Cyber Security in the Digital Ecosystem

For a while now, I have been writing about the emerging Digital Democracy, its viral growth and the optimism it augurs for Asia’s middle class and underserved. The 5 Billion~ people, 20MM+ SMEs and the 10s of 1000s of corporates, big and small, in this part of the world are all striving towards progress, trying to participate in the growth revolution of the current decade and optimizing resources and time. They are empowered by cheap smartphones, robust telecom infrastructure and the thriving technology plays that bring these consumers, SMEs and corporates more convenience, control and choice. The Internet of Things and Artificial Intelligence are changing the way we live and do business – mostly for the better. Regulators in Asia Pacific have also enthusiastically and firmly adopted the ‘Digital Nation’ agenda in line with government sponsorship.

In short, all is good and going digital! As an eternal optimist, I should stop here. But for an honest debate, the counterpoint is crucial. Numbers mislead, particularly when we throw in the high population and diverse economies around the region. There are still large segments of consumers and institutions who haven’t gone digital. Why would that be? Fear is the oldest and most primal deterrent to the adoption of change. Is the fear of going digital justified?

Even while many technology start-ups are looking to provide convenience, some of them are looking for vulnerabilities to exploit. Apps that track your phone when you are not using them or collect more of your private data than needed, home assistants messaging private conversations and purchasing toys for minors, security cameras with flaws, data breaches at companies that lost all your personal data, cyber crime that targets the defenseless and the vulnerable, and malware attacks all discretely and collectively reinforce the ‘Digital-phobia’ factor (for those who like trivia: Digitophobia is what I thought it should be called, but Google told me it was the fear of fingers and toes!). The technologies are getting better and the intent of deployment is getting more questionable. Even technologies like blockchain, which offered immutability as a USP, have been discovered to store illegal content and hence are as much a problem as a solution. Unquestionably, all of this undermines our trust in technology.

The subject of cyber security risk is, admittedly, not an original one for an article. Much has been written about it. The above is but a summary of the terabytes of information available on the subject. Let us talk a bit more here about what can be done about it.

Digital security is as critical to the Digital Democracy as a nation’s defense forces and defense investment are to the protection of its citizens and its sovereignty.

To get ahead in the digital adoption agenda, a three-pronged focus is required across the ecosystem to address the security debate underpinning the digital conversation.

1. Protection of Personal and Private Information: This calls for responsible behavior from both the data collectors and the data providers. Sharing personal data on unverified sites, indiscriminate sharing of passwords, weak passwords, and a lack of investment in adequate processes, technology and standards to secure the data collected all compromise personal and private information.

2. Secure digital transactions: Weak authentication methods, unsecured transmission of data across devices and the ecosystem, lack of digital identity certification, differing standards in financial and non-financial messages, and proprietary message protocols can compromise a transaction at any point in its path.

3. Defend against attackers: Security infrastructure deployed across multiple components of a value chain can create a risk to the data embedded in any transaction as it flows across those components. IoT and seamless connectivity across devices, cloud and ERP systems, while creating efficiencies, also multiply the risk of a security breach manifold.

Mitigation Strategies to address the risks and expand digital adoption

Protection of personal information, security of digital transactions and defense against attacks are a shared responsibility and need collective effort from all stakeholders in the digital ecosystem – Consumers, Service Providers and the Government (and related institutions).

Consumers can demand security certifications and liability caps from their service providers – banks, merchants, telcos, hospitals, social media platforms – indeed, any entity that has collected information about the customer for a specific or a general purpose. They also need to be wise about evaluating the incremental risk to their information against the benefit they hope to receive through the sharing. Self-education about digital devices, transactions and risks will serve the information-led and the more technology-friendly folks well. Understanding that the decision to share personal data or not is a fundamental consumer right (now formalized in the EU, UK and Australia) is important for the consumer behavior pattern to shift. Consumers providing consent for the use of their personal data, whether by the data-collecting entity itself or by other service providers, will become the norm in the medium term.

Companies can do a lot. Engaging security experts at the start, conscious risk management, acquiring the right talent and leadership, raising workforce awareness and accountability with appropriate training and policies, linking security to business goals, creating data governance programs and revenue strategies to avoid misuse of consumer data, boosting investments to build cyber resilience, knowing the enemies peculiar to each industry and creating threat intelligence and management strategies, compliance with new laws and regulations and understanding technologies including the Internet of Things (IoT) and Artificial Intelligence (AI) and their potential impact on security and operations – all of these actions need to converge to create the right defense moats. As such, security of Network, Application(s), Endpoints, Data, Identity management, Database and Infrastructure, Cloud, Mobile devices and User Education are all components of Cyber Security management that companies are responsible for. 

