GS Paper II

News Excerpt: 

Recently, resecurity, a US company, informed the world about the availability of Indians’ personal data on the dark web.

More about news:

• The seller of the data set was providing verifiable, sensitive information of 55 per cent of the Indian population — roughly around 815 million ( 81.5 crore) citizens.
• This included personally identifiable information like name, phone number, Aadhaar number, passport number and address. 
• All for a paltry sum of $80,000. 

Past incident:

• Earlier in the summer, multiple reports surfaced about a leak that exposed the personal information of individuals registered on the CoWin website. 
• In 2022 - November, Delhi’s prestigious AIIMS had to work with pen and paper to register a sea of patients after a ransomware attack. 

Implications of sensitive information:

• Thieves who have stolen names, Aadhaar numbers and passport information can use that information not only to sign up for new accounts in the victim’s name.
• For example,
• To commit tax identity theft.
• Online-banking theft.
• Financially motivated scams. 
• Rise in cyber frauds, with people losing their life savings, taking on debt and suffering shame and stigma for having been scammed.

Issues of data breaches - US and India incident response system:

• Incident Response in US - The Biden administration has issued multiple Executive Orders to modernise and implement stronger cybersecurity standards in the federal government. 
  • When such instances happen, the Computer Emergency Response teams spring into action and impacted users are informed and educated about what steps they can take to reduce the chance that their information will be misused. 
  • Basically, a near-term and a long-term plan is devised and executed. 
    • These strategies and tactics have been instrumental in reducing the impact of data breaches.

Incident Response in India - 

• There are various issues involved with the Indian system that are responsible for the data theft in India.
  • Citizens are never informed about the leak of their personally identifiable information or educated about any recourse. 
  • They are left to their own devices until the next breach happens.
  • If the government of India were a business, it would have seen a sharp decline in its stock value, coupled with a mean market cap loss of billions of dollars resulting in a credit rating downgrade. But because market forces don’t apply to governments, the Indian government continues to operate without a long term cyber security strategy.

How can Aadhaar be a problem?

• Despite a crystal-clear prohibition issued by the Supreme Court against making Aadhaar registration mandatory.
  • The central government and enthusiastic parties in both state governments and industry proceeded to adopt Aadhaar-based technology.
  • Impose requirements for Aadhaar registration for social services and benefits 
    • Educational scholarships.
    • To booking railway tickets 
    • To marrying voter ID databases to Aadhaar. 
• By making Aadhaar registration mandatory, the government imposed on every Indian citizen an unmanaged risk of digital environment catastrophe.

• In 2018, the Supreme Court, recognised that the Aadhaar number is the “bridge” linking all the silos of information and behavioural data collected through the vehicle of the “smartphone” in contemporary networked society. 

• The Court also recognised that UIDAI’s “Verification Log” contains enough data about the activities of citizens that a “leak” would involve an unconstitutional violation of privacy. 
• But it did not do much, saying that UIDAI’s computer security will eventually become “foolproof”. 
• The constant flow of news about data breaches, whether at Comcast or UIDAI, is normalising massive losses of personal data. 
• Despite all the puffery and all the claims about how Aadhaar makes India a world leader, no one has so far intimated how we are managing the obvious harms that are plaguing our society. 
• From Brookings to Moody’s to the CAG, everyone has called out UIDAI on its failure to properly regulate its client vendors and address security, lack of transparency and accountability.

India’s steps for data security:

• The Draft National Data Governance Framework Policy aims to ensure that non-personal data and anonymized data from both Government and Private entities are safely accessible by the Research and Innovation ecosystem.
• CERT-In issued “Guidelines on Information Security Practices” for Government Entities for Safe & Trusted Internet.
• The Information Technology Act, 2000 (“IT Act”) and rules made thereunder contain several provisions for safeguarding users in cyberspace.
• The Ministry of Home Affairs operates a National Cyber Crime Reporting Portal (www.cybercrime.gov.in) to enable citizens to report complaints pertaining to all types of cybercrimes, with special focus on cybercrimes against women.
• The Government of India has made the personal data protection act, 2023 for the security and privacy of data of the common citizens of the country.

Limitations of  Recent Data protection act:

• India’s recently introduced Data Protection Act does nothing to address sensitive health information. 
• Under Clause 17(4), in fact, the government is exempt from provisions of data retention and erasure of personal data. 
• Unless that data can make a difference in making a decision about a data principal, right to correction, completion and updation is also not available. 
• Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. 
• The Act allows transfer of personal data outside India, except to countries notified by the central government.  This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
• The Act does not grant the right to data portability and the right to be forgotten to the data principal.
• The Act does not regulate risks of harms arising from processing of personal data. 

Way forward:

• Make the prevention, detection, assessment, and remediation of cyber incidents a top priority. 
• Recognise the importance of digital infrastructure as essential to national and economic security of the population. 
• Make the state digital infrastructure trustworthy by increasing transparency and accountability. 
• A cyber security board should be established with government and private sector participants that has the authority to convene, following a significant cyber incident, to analyse what happened and make concrete recommendations for improving cybersecurity. 
• Adopt a zero-trust architecture, and mandate a standardised playbook for responding to cybersecurity vulnerabilities and incidents. 
• Urgently execute a plan for defending and modernising state networks and updating its incident response policy.

Conclusion:

It should be the government's responsibility to Put people at the centre of all policies. Informing them immediately, helping them protect themselves and remediate fallout from cyber incidents.

Mains PYQ:

Q. Implementation of Information and Communication Technology (ICT) based projects/programmes usually suffers in terms of certain vital factors. Identify these factors and suggest measures for their effective implementation. (UPSC 2019)

Q. Impact of digital technology as a reliable source of input for rational decision making is a debatable issue. Critically evaluate with suitable example. (UPSC 2021)