Noman Mosharef :
The National Identity Card (NID) database faces technical risks. Five ‘open-source databases’ are being used as main database having no enterprise support. The operating system being used in database and application servers are old and expired. As a result, no enterprise support would be available in a ‘critical situation’.
A colossal database which has been established gradually over last 18 years is facing risk due to installing an alternative ‘Disaster Recovery System (DRS)’ by previous commissions. If any untoward incident occurs at NID database, it will hamper NID service, making impossible the printing the print voter list and more significantly losing the information of citizens.
Not only that, more shocking information is that there are no international standard tools to backup ‘open-source database’. Even though, there is no ‘dashboard’ to monitor whether the backup is working properly or not.
There are no visible monitoring tools to see how much resources the applications or databases are using. The Election Commission’s (EC) own officials do not have control over the technical administration of the National Identity Card System (Voter Database, Core Network, Server and BVRS Software).
That control is in the hands of contracting companies and temporary project officials. The report of the EC’s ‘Internal Cyber Audit Committee’ has highlighted various aspects of the technical risks, errors and weaknesses of the database.
The committee has already submitted a report to the EC. Various source from EC has informed over these issues.
When asked NID Director General (DG) ASM Humayun Kabir told The New Nation, “Some recommendations have been made in the Cyber Audit Committee report. We have taken them as a challenge.
No information of citizens has been leaked from our database yet”.
The database is still safe. We are constantly trying to keep it safe in the coming days as well, he added.”
In response to a question, he said, “Gradually, the complete control of the database is being taken under the supervision of EC officials.
For this, the capacity of our own manpower is being increased. In addition, we have formed a committee with experts from BUET to understand everything from the contracting organization, including all kinds of credentials and source codes.”
It is known that the database contains 46 types of personal information and biometric fingerprints of about 125 million citizens of the country. This database has been developed with the information collected during voting.
From here, various types of services are provided, including new voter registration, correction of national identity card information, verification of the person concerned using the national identity card number. In addition, the EC has agreements with 187 government and private organizations.
Those organizations verify the information of citizens using the NID number. Voter lists are printed from this database in the national parliament and local government elections. National identity card services are sometimes closed due to technical weaknesses in the data center. NID services were also closed for 5 hours on Saturday.
This database is under tight security at the Election Building in Agargaon in the capital. According to the rules, a DRS has to be established at a remote location to protect information. If the main database is attacked or damaged for some reason, information is recovered and used through DRS as an alternative. But the previous election commissions did not establish an active DRS.
However, Bangladesh Computer Council and Kaliakoir Hi-Tech Park in Gazipur have kept mirror copies of the database.
If the database is attacked, recovering information from those mirror copies is time-consuming and risky. In short, recovery may or may not be possible. The Cyber Audit Committee report has recommended the establishment of DRS quickly. Recently, EC officials visited potential locations in Cumilla and Jessore.
When asked, EC Senior Secretary Akhtar Ahmed told the New Nation, “We are very serious about conducting DRS. The feasibility is being examined in several areas including Jessore, Kushtia, and Barishal.
The location will be determined by considering the power supply system and whether it is earthquake-prone or not.” He said, the NID database is being maintained. The officials and employees are working tirelessly so that people can easily get services from here.
It is also known that the process by which 187 government and private organizations are verifying the information in the NID of citizens from the EC database is not completely secure. Taking advantage of the verification of NID information, the Directorate General of Health Services, UCB Bank’s U-Pay, Chittagong Port Authority, Department of Women Affairs and the Ministry of Finance leaked citizens’ information to third parties through IBAS.
The EC said that earlier too, there had been incidents of citizens’ information being leaked from the Ministry of Land and the Birth and Death Registration website. However, the Ministry of Land denied it. At that time, the Information Technology Department recommended a cyber audit of the EC database.
Although the EC has not yet conducted that audit. However, the situation was reviewed through an ‘Internal Cyber Audit Committee’ led by Md. Rafiqul Haque, System Manager of the EC’s ICT Division. Thirteen EC officials were co-opted into the four-member committee.
The committee made recommendations on the current status of the database, challenges and things to do.
Changes are being made in the process of providing information to 187 institutions. In this context, National Identity Registration Division Director General ASM Humayun Kabir said that information will no longer be provided to institutions that are taking citizen information verification services.
The process is only being done to inform them of the accuracy of the information by indicating ‘yes’ or ‘no’ according to their needs. For this, changes are being made to the existing system.
