CBSE OSM Portal Controversy: IIT Audit Reveals Security Gaps and Accountability Issues

The controversy surrounding the Central Board of Secondary Education's On-Screen Marking portal has evolved beyond a mere software glitch. It has ignited a broader debate on accountability, digital governance, and the risks of deploying inadequately tested technology in systems affecting millions of students.

Audited Yet Vulnerable

As an IIT-led audit panel prepares to submit its report to the Ministry of Education, emerging findings raise serious concerns. According to a panel member speaking anonymously to ANI, the portal was audited, but the checks were insufficient to detect several vulnerabilities that later surfaced. This distinction is crucial: it was not a lack of security testing, but potentially inadequate testing procedures for a portal managing sensitive exam results. Cybersecurity experts note a significant difference between compliance testing and thorough security tests simulating realistic cyberattack scenarios. In this case, even if an audit was performed, the portal did not undergo rigorous testing.

Ethical Hacker's Role

The controversy gained traction due to 19-year-old ethical hacker Nisarga Adhikary from West Bengal. The vulnerabilities he reportedly identified, including OTP bypass methods, examiner account access via a hardcoded master password, and potential access to answer-sheet data, were later found to align with issues observed during the IIT panel's assessment. The concern is not that a young hacker discovered these weaknesses, but that they were not flagged during earlier audits, raising questions about the robustness of existing security review mechanisms.

Digitalisation Challenges

India's education system has rapidly digitized over the past decade, moving processes like examinations, admissions, and evaluations online. While technology has streamlined these processes, the OSM case highlights the dangers of safeguards that fail to keep pace with digital expansion. Unlike commercial platforms where failures cause inconvenience, security lapses in examination systems undermine fairness, credibility, and public trust. For students, parents, and educators, confidence in the examination process is paramount.

Accountability Cannot Be Outsourced

The OSM portal was developed and managed by Coempt Eduteck, a private technology company now under scrutiny. However, the IIT panel member emphasized that this is not just a vendor-specific issue. Government agencies often rely on private companies for technological needs due to the complexity of building and maintaining such systems. Yet, experts argue that even when services are outsourced, accountability for proper functioning cannot be outsourced.

Temporary Fix

After vulnerabilities were highlighted, representatives from IIT Madras, IIT Kanpur, CBSE, and Digital India Corporation collaborated to develop a new platform for examiners. Currently used for verification and reevaluation, this platform is described by the IIT representative as "kind of patchwork," implying a temporary solution. This raises an important question: should critical examination infrastructure be upgraded only after problems emerge, or is a more strategic, future-ready approach needed?

Security by Design

A key recommendation from the IIT panel is the adoption of stronger cybersecurity practices before platform deployment. The panel member noted that systems of this scale should undergo vulnerability assessments, penetration testing, and Red Team-Blue Team exercises simulating real cyberattacks. These standard practices in mature cybersecurity environments aim to identify weaknesses before malicious actors exploit them. The emphasis suggests that cybersecurity may not yet be fully embedded into the design process of some public digital platforms, often receiving attention only after concerns arise.

No Evidence of Misuse

The IIT panel member told ANI that investigators found no evidence of student records being leaked or misused. The ethical hacker accessed and downloaded certain data but later deleted it, with no indication of distribution or exploitation. While reassuring, experts caution that the absence of actual damage does not eliminate concern. The larger issue is that vulnerabilities existed in a system handling highly sensitive academic information.

A Wake-Up Call

The OSM controversy extends beyond one portal or security audit. It highlights challenges public institutions face as governance increasingly relies on digital infrastructure. As CBSE awaits the IIT panel's final report, one message is clear: institutions must maintain stronger control over sensitive data and ensure critical platforms undergo exhaustive security testing before rollout. This lesson applies beyond education; as more public services move online, trust in institutions will depend on the strength and reliability of supporting technology. The OSM episode serves as a reminder that security is not just a technical requirement but essential to maintaining public confidence.