Finding Security in Digital Public Infrastructure
By Justin Sherman
October 21, 2024 • 10:00 am ET
In an increasingly digital world, the concept of Digital Public Infrastructure (DPI) has emerged as a critical framework for understanding how governments can leverage technology to enhance public services, improve citizen engagement, and bolster national security. DPI encompasses a wide range of state-run digital systems, including payment platforms, data-exchange frameworks, and comprehensive public document backups. However, the lack of a unified approach to DPI raises significant questions about digital trust, privacy, and cybersecurity. This article delves into the opportunities and risks associated with DPI, drawing insights from a working group of experts from the Atlantic Council.
Understanding Digital Public Infrastructure
Digital Public Infrastructure refers to the foundational digital systems that governments create or manage to deliver services to citizens. These systems can include everything from digital payment solutions to cloud storage for public records. While examples of DPI can be found globally—from Kenya’s M-PESA to India’s Unified Payments Interface (UPI)—the common thread is the involvement of the state in the development and operation of these platforms. This involvement has profound implications for digital trust, privacy, and cybersecurity.
The Importance of Digital Trust
Digital trust is the cornerstone of any successful DPI initiative. For citizens, businesses, and foreign governments to engage with a country’s digital systems, they must have confidence in the underlying technology and the integrity of the government managing it. Trust is built through transparency, accountability, and a commitment to protecting citizens’ rights.
Technological mechanisms that can enhance trust include:
- Open-source code: Making the code behind DPI systems publicly available can foster transparency and allow for independent audits.
- Third-party audits: Regular cybersecurity and privacy assessments by independent organizations can help ensure that DPI systems are secure and compliant with best practices.
- Clear data policies: Governments should clearly communicate how data is collected, used, and protected, ensuring that citizens understand their rights.
The broader trust environment is influenced by the perceived legitimacy of the government, the robustness of privacy laws, and the presence of checks and balances. For instance, in India, the rollout of the UPI was initially met with skepticism, but as citizens began to see tangible benefits, trust in the system grew. However, ongoing concerns about government surveillance and data privacy continue to challenge this trust.
Data Privacy: A Complex Landscape
Data privacy in the context of DPI is not a simple binary; it involves a nuanced understanding of how personal information is collected, stored, and used. Citizens may have valid concerns about both government and private sector data practices. DPI systems often collect vast amounts of data, raising questions about who has access to this information and for what purposes.
Key considerations for data privacy in DPI include:
- Access control: Determining which government agencies can access specific data and under what circumstances is crucial to protecting citizens’ privacy.
- Data retention: Establishing clear policies on how long data is stored and when it can be deleted helps mitigate privacy risks.
- Third-party access: Understanding how private companies involved in DPI projects handle data is essential, especially as governments increasingly rely on commercial partners for technology solutions.
Countries like Kenya have made strides in data privacy by enshrining it as a fundamental right in their constitution. However, gaps remain, particularly regarding government access to data. In India, the new Digital Personal Data Protection Act has introduced protections for citizens but also includes exemptions for government surveillance, raising concerns about potential abuses.
Cybersecurity and Resilience
Cybersecurity is a critical component of DPI, as these systems are prime targets for malicious actors. A robust cybersecurity framework is essential to protect sensitive data and ensure the reliability of public services. However, the lack of standardized cybersecurity practices across DPI initiatives poses significant risks.
Key factors influencing cybersecurity in DPI include:
- Centralization vs. decentralization: Centralizing data storage can create attractive targets for hackers, while decentralized systems may reduce the risk of widespread data breaches.
- Supply chain security: The involvement of multiple vendors in DPI projects can complicate cybersecurity efforts, making it essential to establish clear security standards for all participants.
- Regulatory environment: Countries with strong cybersecurity laws and regulations are better positioned to protect their DPI systems from threats.
For example, Ukraine’s Diia platform, which provides access to numerous government services, has been developed with a focus on cybersecurity, particularly in the context of ongoing conflict. However, the reliance on centralized systems can still expose vulnerabilities that need to be addressed.
Policy Recommendations for Enhancing DPI
To maximize the benefits of DPI while minimizing risks, several policy recommendations can be made:
-
Promote meaningful transparency: Governments should engage in multistakeholder consultations throughout the DPI project lifecycle, ensuring that citizens and civil society organizations have a voice in the process. Transparency mechanisms should be established before projects are rolled out.
-
Define frameworks for digital trust, privacy, and cybersecurity: Governments should align DPI initiatives with recognized best practices and frameworks, such as the NIST Cybersecurity Framework, to ensure robust privacy and security measures are in place.
-
Emphasize the compatibility of DPI with privacy and cybersecurity: Stakeholders should challenge the notion that DPI projects must sacrifice privacy and security for efficiency. Robust guardrails can enhance system functionality and public trust.
- Encourage cross-border collaboration: As countries develop their DPI systems, sharing best practices and lessons learned can help create a more secure and resilient global digital infrastructure.
Conclusion
Digital Public Infrastructure holds immense potential to transform public service delivery and enhance citizen engagement. However, the success of these initiatives hinges on building digital trust, ensuring data privacy, and implementing robust cybersecurity measures. By adopting a comprehensive approach that prioritizes transparency, accountability, and collaboration, governments can create DPI systems that not only serve their citizens effectively but also uphold their rights and freedoms in the digital age.
About the Author
Justin Sherman is a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and the founder and CEO of Global Cyber Strategies. He has extensive experience in digital policy and cybersecurity, making him a leading voice in the discourse surrounding Digital Public Infrastructure.
Acknowledgments
The author would like to thank all individuals who contributed to this article, including members of the Atlantic Council working group. Their insights and expertise were invaluable in shaping the discussion on Digital Public Infrastructure.
Related Content
For further reading on the implications of Digital Public Infrastructure and its role in enhancing public trust and security, visit the Atlantic Council’s website.