How secure is the Aadhaar biometrics project in India?
E Security, January 21st
India has been implementing a biometrics project called "Aadhaar" since 2009. In recent years, it has collected biometric data (including photos, ten-finger fingerprints and iris scans) for approximately 1.2 billion people across India and provided a unique 12-digit identification number for each resident. As a result, the government can provide subsidies, medical care, social security, training, employment and other services directly to each citizen. However, as one of the largest biometrics projects of its kind in the world, it has seen disputes over privacy, security and other aspects arise one after another.
Can such a huge project really guarantee safety?
Prior to this, Edward Snowden, a former employee of the US Security Agency, and Troy Hunt, an Australian security expert, had questioned the security of Indian databases. A 2017 study conducted by PricewaterhouseCoopers and Assocham showed that the number of attacks on Indian websites has increased fivefold over the past four years, with cybercriminals striking every 10 minutes in the Indian capital. This also shows that the "Digital India" program has in fact invested very little in security.
Various databases at risk
The implementation of the "Digital India" program has spawned many important databases covering a large amount of sensitive personal information for each resident, including bank transaction records, tax files, passport details, property ownership, birth certificates, photos, etc. Data across systems and institutions continues to grow rapidly in this form. Every month, hundreds of thousands of people in India apply for Aadhaar accounts or update and correct personal information.
While the amount of data has exploded, the security of the database has obviously become a hot topic. Simply put, if there are not enough protective measures, the connection with the Aadhaar system will inevitably pose a risk to the security of the data.
Who uses the data and who keeps it? How do these organizations use the data?
The use of data is mixed, but we find it difficult to identify malicious users. After the Indian government implemented the Aadhaar project, it gained a lot of convenience.
The identification number provided by the Aadhaar project is bound to a mobile phone number and a bank account. Indian citizens can access the database online for identification and mobile phone "real-time" verification, while also enjoying medical, social security, training, driver's license, employment and other services.
Government departments can also provide subsidies and benefits to residents in a targeted manner, monitor the health status of residents, effectively provide public services such as medical and epidemic prevention, and achieve real-time improvement of administrative processes.
However, because India's network infrastructure is not stable, the issue of security risks is still relatively acute. In addition, many related databases are updated in real time and are accessed by a variety of users, which also increases the challenges in this regard.
It is difficult to regulate the use of data
The Indian Identity Card Authority (abbreviated UIDAI, the executive arm of the Aadhaar project) has recently provided all users with the option of masking the true identification number by creating a virtual identity.
A bank's chief technology officer, who asked not to be named, believes that although the measure is very important for protecting identity, users must understand how to use this function reasonably; otherwise people with ulterior motives will take advantage of the opportunity. Human factors also affect database security: a disgruntled employee, for example, may decide to abuse their authority to steal sensitive information.
The Aadhaar project has now widely entered the daily lives of Indian citizens, but not all institutions use the data under strict control standards. For example, a user may read their own information over public WiFi that hackers have compromised in advance, so the information is easily obtained by them.
There is a gap in investment in security
Most companies still do not spend enough funds to protect network assets. For example, the ratio of JPMorgan Chase's IT budget to its security spending is 10:1. The Indian Ministry of Electronics Industry and Information Technology authorized all government departments in September 2017 to use 10% of the technology budget for security.
After an attack like WannaCry, India ranked 23rd in the United Nations' 2017 Global Cybersecurity Index. Although India's performance in security is better than in the past, this does not completely eliminate risks.
Network security needs to keep pace with the times
The field of cybersecurity is a never-ending game of cat and mouse. Hackers constantly try to attack and destroy the network. The biggest threat to the "Digital India" program may come from hackers anywhere in the world. Twenty years ago, 40-bit encryption was considered a high-tech encryption method, but this encryption can be cracked within a few minutes today.
Many companies have already switched to 128-bit and 256-bit encryption technologies.
Aadhaar's database uses 2048-bit encryption protection. Key lengths of that size are typical of asymmetric algorithms and are not directly comparable with the symmetric key lengths above. Even so, with the rapid development of network technology, only by constantly adjusting and improving the protection methods can we adapt to the objective needs of the network era.
Cyber security talent gap is difficult to fill
In fact, India does not have enough cyber security talent to protect its own cyber assets. The "Digital India" plan places heavy demand on top professionals, hoping to establish an anti-hacking mechanism, using technologies such as blockchain and quantum computing, to ensure that it is not affected by cyber threats with a 24×7 defense posture.
According to the National Association of Software and Service Companies (Nasscom) in India, India is working to reduce the gap between the demand for cybersecurity professionals and the available talent pool, but the gap is still huge.
The lack of relevant professionals is also a global problem. Even by 2021, there will be 500,000 or more vacancies in cyber security in the United States.