Part 2 of a two-part interview
In the first part of the interview, Mr. Randeep Sudan, Adviser on Digital Strategy and Government Analytics with the World Bank talked about leveraging the Singapore experience and data analytics. One of the most critical aspects of the data chain is security. We asked Mr. Sudan what are the challenges faced by governments on this front and what are they doing about it.
Mr. Sudan said that we need to be mindful of the fact that cybersecurity is not just for government data. It also applies to data with the private sector. There are weaknesses in the private sector infrastructure, which hackers exploit and then use it for sending out malicious data or carrying out distributed denial of service attacks. China has the reputation of being highly capable in the area of cybersecurity. Nonetheless it faces issues of securing large amounts of data in the private sector and in government.
“Unless one is able to deal with data security comprehensively, one cannot really improve the trust level and cybersecurity in any country. It is a job which the government cannot do alone. It has to get more stakeholders involved in this,” Mr. Sudan reminded us.
Going forward, one way of doing this could be a greater reliance on cyber risk insurance and reinsurance. If companies are buying insurance, then their levels of premiums will depend on the levels of risk to which they are exposed and there’s a market mechanism to assess those risks and monetise them. Currently, the market mechanisms are weak in most countries.
Role of international cooperation for enhancing cybersecurity
It’s a borderless world when it comes to cybersecurity. Many countries are trying to forge partnerships internationally for addressing it.
Mr. Sudan talked about several examples of international cooperation, while saying that more needs to be done. The Korean Internet Security Agency (KISA) has established a Global Center for Cybersecurity for Development (GCCD) to help developing countries on cyber security issues. The UK Government has helped establish the Oxford Cyber Security Center that is working with countries across the world on cyber security issues. Interpol has a centre in Singapore, the INTERPOL Global Complex for Innovation. It tracks threats and shares information. ENISA, the European Union Agency for Network Information Security Agency, shares data across Europe. The US also has programmes for data sharing.
Risks for developing countries
KISA has a direct link into all the ISPs in Korea, so that they are able to monitor the traffic coming in and out of the country, and have a better understanding of the threat landscape. Besides establishing sophisticated monitoring capabilities Korea is now getting into AI to see how these threats can be better identified, predicted and pre-empted.
This level of sophistication requires capabilities and investments. Such investments do not come cheap. Mr. Sudan said that developing countries often struggle with this. Because firstly, there is a lack of availability of skills. Secondly, the institutional and regulatory structures are weak. Then there is a lack of awareness of the serious nature of threats. See for example how the Bangladesh Central Bank lost $81 million on account of a cyber heist.
In addition, the decisions are siloed. “If you have the education department putting up their data centre, the health department putting up their own data centre, the capability to deal with cybersecurity issues gets diluted to an extent that it exposes the whole system to risk. The more you digitise, unless the security part is taken care of, the more risk and complexity you are introducing into the system. And to manage this complexity in a decentralised way with each ministry managing cyber security threats independently makes things difficult. It might be easier to manage the cyber security function centrally with complementary management of the function at the agency level. And of course, you cannot keep all your eggs in one basket, you need to have secure backups in different places,” Mr. Sudan explained.
Korea has government data centres which are entirely in the control of government and are shared across agencies. These multiple data centres provide redundancy and backup capabilities to mitigate cyber risks.
Estonia has gone a step further and started experimenting with data embassies. The thinking is that in case their systems are completely compromised in Estonia, they should still continue working as a government. Estonia established its first data embassy in Luxembourg and is looking at other options of replicating data and keeping it in data embassies abroad, so that no matter what happens to Estonia as a physical entity, it can still function as a virtual government.
Major countries like India while pursuing digitisation aggressively, need to do a lot more on cybersecurity. It has to be ensured that cybersecurity is built into everything digital. The architecture needs to make things secure. There should be metrics to measure and systems to test security at each stage.
Recent trends in IT services development could offer a part of the solution. Mr. Sudan said, “If we look at microservices, this whole approach of DevOps for example, the advantage is that one doesn’t need to secure the whole system. The parts which are vulnerable can be secured in the best possible way. An added advantage is that such a strategy can bring the cost down.“
Talking about the criticality of cybersecurity, Mr. Sudan added, “All said and done, there are very serious consequences if data security is compromised. If people’s bank accounts are compromised or the electricity networks suffer a serious outage, it can create social chaos on an unprecedented scale. You don’t need a terrorist attack. A cyber breach would be enough to knock out the social system. So, it’s a question of social order, development, security. These are all intertwined.” The cybersecurity function has to be systematically addressed both as a horizontal across agencies and organisations – both public and private and as a vertical to mitigate such risks.
Digital ID is one of the foundational elements of a digital economy. It is a key enabler for the fast developing world of FinTech. Mr. Sudan said that being able to uniquely identify each individual is critical. Many years ago, Singapore realised this and the government centralised data on citizens, companies and geospatial data. These were the three core databases that were identified as absolutely important.
Mr. Sudan brought up the example of the Indian Unique ID, Aadhaar, as a great initiative on this front.
In his view, it is the most sophisticated ID system in the world at the moment. He said, “You don’t even need to carry a card. Your biometrics is your identification. Moreover, the system architecture is very good. It only gives information which is needed. If someone in the US wants to buy alcohol, they ask to see the drivers licence to verify age. A drivers licence shows a lot of details, including address, date of birth, and full name. All this information is not required for checking if a person is above 18 years or not. In the Aadhaar system the system would simply say whether a person is 18 and older with a simple yes or no. It doesn’t reveal any of the additional, unnecessary information. Information provided is on a need to know basis.”
ID data is secured and access is only through a query engine which is not allowed to alter in any way the core data.
Of course there are new approaches to secure digital IDs that are emerging and use blockchains. We have to see how these approaches play out as they mature. Developing countries will have to be mindful of such approaches in addition to ID systems like Aadhar while determining how best to go about creating digital IDs.
Digital transformation- top-down or bottom-up?
“My experience is that it has to be both top-down and bottom-up,” Mr. Sudan responded.
Defining standards has to be top down. Similarly, cybersecurity strategy and establishing national digital infrastructure like high speed networks has to be done from the top. So also legal and regulatory provisions to safeguard data privacy for example.
But the bottom-up aspect of citizen engagement, feedback from citizens, customising services for citizens is also important. And the private sector will increasingly have a role there because most of the platforms where the citizens are most comfortable in interacting are platforms with the private sector.
In Korea the government is using Kakao Chat for delivering government services. Mr. Sudan narrated another experience form a trip to China, “I was recently in China. And I had a meeting with Tencent. I realised that many of the Chinese government services are on Wechat. The point of delivery is a private sector platform, not a government website. For example, citizens can schedule their hospital appointments and pay for hospital expenses using WeChat.”
“The Tencent executives told me that in the case of a car accident, if the photographs of the accident are sent from the cell phone an insurance claim can be settled in 30 seconds. Backend algorithms, and visual analytics are now able to assess the damage very accurately. Based on the huge volume of data collected on past accidents the algorithms have become quite reliable,” he added.
In addition to users’ convenience using these platforms, there is another reason why governments should work with the private sector to deliver services. In many cases large digital platform companies have superior security as compared to what government might be able to muster.
The private sector also by and large has much better flexibility. If security technology changes or a new threat is found, the speed of response is likely to be significantly better in the private sector. Of course one cannot generalize this for all cases, as there are many examples where data with the private sector has been breached.
“I feel that on balance, it might be better for the government to work with the private sector, after assessing the systems and processes in place for ensuring data privacy and data security compliance.” Mr. Sudan commented.