Digital security flaws exposed

The IT-related online news portal TechCrunch recently reported that the personal data of millions of citizens in Bangladesh has been leaked. Viktor Markopoulos, a security researcher, discovered this leak on a Bangladeshi government website. It was extremely easy to find the data and he then informed the relevant government agency of the matter.

After this report was published in the international media, at least two things happened -- one good and one bad. Let's look at the good one first. As this news had come from a foreign organisation and a researcher, needless to say this was given serious importance by all quarters in the country. Many were heard to say, albeit reluctantly, that our digital security system was really flawed. Rather than having the diligence to assess our own strengths and weaknesses, we tend to rely on such information when it comes from outside. Well, on the positive side, at least something good has come out of that.

On the bad side, there is the risk of Bangladesh being the target of further attacks. As it is, the Bangladesh Bank cyber heist crops up when the issue of cyber security is broached. Now that the flaws in Bangladesh's digital security system have been exposed and the easy access to personal and sensitive information such as citizens' National IDs on government websites has been revealed, it will be quite natural for international hacker groups to turn their attention here. Bangladesh may fall victim to further cyber attacks in the days to come.

As this matter came to light, many quarters have also raised the question: just how important is our data actually? Even if it is stolen, what difference will it make?

Say an unscrupulous group gets hold of someone's NID information. They can make a fake NID in the same name. This fake NID can be used for bank transactions. If any illegal bank transactions take place, the actual, though innocent, NID holder will get the blame.

Also, the present NID cards can be scanned by mobile apps to avail various services. So the fake NID card can be used on any app to commit a crime and again the genuine NID card holder will be held responsible.

The NID is used for all sorts of vital services and work such as mobile phone SIM registration and more. In such cases, especially if biometrics are not used, a fake NID made from the stolen data can be misused. When we approach the bank, the service provider reels off like a parrot, "For the sake of security, kindly tell us your mother's name and date of birth." This is asked to confirm the person's identity. Yet both of these pieces of information are on the NID. So it is easy to ask, "What difference will it make if my data is stolen?" but the answers are not so clear-cut.

No digital system in the world can claim to be a hundred per cent secure. No one can guarantee that data will not be stolen. Even after all precautions are taken, data can be stolen. But that does not mean we can sidestep the minimum security measures that are required. There is no point in sleeping with all your doors and windows open and then waking up in the morning to cry out, "Thieves have stolen everything!"

There are globally recognised standards to ensure cyber security. If such an incident occurs even after all those are followed, that can be called an unintentional accident. But randomly using citizens' personal data here and there, without following those standards, is not only unsafe but unwarranted too.

The state minister for information and communication technology has already said that the data was leaked due to weaknesses in the website and this liability cannot be evaded. The first step in solving a problem is to admit that problem. Since the problem has been pinpointed, the next step is to take due measures to resolve it. If it is said that the concerned organisation has been given due directives, but they have not carried them out, that will not solve the problem. Before the website, software or services of any organisation working with citizens' personal data are launched, it must be compulsory to check whether all precautionary measures have been taken, and only then should approval be given.

If credit card data is stolen, the old credit card can be discarded and a new card issued. But if personal data from the NID is stolen, you can't change your date of birth, you can't replace your father's name. It is hard to create a digital country and even harder to ensure digital security.

* Dr BM Mainul Hossain, Professor, Institute of Information Technology, Dhaka University. email: bmmainul@du.ac.bd

* This column appeared in the print and online editions of Prothom Alo and has been rewritten for the English edition by Ayesha Kabir