Aadhaar linking to everything poses serious national security challenges
The widespread adoption of Aadhaar numbers and linkages to Unique Identification (UID) programme databases for the purpose of authenticating sensitive transactions should give pause to India’s foreign policy and military planners. That Aadhaar is a centralised database, and therefore susceptible to cyber attacks, is already known. But pervasive “Aadhaar-isation” brings together systems and platforms in a digital ecosystem without interoperable standards for security.
The UID is device-agnostic. Whether an Indian enters her Aadhaar number into a virus-infested desktop at a local cyber cafe or a highly secure iPhone, her device is linked to and authenticated by the Aadhaar database. In almost all cases, there is a two-step authentication process, involving a one-time password from the user. The UID Authority of India claims such authentication (at its most basic level) is simply a “Yes/No” interaction of the Aadhaar database with the machine, and that no biometric or personal information is sent back. Biometric or demographic records of Indians are available today in multiple databases, and are hardly an invitation to target Aadhaar servers.
Based on the specific transaction involved – filing tax returns, transferring money or purchasing health insurance – Aadhaar, however, creates a “map of maps” of Indians, identifying the platform, device, location and successful/failed attempts at authentication. Coupled with the demographic data that can anyway be extracted from an insecure mobile phone or app, this Aadhaar authentication data is of strategic value to a foreign adversary. Some questions of strategic import that should weigh on India’s security mandarins are listed below:
In the event of conflict, could the Aadhaar database be targeted by India’s adversaries?
Yes. To the best of this author’s knowledge, the Aadhaar database has not been defined as “critical infrastructure” by the Indian government. The National Critical Information Infrastructure Protection Centre (NCIIPC), India’s nodal agency for this purpose, has sought to identify critical information infrastructure (CII), but so far it has focused on flagging certain sectors – banking, health, energy – as “critical” databases. The UID programme, by contrast, is a cross-sectoral effort to authenticate the credentials of Indian users or consumers. At some point, the NCIIPC will seriously weigh bringing Aadhaar into its fold, but no publicly available information suggests such developments for now.
ARTICLE SOURCE – BUSINESS STANDARD