eNIC in Sri Lanka: Evolution, Revolution, and a looming Breach?

On Wednesday, May 13, Issuing a statement via The Presidential Office Media communique, Sri Lanka’s technocratic President Gotabaya Rajapaksa instructed officials to start work on a digital database of citizens. This database will have their bio-data and will link all activities connected to a person including income tax and voting.

“Individual bio-data could be viewed physically as well as through the internet…The new identity card which contains the most accurate data comprises information required by departments and agencies governed under different laws…It includes information that has to be furnished not only for obtaining passports and driving licenses but also for purposes of pension, Samurdhi allowance, income tax and casting vote…President instructed the officials to take measures to issue the new identity card to every citizen as soon as possible.”

“..The new identity card will be prepared by a committee of experts under the direction of Information and Communication Technology Agency (ICTA) and the supervision of a Presidential Task Force..”

Incidentally, the original idea for a Digital NIC in Sri Lanka was proposed back when President Rajapaksa was Defense secretary, therefore drawing more emphasis by the president to expedite the project. Insiders and policymakers were of the view that the current COVID-19 pandemic and deficiencies identified due to a lack of Digital ID were seen as a catalyst for this policy direction.  

A Background to the Smart-NIC (eNIC)  

Sri Lanka to its credit has foundational and functional identity systems that are well-developed and robust, Ownership of the National Identity Card (NIC) throughout the population is high, (reported at 95% for men and 90% for women – GSMA Digital Identity country report) with only small pockets of Sri Lankan society less likely to own a NIC. The NIC avails many identity-linked services that are accessible to the population thus seen as crucial to transact with public sector entities.   

The Births and Deaths Registration Act of 1954 is the basis of Sri Lanka’s civil registration system. To register a birth, an application form is obtained from the Registrar of Births and submitted to the Divisional Secretariat in the area where the child is born. Birth registration forms require details specifically from the mother and father, and a valid parental identity document — commonly a NIC; a driving license; or a passport — is required. Births are expected to be registered within 42 days, but late fees do not apply until after three months. In 2009, the birth registration process was decentralized. The Digitization of the birth register also began in 2017. The birth registration and certification process are largely consistent throughout the country.

Sri Lanka is in the process of digitizing both functional and foundational identity registries. For example, there have been recent reforms in the digitization of patient records (PHN) linked to the national identity, and microchipped drivers’ licenses can now provide details on the holder’s ability to operate certain vehicles. These initiatives follow a desire to digitize the national identity database. 

The Electronic National Identity Card (eNIC) has been in development for several years. But it wasn’t until the 27^th Oct. 2017 that the Department for the Registrations of Persons (DRP) rolled out eNICs. These eNICs featured a machine-readable barcode and stored biometric data. Subsequent insight into the progress of the eNIC project is limited.

However there were reports that the initial groundwork was laid for a wider roll-out, yet implemented at a sluggish pace. The preparations include delivering information material to Divisional Secretariats running capacity-building programmes on data and biometric capturing, and undertaking a pilot program to trial new data capturing practices. 

So far, the issuance of the eNICs has been limited to those obtaining their NIC for the first time, or those who are renewing their NICs. Notably, legislation surrounding the roll-out of the eNIC suggests that NICs will soon be issued at a younger age (15 years rather than 16), and that family data will also be collected during registration. 

The NIC is required to obtain all forms of functional identity in Sri Lanka, except for a Patient Health Number (PHN). Beyond healthcare, the NIC is usually used as a breeder document — a type of document used to obtain other, often functional, identity documents, including passport, and Driving licenses. (see Figure 1)   

It appears that under fresh directives by President Rajapaksa the government is working to integrate NIC into other forms of functional identity, creating much needed interoperability between different identity registers. For example, passports and driving licenses can be used to validate identity because they contain an individual’s NIC number, a functionality that is currently done as a manual system.   

Who is missing at the table? Cybersecurity on GovTech 

A centralized database linked to an eNIC would lead to a transformative change in how Sri Lankans deal with its public sector. One that’s been far too long marred by allegations of inefficiency and Luddites that argue technology will lead to job losses. I have been a key supporter of technocracy in government and continue to support key Digital Transformations in public sectors. However, far too long we have looked at Digital Transformation without due attention being given to a critical cog. One that ensures a system’s robustness and that is its cybersecurity and health of public sector systems against data breaches and cyber-attacks.

As one can imagine, definitive global data on public sector and government data breaches are hard to come by. Not all territories are covered by laws such as the EU’s General Data Protection Regulation (GDPR), which mandates a breach disclosure clause. Also, governments consider data breaches and cyber-attacks as an integral part of their national security thus covered under classified labels in some cases.  

Here’s a list of some of the latest and most serious government data breaches for 2019/2020:

• Government of Quebec, Canada (February 2020) – The government of Quebec admitted to a data breach potentially impacting around 360,000 teachers employed in the Canadian province.

• Generate, New Zealand (February 2020) – Generate, a savings scheme provider with links to the New Zealand government, reported a security incident impacting around 26,000 citizens.

• Jailcore, US (January 2020) – Researchers discovered that Jailcore, a provider of prison services in the US, was leaking data related to 20,000 prison inmates.

• Aurora Water, US (December 2019) – Customers of this Colorado water supplier were the latest victims of a series of attacks on the Click2Gov municipality payment software.

• Government of Brazil (October 2019) – Details relating to as many as 92 million Brazilian citizens were reported to be on sale on the dark web.

• Sberbank, Russia (October 2019) – Russian police opened a case against an unnamed former employee of the state-owned Sberbank who allegedly confessed to selling the credit card details of 5,000 customers on the dark web.

• Suprema, UK (August 2019) – Private biometric company Suprema, which supplies organizations including London’s Metropolitan Police, exposed a database that included more than one million fingerprints, user names, passwords, and facial recognition data.

• NRA, Bulgaria (July 2019) – Bulgaria’s tax authority was hacked in 2019, with the incident affecting more than five million people. The country’s finance minister admitted that 3% of the agency’s database had been accessed.

• City Power, South Africa (February 2019) – Ransomware hit Johannesburg’s electricity supply, with the state-owned City Power losing access to its customer-facing systems. The incident affected more than 250,000 people.

Furthermore, two of the most infamous Public Sector breaches would be The Aadhaar Database Hack in 2018 where the biometrics and personal information of over 1 billion Indians were compromised and The SingHealth Hack; which suffered a massive data breach affecting a huge portion of the Singapore’s population, including its Prime Minister Lee Hsien Loong. Both instances found fundamental cybersecurity requirements were overlooked to compensate on functionality and efficiency.   

Finally, eNIC in its fully integrated form is welcome, and I firmly believe the President has the foresight and the resolve to implement this fully-fledged system. My apprehension is that the security of such a system will take the back burner over implementation, recently on social media a prominent technology entrepreneur called cybersecurity worries “Fear Mongering.” 

Unfortunately, this is the view taken by most senior officials. When discussions are made, I see a visible silence on security measures for these types systems, already some old tender documentation of eNIC has been leaked by Wikileaks. We are yet to see draft legislation on cybersecurity passed, in short Cybersecurity is not at the table. Meanwhile, cybercriminals are watching and waiting. I hope we are ready.