Trust, Resilience, and Shared Responsibility: Key Insights into Securing India’s Digital Future
A recent panel discussion hosted at VULNCON 2025 brought together key leaders from the defense, government, and private sectors to discuss the intricate landscape of "Securing India's Digital Future". Moderated by Anant Shrivastava, the discussion featured Sandeep Khanna (Director & CISO, UIDAI), Chaitanya K K (Wing Commander, Indian Air Force), and Lt Cdr Amit Pal Singh (retired Indian Navy, now with Siemens Healthineers). The core takeaway from the discussion was clear: securing citizen-scale systems goes beyond mere technology; it is fundamentally about earning trust at a population scale.
1. Defining the Mission: National Security vs. Business Goals
A foundational difference exists in the mission statements driving cyber defense across sectors.
For those in the armed forces and defense, the primary mission is national security, focusing on achieving resilience, deterrence, or even offensive actions.
Conversely, in the corporate sector, cybersecurity is primarily viewed as a business enabler. Its value is tied to business profit, risk appetite, and the organization's risk framework. While national-level defense focuses on protection, the corporate world focuses more on business-driven objectives.
Sandeep noted that for enterprises, security is inherent to business enablement, safeguarding reputation and Intellectual Property (IP). However, when dealing with Digital Public Infrastructure (DPI), trust is the security and privacy by design.
2. The Mandate for Resilience by Default
Chaitanya, representing the defense perspective, emphasized that every military system, whether a missile platform, radar, or communication equipment, must be built with the assumption that it will face disruption or threat.
Key principles driving this defense mindset are security by design and resilience by default. Military networks are often isolated, segmented, and encrypted, designed specifically to operate in "denied and degraded conditions". For critical infrastructure, this means building for operational continuity under threat, not merely for compliance. This approach incorporates measures such as red teaming, cyber drills, zero-trust architecture, and "safe fails" from day one.
Sandeep confirmed that DPIs like UIDAI must adopt these pillars, stressing that privacy principles must be inherent in the architecture from the beginning to avoid an uphill task later.
3. Navigating Healthcare's Digital Complexities
Amit Pal Singh discussed the immense challenges in the medical field, particularly the transition from isolated data environments to interconnected systems.
- Legacy Systems: A major hurdle is reliance on legacy equipment in hospitals, where reinvestment in new, secure equipment is often resisted if the existing technology (e.g., an X-ray machine) remains functional.
- Mitigation Strategy: Manufacturers are addressing this by placing additional controls outside the equipment to secure the device's perimeter.
- Data and Research: Because medical research is data-driven, the industry is shifting to tokenization and anonymizing data to ensure data sets are available for research without revealing sensitive Protected Health Information (PHI).
- Compliance: Global manufacturers like Siemens Healthcare are already compliant with international regulations like HIPAA and GDPR. In India, the Central Drugs Standard Control Organisation (CDSCO) has rules similar to those of the FDA for testing medical devices.
Critically, the industry is adopting a shared responsibility model. It is no longer solely the manufacturer's responsibility to guarantee security; the environment in which the device operates (the hospital network) must also be secure. Manufacturers provide assurance of their device's security and compliance, but they also require the hospital to ensure their environment is safe to host the equipment.
4. Agility, Governance, and Scale at UIDAI
Operating at the scale of India’s population, with efficiency equal to or surpassing that of large corporations, demands both agility and innovation. Sandeep explained that UIDAI, functioning as an independent authority operating on a corporate model, sustains this agility and innovation, which are essential for managing roughly 10 crore transactions each day.
The strategies employed include:
- Sandbox Environment: Enabling the community to support and bring in innovations.
- Shift Left: Evolving daily by adopting SDLC "shift left" standards and automation, and by using private and public Large Language Models (LLMs).
- Partnerships: Leveraging academia (e.g., IIIT Bangalore) and industry for indigenous projects, such as building fully indigenous biometric systems and developing verified credentials for digital wallets.
- Strict Governance: The UIDAI architecture is designed to prevent cross-linkages and to minimize data collection, collecting only seven attributes. Biometric data never leaves the UIDAI premises. Partners (Aadhaar User Agencies) must comply with stringent controls, including three levels of audit (self-audit, UIDAI audit, and governance audits), with non-compliance resulting in service suspensions.
5. Overcoming Hurdles in Large Federated Networks
Chaitanya highlighted that any large-scale federated network (like DPIs connecting government, startups, and private players) is only as secure as its weakest link. While this "oneness" drives innovation, it also presents an enormous attack surface.
Technical challenges in these massive networks include:
- Monitoring: Traditional Security Information and Event Management (SIEM) systems are insufficient for monitoring the entire network, which requires more robust anomaly detection.
- Privacy Enforcement: Ensuring encryption, data minimization, and adherence to privacy principles across a large network is difficult.
- API Security: The necessary use of APIs for data flows increases the number of potential entry points, making API security crucial.
Organizational challenges stem from the fact that participants often have different levels of cyber maturity. The solution involves establishing standardized protocols and a baseline of security standards, enforced through measures like red teaming, threat modeling, and vulnerability assessments.
Finally, future threats such as quantum computing are already being addressed. The goal is to start building Post-Quantum Cryptography (PQC) models, beginning with digital signatures and moving to toy encryption, aiming to be ready by 2028 or 2030 despite current challenges related to latency and performance in existing Hardware Security Modules (HSMs).
Conclusion: Awareness and Accountability
Ultimately, securing these critical citizen-scale systems relies on both developers and users. Amit Pal Singh emphasized that systems must be user-friendly, citing the success of UPI, which required no formal training.
However, resilience also demands citizen awareness. Users are equally responsible for securing the environment and must be educated about potential abuse scenarios, such as the dangers of sharing one-time passwords (OTPs).