Resilient, secure and trusted: The next frontier for Digital Public Infrastructure

Digital Public Infrastructure (DPI)* is no longer a distant vision: it’s already shaping how billions live and interact every day. A few weeks ago, the Global DPI Summit in Cape Town highlighted a quiet revolution: when people can prove who they are, pay securely, and access services from a phone, everything moves faster—from paying utilities to accessing healthcare services and social benefits.

The rising cost of insecurity 

As countries connect more services and people, the “attack surface” is growing—there are simply more doors and windows for cybercriminals to sneak in. That matters most in developing countries, where cybersecurity capacity is still catching up. According to the Global Anti-Scam Alliance, consumers worldwide lost more than $1 trillion to scams in 2024. 

Beyond scams and phishing, ransomware has become a major cybersecurity threat for DPI. It doesn’t just lock up computers—it stalls hospitals, tax systems and social protection programs. In Costa Rica, the 2022 ransomware crisis forced the government to declare a national state of emergency and resulted in losses up to 2.4% of GDP—a reminder that digital shocks can translate into macroeconomic pain. In parallel, artificial intelligence (AI) is raising the stakes for security. Criminals leverage generative AI models to churn out look-alike government websites at scale, luring more citizens into handing over sensitive data and credentials. 

But beyond these direct costs, the biggest loss is trust. When people doubt that digital IDs or payment systems are safe, they delay sign-up, avoid sensitive transactions, or revert to cash and paper. Adoption slows, inclusion gains stall, and the return on digital investments shrinks. 

Four priorities for achieving digital resilience

In this rapidly evolving context, how can developing countries maximize the benefits of DPI while minimizing the risks? In our recently published paper, we argue that the path towards digital resilience can start small, by mainstreaming basic cyber hygiene and investing in “security-by-design”. But to truly achieve digital resilience for DPI, we need to scale up public-private partnerships and innovative practices such as government application badging and bug bounty programs.

Mainstreaming basic cyber hygiene

Most incidents affecting DPI do not require sophisticated hacking—they exploit well-known, common vulnerabilities. That’s why simple security measures can make a big difference. For operators, it means keeping an up-to-date inventory of digital assets and applying regular security updates. For people, it includes activating multi-factor authentication and using official government applications—which can be promoted through awareness-raising campaigns and targeted digital literacy trainings. 

At the national level, countries must invest in basic cybersecurity infrastructure, such as Computer Security Incident Response Teams (CSIRTs), the digital equivalent of firefighters. They provide a lifeline when trouble hits, yet in 2025, only 20% of low-income countries have a fully functional CSIRT.

Investing in “security-by-design” 

“Security by design” means embedding cybersecurity requirements across the entire DPI lifecycle, starting at the design and procurement phase—instead of considering cybersecurity as an afterthought. When procuring a digital wallet or biometric sensors, governments should integrate cybersecurity as a core requirement. In practice, governments can leverage international standards (e.g., ISO/IEC 27001) as a pre-requisite for vendor qualification in their requests for proposals. They can also embed cybersecurity clauses in service level agreements, such as requiring minimum support periods for security updates and clear incident-reporting timelines. 

Partnering with the private sector

Many of the devices and applications that power DPI are developed or run by private companies, making public-private cooperation essential. In 2024, the government of Viet Nam partnered with Google to launch a badge for official government apps, empowering citizens to easily identify legitimate apps in Google Play. It’s a small design change with a big safety impact: when users know what’s official, they’re less likely to download scams and look-alikes. 

Scaling up innovative practices 

Once the foundations are in place, governments can adopt more advanced practices to achieve sustainable digital resilience. While bug bounty programs are common in the OECD, they are still rare in developing countries. Think of it as a platform for crowd-sourcing talent to harden digital infrastructure, where vetted cybersecurity researchers (or “ethical hackers”) can responsibly report vulnerabilities—before malicious actors find them. Unlike one-off audits, these programs can run year-round and leverage a global talent pool—a major benefit for small countries where cybersecurity talent is rare. 

In 2022, the Indian government launched a bug bounty for its national digital identification platform, Aadhaar—an important “proof-of-concept” for ID ecosystems. France soon followed suit with a program co-designed with YesWeHack for its own digital ID ecosystem. And in July 2025, M-Pesa—a major mobile money transfer service active across multiple African markets—launched its own program, in cooperation with HackerOne. 

Together, these examples of early adoption have demonstrated the value of bug bounty programs, uncovering hundreds of critical vulnerabilities across DPI platforms and enabling swift mitigation before they were even exploited. The next challenge is to scale up these innovations across borders, including in Africa.

From principles to implementation

In Cape Town, the conclusion from conversations with governments and development partners was clear: bold DPI rollouts must be paired with equally ambitious investments in digital resilience. When safety and security are prioritized, trust follows, and adoption scales—turning early pilots into daily practice.

Read more: Enhancing the Cyber Resilience of Identification (ID) Ecosystems : Key Risks and Good-Practice Mitigations

* DPI is an approach to digitalization focused on creating foundational building blocks designed for the public benefit, including digital IDs, payments and data sharing.