With over a billion Aadhaar IDs allotted to Indian citizens, the Unique Identification Authority of India (UIDAI) is the largest national identification number project in the world. For the same reason, this centralised data base is also one that needs to be secure all the time.
Ilias Chantzos, senior director—government affairs, EMEA-APJ at Symantec, however, says the enormity of this data set has not added to the vulnerability in any way. “In the end it is all about finding the right balance and making sure you have the right protections in place while offering the flexibility and advantages of digital usage,” he says. “We have to accept that identity is going more and more online, as you see with banks, and it is a natural evolution. So don’t view this as an additional vulnerability.”
Any standard for protecting public data, he says, needs to take into consideration local context as well. “There is a school of thought that argues the need for a sector specific standard for finance or health. This is the American way. But the European way is horizontal, to have a more encompassing standard irrespective of a sector or area of business. And these two models do seem to compete,” says Chantzos. He represents Symantec before government bodies, national authorities and international organisations advising on public policy issues, with particular regard to IT security and data risk management and availability.
“Depending on the trade flows and data flows, countries such as India will be pulled into these two directions. In the end, every country is going to have something that fits its idiosyncrasies, but it would have to be somehow compatible to do business with other major trading partners,” he adds. According to him, the right approach will be to put emphasis on individual data protection, because “that is where the value is”.
But governments often add more context to individual data, without permission from them. This is again a call that has to be taken at a local level, he says. “There needs to be information self-determination, but even that is subject to certain restrictions. In the end you have to manage the identity and the use case will determine how you do it. But in such a case we will need to look at even the potential use cases of Aadhaar,” he says, underlining that when GSM standards were set up, no one had thought that mobile phones would be used for banking.
Chantzos says there is growing realisation that since we are all connected these days, the impact of a cyber incident will be much more. “There is greater realisation that there is value in the data and data economy, which is why you see more attacks on the infrastructure that supports it,” he says, adding that in that sense India is no different from the rest of the world. “On one hand you see a lot of effort from the government in the UID project, but at the same time there is the challenge to share this information.”