Securing the India Stack

IndiaStack-logoOver the weekend, the Times of India ran a front page article about how someone was able to hack into India’s Aadhaar database.

Aadhaar is India’s attempt to give everyone in India a unique 12 digit ID that can be used for a variety of government services. The Aadhaar project is part of what many call the India Stack. According to Wikipedia the India Stack is:

…a set of APIs that allows governments, businesses, startups and developers to utilise a unique digital Infrastructure to solve India’s hard problems towards presence-less, paperless, and cashless service delivery.

IndiaStack

In a nutshell, the government is going digital and everything will revolve around this unique 12 digit number. Initially, it will be basic government services then it will move to eKYC (Know Your Customer), payments and beyond.

As more and more services go online using the Aadhaar number to authenticate services, we will hear about more and more security breaches. This is not uncommon in the technology world, in the early days of PayPal (they provide online money transfers) they dedicated a large number of resources to “plug” these holes. The reason why people prefer open source security solutions is because you have a large community of programmers that are looking at the code base and constantly testing it to find holes in it.

The Government of India (GoI) should not sweep these issues under the rug and say everything is secure. When a government official says their technology is “tamper proof” that’s when you know they don’t understand technology. Actually, if they are so confident they should host hackathons. These hackathons have two purposes: 1. potentially find bugs or security issues 2. an excellent hunting ground to find talent for the India Stack team.

The Government should actually embrace these hackers whether they are black hat or white hat. Creating a platform like HackerOne would be a step in the right direction. HackerOne is a bug bounty platform that connects hackers (or as they called them “cybersecurity researchers”) with companies to crowd-source security vulnerabilities.

The idea of embracing hackers goes against the grain of conventional thinking but when it comes to digital, I think it’s the best way to constantly improve security and enhance service delivery. The current thinking of “nothing is wrong and nothing to see here” is old school and needs to die.

By the way if you are concerned about AI (Artificial Intelligence) and robots taking over your job, you are in luck! I think India has a severe deficiency in technology security experts which I don’t think robots will be able to takeover…for now. If I was coming out of college today:

  • I would read every API spec document on Aadhaar, UPI, eKYC and others
  • Not only would I read them, I would tear them apart and see how they work
  • Build Android apps around them to understand a real world implementation
  • Start a blog and give recommendations on how to make them better
  • Download other apps to sniff the traffic and see how they implement these APIs
  • Find Indian companies on HackerOne and monetize (as of now, only Ola is on the platform)

Then the next battle will be those robots!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s