Just today, I had sent a letter to the RBI Governor Mr Urjit Patel to immediately issue the “Limited Liability Circular” of August 11th in an operational form. (Refer this article)
The circular was first issued in draft form for public comments upto August 31. Now, it is 3 months since the closure of the public comments but RBI has not yet re-issued the circular.
We had expressed our apprehension earlier that the powerful vested interest lobbies may prevent the RBI from going ahead and unfortunately, our apprehension has proved to be correct.
The letter sent today has been marked as copy to the Finance Minister and the Prime Minister and hopefully it would not be ignored.
In the meantime, the hacking of Twitter accounts of Mr Rahul Gandhi and other INC accounts created a flutter today about the need for Cyber Security in the emerging digital India. Though the current issue was relatively innocuous from the point of view of Cyber Security in Digital India, the noise made by the Congress workers in the TV studios today has attracted some public attention about the risks ahead of us and to that extent, we welcome the attention that Cyber Security deserves.
Just to place things on record, preliminary information indicates that the e-mails in the inc.in server might have been compromised and resulted in the twitter passwords being stolen leading to what we now call as hacking. This is similar to the website defacements and despite the public outcry is a low priority cyber security event.
However, there is a possibility that the information in the compromised e-mail accounts could have reached the hacker’s hands and there is a faint possibility that it may lead to a situation similar to what Hillary Clinton is facing in USA due to Wikileaks hacking of her personal e-mail server.
The views of Cyber Security specialists is that possibly some of these account holders must have been using wweak passwords of the type “Password123” or “abcd1234” etc which could have resulted in the compromise. May be this will be known in the next few days. The way Congress spokes persons were talking as if it was a national security issue was a little amusing.
On the other hand, the existence of risks to the digital India projects including the now aggressively promoted digital banking systems is very real and needs to be addressed. Government is now thinking of an Aadhar based bank payment system which could result in its own risk vectors to add to the UPI, the USSD codes and Mobile wallets besides Internet banking. Our Bankers are yet to implement adequate security measures for Internet Banking which is in use since around 2000 and there is no way to consider that they are ready for handling the risks associated with other platforms.
The proposed system intends to integrate all bank accounts of a customer linked to Aadhar to be accessible through a mobile using a biometric capturing app/usb device to enable all banking transactions. While the idea looks attractive, it would be a KYC based account access which can expose Rs 50000/- from each of the customer’s account to the risk of hacking, unlike a limit of Rs 1000/- per month in the PayTm type of mobile wallets. This will therefore increase the risks for uninformed customers several folds.
In this context the need for the “Limited Liability” of customers to be defined under regulation and provision of “Cyber Insurance for All” become essential for survival of digital India as well as Mr Modi’s political future.
This has been brought to the attention of Mr Modi himslef through direct letters but unfortunately there is no confirmation about any action taken suggesting the recognition of this risk so far.
There is definitely lack of support at the PMO level and DeITy to enable Mr Modi to focus on the developmental projects without worrying about security issues.
Now it appears that a committee of experts has been formed by the Government to further promote Aadhar based payment systems but there is no indication if this committee would also take care of the security issues.
Knowing the composition of the team (which consist of Mr Nandan Nilakeni amoing others) and the pressing priorities of finding a quick solution to the currency shortage, this committee will further push implementation of new avenues of digital banking but will not focus on security.
The Committee would be like any IT team in a company which focusses on functionality but does not prioritize on security which needs a separate Infosec team to supervise along with a compliance team to ensure that the technical measures are within the legal framework.
It is the lack of such foresight which has placed the demonetization action under the judicial review of a generally hostile Supreme Court which could have been avoided if there was better compliance consultancy available to the Government.
In other words, apart from the committee already formed, the Government needs an expert committee on “Security of Digital India Projects” and an expert committee on “Legal Compliance of IT and Inforamtion Security Initiatives of Digital India”.
Let’s hope that the Twitter hacking incident will remind Mr Modi to initiate necessary action in this regard.