India Inc. technology expert delves into why it is time for policy-makers to address issues around data security.
Over the last few weeks, the sinister side of technology has come to the fore. Cambridge Analytica is alleged to have collected the data of up to 87 million Facebook users worldwide, the majority of which were in the US.
While this data is said to have been used to target and influence voters in the US presidential election and in the Brexit referendum in the UK, it is also thought, according to reports, that Cambridge Analytica's parent firm had offered services to Indian political parties for the 2014 elections to carry out caste research, behavioural polling, and target audience analysis, amongst several projects.
The fact this has happened shouldn't really be a surprise to anyone in the technology industry. Whether you're in London or Bangalore, the tech start-up scene is full of thousands of wannabe entrepreneurs with the latest app, looking to rapidly sign up and grow the number of users of their app Why Because the more data they have on their users (in whatever way it is collected, whether it's a game or a consumer lifestyle app), the more valuable it becomes. It enables them to sell that data to brands, advertisers and sponsors. They're all trying to become the new Facebook or Google.
The data held by companies like Facebook has massive value, since the volume of data enables accurate profiling. In the US and UK, this enabled the political campaign teams to profile voters and precisely target them with specific ads to help influence their vote. It is reported that between Trump and Clinton, some $81 million was spent on Facebook advertising.
In the tech world, there's a constant debate around
, and Facebook-Cambridge Analytica is a high-profile example of how data collected by an app can be potentially misused. In Europe, a new data protection law, GDPR, comes into force on May 25 this year, which is supposed to reduce the risk of data misuse. The big US tech companies are already trying to figure out how they will provide a fix that enables them to conform to the new law, though it is reported that Facebook is considering implementing any measures to conform only for European users, leaving those in the rest of the world open at the same level of exposure as before.
It's not the only security risk from technology in the modern world. The more that countries around the world, including the Indian government, talk about implementing
, the more the potential for cyberattacks that bring down cities and nations.
Fiction versus non-fiction
They say art imitates life, so if you want to see examples of the risks of the technology we have today, you only need to watch movies like the 'Bourne Ultimatum' and 'Die Hard 4.0'. You may think the ideas are far-fetched, but these films illustrate technology which is already in widespread use. In the Bourne movie, the ability to track and follow every move of anyone is not just fiction; every smartphone's operating system is traceable, even if they have their phones in flight mode. You only have to witness the revelations made by Edward Snowden, the former intelligence community officer and whistleblower, who made public documents that revealed the US security agencies' and their international intelligence partners' secret mass surveillance programs.
And in the 'Die Hard' franchise, we see the ultimate doomsday scenario that could happen from our quest to implement Smart Cities and the internet of things (IoT). The 'bad guys' are able to take control of traffic systems and cars, power grids, bank accounts and more. This is indeed possible - during the London Olympics for example, traffic management systems were able to control traffic signals to enable VIPs to be sped through congested roads in London, giving them priority when their vehicles were detected in designated lanes. Imagine if the wrong people got hold of the traffic management system, as they do on screen.
In Smart Cities, everything is supposedly connected for the public good, but in a cyberattack situation the connected networks can also be commandeered by people who have the knowledge to control it for their own benefit.
We just have to remember the WannaCry cyberattack that paralysed the UK NHS system in May 2017. The UK's National Audit Office (NAO) said back then: “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
India itself is concerned about the rapid progress of
without proper cybersecurity policies in place. India′s Telecom Secretary, Aruna Sundararajan, acknowledged as much at a recent conference in Geneva, and said: “Every nation faces cybersecurity challenges. Countries like India, where digitisation growth has been exponential, the magnitude and complexity of these challenges become multi-fold. For example, 300 million Indians adopted digital payments in just 6 months.”
She added that a sound and comprehensive cybersecurity policy is a key building block for India's infrastructure. “We are also working to ensure that all layers of digital access are appropriately secured, including the content, transport and device layers.”
More widely in the technology industry globally, the proliferation of connected devices sending and storing data to the cloud has become a concern for both vendors and customers. While attending the Embedded World conference in Nuremberg, Germany, in February, I became aware of a push back from many vendors from relying on the cloud for secure data.
As I wrote in a US-based technology magazine following the conference, with IoT adoption proliferating, manufacturers of IoT devices are sidestepping security fundamentals as they rush to bring products to market. A lack of familiarity with secure coding concepts is resulting in many vulnerabilities being incorporated into final designs. There is therefore a need for organisations to properly document and test each internet-connected device on their network or face introducing potentially thousands of new attack vectors easily exploitable by cybercriminals. Any device or sensor with an IP address connected to a corporate network may open the doors to a devastating security incident.
In the article, I wrote how chip vendors are increasingly adding more processing and servers at the edge of an IoT network, since their customers are increasingly concerned about storing their secure data in the cloud amid increasing lack of trust in the ability to safeguard sensitive data. In addition, GE Power's Automation and Controls' manager, Vibhoosh Gupta, said to me: “We're bringing intelligence as close to the machine as possible. The cloud might provide an elastic compute environment which is good for things like fleet management. However, for applications requiring real time analytics, the inherent latency resulting from sending data to the cloud means there is no choice but to move to the edge.”
To conclude, it is easy for governments to get on the technology bandwagon, talking about the need for IoT, Smart Cities, and the use of artificial intelligence tools and programmes. However, as recent examples have shown, there really needs to be more consideration about policies and regulation that helps safeguard the users that the technology is supposed to provide benefits to. I am not suggesting we should be luddites, but we need more people who understand the technology and its impact involved in the policy-making process, especially those who are independent and not part of big technology companies or their connected think tanks.
Nitin Dahad is a journalist, entrepreneur, and advisor to the technology sector and government trade agencies, with over 30 years' experience across Europe, US, Asia and Latin America in corporates, start-ups, and media. He currently edits 'The Next Silicon Valley' and 'Go4Venture'.