LCQ15: Handling OpenSSL software vulnerability
Following is a question by the Dr Hon Elizabeth Quat and a written reply by the Secretary for Commerce and Economic Development, Mr Gregory So, at the Legislative Council meeting today (May 21):
Network systems generally use the prevalent Secure Sockets Layer (SSL) network security protocol to encrypt network communications in order to protect the confidentiality and integrity of data during transmission. The OpenSSL Project is an open-source toolkit for the implementation of the SSL network security protocol, and the toolkit can be used to produce digital certificates (e-Certs). The official website of OpenSSL announced on April 7, 2014 that a security loophole known as "Heartbleed" was found in version 1.0.1 of OpenSSL. Some network security experts have pointed out that e-Certs produced by servers installed with version 1.0.1 of OpenSSL are susceptible to attacks or hacks, which may result in usernames, passwords or other sensitive information being stolen and may hence cause global network disasters. In addition, the Financial Secretary proposed the initiative of "considering the provision of digital identity to all Hong Kong citizens in order to develop a common, shared and safe platform" in the 2014-2015 Budget. Some members from the information technology sector opine that when implementing the relevant policies, the authorities should ensure that the security loopholes of the encryption technology concerned have been plugged. In this connection, will the Government inform this Council:
(1) whether it has investigated if the aforesaid security loophole has caused any data leakage from the Government's servers; if there was data leakage, whether it has taken effective remedial measures;
(2) as it has been learnt that after the aforesaid security loophole was made public, a number of SSL technology service providers in the United States have been busily implementing the relevant remedial measures for their local clients, and a majority of such service providers do not have an office in Hong Kong, whether it has tried to find out if these service providers have given sufficient support to their clients in Hong Kong; whether it has requested these service providers to take the initiative to provide relevant information and assistance to their clients in Hong Kong;
(3) whether it has set up a dedicated task force to handle and follow up the problems caused by the aforesaid security loophole, and proactively informed and offered assistance to the business sector and small and medium enterprises; if it has, of the specific arrangements; if not, the reasons for that;
(4) whether it has estimated the amount of economic loss brought about by the aforesaid security loophole to Hong Kong; if it has, of the details;
(5) given that OpenSSL encryption technology can be used to produce e-Certs, whether it has tried to find out if, apart from Hongkong Post Certification Authority, the service providers issuing e-Certs for local use have provided solutions in respect of the aforesaid security loophole, and the jurisdictions in which such service providers are located; and
(6) what specific measures it will draw up to plug the security loophole of the encryption technology concerned and further enhance network security, so as to encourage the use of e-Certs by the public and the business sector?
The Government attaches great importance to information security. We follow international standards on information security management systems and adopt advanced information security technologies to protect government networks, application systems and e-government services. The Government has a well-established information security management framework and procedures in place to deal with matters related to information security, including issues arising from this OpenSSL vulnerability. Regarding the six parts of the question, the Administration's reply is as follows:
(1) Following the existing mechanism, government bureaux and departments (B/Ds) immediately took effective security measures after learning of the OpenSSL security risk, including installing patches, arranging the renewal of digital certificates and cryptographic keys, and reminding users to change their passwords when necessary. All affected government systems completed rectification within a short time. We have not received any data leakage reports due to the vulnerability.
(2) Generally speaking, customers can obtain system-related information and support through their service providers. According to online information, major system vendors adopting OpenSSL software, such as Dell, Cisco Systems, Hewlett-Packard, Microsoft, IBM, Juniper Networks, Red Hat, VMware, etc. have proactively provided relevant information or patches to their customers worldwide through websites or emails. Customers in Hong Kong can obtain relevant information and support through their local distributors, agents or business partners. Besides, the Office of the Government Chief Information Officer (OGCIO) immediately published a security notice on the InfoSec website (www.infosec.gov.hk) and disseminated related information via "GovHK Notifications" to the subscribers who have registered for receiving such messages. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and the Hong Kong Police Force (HKPF) have also notified relevant stakeholders by email of this vulnerability, its impacts and responsive measures. Since local customers should have already obtained relevant information and necessary support for this vulnerability through various channels, there is no need for the Government to raise specific requests to individual service providers.
(3) According to the Government's established procedures, OGCIO, HKCERT and HKPF join hands to handle all matters related to information security within the Government and in the community. To keep B/Ds apprised of impending security threats and enable them to take prompt preventive measures, OGCIO issues security alerts and reminders to request B/Ds to take appropriate follow-up actions when necessary. The problem arising from this vulnerability and the associated remedial work were swiftly and properly dealt with through the procedures.
For the business sector and the general public, HKCERT has published related security bulletins and security blogs on its website. HKCERT has also notified relevant stakeholders, including Internet service providers, of this vulnerability, as well as the detection methods and responsive measures through emails. Upon receiving enquiries or incident reports, HKCERT will provide advice and support on IT security matters to those seeking help, and assist them in fixing the vulnerability and protecting them against computer security threats.
(4) Since the Government, HKCERT and systems vendors have disseminated relevant information on the vulnerability in a timely manner and provided support to the community through various channels, the organisations concerned should be able to solve the problem if they have taken immediate actions to fix the vulnerability. So far, HKCERT and relevant B/Ds have not received any reports or requests for assistance on information or financial loss due to the vulnerability. We do not expect the vulnerability to have a significant impact on our economy.
(5) This incident originates from a vulnerability in the OpenSSL software, which has already been fixed. The digital certificates issued by a number of overseas and local digital certificate service providers also make use of this software. We understand that these service providers are assisting users to replace their digital certificates so as to prevent any possible data leakage arising from the OpenSSL vulnerability.
(6) The prevailing digital certificate encryption technology is safe and secure. As best practice, the two recognised certification authorities in Hong Kong regularly review the settings of their systems to ensure security and reliability of the digital certificates they issue. The Government attaches great importance to information security. OGCIO will continue to collaborate with HKCERT to raise the awareness and knowledge of information security, and organise promotional activities to publicise and promote the importance of protecting computer systems and ensuring network security, and the secure use of digital certificates and online services among the general public and business sector.
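The reply in part (1) names the remediation steps (installing patches, renewing digital certificates and cryptographic keys) without saying how an operator verifies that they were actually carried out. The Go program below is an added example for readers of this page; it is not part of the press release and not a tool of OGCIO, HKCERT or any vendor named above. It classifies an "openssl version" banner against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) and checks that a renewed certificate both post-dates the 7 April 2014 disclosure and binds a new public key, since a certificate reissued for the old key leaves a possibly leaked key in service. The host name www.example.test, the dates and the self-signed certificates are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"time"
)

// The OpenSSL project disclosed Heartbleed (CVE-2014-0160) and released the
// fixed 1.0.1g on 7 April 2014. A private key held in the memory of a
// vulnerable server before that date may have been read out, so a renewed
// certificate must both post-date the disclosure and carry a new key.
var heartbleedDisclosed = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

var versionRe = regexp.MustCompile(`^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?`)

// VulnerableVersion classifies an "OpenSSL x.y.z[letter]" banner as printed
// by `openssl version`. Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.
// The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
func VulnerableVersion(banner string) (bool, error) {
	m := versionRe.FindStringSubmatch(banner)
	if m == nil {
		return false, fmt.Errorf("unrecognised OpenSSL version banner: %q", banner)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	letter, beta := m[4], m[5]
	switch {
	case major == 1 && minor == 0 && patch == 1:
		return letter < "g", nil // "" (plain 1.0.1) and a..f are affected
	case major == 1 && minor == 0 && patch == 2:
		return beta == "1", nil // only the first 1.0.2 beta was affected
	default:
		return false, nil
	}
}

// ProperlyRotated compares the renewed certificate with the one served while
// the vulnerable build was running: it must be issued after disclosure AND
// bind a different public key (compared via the raw SubjectPublicKeyInfo).
func ProperlyRotated(old, renewed *x509.Certificate) bool {
	return renewed.NotBefore.After(heartbleedDisclosed) &&
		!bytes.Equal(old.RawSubjectPublicKeyInfo, renewed.RawSubjectPublicKeyInfo)
}

// selfSigned produces constructed test certificates; these are not real e-Certs.
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed host name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RotationScenario builds the two ways a site might have "renewed" after the
// incident and reports whether each passes ProperlyRotated.
func RotationScenario() (reissuedSameKey, reissuedNewKey bool, err error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	preIncident := time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC)   // constructed
	postIncident := time.Date(2014, time.April, 10, 0, 0, 0, 0, time.UTC) // constructed
	old, err := selfSigned(oldKey, preIncident, 1)
	if err != nil {
		return false, false, err
	}
	sameKey, err := selfSigned(oldKey, postIncident, 2) // new cert, old key
	if err != nil {
		return false, false, err
	}
	fresh, err := selfSigned(newKey, postIncident, 3) // new cert, new key
	if err != nil {
		return false, false, err
	}
	return ProperlyRotated(old, sameKey), ProperlyRotated(old, fresh), nil
}

func main() {
	for _, b := range []string{"OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"} {
		v, err := VulnerableVersion(b)
		fmt.Printf("%-28s vulnerable=%v err=%v\n", b, v, err)
	}
	same, fresh, err := RotationScenario()
	fmt.Printf("reissued with same key: %v, reissued with new key: %v (err=%v)\n", same, fresh, err)
}
```

The version check alone is not proof of exposure or safety: distributions backported the fix without changing the upstream version letter, so the banner should be read together with the vendor advisory. The rotation check is deliberately strict about the key, because the renewal step in the reply only removes the risk if the key, not just the certificate, is replaced.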
Wednesday, May 21, 2014