
Rolling out Digital Public Infrastructure in India: Adopting the PPP Model and Ensuring ‘Security by Design’ and ‘Adaptive Resilience’ (In specific in the BFSI, FinTech and Payment Industry)


India is presently on the path to becoming a USD 5 trillion economy within the present decade, notwithstanding the challenges the country faces from the growth percentage that is prevailing or envisaged. The enablers in this endeavour are the initial liberalization of the Indian economy and its policies and, also viewed as a contributor, the 2009 initiative of the Aadhaar digital identity program. This in turn led to services such as the Unified Payments Interface (UPI), the JAM (Jan Dhan Yojana, Aadhaar and Mobile number) trinity, and Co-WIN (for managing the Covid-19 vaccination programme), among others. The steps taken by the Government of India to adopt financial inclusion and IT-enabled services (including eGovernance measures) have further enhanced ‘Good Governance’ and ‘Ease of Living’. The rapid digitisation and investment in digital infrastructure went beyond the Digital Identity Project and the Financial Inclusion Program, extending to India’s health, education, and sustainability sectors as well.

Further, the delivery of digital services through digital inclusion also offers many opportunities to increase transparency, inclusivity, and efficiency across the public sector. Even the government, while offering seamless e-services to the public, was able to speed up processes and foster entrepreneurship and innovation. It is also the responsibility of big IT service providers to participate in infrastructure investments, especially in digital infrastructure, to enable public services.

The story of India’s Digital Public Infrastructure (DPI) cannot be complete without the participation of the private and corporate sector. The core concern is the ‘Security’ around this infrastructure. All infrastructure, including the niche eGovernment infrastructure, is vulnerable to cyberattacks which can compromise data and damage computer systems, costing governments millions in damages and in turn threatening citizens’ privacy and security (not to mention the denial of services to the subscribers). Governments should therefore be prepared for such attacks and adopt preventive measures. The envisaged level of protection is not possible without the support and participation of the private stakeholders. Cybersecurity should be an integral part of the design of digital public services, and this culture can only be brought in by the private stakeholders.

What is Digital Public Infrastructure

Digital Public Infrastructure refers to the set of digital systems and technologies designed by government agencies to provide essential services to citizens and businesses. Its functions include service delivery, data management, and cybersecurity. It can also be described as the stack of digital layers that enables modern societies to function efficiently and securely in the digital age. Its significance lies in digital inclusion, efficiency, transparency, innovation, and enhancing government-citizen engagement and economic growth.

Examples of Secure and Successfully Running Digital Public Infrastructure

Estonia, in the year 1991, decided to separate itself from the Soviet Union and establish its own independent sovereignty, but this came with a price. In the year 2007, Estonia suffered 22 days of cyberattacks on an unprecedented scale. The attacks targeted not only government institutions across the country, but also the limited digital public services. This experience not only made the country cautious about the digitisation of the governance component, but also taught it the significance of secure digital public services. Estonia also understood that cyber resilience should be part of its approach to protecting the nation from grave acts of sabotage. This then led to large-scale investments in cybersecurity.

Singapore’s eCitizen portal, for instance, offers over 1,400 government e-services, allowing citizens to renew passports, apply for permits, and more with ease, all these riding on secure Digital Public Infrastructure.

The Aadhaar project in India, a one-of-a-kind, large-scale Digital Public Infrastructure, has been seen as a project to provide a digital identity and then use this biometric identity to enable financial and DBT inclusion for over 1.4 billion residents, transforming service delivery and improving financial inclusion.

India’s Digital Public Infrastructure in FinTech and Financial Services – Global in Nature

Digital Public Infrastructure is vital to the emerging digital adoption. DPI is the enabler, reshaping the way residents, citizens, government and organisations manage and use services and lead life in the country. It also proves beyond doubt that the impact of DPI is profound. It should also be understood that the foundation of any eService is the implementation of a Digital Identity (ID) system as part of DPI. The rest of the roll-out is then pivoted around the ID infrastructure and services. DPI services are found to evolve around the related applications, and access to these services is made robust through security and privacy controls.

