With a huge focus on the Digital India programme, technology-driven projects have increased across all government departments. Most of these projects, and especially the IT-related projects, are executed either through the tender or the PPP mode. Therefore, it is essential to have a proper information security strategy in place to secure the data. In an interview with EC’s Mohd Ujaley, Rudra Murthy KG, CISO, Digital India, Ministry of Home Affairs, Government of India, says, “Be it the managed service provider (MSP) or internal resources, government organizations should take proper security measures. In fact, security measures should be part of the contract itself. It means that you assess your service provider prior to onboarding and you keep on monitoring during the execution.”
Some edited excerpts from the interview:
What is your sense of the present status of information security in the Digital India project?
There is a great focus of the Government of India on digitalisation as it has realized that it can help them in delivering good governance. One of the classic examples in this regard could be the initiative of Aadhaar by UIDAI, which has become one of the fastest large-scale programmes across the globe by crossing the enrollment mark of one billion recently. The government now has the necessary information about the citizen. They can use this data for framing policy and welfare schemes in a far more efficient way than what they have been doing. Aadhaar alone has offered the government the capability to provide a simple authentication solution and deliver subsidy directly into the hands of the beneficiaries, leading to reduced corruption and improved transparency.
This clearly shows the role of technology in improving governance. The Digital India project takes these things to the next level. Apart from focusing on the nine pillars of the Digital India programme, the back-end process and platform of most of the government services are also getting digitized. The paperwork is gradually coming down. For example, under the CCTNS project, the entire compliance process is being automated for e-policing.
But having said that, the criticality of information security management has also increased with this technology intervention because the number of users and the flow of data have increased substantially. Therefore, the government organisations need to ensure an adequate information security framework for protecting the information. For me, information security in the Digital India project is vital and basically it is a work in progress for all the stakeholders.
You mentioned the benefits of the Aadhaar initiative, but some of the security experts have recently raised questions around the security of the Aadhaar data. Do you really believe that Aadhaar is fully secured?
First of all, you need to understand that there is no deterrent to security. There is always scope for improvement of the security in any organisation or in any project. You must also understand that security is a continuous process. If you see Aadhaar on those fronts, they are always driving towards more and more robust security on a day-to-day basis, in fact on a minute-to-minute basis. The strategy level direction for security of Aadhaar data is very much settled.
What kind of security framework is being adopted in the government to protect data?
I mostly work for the initiative of the Ministry of Home Affairs, Government of India. There are close to three-four frameworks. The Government of India has recently issued a National Information Security Policy & Guidelines that could be taken as reference by all the central ministries, state governments and PSUs for developing their own information security and control mechanism.
For framing a policy which really serves the purpose of the organization, first of all government organizations should have a proper strategy in navigating the access control. They should understand their requirement, their process and function. Questions such as – what kind of user life-cycle they have, what type of user mix they have, what type of data they need, what is the life cycle of the data – must be asked. They should understand these things before creating the operational model for security control. Then they have to come to the technical control and implementation of this framework. Unfortunately, the implementation does not come easily. There should be a dedicated responsible person, maybe a chief information security officer, to oversee it, not as an additional responsibility given to some officers.
And trust me, the security does not stop there. Government organisations should have a strategy to frequently check themselves, how good they are, from the day they started. There should be frequent assessment and external audit, and they should develop a proper information security management system framework. This, in my view, will be the best strategy for them to start with.
There are many projects, especially e-governance projects, where service providers or PPP partners are involved. How can one ensure security of data or information for such projects?
I fully agree with you that the government projects, especially the IT-related projects, are executed either through tender or PPP mode. That is why it is essential that government departments should have a proper information security strategy to understand the data protection. Be it the managed service provider (MSP) or internal resources, the government departments should take proper security measures. In fact, security measures should be part of the contract itself. It means that you assess your service provider prior to onboarding and you keep on monitoring them during the execution. Also, there should be clarity about intellectual property rights, data protection rights, technology retention rights post boarding of the service provider. These controls generally should consider proactive, corrective and reactive mechanisms.
Basically, risk comes from external agencies and internal agencies. And, in most of the e-governance projects there is a project management consultant. So, you have three stakeholders with privileged access to the system. Obviously, chances are high that anything could happen because of any reason, therefore the government needs to monitor the agencies working for them. Some of the recent data breaches have shown that internal security is crucial. Similarly, departments should have control over the software or an application development programme.
What changes do you see happening in the administration of cyber security in government organisations?
I think the time has come for the top of the government to scale up, in terms of the human resource talent and its technical expertise, to understand the nitty-gritty of the scope of the work given to the service provider. This will help them to understand – what is expected during the implementation and how to get the work done within time. Right now, most of these controls are in administrative hands but ideally it should go to a technical person. And, you know, the security challenge is further aggravated by the fact that the government is hiring consultants for its project management, which is another third party to the system. By this, they increase the number of stakeholders and unknowingly the scope of the risk to the data, as it gets handled by multiple parties. I personally feel this could be addressed when talent becomes part of the government itself.
How serious are ministers and bureaucrats in MHA about information security?
Everybody is very serious about it. In fact, when I get the direction from my seniors, they are already aware of the problems. The only thing is that as the subject matter expert, they expect an individual like me to come with a better solution and explain to them in a better way. A level of understanding about cyber security is already there. Prime Minister Narendra Modi himself is very keen on cyber security. He spoke on this topic for 16 minutes during his address to the Digital India week celebration programme.