C Jayashankar Prasad, director, Kerala State IT Mission (KSITM), in conversation with Shivangi Narayan, talks about cyber security in Kerala, the ways to make it better and the ultimate dream of the state to become a digital society.
What is CERT-K and what kind of powers does it have to tackle cyber security?
CERT-Kerala was formed in line with the Indian Computer Emergency Response Team (CERT-In) as a separate society which would have a separate large team of its own with all kinds of infrastructural facilities. But when I took over, I had an evaluation of what CERT-K could do and we found out that it did not have enforcement powers like the Hi-Tech Crime Inquiry Cell, and does not have statutory powers like CERT-In. We realised that when the organisation does not have the bite and backing then there is really no point of having that organisation. But then, is there a purpose of CERT-K? Yes, there is. Because it is very important to have a nodal agency to monitor all the government applications and that they comply with the CERT-In norms. CERT-K is that agency which is now a separate group under KSITM with a sanctioned strength of around five persons.
What kinds of efforts have been made to tackle cyber security issues in Kerala?
We have taken two kinds of measures to tackle issues of cyber security in Kerala: proactive and reactive. Proactively, we review all web applications in the data centre, try to fix the vulnerabilities and then send out a report. We then conduct trainings based on these learnings so that future problems can be avoided. Today, there are applications which can hack on people’s behalf so no one has to be a genius to hack an application or a website. We have to thus be proactive and take care of small things so that we can avoid bigger issues. Also, we have to conduct more and more training with CERT-In for better cyber security in Kerala. Also we do not let any application be hosted in the state data centre (SDC) until it is safe to host and we are very careful about it. Unless the websites are hosted in SDC, we have no control. All government apps have to be hosted on SDC compulsorily.
In reactive measures, too, we generate a report and provide recommendations on what can be done to prevent such attacks in future. We also send the entire log to CERT-In for analysis. They advise corrective measures, for which, we are constantly in interaction with them.
There are two reasons why people hack: one is for obstructing a service and the next is for showing off to their contemporaries. If a person is hacking to show off then he sure will talk about his antics on his blog. We have our people analysing and checking blogs and the moment a reference of the hacking incident comes up, we get to know it and then we pull down that site and take the corrective measures.
What are the future plans for CERT-K?
CERT-K plans to become a certifying empanelled agency and ensure that it can do a six-monthly audit of the websites which it certifies. We have to work hard on security because today the hacking incidents are moving from denial of information to denial of service and to finally denial of financial transactions. The biggest concern is security and it is imperative that we work hard in that domain. We need to ramp up our team and expand our scope. We will continue with our research in cyber security but I believe that one need not be loud in one’s research as it may attract future attackers.
What are you doing to end the issues of interoperability of various applications in the state?
Interoperability of the applications is an issue in Kerala. I am going to just focus on consolidation and integration. Under consolidation, we noticed that huge infrastructure was present all over the state (in the form of SDC and state wide area network, SWAN) but the departments were not using it because they were not getting proper mails due to absence of internet on SWAN. To fix that we have moved the entire NIC mailbox on the wide area network.
The work of the Friends centres can be done through the Akshaya centres.Even the work of the 95 Jana Seva Kendrams in every corporation can go through Akshaya.
On a random check, we found out that only 25-30 percent of the servers were being utilised for actual work. Thus, even in infrastructure and hardware, we are promoting co-hosting rather than co-location. I even made all the village officers shift from desktops to laptops. With the desktop, the purchase estimate also includes the cost of the furniture. There is no such thing in the laptop; plus, they can carry laptops with them and work on it all the time. Some of the village officers have started working on Sundays.
What are the issues with the integration aspect of interoperability of applications?
Many of the applications in the state are running in silos and the programs are discrete. The other levels of integration are the accessibility and affordability of different applications to the common man. This is where the Akshaya system comes in and also the state service delivery gateway (SSDG).
At a macro level, to identify the unique beneficiaries of any scheme of the government, Aadhaar comes in for authentication of the beneficiary through biometrics. Government officials spend 50 percent of the time in making, validating, proofreading, approving and issuing certificates. Imagine a ‘certificate-less integrated society’ where data is verified in one step through Aadhaar which can be done online.
An integrated database, which is the fourth layer of e-governance, is what we call transformative e-governance. This is when individual components of e-governance talk to the people and simultaneously talk with each other.
Are there any steps being taken on data analysis in Kerala?
We are trying to connect the other than-mandatory data captured in Aadhaar enrolments and then we will let the state resident data hub connect to the central repository to verify the biometrics of the beneficiaries to analyse and build on existing data. Big data analytics can make your decisions much more precise so that you can take a much more conscious decision. Today we take popular decisions. A common data repository can make our work easier, but is an ideal state to achieve. However, we can work to reach somewhere near.
How is the geospatial project going in Kerala? How do you plan to take it forward?
We are using the photos taken by a GPS-enabled device for traffic alerts, drugs control, distribution of food and all other sorts of services where there are chances of a problem. The photo could be used as evidence because it will carry GPS coordinates which can identify the exact location of the incident. This photo is transferred and uploaded on the GIS platform in Kerala.
Kerala has been named the most progressive state in the geospatial domain. There is a geo-portal in the state which is a common repository of all the geospatial data crowd sourced from various departments. It is not just data repository but it is also used for providing services to the people.
When is the SSDG coming up in Kerala?
The SSDG would be set up very soon. Thirteen departments have been selected for pilot for SSDG, 10 of them have signed the SRS. The portal is being developed and the service side is being set up. I might go ahead with these 10 departments and make it through to start the SSDG as soon as possible, maybe in a couple of months.
What is the status of the Mobile Service Delivery Gateway (MSDG) in Kerala?
The MSDG has already been integrated with the central mobile services system. We are looking at more value-added services for mobile phones, on the lines of incident reporting so that we can use the power of the mobile for all kinds of purposes.