India’s Cyber Vulnerabilities on Digital Public Infrastructure are on the Rise

The DPI that enables the related services needs to be secure and resilient against cyberattacks. There is a need for investment in cybersecurity measures to build digital systems with inherent protection against cyberattacks. DPI systems and their providers will also have to build in the ability to undergo regular audits that identify the vulnerabilities of the system. This will ensure robustness, planned inclusion and resident centricity, and enable sustainable applications with resilience.

As of Dec 2023, the average volume of UPI transactions per month is 11 billion. The average volume of Aadhaar authentications in a month is over 2.1 billion. This proves beyond doubt the penetration of DPI, especially in the BFSI and Payment Industry.

Also, for that matter, DPI is not something new. (If one were to draw a similarity, the “gmail services” are also a form of DPI extended by “Google” for public good.) DPI is conceptualised around ‘open source’ technology, which is available to the public and government to review, inspect, recycle, modify, etc. The ability to adopt ‘Open-APIs’ to facilitate universal access, inclusive design, integrability by all, interoperability, security by design, privacy by design, etc., is also a key component of DPI. All this and more makes DPI vulnerable and susceptible to perpetrators who wish the worst for such endeavours. The ease of use of attack techniques against open source, together with the fact that DPI by virtue of its magnitude becomes a broader target for these Machiavellian elements, makes DPI a soft target.

Cybersecurity Concerns Around India’s Digital Public Infrastructure

Given the extensive digital networks that India has managed to create, one major concern is the security of this massive infrastructure. The exposure of these DPIs on the web is also large and offers a much wider spectrum to the attacker. The All India Institute of Medical Science (AIIMS) attack that took prominence in news reports in November of 2022; the Aadhaar exposure reported by cybersecurity firm Recorded Future in the year 2021; and the revelation by a Dark Web entity of an incident in which the personal information of more than 800 million Indian citizens was put up for sale on the dark web, termed one of the worst data breaches ever reported from the Indian Council of Medical Research (ICMR) or the CoWin database, have all been large-scale threats to the Indian DPI. India, being the largest user of DPI with extensive digitalization, has to have a cybersecurity-first attitude. Protecting the integrity and security of digital infrastructure is paramount.

The advent of artificial intelligence (AI) has now brought a renewed dynamic into the DPI ecosystem. The power of AI can be harnessed both by the owners of DPI and by adversaries, which raises cybersecurity concerns while also offering the ability to use AI to augment the protection of these assets.

Protecting the DPI around the BFSI industry, FinTech and Payment Industry in Specific

DPI ecosystems across the globe are a gold mine when we consider the value that their structured and standardised data holds. In India the systems that ride on DPI are a treasure trove, due to the enormous size they have reached today. In India, due to the large population that the DPI caters to, we see that the BFSI industry is poised to grow at an exponential rate. The Digital Economy has also seen a boost due to the unlimited penetration of the internet, especially into rural India where 80% of the population resides. However, this proliferation of digital technology adoption has led to an exponential increase in online fraud, prompting DPI stakeholders to be on guard.

It is at this juncture that the Cyber Security Industry finds its partnership with the country’s DPI environment. The BFSI and Payment Industry players who ride on DPI for their services are sometimes small and generally do not have the capability to subscribe to costly, top-of-the-shelf enterprise solutions. Here comes the role of robust and generic cloud-based solutions. These BFSI and Payment Industry service providers may hold fragmented solutions which prove expensive and non-scalable in the long run. To protect against futuristic and dynamic advanced threats, these industries need to look at outsourcing security to trusted partners, who will also have to mount their solutions on DPI. This will ensure mutual trust with the least cost of ownership.

Cloud-based security solutions that can provide real-time fraud detection and automated protection, with complete visibility of the analytics of the encountered incidents offered through zero-touch semantics, will be the game changer in the DPI services ambit. The BFSI and Payment Industry is presently facing fraud, misuse, ransomware threats, malware attacks, account pilferage, account takeover, difficulty in anomaly detection, etc. A low-cost model to cater for this industry will be the in-thing for the Indian market today.

One thought on “Rolling out Digital Public Infrastructure in India: Adopting the PPP Model and Ensuring ‘Security by Design’ and ‘Adaptive Resilience’ (In specific in the BFSI, FinTech and Payment Industry)”

  1. DPI protection initiatives by GoI viz Aadhaar Act 2016, DPDP Act 2023 and Cyber Swachhta Kendra are good. However, it requires participation from private for holistic cyber resilience.
