NEWDELHI: Just 10 days are left for the nationwide roll out of the Goods and Services Tax (GST) , but there are still question marks about the GST Network (GSTN) -the IT backbone of India’s most ambitious indirect tax regime.
GSTN chairman Navin Kumar is terse in his response. “Anyone who raises these issues, doesn’t understand the IT ecosystem in India. Take any government project: Who is handling their data centre and operations? It is either Tata Consultancy Services (TCS), Wipro, Infosys or other private companies. All the income tax data is either with Infosys or TCS. I never heard any concerns raised about that.”
Private companies handle the data centres for various government websites, including income tax and Permanent Account Number (PAN).
GSTN was incorporated in 2013. The government has 49% equity stake, while private firms, including ICICI Bank and HDFC, hold the remaining.
With 80 lakh indirect tax payers, GSTN is expected to see around 3.2-billion invoices being raised every month. But is the Network secure enough to handle the huge data?
Kumar thinks so. “At our end, we have taken all the necessary steps. Multi-layered security protocols have been put in place to secure the central database.”
Critics, though, differ, especially since selected private firms, called GST Suvidha Providers (GSPs), will be involved in GSTN. GSPs are companies chosen by GSTN to develop userfriendly software based on the government provided tech interface or APIs for GST payment, documentation and compliance. There are 34 GSPs across India.
“GSTN’s work is of strategic importance to the country and the firm would be a repository of a lot of sensitive data on business entities,” a parliamentary committee on GST, headed by BJP Rajya Sabha member Bhupendra Yadav, had said.
The GSTN platform will be a priority target for hacking groups across the world when it goes live, said Saket Modi, CEO of Lucideus Tech, an online cyber security company. “We are talking about humongous amount of data, which can provide insights into how the country operates.”
GSPs connect with GSTN using APIs or application interfaces. Modi, whose company has conducted security assessment for multiple government projects, including the BHIM Application based on Aadhaar pay, said: “We have been conducting security tests for APIs on other platforms, and our experience tells us that they are vulnerable to multiple security issues.”
According to Kumar, the solution to this lies in the security operations centres (SOCs), which will run 24X7 to monitor the traffic. “If anything is found suspicious, SOC will raise an alarm.”
Besides, to ensure that the Network is insulated against any malware attack, there will also be security monitoring and analysis centres to keep an eye on the movement of data.
Standardisation Testing and Quality Certification (STQC), an agency to test systems against security threats, which functions under the aegis of Ministry of Electronics and Information Technology, is auditing GSTN.
Kumar assured there will be regular security audits of GSPs. But the audit process is yet to be completed, and there’s little time left for GST’s roll out.