Safety and cybersecurity

• In October, a US company, Resecurity, revealed the availability of Indians' personal data on the dark web.
• The data set included sensitive information of approximately 815 million citizens (55% of the population).
• It highlights the persistent problem of data breaches in India and points out the deficiencies in the government's handling of the situation.

The Issues

• Magnitude of Data Breach
  • The breach exposed personally identifiable information, making individuals susceptible to various types of fraud.
  • The information includes names, phone numbers, Aadhaar numbers, passport details and addresses.
• Government Response to Data Breach
  • It is characterized by denials, semantic evasions, and a lack of clear communication to citizens.
  • There is an absence of a comprehensive and efficient cybersecurity strategy by the Indian government.
  • It contrasts this with other countries, like the US, where incident response teams promptly address breaches, inform affected users, and implement short-term and long-term plans.
• Aadhaar Registration Concerns
  • The mandatory nature of Aadhaar registration despite a Supreme Court prohibition has been criticised.
    • The linkage of Aadhaar to various services creates unmanaged risks.
  • The government's ability to ensure foolproof security has also been questioned.
• Normalization of Data Breaches
  • The continuous news about data breaches is normalizing massive losses of personal data.
  • Despite claims of Aadhaar's success, there's a lack of information on how the government is managing the harms resulting from breaches.
• Data Protection Act Critique
  • The recently introduced Data Protection Act in India is criticized for not addressing sensitive health information adequately.
  • The government is exempt from data retention and erasure provisions.
  • The act also lacks provisions for correction, completion, and updation.

Recommendations

• Priority on Cyber Incident Management: The government is urged to prioritize the prevention, detection, assessment and remediation of cyber incidents.
• Transparency and Accountability: Transparency and accountability in the state's digital infrastructure should be increased.
• Establish Cybersecurity Board: Form a cybersecurity board with government and private sector participants to analyze and recommend improvements post-cyber incidents.
• Adopt Zero-Trust Architecture: Implement a zero-trust architecture and mandate standardized playbooks for responding to cybersecurity vulnerabilities and incidents.
• Defend and Modernise State Networks: Execute a plan for defending and modernizing state networks and update incident response policies urgently.
• People-Centric Approach: Put people at the centre of policies, ensuring immediate and transparent communication, assistance and remediation in the event of cyber incidents.

Conclusion

• There is a need for a robust cybersecurity strategy in India, particularly in safeguarding sensitive data like Aadhaar.
• A proactive and people-centric approach is crucial to address the challenges posed by cybersecurity threats and breaches.