Some questions of strategic import that should weigh on India’s security mandarins are listed below:
Yes. To the best of this author’s knowledge, the Aadhaar database has not been defined as “critical infrastructure” by the Indian government. The National Critical Information Infrastructure Protection Centre (NCIIPC), India’s nodal agency for this purpose, has sought to identify CII, but so far it has focused on flagging certain sectors – banking, health, energy – as “critical” databases. The UID programme, by contrast, is a cross-sectoral effort to authenticate the credentials of Indian users or consumers. At some point, the NCIIPC will seriously weigh bringing Aadhaar into its fold, but no publicly available information suggests such developments for now.
Identifying a database or sector as “critical infrastructure” is important because it is internationally accepted that CIs are not to be attacked during peacetime or armed conflict. The 2015 UN Group of Governmental Experts (GGE) says:
“A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” (emphasis added)
Why would Aadhaar be attacked during an armed conflict?
Targeting the Aadhaar database would serve two purposes. First, attacking a highly centralised national database – thereby limiting the access of Indian citizens to essential services – forces the Indian government to reconsider its military options against an adversary. This could be done by a DDoS attack on Aadhaar servers, preventing legitimate devices or applications from authenticating transactions. Second, Aadhaar data offers valuable intelligence, which can be harvested by penetrating Aadhaar-enabled applications. For instance, the Bharat Interface for Money (BHIM) app merely requires entering the 12-digit Aadhaar number to transfer money from one account to another. Perhaps the two-factor authentication in BHIM would prevent fraudulent transfers of money. But hacking the Aadhaar database will allow an adversary to map the flow of funds in an area – thanks to BHIM – as well as its busiest banks. Based on such intelligence, it is possible to selectively attack financial networks in an Indian town (say, along the border).
Similarly, if the government intends to link tax returns to Aadhaar numbers, sensitive financial information of individuals and companies will be exposed through breaches of the UID database. A “man in the middle” attack by an actor posing as the Aadhaar authenticator could trick the e-filing portal into divulging information. Doomsday scenarios around Aadhaar revolve around identity theft or loss of huge sums of money, but exploiting the database’s information without conducting disruptive activities is far more valuable to an adversary. Aadhaar, by linking platforms together, makes mapping and intel-gathering exercises easier.
How would an adversary attack Aadhaar databases?
An Aadhaar ecosystem requires an infrastructure layer, a data layer and an application layer. Aadhaar enrolment data, sandwiched between the base infrastructure and the end-user application, is strongly encrypted, and therefore secure in transit. The infrastructure, however, could be owned by an authenticating user agency (like NPCI), a sub-authenticating user agency (ICICI Bank) or a “terminal device” (a Xiaomi or Micromax mobile phone).
Similarly, the application layer would be managed by non-UIDAI entities (PayTM, Jio, etc.). While Aadhaar regulations require all contracting parties to “put appropriate network security in place to ensure their systems are protected from attack”, it is impossible to ensure systems-wide compliance. India’s digital supply chains are based abroad, effectively resulting in a situation where the security standards of Smartphone X differ widely from those of Smartphone Y. (It is worth noting that four of the top five smartphone models by market share in India are Chinese.) If an adversary assumes control of a mobile phone, the additional layer of authentication provided by a one-time password to effect Aadhaar-based transactions would be rendered useless. There is also no national encryption policy to regulate data security at the application layer. These applications rely on end-to-end protocols that encrypt financial data but not the user’s information (such as the name, telephone number, number of successful/failed login attempts, details of purchases, etc.). The more these applications link together Aadhaar numbers and (unencrypted) personal information, the easier it becomes for an adversary to map the behaviour of Indian users. Based on the profile of the user/consumer, this information can be used for counter-intelligence, extortion or blackmail.
The Aadhaar database, when matched with a database of personal information, becomes a goldmine for foreign actors to exploit and disrupt India’s digital networks. If operators of nuclear power plants require the Aadhaar numbers of employees to authenticate their entry into the complex, a breach of the UID database will render them vulnerable by exposing their daily activities to an adversary. If the “Bank of X” is known to be sustaining the financial lifeblood of a disputed border town through Aadhaar Enabled Payments, hostile actors may be tempted to shut down its servers located elsewhere. In the future, Internet of Things (IoT) ecosystems will likely be connected to Aadhaar databases – for instance, to allow traffic monitoring systems to directly deduct a fine from the motorist’s bank, her driving license/plate could be linked to an Aadhaar number, which in turn connects to a bank account. The security of IoT systems leaves much to be desired, and could potentially compromise Aadhaar databases as well.
To counter these strategic threats, India’s policymakers must urgently consider:
Designating UID databases as “critical infrastructure”