Governments: For those who expected that government policy on cyber security in the digital economy would be led by industry activity, President Trump’s recent actions reveal the shape of things to come. As Trump says, cyberspace is, indeed, an integral component of all facets of a nation, including its economy and citizen life. In the last 18 months, America has undertaken many actions (we are not debating the validity or the justification of the actions or Trump’s rhetoric on the subject here). The indictment of cyber criminals, malicious actors and interventionists, holding the bureaucracy as responsible for security breaches as the corporate sector, and the release of the first fully articulated National Cyber Strategy document are all directionally positive government steps. Closer to home in Asia, the first draft of the National Cyber Security policy in India was released back in 2013.

I fully expect Governments across the globe to follow the lead, albeit more moderated in tone and administration. The 4 tenets that the American National Cyber Strategy espouses will be consistent in their adoption across most countries.

  • Defend the homeland by protecting networks, systems, functions, and data;
  • Promote the nation’s prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
  • Preserve peace and security by strengthening the country’s ability, in concert with allies and partners, to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
  • Expand influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

From a consumer protection perspective, the GDPR regulation in Europe will set the tone on how governments legislate the collection, storage and usage of data and permission rights. With the prolific rise of technology-led ecosystems across Asia and their adoption across consumer demographics and use cases, regulators in Asia need to be particularly conscious of the impending rebalance of power across the financial ecosystem in unregulated play.

Creating a robust security ecosystem across players, an assurance framework (authentication, KYC, digital identity certification etc.), encouragement of Open standards (expansion of proprietary message protocols versus internally approved open standard protocols like EMVCo standards, ISO messages etc.), strengthening the regulatory oversight and legislative framework, securing e-Governance initiatives, protection and resilience of Critical Information Infrastructure are the minimum that a regulator needs to do to stay ahead and steer the digital nation agenda. It needs to be underpinned by an ethical and legislative framework. 

Additionally, setting up of specialized Research & Development wings, creating national Cyber Security awareness, developing effective Public-Private Partnerships, multilateral information and cyber security cooperation agreements are all initiatives that many of the more progressive governments have already embarked upon.

The Payment technology Point of View

Payment technology innovations will benefit the whole ecosystem:

1. A more intelligent view of a digital transaction is possible by using more information, including factors like location, device ID, browser and IP address, to authenticate a transaction, thus guarding against automated bots. Using convenient biometric methods, such as thumbprints and facial recognition, instead of static passwords, account registration and knowledge-based questions will improve security.

2. EMVCo standards apply to the payment networks, and are developed in partnership with other industry participants, to encourage open, interoperable and highly secure operating protocols for payment transactions. The new EMVCo specification (often referred to as 3DS 2) is mobile friendly and integrates with mobile apps as well as with browser-based environments. It also gathers up to ten times more transaction data, which can be used to better authenticate a transaction. What’s more, users can authenticate using something they’re familiar with, like a fingerprint, making the authentication step much more seamless. The EMVCo specifications extend across many acceptance methods, plastic usage, digital cards, contactless payment methods and QR codes (secure and standardized, as distinct from the discrete QR code standards created by large technology players and certain countries).

3. Tokenization service is a solution where the Primary Account Number on the card is replaced by a surrogate value called the token. Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, which has no extrinsic or exploitable meaning or value. The solution renders tokens infeasible to reverse in the absence of the tokenization system, is secured and validated using security best practices, and provides data processing applications with the authority and interfaces to request tokens or detokenize back to sensitive data. Apple Pay, Google Pay and Samsung Pay are all widely recognized examples of applications where the payment card credential stored on these devices is tokenized and the payment network acts as the intermediary layer to verify the token and process the transaction.

Tokenization can safeguard any sensitive data, e.g., bank accounts, financial statements, medical records, criminal records, driver's licenses, loan applications, stock trades, voter registrations, and other types of personally identifiable information (PII).

My vision for a vibrant, open, global and inter-operable digital democracy is underpinned by the hope of a reality where consumer consent to data usage is a fundamental right of the democracy, where the nation’s infrastructure includes digital identity services to all – individuals, SMEs and corporates – to boost the digital nation agenda; where the defense strategy includes a rigorous National Cyber Defense plan; where the judicial laws include an ethical and legislative framework to monitor and penalize cyber criminals and the negligent; and where the mind of the simple citizen knows no fear of the unknown in the digital dimension… A Utopian reality? Not really, it just needs a revolution in policy, education, infrastructure and intent.

António Robalo de Almeida

CEO at Lisbon Economics & Business Group

10mo

One of the best articles I read. Many congratulations !

Sivakumar KB

Program Manager - Technology & Operations - Cards, Payments and Fraud Portfolio

6y

Very well written... gives a comprehensive view across institutions and end users. In my opinion it’s evolving in that direction, as loss of privacy and risk of financial loss are what is deterring many clients from going digital for high-value transactions (not digitophobia 😀). Just as issuance of cheques became a norm irrespective of the amount, digital payments should reach that maturity.
