On Monday, this newspaper reported that the website run by the government to help taxpayers file returns had been crippled. Accessing the website using some Web browsers threw up a warning message. One such browser alert is worded thus: “You have asked Firefox to connect securely to incometaxindiaefiling.gov.in, but we can’t confirm that your connection is secure.”
Users can click through to the site. But only after allowing their browser to accept an expired server security certificate. The certificate expired on 8 May. This means transactions on the site could be risky.
Illustration: Shyamal Banerjee/Mint
Ostensibly, there is no reason to panic. The deadline for filing income-tax returns is still months away. And renewing a server security certificate should not take more than a week or so. Meanwhile, it is unlikely that there are taxpayers so eager to file their returns that they would contend with such an ominous warning and do so anyway.
Viewed from a larger perspective, however, this lapse on the part of the government institutions concerned is alarming.
Digital security, or lack thereof, is beginning to grow into a many-headed hydra of vulnerability for the government.
In April, a Canadian research team revealed that Chinese computer hackers had attacked several critical Indian institutions, including embassies.
Subsequently, the government banned import of Chinese telecom equipment citing espionage fears. Diplomatic wrangling is now under way to find a solution agreeable to both parties.
Doubts have also been raised about the security involved in projects such as the Unique Identity where vast amounts of personal data, including biometrics, will be stored on government-managed servers.
A recent report on Internet threats ranked India fifth in terms of origin of online attacks.
It is this ubiquity of digital information that is posing a growing challenge. A server security certificate might seem a negligible vulnerability compared with transnational hacking. But it also shows a lack of seriousness. Perhaps a private vendor who designed the site activated the certificate and forgot to mention renewals. Or perhaps the requisition for certificate renewal is pending approval on a desk somewhere.
Digital threats and security need not only a 21st-century mentality but also a 21st-century talent pool. The government has to invest in infrastructure and people that manage security proactively rather than reactively. And can, if required, both defend and attack.
Otherwise, when your only tool is medieval bureaucracy, every threat is going to look like an import licence application.
How serious are government institutions about digital security? Tell us at firstname.lastname@example.org