Following is a question by the Hon Andrew Leung Kwan-yuen and a reply by the Secretary for Commerce and Economic Development, Mr Frederick Ma, in the Legislative Council today (June 25):
Question:
It has been reported that a survey report recently published by an internationally renowned anti-virus software company points out that web sites using domain names ending with ".hk", which are susceptible to viruses and spyware, are the most dangerous in the world, and their security level has dropped drastically by 27 ranks when compared with last year's level. In this connection, will the Government inform this Council:
(a) whether it has ascertained the reasons for the drastic drop in the security level of such web sites, if it has, of the reasons for the drastic drop in the security level (including whether the drop is related to the internal operation of Hong Kong Internet Registration Corporation Limited (HKIRC) which is responsible for the administration of the ".hk" Internet domain names); if it has not, the reasons for that; whether it has assessed the impact of the security problem of such web sites on various sectors of the Hong Kong community; if it has, of the assessment outcome; if not, the reasons for that; and the actions to be taken by the Government to reduce the risks concerned;
(b) how it ensures that HKIRC's administration of the ".hk" Internet domain names meets international standards; whether it knows if HKIRC has provided any guarantee to the users regarding the security level of the domain names; if HKIRC has provided such guarantee, of the details of the guarantee; if not, whether the authorities will require HKIRC to provide a specific guarantee, and whether the authorities have monitored HKIRC's work on a regular basis; and
(c) whether the authorities have accepted the consultant's recommendations mentioned in the Consultation Paper on the Review on Administration of Internet Domain Names in Hong Kong published in May 2007, including the recommendations that HKIRC should establish a new Consultative and Advisory Panel and reduce the number of directors on the Board of HKIRC; if they have, of the transitional arrangements and progress of the restructuring of the Board, and whether the authorities have monitored the implementation of the recommendations by HKIRC and its progress.
Reply:
Madam President,
Governments around the world have been collaborating with the private sector and community organisations as well as intergovernmental and international organisations to prevent, detect and respond to Internet abuses and cyber-crimes. We have been sharing knowledge and intelligence about sources of Internet abuses, network vulnerabilities, and technical, educational and policy solutions with our counterparts at the international level.
Internet domain names are used to identify computers or other resources on the Internet. For example, domain names are used in web addresses and in email addresses. The global system for administration of domain names is run by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN delegates administration of particular top level domains (TLDs) such as ".com" to Internet domain name registries. Country-code TLDs such as ".hk" are regarded as a public resource, so the delegation is made to an entity designated by the authorities of the country or territory concerned.
Internet domain name registries are responsible for the administration of domain names but it is the domain name holder who controls how a domain name is used and the content of any associated web sites. Registries therefore have no direct influence over the security of individual web sites but their agreements with domain name holders normally give them the ability to cancel a domain name registration if the domain is found to be used for illicit, illegal or abusive purposes.
The Government has designated the Hong Kong Internet Registration Corporation (HKIRC) to administer ".hk" Internet domain names. This arrangement was the recommendation of a joint Government and industry task force in 2000, which looked at the international best practices in the administration of Internet domain names.
With this background, my reply to the three-part question raised by the Hon Andrew Leung Kwan-yuen is as follows:
(a) The mode of operation of spammers and hackers is to look for a place where they can register domain names easily. They will make use of these domain names as their bases to conduct their abusive activities until they encounter a strong countermeasure from that place. In the second half of 2006, HKIRC enhanced its online registration process for second level ".hk" domain names to make it more user-friendly. This, however, made ".hk" domain names more attractive to spammers and hackers.
In 2007, there was a substantial increase in spamming and phishing activities using second level ".hk" domain names. In response, HKIRC, Office of the Government Chief Information Officer (OGCIO), Office of the Telecommunications Authority (OFTA), Hong Kong Police and Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) stepped up efforts to crack down on malicious and suspicious web sites with ".hk" domain names. As a result, more than 14,000 such domain names were cancelled. There has been a drastic drop in spamvertising and phishing cases using ".hk" domain names, from an average of 262 cases a week in 2007 to the weekly average of 2 cases during the past three months (March to May 2008).
The survey referred to in the Hon Member's question gives a misleading impression of the risk profile of ".hk" domains. The timing of the survey happened to coincide with a brief period in which the ".hk" domain was being targeted by malicious operators. The enforcement activities that I have mentioned mean that the domain names that were used for the abuses should no longer exist. However, we need to make sure that the survey report does not have a long-term impact on the image of Hong Kong. We have been working with HKIRC and other industry organisations to set the record straight, and to rebuild the branding of ".hk" domain names. We will continue to require HKIRC to exercise the measures vigorously and implement additional ones as appropriate in light of emerging developments in the future.
(b) The Government closely monitors the HKIRC's work through regular meetings between the management of HKIRC and the OGCIO. Through this mechanism, the Government ensures that HKIRC adopts international standards for the administration of ".hk" domain names, such as those on information security management.
Around the world, it is the domain name holders, not the domain name registries, who take responsibility for the activities associated with a domain name. Registries therefore do not provide a guarantee to users about the contents or transactions associated with a domain name, or whether the domain name is bona fide. On the other hand, registries are required to cooperate with governments and other relevant organisations in combating Internet abuses and cyber-crimes. In this respect, the Government has already set up the collaboration mechanism to tackle such abuses and cyber-crimes as mentioned above.
(c) The current Board structure is seeking - within a single board - to engage all interested parties and to manage the operations of the critical infrastructure of ".hk" domain names. The Consultation Paper referred to in the Hon Member's question recommended a smaller Board of Directors to focus on corporate governance and a new Consultative and Advisory Panel to enable various stakeholder groups to advise the Board. We briefed the Information Technology and Broadcasting (ITB) Panel on the above recommendations in June 2007. Following public consultation, we accepted the recommendations and invited HKIRC to settle the detailed implementation arrangements. To monitor the progress of implementation of the recommendations, OGCIO has been holding regular meetings with HKIRC.
The Board of HKIRC has now come to a resolution on the way forward for restructuring the governance arrangements. I understand that they will be proposing to an Extraordinary General Meeting that there should be four Government-appointed directors and four directors elected by members of the company. There will be two directors elected by the Supply Class of members and two by the Demand Class. There will also be a Consultative and Advisory Panel (CAP) as recommended in the Consultation Paper. The company is aiming to implement the new arrangements before the end of this year.
As recommended by the consultancy study and in view of the progress made, it is our intention that the designation by the Government of the domain name management function to the HKIRC, an arm's length organisation, should be continued. We envisage that the appointed directors will be chosen to give the company access to experienced non-executive directors and to insights about the wider interests of the community. To give continuity, we will consider inviting the retiring directors to the CAP. Separately, we will implement open and transparent means of monitoring the company's activities based on a new Memorandum of Understanding with the company.
We will continue to update the ITB Panel periodically on the details and progress of implementation of the changes.
Ends/Wednesday, June 25, 2008
Issued at HKT 15:50