Govt must address vulnerabilities
The reported illegal offer for sale of the private data of some 30 million railway passengers is the latest incident highlighting the dangers of an insecure, yet digitally enabled economy. This breach comes on the heels of a cyber-ransom attack targeting the county’s top medical institution. These two incidents are just the highly visible tip of a cybercrime iceberg. India has turned into a major hub for global cybercrime and the large volume of cybercrimes makes it obvious that the policy thrust towards Digital India must be backed up by a far more robust cybersecurity regime. Large databases of personal data are sold regularly, more or less openly, in an almost normalised fashion. There have been innumerable data breaches and leaks on smaller scales across multiple sectors. There are organised gangs, making a living out of running phishing scams and cybersex blackmail rackets. India also registers a very high number of cyberransom attacks.
None of this should be surprising. India is famously the cheapest place in the world in terms of data tariff. It is also the nation with the highest per capita data consumption. As new high-speed internet technologies such as 5G and satellite broadband roll out, data generation is likely to rise exponentially even off this high base. The Digital India initiative aims to deliver the entire spectrum of government services online, and it also aims to enable a cashless digital economy operating across the entire range of products and services offered by the private sector. The Unified Payments Interface ties together many disparate fintech service providers, and financial entities generate billions of daily transactions. The Open Network for Digital Commerce is even more ambitious in that it conceptualises end-to-end seamless logistics, and transactional ability across the retail and e-commerce space.
However, in an economy where everybody, the local shopkeeper included, is digitally enabled, and a high and rising proportion of transactions is digital, there is a lack of consciousness about the need for cybersecurity. There are also legislative lacunae in that India doesn’t have a personal data protection law. If a large number of organisations is connected digitally, and there’s a policy thrust to further increase the size and complexity of the digital network, cybersecurity can only be as good as the weakest links in the network.
Policymakers need to recognise this and adjust the approach to make the citizens of this country aware of the dangers in a prescriptive way. Agencies like the Indian Computer Emergency Response Team (CERT-In) need to look at creating outreach programmes to spread the gospel of cybersecurity well beyond government organisations and companies to individuals. A personal data protection law needs to be implemented at the earliest and it needs to offer the citizens both adequate protection and the chance of recompense for damaging data leaks, possibly through allowing class-action suits to claim damages from the leaking organisations. These are policy issues that can be tackled only by the government and must be followed on an urgent basis. Many citizens are already concerned about data issues like surveillance via the digital economy. If they also become nervous about making transactions with various organisations and businesses, the aim of Digital India would be undermined. The country thus needs to invest in cybersecurity and data protection.