Following is a question by the Hon Charles Mok and a written reply by the Secretary for Commerce and Economic Development, Mr Gregory So, at the Legislative Council meeting today (May 7):
Question:

It has been reported that OpenSSL, a data encryption technology widely used in electronic network systems, has recently been found, in its version 1.0.1 released on March 14, 2012, to have a security loophole known as Heartbleed. Hackers may make use of the loophole to steal encrypted information (including information protected by key encryption, usernames and passwords, personal financial information, contents of communications, etc.) in web site servers, and they may even crack other network security measures such as firewalls. In this connection, will the Government inform this Council:
(1) of the Government’s (i) internal applications and (ii) the electronic public services, which are currently using the OpenSSL data encryption technology and, among them, those applications and services that previously used or are still using version 1.0.1 of the encryption technology;
(2) whether it has implemented network security measures in respect of the aforesaid programme loophole to reduce the risks of data leakage; if it has, of the details; whether it has suspended the use of OpenSSL data encryption technology and the electronic public services concerned, or switched to other encryption technologies; if it has, of the details; if not, the reasons for that;
(3) whether it has assessed the impacts of the aforesaid programme loophole on local network security, including (i) which industries other than the finance industry will be seriously affected, (ii) the extent to which those industries will be affected, (iii) whether the information technology personnel in those industries are aware of the impacts, and (iv) whether such personnel are equipped with the skills to remove the risks in question;
(4) whether it has assessed the impact of the aforesaid security loophole on electronic commerce (e-commerce); if it has, of the details; whether it will provide assistance to e-commerce platform users or subsidise the trade to enhance network security; and
(5) whether the authorities have received any request from private companies for assistance in respect of the aforesaid programme loophole so far; if they have, of the background of the companies requesting assistance and the assistance offered by the authorities?
Reply:

The Government has adopted international standards on information security management as well as advanced information security technologies to protect government networks, application systems and e-government services. For network security, government application systems generally use the prevalent Secure Sockets Layer (SSL) network security protocol to encrypt network communications in order to protect the confidentiality and integrity of data during transmission. OpenSSL is one of the encryption technologies for the implementation of the SSL network security protocol. Regarding the five parts of the question, the Administration’s reply is as follows:
(1) There were around 90 government application systems that had used OpenSSL version 1.0.1 encryption technology, of which 85 are government internal applications, including management consoles and virtual private networks. The remaining five are systems that provide electronic services to the general public, including portals and electronic systems for submitting applications. All affected systems have completed rectifications as detailed in part (2) below.
(2) The concerned departments have immediately taken appropriate security measures for the affected application systems after being informed of the Heartbleed vulnerability, including installing patches, arranging the renewal of digital certificates and cryptographic keys, and reminding users to change their passwords when necessary. All departments have already assessed the risks and impacts in relation to this security vulnerability. Since the vulnerability has been fixed within a short time, there is no need to suspend the relevant services or switch to another encryption technology.
(3) Upon receiving the notification of the Heartbleed vulnerability, the Office of the Government Chief Information Officer (OGCIO) has immediately requested all departments to conduct a risk assessment on the affected systems and take corresponding remedial actions. This security incident has not affected any government services. We have also published a security notice on the InfoSec website (www.infosec.gov.hk) and disseminated related information via “GovHK Notifications” to the subscribers who have registered to receive such messages.
Besides, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and the Hong Kong Police Force (HKPF) have notified relevant stakeholders by email of the Heartbleed vulnerability, its impacts and responsive measures. The Hong Kong Monetary Authority (HKMA) has also requested all banks to review their related services. According to HKMA’s findings, all local retail e-banking services have not been affected. Based on the information we received, this security incident has little impact on local network security.
Measures to avoid the risks in question include checking if there is any vulnerability in a system and installing patches provided by the system suppliers. Information technology (IT) personnel can refer to the procedures specified in the security notice and follow the steps to implement the solution. The related techniques are not difficult to master.
(4) Operators of e-commerce platforms have generally taken appropriate security measures to manage information security and maintain network security in order to provide a secure e-commerce environment. Information shows that this security incident has not caused serious impacts on the e-commerce platforms commonly used by businesses and the general public because the concerned operators have checked their systems for the vulnerability and implemented corresponding measures. For example, Taobao indicated that they had completed the appropriate remedial actions while Amazon, eBay, PayPal and Alipay said that their online shopping websites were not affected.
Public education is very important in enhancing network security. OGCIO has been working closely with HKCERT and other industry bodies to arrange security promotion activities to enhance public awareness and knowledge on information security. In case citizens or businesses encounter security incidents or need support on network security, they may contact HKCERT for assistance. At present, we have no plans to subsidise the industry to enhance network security.
(5) So far, HKCERT and HKPF have not received any reports or requests for assistance in respect of the Heartbleed security incident. We will continue to monitor the development of the incident. Upon receiving enquiries or incident reports, HKCERT will provide advice and support on IT security matters to those in need of help, and assist them in fixing the vulnerability and protecting against computer security threats.
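As an added illustration of the first step the reply describes in part (3), "checking if there is any vulnerability in a system", and not part of the press release or of any government tool: a POSIX shell function that classifies the string printed by `openssl version` against the upstream OpenSSL releases that shipped the Heartbleed bug (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not affected). The function names and the sample version strings are assumed and constructed for this example.

```shell
#!/bin/sh
# Exit status: 0 = version string is within the affected upstream range,
#              1 = outside the affected range, 2 = not an OpenSSL version string.
# Caveat: vendor packages often backport the fix while still reporting an old
# version (for example a patched "1.0.1e"), so status 0 means "check the vendor
# advisory and package changelog", not "confirmed vulnerable".
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | awk '/^OpenSSL/ {print $2; exit}')
    [ -n "$ver" ] || return 2
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1 .. 1.0.1f (incl. -fips builds)
        1.0.2-beta*)                   return 0 ;;   # 1.0.2-beta1 also carried the bug
        1.0.1*|1.0.2*|1.1.*|3.*)       return 1 ;;   # 1.0.1g and every later release
        0.9.*|1.0.0*)                  return 1 ;;   # branches without the heartbeat code
        *)                             return 2 ;;
    esac
}

# Constructed wrapper: run the check against the openssl binary on this host
# and print a one-line verdict; the exit status is the same as above.
report_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; return 2; }
    v=$(openssl version)
    heartbleed_affected "$v" && rc=0 || rc=$?
    case $rc in
        0) echo "$v: within the affected upstream range; confirm the vendor patch level, then patch, reissue certificates and keys, and reset passwords" ;;
        1) echo "$v: outside the affected range" ;;
        *) echo "$v: not recognised as an OpenSSL version string" ;;
    esac
    return $rc
}
```

On a real host the version string alone is only a triage signal; the binary's build date and the vendor's security advisory decide whether the library is actually patched.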