CERT-In taking 'no chance' from Heartbleed Bug

A cyber security mission led by Indian Computer Emergency Response Team (CERT-In) is underway to safeguard vital IT infrastructure of the public sector from the Heartbleed bug.

After publishing an advisory on its website about the solution to the Heartbleed bug, CERT-In, the national nodal agency for cyber security, is taking no chances.

In the last decade, India has implemented US$10bn worth of vital IT projects, including National e-Governance Plan (NeGP). All are aimed at strengthening governance and service delivery in the government of India and state governments. So what are the challenges in dealing with the Heartbleed bug?

Dr Anil Sagar, director of operations at CERT-In at the Ministry of Information Technology and Communications, said: "Whenever CERT-In observes a cyber threat due to a technical vulnerability or virus, immediately an advisory is issued and published on the CERT-In website. Points of contact at key organisations in the government and public sector will also be informed."

CERT-In, headed by director-general Dr Gulshan Rai, has been in operation since January 2004. In the IT Amendment Act 2008, CERT-In was designated to serve as the national agency to perform key functions in the area of security. They include collection, analysis and dissemination of information on cyber incidents and emergency measures for handling cyber security incidents.

Recently a vulnerability in the implementation of the heartbeat extension in OpenSSL, known as Heartbleed, was discovered, which is being exploited by hackers to retrieve sensitive data and user credentials.

On the Heartbleed bug, Dr Gulshan Rai said: "There is no threat to the best of our knowledge. In fact, it is a vulnerability in heartbeat extension in the OpenSSL cryptographic library, which is a software component used in the implementation of Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols."

CERT-In has observed there are few vulnerable OpenSSL servers in India affected by this vulnerability as people are also using proprietary SSL implementations.

IT awareness levels among government institutions and private enterprises are high and competent to handle cyber threats.

Understanding the importance of the Heartbleed bug, D Divya, Project Director, e-Governance, department of information technology and communications, government of Andhra Pradesh, said: "The Department and its team is prepared to handle the bug, if found."

Priyadarsan Roy, CEO of Netzary Infodynamics INC – which handles IT infrastructure of government organisations – said most of his company's clients in Karnataka State had already taken the necessary steps of first auditing the servers that might be vulnerable.

At present, the biggest challenge for the government of India, and Indian state governments where important Mission Mode Projects of NeGP and other IT projects have been implemented, is to first identify the projects where SSL/TLS encryption is deployed. 

Many of these projects implemented through private public partnerships are run and managed by a consortium of IT companies headed by principal bidders or project partners.

Another challenge is the ongoing elections to parliament. More than half of the government of India and state government staff are busy with election duty till the end of May.

A better picture on the status of the Heartbleed bug in India will emerge only post-May.
