Cyber Threat Observatory workshop advises on protections for national digital ID systems


The Alan Turing Institute launched the Cyber Threat Observatory last year to monitor cyber threats to digital ID systems. The observatory hosted a workshop with speakers and experts in cyber threats and digital ID, infrastructure and economy.

The Cyber Threat Observatory reviewed more than 31,000 security flaws, identifying Common Vulnerabilities and Exposures (CVEs) for national identity systems, mapping vendor and product hotspots, weaknesses and attack routes.

“The thing that is important for us is that we maintain our ability to identify the weaknesses in systems because if we identify a weakness we can work as a community to patch that weakness,” said professor Carsten Maple, of The Alan Turing Institute, at the top of the online workshop.

Digital identity flaws are rising the fastest among the four foundational domains of DPI (the other three being finance, health and government), with CVEs increasing from 290 in 2020 to 569 annually by 2024. The observatory found that broken logins and permissions dominate CVEs, while SQL injections and script attacks are “rampant.” And data leaks threaten every sector.

The institute’s research associate Shah Mahmood explained the importance of perimeter defense and segmentation. “We need to segment our networks,” Mahmood said, to avoid cross-contamination across different parts of the network.

Adopting a certain mindset was crucial, such as embedding security from the start and designing out CVEs. Mahmood also recommended conducting regular code audits on authentication and input handling. Digital ID should be treated as critical infrastructure, like power grids or water supply, with the same protections.

Considering global ID deployment, the observatory notes that cybersecurity skills and resources often lag behind rapid rollout. But there is “immense risk” if security is sidelined. Mahmood talked through the National Level Cyber Threat Observatory Playbook, which shifts protection from a “reactive patchwork” to “proactive, anticipatory defence.”

Speakers from MOSIP, Ernst & Young, Sri Lanka and CMU Africa, among others, shared insights and perspectives from the Global South. Sasikumar Ganesan, head of engineering at MOSIP, explained that a national ID increases the attack surface. However, the national ID doesn’t mean anything to the attacker until it is more connected, for example to the banking system.

Ganesan also spoke on the particular kind of identity theft that occurs in India and across Asia, involving smishing (SMS-based attacks) and quishing (QR code-based attacks). “It’s not real identity theft,” he explained, “but it’s more subtle and very different.”

Navin Kaul, a partner at Ernst & Young, noted that GDP per capita spending on cybersecurity in developed markets is close to $30 but that it’s $1-2 in South Asia. But international collaboration can help, with Nepal and Sri Lanka working together on threat intelligence and ICT exposure. Kaul said that it’s about building a culture of establishing digital public goods from a cyber angle.

Scott Rea, global strategic advisor at eMudhra, spoke on why public key infrastructure (PKI) is critical to identity in a zero trust paradigm and why identity starts with nations having strong binding of national identities to credentials that are trustworthy. But Rea also observed that while PKI requires the use of the strongest validated encryption technologies, trust cannot be achieved by technology alone. “A strong governance structure for how the technology will be deployed, operated, used and relied upon is necessary.”

Dasun Hegoda, technical advisor at the Digital Economy Unit, presidential secretariat, Sri Lanka, spoke on the exact components of the country’s digital infrastructure that make up its digital economy blueprint.
