Securing India’s Digital Future: Lessons from Health, Identity, and Infrastructure

Discuss the unique challenges and best practices from securing healthcare, identity systems, and other citizen-facing critical infrastructure.

Panel Discussion Video

Related Blog Post

• Trust, Resilience, and Shared Responsibility: Key Insights into Securing India’s Digital Future - Blog post by Vulncon summarizing the panel discussion

AI Generated Summary

This panel discussion at VULNCON 2025 brought together key leaders from defense, government, and private sectors to discuss “Securing India’s Digital Future”. Moderated by Anant Shrivastava, the panel featured Sandeep Khanna (Director & CISO, UIDAI), Chaitanya K K (Wing Commander, Indian Air Force), and Lt Cdr Amit Pal Singh (retired Indian Navy, now with Siemens Healthineers).

Panelists

• Sandeep Khanna: CISO of UIDAI, with 10-12 years in security domain and 25 years in IT background
• Chaitanya K K: Wing Commander in Indian Air Force, experienced in SOC and CERT operations
• Lt Cdr Amit Pal Singh: Retired from Indian Navy after 10 years, last appointment with Defense Cyber Agency, now working with Siemens Healthcare

Key Themes

1. Mission Differences: National Security vs. Business Goals

• Defense perspective: Mission is national security - resilience, deterrence, or offensive actions
• Corporate perspective: Cybersecurity as business enabler tied to profit, risk appetite, and risk framework
• DPI perspective: Trust is the security - privacy by design is fundamental

2. Resilience by Default

• Every military system built with assumption it will face disruption or threat
• Security by design and resilience by default are core principles
• Military networks are isolated, segmented, encrypted, designed for “denied and degraded conditions”
• Must build for operational continuity under threat, not just compliance
• Incorporates red teaming, cyber drills, zero-trust architecture, and “safe fails” from day one
• DPIs like UIDAI must adopt these pillars - privacy principles must be inherent from beginning

3. Healthcare Digital Complexities

Legacy Systems Challenge:

• Major hurdle: reliance on legacy equipment in hospitals
• Hospitals resist reinvestment if existing technology (e.g., X-ray machine) remains functional
• Mitigation: Manufacturers placing additional controls outside equipment to secure device perimeter

Data and Research:

• Medical research is data-driven
• Industry shifting to tokenization and anonymizing data for research without revealing Protected Health Information (PHI)
• Global manufacturers like Siemens Healthcare compliant with HIPAA and GDPR
• In India, CDSCO has rules similar to FDA for testing medical devices

Shared Responsibility Model:

• No longer solely manufacturer’s responsibility
• Hospital environment must also be secure
• Manufacturers provide device security assurance but require hospital to ensure safe hosting environment
• Similar to cloud shared responsibility model

4. Agility, Governance, and Scale at UIDAI

Operating at India’s population scale (10 crore transactions per day) requires agility and innovation:

• Sandbox Environment: Enabling community to support and bring innovations
• Shift Left: Evolving daily with SDLC “shift left” standards, automation, Private and Public LLMs
• Partnerships: Leveraging academia (e.g., IIIT Bangalore) and industry for indigenous projects
  • Built fully indigenous biometric systems
  • Developing verified credentials for digital wallets
• Strict Governance:
  • Architecture prevents cross-linkages
  • Minimizes data collection (only seven attributes)
  • Biometric data never leaves UIDAI premises
  • Three levels of audit (self-audit, UIDAI audit, governance audits)
  • Non-compliance results in service suspensions

5. Challenges in Large Federated Networks

Technical Challenges:

• Monitoring: Traditional SIEM systems insufficient - need robust anomaly detection
• Privacy Enforcement: Ensuring encryption, data minimization, privacy principles across large network
• API Security: APIs for data flows increase potential entry points - API security crucial

Organizational Challenges:

• Participants have different levels of cyber maturity
• Solution: Standardized protocols and baseline security standards
• Enforced through red teaming, threat modeling, vulnerability assessments

Future Threats - Quantum Computing:

• Building Post-Quantum Cryptography (PQC) models
• Starting with digital signatures, moving to encryption
• Aiming to be ready by 2028 or 2030
• Current challenges: latency and performance in existing HSMs
• US has announced dates of 2030 and 2035 for PQC migration

6. Complexity Management at UIDAI

• Trust as key pillar: Architecture structured with no linkages
• Enrollment and authentication are separate business verticals
• Data collection follows privacy principle of data minimization (only 7 attributes)
• Biometric never leaves UIDAI premises - on-prem data centers
• Data sharing only with consent
• Partner zone model prevents DDoS scenarios
• Three-level audit system for Aadhaar User Agencies
• Service suspensions for non-compliance

7. Compliance and Regulations

• Healthcare: Global manufacturers already compliant with HIPAA, GDPR
• FDA approval required for equipment
• India: CDSCO (under Ministry of Health) has similar rules to FDA
• DPDPA (Digital Personal Data Protection Act) coming - PHI already considered critical data
• Healthcare ecosystem needs revamp for hospitals

8. User Awareness and Shared Responsibility

Key Insights:

• Systems must be user-friendly (example: UPI required no formal training)
• Citizen awareness is equally important - users responsible for securing environment
• Users must be educated about abuse scenarios (e.g., dangers of sharing OTPs)
• Developers/governance must build user-friendly systems
• Security complexity is developer’s responsibility, but users must be aware

9. Final Thoughts from Panelists

What securing citizen-scale systems means:

• Amit Pal Singh: “Growth” - designing digital infrastructure with trust and access in every click for every citizen
• Chaitanya K K: “Trust and accessibility” - securing citizen-scale systems is about earning trust at population scale, not just blocking threats. Building digital infrastructure people rely on for daily needs (payments, health services, identity services)
• Sandeep Khanna: “Guide and enable to protect” - trust is the pillar. Security by design and privacy by design are fundamental. Accountability and ownership in securing the stack. Building trust at population scale.

Core Takeaway: Securing citizen-scale systems goes beyond technology - it’s fundamentally about earning trust at a population scale. This requires:

• Security by design and privacy by design from day one
• Resilience by default
• Shared responsibility model
• User-friendly systems with citizen awareness
• Accountability and ownership
• Building for operational continuity under threat, not just compliance

Important Concepts:

• DPI (Digital Public Infrastructure): Building blocks of India Stack (identity layer, financial system, paperless layer, DigiLocker, consent layer)
• Shared Responsibility Model: Both manufacturer and environment (hospital/network) responsible for security
• Post-Quantum Cryptography (PQC): Preparing for quantum computing threats by 2028-2030
• Security by Design: Security built into architecture from beginning, not bolted on later
• Privacy by Design: Privacy principles inherent in architecture from start
• Resilience by Default: Systems designed to operate in denied and degraded conditions

Actionable Takeaways:

1. Build systems with security and privacy by design from day one - cannot bolt on later
2. Adopt resilience by default - assume systems will face threats and disruptions
3. Implement shared responsibility models - both vendors and end users have responsibilities
4. Ensure user-friendly systems while educating users about security awareness
5. Establish baseline security standards for all participants in federated networks
6. Start preparing for Post-Quantum Cryptography now - begin with digital signatures
7. Balance agility and innovation with security, governance, and compliance
8. Build trust at population scale - this is the core of securing citizen-scale systems
9. Implement three-level audit systems and enforce compliance strictly
10. Focus on operational continuity under threat, not just compliance