the criminals. Prevention and detection are key aspects in any fight because the cyber-criminal floats in cyberspace and may operate from a foreign land outside India’s jurisdiction.
MASSIVE LEAKAGE
International consultant Deloitte’s August 2017 report on Cyber Regulation in the Asia Pacific is the latest that has come to the notice of the ministry. The report makes a pertinent point: “Even though India is making leaps and bounds on the ‘Digital India’ initiative, it still does not have a cyber security framework.” It records that in 2016, hackers accessed and leaked details of 3.2 million customer cards from several Indian banks.
The report recommends a ten-fold path that must be implemented to make the security system well-oiled and in tune with the times. This includes developing a cyber risk culture that goes beyond the IT department and is incorporated into the management framework of financial service providers and in the government. It also talks about developing a dynamic contingency plan and keeping various arms of the government and financial services companies informed about developments across the world. It stresses the need to innovate through exchange of information. In short, a major attitudinal and infrastructural change is recommended to make cyber security effective, up to date and relevant.
Shree Parthasarathy, partner, risk advisory services, Deloitte India, explained in a note: “While businesses are accelerating their adoption of digital and other emerging technologies, criminals and organised crime are not far behind. They are going digital too and they seem to have far more at stake. This is validated by the increase of cybercrime/fraud and breaches… India still does not have a cyber security framework and its National Cyber Security Policy lacked an implementation framework and is yet to be adopted by industry. Which leads to the next question: Is our cyber space safe? While we go Digital, India Inc and the Government have to embrace the fact that Cyber Security is not an option. We need to accelerate the pace of implementation of security measures before it is too late and before citizens start losing trust in the system.”
Jaitley did not specify any date when the great Aadhaar revolution will happen. But as things stand, a finance ministry notification of June 1, 2017 (No2/F. No P. 12011/11/2016-Es Cell-DOR) makes it compulsory for all bank account holders (including corporate accounts) to link their accounts with their PAN and Aadhaar numbers before December 31, 2017. On August 30, the government told the Supreme Court that pending hearings on the matter, it will extend the deadline to furnish Aadhaar details to avail benefits from September 30 to December 31. So, the last day of 2017 will see Jaitley’s revolution unless the court rules against the integration of Aadhaar at multiple levels.
A Defence Threat
That India needs to beef up its cyber security to protect itself against spying was recently illustrated in a report by Symantec Corporation, a California-based digital security company. According to a Reuters report, Symantec identified sustained cyber spying of both India and Pakistan dating back to October 2016. It suspects that it was a state-sponsored effort at a time when tensions were mounting between the two countries. The campaign appeared to be the work of several groups, but tactics and techniques used suggest that the groups were operating with “similar goals or under the same sponsor”, probably a nation state, according to the threat report. It did not name the state.
The malware used for the “breaking in” was Ehdoor. Malware is software specifically designed to disrupt, damage or gain unauthorised access to a computer system. This malware allows spies to upload and download files, carry out processes, steal personal data and take screenshots.
According to Symantec, the attackers used decoy documents related to security issues in South Asia to install the malware. The documents included newspaper and news agency reports related to military issues and Kashmir.
In a Wi-Fi Risk report released in July this year, Symantec also drew the conclusion that 96 percent of Indians put personal information at risk while using public Wi-Fi. They apparently risk checking bank accounts, photos, videos and emails, little realising that their mobiles and laptops can be easily accessed through unsecured Wi-Fi networks or even vulnerable apps.
DEMONETISATION DEMONS
The Deloitte report did not factor in the Aadhaar aspect since it is yet to happen. But other studies with MeitY have examined this in detail. And the prognosis is not very encouraging, to say the least. One report that is being discussed in the government and in MeitY is a confidential study conducted by senior scientists Manindra Agarwal and Sandeep Shukla of the Center for Cyber Security for Critical Infrastructure at IIT-Kanpur. It highlights the following key points:
- Digitalisation of the banking sector post-demonetisation has led to a sharp increase in cyber-crime. Since the government is pushing towards Aadhaar-based financial transactions, securing the Aadhaar database should be accorded top priority.
- It has come to light that certain banks have carried out hundreds of transactions using the Aadhaar numbers without informing citizens.
- With the Aadhaar number being integrated with various services, leakage of UID data is a matter of serious concern.
- Financial institutions, banks, and online transactions are vulnerable to cyber-crime. Digital wallets promoted post-demonetisation like Paytm and BHIM are unsafe.
- An advanced layer of protection is missing in most financial institutions and the banking system.
- A Cyber Security Commission needs to be urgently established, modelled on the Atomic Energy Commission with similar powers and mandate, since it also involves defence risks (see box) as well as finance-related concerns.
In a recent interview, Dr Sandeep Shukla, who co-authored the IIT-Kanpur study, pointed out some of the problems related to Aadhaar. To quote: “The database does not seem very secure. The entire process of Aadhaar-enabled services is prone to cyber attacks. The biggest worry should be ‘insider attacks’. What is most scary, though, are the statements made by officials in the UIDAI—one saying that even if your Aadhaar number is leaked, it is not a danger, or someone else saying that planes also have accidents and likewise cyber attacks would happen—that display a total lack of understanding or complete indifference to privacy and individual security. Linking Aadhaar with all kinds of services is making things worse.”
So, how does the government secure the already stolen data? It has to call in experts for advice, perhaps even delete the biometrics and put the UID numbers to limited use.
A sweeping vision of one nation linked by Aadhaar may only usher in a revolution which may benefit cyber thieves, hackers and those who make millions by trading data.
—By India Legal Bureau