Security-by-design lessons from India's digital public infrastructure journey

When building digital public infrastructure, governments, companies and citizens must address critical security and privacy challenges. Image: Getty Images/xavierarnau

Sameer Suryakant Patil
Director, Centre for Security, Strategy and Technology, Observer Research Foundation (ORF)
Anna Maria Collard
Senior Vice-President, Content Strategy, KnowBe4
Balasubramanian Kalyan Kumar
Chief Product Officer, HCLSoftware, HCLTech
Achyut Chandra
GovTech and Open Innovation Lead, HCLSoftware, HCLTech
  • India's digital public infrastructure (DPI) serves over 1.3 billion citizens and processes more than 10 billion monthly transactions.
  • It enables direct access to services for millions of people and creates significant savings for the government.
  • India’s DPI journey involved addressing critical security and privacy challenges, providing essential lessons for other countries.

Digital public infrastructure (DPI) is the digital equivalent of highways, railways and utility grids. These shared national assets enable economic and social activity at scale. The building blocks of DPI – digital identity, payments and data exchange – are like pipes and power lines that carry trust instead of water or electricity.

And just as national railways and power grids require long-term capital allocation, DPI requires patient investment to create secure, resilient “digital superhighways”.

India's DPI demonstrates this at scale. It treats digital identity, payments and data exchange as secure foundational infrastructure rather than a profit centre. This has yielded extraordinary societal and economic returns and creates a blueprint for other countries developing their own DPI.

A security-by-design foundation

DPI can rapidly transform how societies deliver services, empower citizens and drive innovation. These public digital platforms enable the delivery of services across healthcare, education and finance.

Since its launch, India’s digital identity system, Aadhaar, has enrolled over 1.3 billion residents, while UPI (its payments facility) processes over 10 billion transactions monthly, making India a global leader in digital payments adoption. Aadhaar transformed India's economy by dramatically reducing identity verification costs from $10-20 to just $0.27 per transaction. This has enabled millions to access government benefits and banking services directly, while creating significant savings for the government.

When a system serves 1.3 billion people and processes billions of transactions every month, the security stakes couldn't be higher. The more these systems scale and become even more critical national assets, the more vulnerable they become to cyberattack.

In India, for example, the public exposure of officials' personal information led to a comprehensive data leak that affected more than 20 million citizens. The system has also faced tampering through fabricated biometric materials, while dangerous linkage attacks saw Aadhaar's integration across multiple government services create cascading privacy risks.

As governments worldwide, but particularly in the Global South, race to replicate similar architectures, the question is not just how to build DPI, but how to build it securely.

Cybersecurity risks

Given the expanding cyberthreat landscape targeting critical infrastructure, securing DPI is essential. Even a potential cyberattack can threaten DPI integrity and availability, while also diminishing citizens’ confidence in digital systems.

DPI faces unique challenges beyond conventional IT security. Technical risks include data breaches, system failures and supply chain vulnerabilities. But three emerging threats require particular attention from governments building DPI:

  • Synthetic identity fraud combines real and fabricated information to bypass traditional verification systems. With digital identities serving as the backbone for government services, banking and telecommunications, such threats could have cascading consequences.
  • Algorithmic bias presents significant challenges as DPI systems increasingly rely on artificial intelligence (AI) for fraud detection and service delivery. Ensuring AI algorithms don't perpetuate inequalities is crucial given India's diverse population with multiple languages, economic strata and digital literacy levels.
  • AI-powered cyber threats also evolve faster than traditional defences. State-sponsored actors and criminal organizations can leverage AI for targeted, adaptive attacks on critical infrastructure. For systems serving over a billion users, cascading failure potential requires new cybersecurity approaches.

Data sovereignty challenges only add to these risks. Nations could fall into a “data trap” if critical national data is controlled abroad, eroding sovereignty and the long-term trust of citizens. Local hosting does not always mean control, however, because extraterritorial laws can lead to “sovereignty washing” where services appear national but are governed from elsewhere. This raises the risk of nations becoming digital colonies.

India’s security-by-design lessons

India's approach to DPI security offers several lessons for other nations.

First, security cannot be an afterthought; it must be built into the DNA of DPI systems from conception. Security-by-design principles were embedded into Aadhaar's biometric protocols, UPI's transaction frameworks and the data sharing architectures before a single user was onboarded to India's DPI. This foundational approach allowed for widespread smartphone adoption through secure government initiatives, using biometric authentication and AI to enhance both security and user experience.

India's model also involves government-owned infrastructure operating alongside private sector innovation. This hybrid approach enables rapid innovation by private players, while maintaining government oversight of critical infrastructure. This ensures resilience is treated as a public good rather than allowing DPI to be purely commercial.

Finally, the government’s Digital India campaign emphasizes cyber hygiene and digital literacy for all. It recognizes that secure systems remain vulnerable without user understanding of basic security practices.

Building global capacity

Many developing nations lack technical expertise and financial resources for secure DPI implementation. It requires sustained investment and international cooperation.

Bilateral gov-tech corridors, such as the UK-India Technology Security Initiative, and specialized Government Technology Centers of Excellence can help to build cybersecurity capabilities through knowledge transfer and skills development.

This must also extend into skills pipelines, from boosting citizens’ digital literacy to advancing cybersecurity expertise in government. Without this human layer, even strong architectures remain fragile.

New frameworks for measuring DPI security maturity also need to be developed. Traditional cybersecurity metrics are insufficient for population-scale systems. DPI metrics must account for societal impact, user trust and systemic risk.

Towards digital trust and resilience

India's DPI journey demonstrates that careful attention to security-by-design principles, privacy and governance can help to build digital systems that are both innovative and trustworthy.

This requires ongoing, coordinated stakeholder action, however. Governments must conduct cybersecurity readiness assessments and invest in digital literacy. The private sector should develop security-first integration standards, while international organizations need to establish comprehensive capacity building with standardized security frameworks. And civil society must advocate for algorithmic transparency while building citizen security awareness.

This kind of multi-stakeholder approach with security-by-design as the foundation can help many more nations to achieve DPI's full potential for innovation, inclusion and economic growth. India's experience proves that patient capital invested in secure digital infrastructure – where security is embedded from conception, rather than retrofitted – can generate extraordinary returns that extend far beyond financial metrics to transform entire societies.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

© 2025 World Economic Forum