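2017-02-06 09:56 Observer Research Foundation (India)
Original title: Moving towards a secure digital economy
Abstract: In the article "Moving towards a secure digital economy", Observer Research Foundation experts Samir Saran and Vivan Sharan state that even as ongoing political debate polarizes opinion on demonetisation, India is actively transitioning to a digital payments ecosystem. The project attempts to break down the urban-rural divide and the income criteria that benefited only the few who could access certain private and public services. This digital payments system attempts, in a forceful manner, to change the way India transacts, trades and is taxed. Widespread use of digital payment systems will undoubtedly change the dimensions of risk, crime and security. As cybercriminals turn their attention to digital online transactions, they may dominate future economic crime. Although cybercrime affects everyone, it affects the poor more. It could cause the poor to lose what little savings they have and even lead people to lose confidence in the financial ecosystem being built. The government must therefore pay attention to small-scale cyber fraud, devise a comprehensive approach to securing the digital ecosystem, and take action immediately. (Compiled by: Luo Jingjing)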
Even as incessant political bickering is polarizing opinion on demonetisation, India is making a significant transition to a digital payments ecosystem. This project endeavours to breach the urban-rural divide, geographical exclusions of the real world, and income criteria that privileged only a few with access to certain private and public services. This new digital payments ecosystem is brutal in its attempt to alter the way India transacts, trades and is taxed.
A wider adoption of digital payments will invariably change the dimensions of risks, crime and security as well. If pickpockets were a common menace some decades ago, cybercriminals may dominate conversations in the days ahead as they eye digital and online transactions. While the “pickpocket” had to select a relatively “fat target” to make the effort and risk worthwhile, the cyber thief will have a low-risk environment (lack of forensic capabilities, human capacities and attribution challenges) and an expansive reach of technology that will make even “petty pickings” attractive. And although cybercrime will affect us all, it will harm the poor disproportionately. It could ravage the small savings of many, deprive them of their meagre means and, most importantly, result in erosion of trust in the financial ecosystem currently being built. It is, therefore, important that the government pay heed to small fraud.
An early warning of this was provided by the frisson of panic that followed the cautionary message from the newly launched Bharat Interface for Money application (BHIM app) on 4 January 2017: “Users please beware: Decline all unknown payment requests you may get! We will work on an update, which will allow you to report spam.” This response is inefficient and leaves the ecosystem vulnerable to malicious intent.
Governments around the world and here in India must respond to this new dimension, where “petty cash is big money” and digital pickpockets pose a range of threats to individuals, institutions and economic stability itself. Most governments have left themselves with little time to create the requisite mitigation capabilities. The velocity of digitization and technology adoption necessitates a response from policymakers different from what was the norm in the “public sector era”, where centrally controlled banks and enterprises offered a modicum of stability, privacy, and security (with less efficiency). To achieve this, a comprehensive approach for securing the digital ecosystem must be devised and some actions must be taken immediately.
First, there is a multiplicity of stakeholders operating networks and tools that pose varying degrees of risk. This, in turn, demands differentiated security responses. These include the Reserve Bank of India (RBI)-run National Electronic Funds Transfer (Neft) and Real Time Gross Settlement (RTGS), the National Payment Corporation of India’s (NPCI’s) Immediate Payment Service (IMPS) on which the Unified Payments Interface (UPI) currently operates, traditional card networks, mobile payments solutions, and various banking apps. In a report released in December 2016, the Union ministry of finance’s committee on digital payments suggested a hierarchical approach based on the level of “systemic risk” posed by different tools and networks. This must form the design basis going forward.
Second, while industry is consulted by expert committees such as the one referenced above, an inclusive multi-stakeholder consultative process must become the norm for policymaking itself, to avoid arbitrariness. This can be done by instituting multi-stakeholder consultations that are transparent and inclusive. This is the model India has agreed is best suited to govern the Internet internationally, and it’s time to adopt consonant processes at home.
Third, while the “mobile” is being hailed as a replacement for physical wallets as well as a proof of identity through its widespread use in second-factor authentication of digital payments, government and users should be circumspect about the risks involved. For instance, there is evidence to suggest that distributed denial-of-service (DDoS) attacks, in which a multitude of compromised systems attack a single target, causing denial of service for users of the targeted system, are increasingly targeting the applications layer rather than the network layer of the Internet. In layman’s terms, this means a sophisticated mode of cybercrime is being unleashed on unsuspecting users of mobile applications and popular software.
Mature hardware-based solutions, such as tamper-proof Universal Integrated Circuit Cards and Embedded Secure Elements, are being tested against the latest forms of cyberattack. Software-based solutions such as Host Card Emulation are also relatively secure but require upgrades through the cloud, placing large data demands on the user and testing the service capabilities of the issuer.
Globally, payment solutions that have been able to integrate hardware- and software-based security exist, but domestic mobile payments providers are relying largely on software-based security solutions. And while the Indian government’s Computer Emergency Response Team, RBI and NPCI are undertaking security audits of payment solutions, it is important that users be given standardized information to make informed choices, particularly when the digital adoption drive is at its height.
Lastly, it may be useful for the government to think of the digital payments ecosystem, now anchored by the NPCI, as analogous to the Internet. And much like the Internet, the National Financial Switch (the infrastructure backbone of all Indian ATMs, operated by the NPCI) must acquire robust redundancies offered by private-sector partnerships in order not to be a vulnerable single point of failure—which can potentially be compromised by self-styled “legions” of hackers. The NPCI should be managed through multi-stakeholder groups that can help with standard-setting, and can ensure that the payments ecosystem serves the common citizen, making even a small transaction online.