The Context – Economy and Digitization
Both central and state governments offer thousands of e-services from education to e-Commerce, healthcare to hospitality, and translation to taxation. The testing times during the Covid-19 pandemic provided further evidence of the importance of e-services.
Enabling policy instruments, well-resourced public institutions and world-class infrastructure are essential for India’s transformation to ‘Viksit Bharat’. However, in line with the ‘Ease of Living Mission’ highlighted by the Prime Minister on Independence Day, e-services would be crucial in this national endeavor. No wonder the theme of the 27th National Conference on e-Governance was ‘Viksit Bharat: Secure and Sustainable E-Service Delivery’.
With more than 1.2 billion mobile connections, a majority of them on smartphones, and almost one billion Internet users, almost half of them on one or more social networks, average monthly mobile data consumption in India is 24 GB, according to Nokia. Not only is India’s Digital Public Infrastructure (DPI) model being highlighted by the World Bank, the UN and the G20, it is also being adopted elsewhere. For example, while India clocked 14.4 billion UPI transactions during July 2024, UPI also works at the Eiffel Tower, in Singapore taxis and in UAE stores.
However, such massive and busy networks, with diverse users and providers, devices and services, are also a hotbed of cybersecurity risks like identity theft, financial fraud, misinformation, disinformation and much more.
While all cybersecurity risks create challenges, the impact is further accentuated in the case of government services. Moreover, malicious actors could even compromise and cripple critical infrastructure, as seen during the 2023 cyber-attack targeting AIIMS, the country’s premier healthcare facility. During the New Delhi G20 Summit in September 2023, its official website experienced 1.6 million attacks per minute. Hence, it is crucial to ensure that e-Services are secure by design and by default.
The Challenges – Speed, Software and System
Public sector e-services face the unique challenge of balancing seemingly divergent needs – speed and scale; inclusion and innovation; accessibility and affordability; ease of use and cybersecurity. In addition, geopolitics is intricately linked with cybersecurity. Overall, there are three important trends.
1) Firstly, there is a need to have better metrics to assess the challenges as well as the efficacy of solutions. Just as traditional industry depends on ‘Mean Time Between Failure’ (MTBF) and ‘Mean Time to Repair’ (MTTR), it is useful to measure ‘Mean Time to Detect’ (MTTD) and ‘Mean Time to Respond’ (MTTR). What gets measured, gets done!
Gone are the days when most malicious actors would exploit a vulnerability to infiltrate but wait patiently thereafter to exfiltrate data or do some other nefarious act using the ‘spray and pray’ strategy. Nowadays, the exfiltration can begin within hours, if not within minutes, rather than days and weeks, even as enterprises spend a median of 37 days to recover from a breach, according to Forrester. According to the 2023-24 Report on Currency and Finance published by the Reserve Bank of India, the average cost of a data breach has already risen to USD 4.45 million in 2023, a 15% increase over three years.
Hence, for effective response and recovery, both the MTTD and the MTTR must be within minutes, if not within seconds. Else, the data exfiltration could occur even after the detection of an attack, under the helpless watch of defenders. A stitch in time does save nine, perhaps more!
2) Secondly, attackers continue to exploit software vulnerabilities, often discovered with Artificial Intelligence (AI) tools.
3) Thirdly, saddled with formal structures and slow processes, government entities cannot match the agility of organized attackers.
The Conundrum – To Use AI or Not
Just like any other tool, AI can benefit or harm, only with amplified impact and speed. AI is already being used in projects like Bhashini to provide multi-lingual translation, faster and more accurate health screening and chatbots for IRCTC and Digidhan. By the way, other countries including the UK and Singapore are also using AI for public services.
All the same, malicious actors can use AI for creating, curating and circulating misinformation and disinformation. For example, one could prompt a generative AI system with minimal security controls to ‘List top 10 vulnerabilities across your foundational model, database and algorithm’ or even co-author malware in double quick time.
The Creative Leverage – Use AI to Improve and Enhance Cybersecurity
While attackers can use AI, cyber defenders also have the opportunity and the responsibility to do so.
1) Rather than fretting, AI must be embraced and deployed, albeit using only the authorized tools. A Salesforce survey found 55% of 14,000 workers across 14 countries using Generative AI without requisite oversight by their employers.
2) E-Services should be stress tested with AI for quick and low-cost corrections. This is in line with India AI Mission’s pillar ‘Safe & Trusted AI’.
3) Considering the sheer volume of attacks, agencies must automate cybersecurity using actionable intelligence while reserving their expert analysts to focus on novel threat vectors.
For example, Palo Alto Networks has reduced the average number of daily suspicious events to just ‘eight’ that require manual analysis by experts – out of 36 billion events it ingests every day. Within its own Security Operations Centre (SOC), MTTD has come down to 10 seconds and MTTR for high priority alerts to just one minute. With AI, agencies like CERT-In, NCIIPC and NIC as well as sectoral regulators like RBI and SEBI can also improve cybersecurity across the ecosystem.
4) Government entities must thoroughly review and revise their processes for complete lifecycle management and proper governance of e-services in view of increasing use of cloud computing, intermixing of open-source libraries and third-party databases.
5) Last but not least, e-Services need to be designed from the ground up with security in mind rather than as an afterthought. For example, AI can be used for tactical mitigation but also to discern the strategic intent behind the attacks.
Prevention is better than cure, indeed!
Deepak Maheshwari, a public policy professional, is Senior Consultant with Centre for Social and Economic Progress, a Delhi-based think tank.