Reining in the AI butterfly 🦋 | India's Aadhaar Data Breaches again
CyberInsights #117 - US Government releases an Executive Order for managing AI || 815 million PII records of India residents allegedly up for sale
It’s probably the biggest news in AI regulation
And it’s a hotchpotch of random AI thoughts strung together.
Do you remember yourself as a child trying to catch a butterfly? (Not you, Gen Z people; the ones before that.) Just as you sneak up behind a butterfly 🦋, stretch your hand quietly and are about to grip the wings of the butterfly between your thumb and index finger, it flies away. Not very far, mind you. It moves to the next plant. You sneak up behind the next plant and again it flies — just out of your reach.
That’s the story of AI regulation & AI. Regulations try to play catch up, but AI has moved to the next plant — just out of reach. To understand what I am talking about, you have to read the executive order released by the US government today. [LINK]
Here is a mind map that explains what the executive order covers:
It covers the areas of:
AI safety and security
Protecting Privacy while using AI
Ensuring Equity and Civil Rights
Consumer, Patient and Student Protection (?!!?!)
Supporting workers (well?)
Promoting innovation and competition
The US government has tried to cover all known risks of AI by providing guidelines, which will eventually become regulations. They should also ensure that all these areas work together cohesively.
Take Action:
If you are in the business of AI, then you should keep an eye on future developments. Each area is a vast topic and will soon have specific guidance around it.
NIST has, in January, released the AI RMF (Risk Management Framework). It gives the infosec professional a good direction on managing AI risks. I had written about it here. Read the document for a better understanding of how to manage AI risks.
Indian Citizens’ database ‘Aadhaar’ breached exposing 815 million records
Again.
I wrote about it in June 2022:
Aadhaar in Hindi means ‘support’ and is the equivalent of the US social security number (SSN). Its use, in theory, is optional. To avail any government service in India, however, you have to use your Aadhaar number. This database not only contains personally identifiable information of the residents of India, it is also linked to the tax information of said individual.
There have been concerns about the security and privacy of this database time and again. The government of India has steadfastly maintained that the database is secure.
Today, again there is an alleged breach of the database. Security research company Resecurity has published a detailed post about the breach. [LINK]
Resecurity says “The leak of PII data containing Aadhaar (and other details) of Indian citizens on the Dark Web creates significant risk of digital identity theft. Threat actors leverage stolen identity information to commit online-banking theft, tax refund frauds, and other cyber-enabled financial crimes. Resecurity observed a spike in incidents involving Aadhaar IDs and their leakage on underground cybercriminal forums by threat actors looking to harm Indian nationals and residents.”
Take Action:
If you are a resident of India and have an Aadhaar number, then keep an eye out for more communication about any breaches. Do the following to protect your digital identity:
Lock your biometrics on the UIDAI website
Use only e-Aadhaar (a masked version of Aadhaar with a virtual ID) for sharing with others
If you are a cyber insurer providing personal / retail cyber insurance, then your risk levels for identity theft claims might have changed. Check how you do the math.