Linking Aadhaar to nearly everything creates a “map of maps” that is vulnerable at multiple points.
The widespread adoption of Aadhaar numbers and linkages to Unique Identification (UID) programme databases for the purpose of authenticating sensitive transactions should give pause to India’s foreign policy and military planners. That Aadhaar is a centralised database, and therefore susceptible to cyber attacks, is already known. But pervasive “Aadhaar-isation” brings together systems and platforms in a digital ecosystem without interoperable standards for security.
The UID is device-agnostic. Whether an Indian enters her Aadhaar number into a virus-infested desktop at a local cyber cafe or a highly secure iPhone, her device is linked to and authenticated by the Aadhaar database. In almost all cases, there is a two-step authentication process, involving a one-time password from the user. The UID Authority of India claims such authentication (at its most basic level) is a simply “Yes/No” interaction of the Aadhaar database with the machine, and that no biometric or personal information is sent back. Biometric or demographic records of Indians are available today in multiple databases, and hardly an invitation to target Aadhaar servers. Based on the specific transaction involved – filing tax returns, transferring money or purchasing health insurance – Aadhaar, however, creates a “map of maps” of Indians identifying, the platform, device, location and successful/failed attempts at authentication. Coupled with the demographic data that can anyway be extracted from an insecure mobile phone or app, this Aadhaar authentication data is of strategic value to a foreign adversary.
Some questions of strategic import that should weigh on India’s security mandarins are listed below:
In the event of conflict, could the Aadhaar database be targeted by India’s adversaries?
Yes. To the best of this author’s knowledge, the Aadhaar database has not been defined as “critical infrastructure” by the Indian government. The National Critical Information Infrastructure Protection Centre (NCIIPC), India’s nodal agency for this purpose, has sought to identify CII, but so far it has focused on flagging certain sectors – banking, health, energy – as “critical” databases. The UID programme, by contrast, is a cross-sectoral effort to authenticate the credentials of Indian users or consumers. At some point, the NCIIPC will seriously weigh bringing Aadhaar into its fold, but no publicly available information suggests such developments for now.
Identifying a database or sector as “critical infrastructure” is important because it is internationally accepted that CIs are not to be attacked during peace time or armed conflict. The 2015 UN Group of Government Experts (GGE) say:
“A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” (emphasis added)
The GGE’s recommendations, endorsed by the UN General Assembly, are not binding on UN member states. They nevertheless represent the views of the most powerful “cyber” powers, including Russia and China. It is notable that the US’s election machinery, which Russia is formally alleged to have hacked during the 2016 US presidential campaign, was not classified by the Obama administration as CI at the time. Attacks on critical infrastructure are been uncommon – a US banking network, a Saudi state-run oil company, an Iranian nuclear installation, an Ukranian power plant, to name a few recent targets – given the difficulty in attributing cyber attacks to state agencies. That said, the international community is stealing moving towards declaring the targeting of CI as a grave violation of international law. If the Indian government sees Aadhaar as a gateway to its services or entitlement schemes, it should move immediately to designate UID as critical infrastructure and set up a dedicated Computer Emergency Response Team to monitor attacks or intrusions on the database.
Why would Aadhaar be attacked during an armed conflict?
Targeting the Aadhaar database would serve two purposes: first, attacking a highly centralised national database – thereby limiting the access of Indian citizens to essential services – forces the Indian government to reconsider its military options against an adversary. This could be done by a DDoS attack on Aadhaar servers, preventing legitimate devices or applications from authenticating transactions. Aadhaar data also offers valuable intelligence, which can be harvested by penetrating Aadhaar-enabled applications. For instance, the Bharat Interface for Money (BHIM) app merely requires entering the 12-digit Aadhaar number to transfer money from one account to another. Perhaps the two-factor authentication in BHIM would prevent fraudulent transfers of money. But hacking the Aadhaar database will allow an adversary to map the flow of funds in an area – thanks to BHIM – as well as its busiest banks. Based on such intelligence, it is possible to selectively attack financial networks in an Indian town (say, along the border).
Similarly, if the government intends to link tax returns to Aadhaar numbers, sensitive financial information of individuals and companies will be exposed through breaches of the UID database. A “man in the middle” attack by an actor posing as the Aadhaar authenticator, could confuse the e-filing portal to divulge information. Doomsday scenarios around Aadhaar revolve around identity theft or loss of huge sums of money – exploiting the database’s information without conducting disruptive activities is far more valuable to an adversary. Aadhaar, by linking platforms together, makes mapping and intel-gathering exercises easier.
How would an adversary attack Aadhaar databases?
An Aadhaar ecosystem requires an infrastructure layer, a data layer and an application layer. Aadhaar enrolment data, sandwiched between the base infrastructure and end user application is strongly encrypted, and therefore secure in transit. The infrastructure, however, could be owned by an authenticating user agency (like NPCI), a sub-authenticating user agency (ICICI Bank) or a “terminal device” (a Xiaomi or Micromax mobile phone).
Similarly, the application layer would be managed by non-UIDAI entities (PayTM, Jio, etc). While Aadhaar regulations require all contracting parties to “put appropriate network security in place to ensure their systems are protected from attack”, it is impossible to ensure systems-wide compliance. India’s digital supply chains are based abroad, effectively resulting in a situation where the security standards of Smartphone X differ widely from Smartphone Y. (It is worth noting that four of the top five smartphone models by market share in India are Chinese.) If an adversary assumes control of a mobile phone, the additional layer of authentication provided by a one-time password to effect Aadhaar-based transactions would be rendered useless. There is also no national encryption policy to regulate data security at the application layer. These applications rely on end-to-end protocols that encrypt financial data but not the user’s information (such as the name, telephone number, number of successful/failed login attempts, details of purchases, etc). The more these applications link together Aadhaar numbers and (unencrypted) personal information, the easier it becomes for an adversary to map the behaviour of Indian users. Based on the profile of the user/ consumer, this information can be used for counter-intelligence, extortion or blackmail.
The Aadhaar database, when matched with a database of personal information, becomes a goldmine for foreign actors to exploit and disrupt India’s digital networks. If operators of nuclear power plants require the Aadhaar numbers of employees to authenticate their entry into the complex, a breach of the UID database will render them vulnerable by exposing their daily activities to an adversary. If the “Bank of X” is known to be sustaining the financial lifeblood of a disputed border town through Aadhaar Enabled Payments, hostile actors may be tempted to shut down its servers located elsewhere. In the future, Internet of Things (IoT) ecosystems will likely be connected to Aadhaar databases – for instance, to allow traffic monitoring systems to directly deduct a fine from the motorist’s bank, her driving license/plate could be linked to an Aadhaar number, which in turn connects to a bank account. The security of IoT systems leave much to be desired, and could potentially compromise Aadhaar databases as well.
To counter these strategic threats, India’s policymakers must urgently consider:
- Designating UID databases as “critical infrastructure”
- Crafting an encryption policy that specifically addresses encryption for Aadhaar-enabled apps
- Security testing of all Aadhaar-enabled applications
- Encouraging device-level encryption for mobile phones and laptop computers
- Creating a Computer Emergency Response Team to monitor attacks on Aadhaar
- Working with the private sector at forums like the International Electronic and Electrical Engineers (IEEE) and the Internet Engineering Task Force to create interoperable security standards for platforms relying on national identity databases.
Arun Mohan Sukumar is at the Observer Research Foundation, New Delhi