LCQ12: Countering hacking activities
************************************

     Following is a question by Dr Hon David Li Kwok-po and a written reply by the Acting Secretary for Commerce and Economic Development, Mr Gregory So, in the Legislative Council today (March 17):

Question:

     The Hong Kong SAR Government has taken a proactive approach to facilitate the digital economy and make Government services more accessible, through the Digital 21 Strategy.  There are views that while this policy direction has been welcomed by people in Hong Kong, recent news reports about computer hacking activities have raised concerns about the vulnerability of computer networks connected to the Internet.  In this connection, will the Government inform this Council:

(a) what procedures it had put in place in the past three years to counter hacking activities, and how often these procedures are reviewed to ensure that they are adequate to prevent the continually evolving threat posed by hackers; and

(b) whether any government computer had been subject to hacking activity in the past two years?

Reply:

President,

     Regarding the questions raised by Dr Hon David Li Kwok-po, my reply is as follows:

(a) Computers and networks connected to the open Internet risk being the target of attempts at unauthorised access, commonly known as hacking.  Government has put in place a set of comprehensive regulations, guidelines and procedures for bureaux and departments (B/Ds) to follow to minimise the risk and protect against possible attacks.  These cover a host of measures relating to the development, operation, use and management of information technology (IT) systems and computers.  The approach we have been adopting is based on the guiding principle of "Prevent, Detect, Respond and Recover".  In this connection, B/Ds are required to designate appropriate personnel to manage IT security and to have systems in place to review their information security incident handling procedures and facilities.

     Specific measures by B/Ds to counter information security attacks and hacking include (i) observing the guidelines and best practices on software asset management; (ii) installing firewalls, anti-virus, intrusion detection and prevention systems against security threats; (iii) updating their software systems to incorporate the latest virus signature files and removing any other malicious software in a timely manner; and (iv) conducting formal security risk assessments and audits upon the initial introduction of critical IT systems and periodical reviews thereafter.

     Given the open and global nature of the Internet, development and maintenance of a safe Internet environment requires the concerted effort of the Government, industry stakeholders, security experts and all our citizens.  The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), the establishment of which was funded by the Government, receives security incident reports and provides assistance to the community in regard to the prevention of, and protection against, computer security threats, including computer hacking, and in the recovery actions necessary after encountering security incidents.  HKCERT conducts drill exercises regularly with relevant stakeholders to ascertain their responsiveness in case of cyber attacks.

     According to our established Information Security Management Framework, we review and update the appropriate security protection measures and procedures from time to time to keep up with changes in technology, new standards and best practices in the industry in order to maintain a very high level of security in the Government's IT infrastructure and connections to the Internet environment.  In addition, B/Ds are required to carry out their information security risk assessment and review their protection measures on a regular basis, and at least once every two years.
 
(b) Like all computers connected to the Internet, Government computers commonly receive unsolicited requests for access.  It is likely that some, though not all, of these requests relate to attempted hacking activity.  Such requests are routinely blocked by the firewalls that protect Government IT systems.

     During the past two years (from March 2008 to February 2010), eight hacking-related incidents were reported by B/Ds.  All of these incidents affected web servers, rather than systems holding personal data or sensitive information.  In no case was there any data leakage or any report of adverse impact on a member of the public.  The problems affecting the relevant servers have all been rectified and their security protection has been strengthened according to established procedures.

Ends/Wednesday, March 17, 2010
Issued at HKT 12:15
