Monday, January 02, 2017
With the focus on demonetisation, India cannot afford a false separation between access and security in digital spaces
rimes in cyberspace, by one estimate,now cost the global economy $445 billion a year. Cyber insecurity is now a global risk no different from the warming climate
or forced displacement. Is such insecurity a business risk or a “public bad”? If the security of digital infrastructure is viewed as a business risk, who should mitigate
it? Should states be responsible for the integrity of networks and data within their territories, failing which they will be classifiedas“ risky”todobusinessin in thedigital economy?
Were cyber insecurity treated as a “public bad”, governments could justifiably conclude that vulnerabilities in one device or platform affect an entire ecosystem, and create a liability regime that shifts the burden on the private sector.
These issues are important to ponder asthe Digital India programme and demonetisationencourage the rapid adoption of digitalpayments technologies. It is not only difficultto assess the “risk” of transacting inthe digital economy, but also determinewho such risks should be absorbed by. Forinstance, a high-end device may be able tooffer security on the back of its tightly controlledsupply chain, but what if an enduser, by opening the door to a hidden exploit, compromised its operating system?
First, if cyberspace is a global commons,
will the socialisation of “bad” follow the
“privatisation of profits”?
Unlike the environment, the oceans or
outer space, digital spaces are not discovered
– they are created. Cyber insecurity
has been made out to be a global threat but
the fact remains that the economic gains
from securing digital spaces still accrue to
a few countries and corporations. Do developed
markets have a common but differentiated
responsibility to secure digital spaces?
If it is the responsibility of all, can
developing countries also get a share of the
economic gains from electronic commerce?
Second, cybersecurity is a private service
– how can we make it a public good?
Digital spaces are common to all, but the
provision of their security is increasingly
guaranteed by the private sector. This is in
stark contrast to governance models in
emerging markets, where the state underwrites
law and order. How can the public
and private sectors work together to provide
this common good?
Third, India is moving towards security
by identity, but many advanced economies
believesecurity comesthroughanonymity.
Are we on the wrong side of history?
Encryption is becoming the norm in
advanced economies, as a result of which
data is increasingly out of the reach of law
enforcement agencies. On the other hand,
Indiahasmovedtowardsbiometricidentification
programmes that place a premium
on identity. The “Aadhaar impulse” is
driven by a requirement to target beneficiarieseffectively,
butwithoutstrongdataprotection
regulations, the digital economy
would be less than secure.
Fourth,ifcash-basedsystems,ATMsand
payment gatewaysareincreasingly vulnerable
to cyber-attacks, are “distributed ledger technologies” going to make governments
adopt cryptocurrencies?
Blockchain and other technologies that
“crowdsource” the authentication of online
transactions using bitcoins are more difficult
to target, because they are by their very
nature, distributed ledgers. Will the
increasing insecurity of the fintech ecosystem
push us towards cryptocurrencies?
Fifth, cyber security is an expensive
proposition in advanced economies, where
themostsophisticatedinstrumentsarealso
assumed to be the safest. How can India
apply its famed “frugal innovation” in this
space, and protect the user while providing
affordable access to the internet?
The ICT supply chain in India is only as
strong as its weakest link: the end user. If
the user is from rural India, with a limited
understanding of the devices and transactions
she accesses, her device is a point of
vulnerability. If the device itself is “lowend”,
which places a premium on cost over
security, this forms a lethal mix that endangers
the security of all users in the ecosystem.
India cannot afford a false separation
between access and security in digital spaces,
as the qualitative nature of access will
determine ICT security for a billion people.
Sixth, who determines the risk of transacting
on the internet, and how?
If transactions in cyberspace will invariablycarryanelementofrisk,
whowillguarantee
them? The buyer, seller or intermediary?
As in the case of shipping, will we see a
form of cyber-insurance applied to cover
the risk of malicious attacks online?
Developments in cyber security leads
one to surmise that economies will soon be
subject to a risk-assessment based on the
integrity of their networks. Risk-based
assessments offer predictive value and
guarantees of stability to businesses, but
they should not perpetuate inequities that
exist offline. Limited means to enhance
cybersecurity in developing economies
should not set back investments in the digital
economy, which in turn create a vicious
cycle rendering the overall ecosystem insecure.
The international community must
articulate ways in which such risks can be
mitigated, and facilitate access in emerging
marketstotechnologyandfinancethatgenerate
investments in cybersecurity.
