**********************************************
Following is a question by the Hon Ma Fung-kwok under Rule 24(4) of the Rules of Procedure and a reply by the Secretary for Security, Mr Lai Tung-kwok, in the Legislative Council today (June 19):
Question:
Edward Snowden, a former analyst of the Central Intelligence Agency of the United States (US), disclosed in a recent interview with the South China Morning Post that the US Government had been hacking into the computer systems in both Hong Kong and the Mainland since 2009 and had acquired huge quantity of communications information, and the targets included the computer systems of The Chinese University of Hong Kong, local public officers, enterprises and students. In this connection, will the Government inform this Council:
(a) whether the authorities have taken immediate and effective measures since the aforesaid report was published in the newspapers to ensure that the overall network and computer systems in Hong Kong will not be hacked; if they have, of the details; if not, how the authorities ensure that information security in Hong Kong will not be threatened;
(b) whether the Government has immediately followed up the aforesaid report with the relevant authorities of the US and taken immediate and necessary remedial and preventive measures in respect of information security; if it has, of the details; if not, the reasons for that; and
(c) as it has been reported that the aforesaid person is now in Hong Kong, and that he has indicated that he worries about his personal safety because he has received reliable information that the US Government has requested for extraditing him to the US, whether the authorities have received any relevant request from the US Government, and whether they have assessed if the personal safety of the person is under threat; if they have received such request or the assessment outcome is that the person's personal safety is under threat, of the immediate follow-up measures to be taken by the authorities?
Reply:
President,
The major issues raised in the Member's question concern network security, information security and combating technology crimes such as hacker intrusion into local computer systems. These issues are related to the policy areas of the Security Bureau and the Commerce and Economic Development Bureau. Our consolidated reply is as follows:
(a) To promote information system security and combat technology crimes, the Office of the Government Chief Information Officer (OGCIO) and the Hong Kong Police Force (Police) have adopted a series of measures in collaboration with the industry and relevant stakeholders to promote the importance of protecting computer systems and network security. The Administration is also very concerned about recent media reports which alleged that local computer systems had been hacked. The departments concerned have already taken immediate actions to review the relevant information security arrangements.
Information security within Government
-------------------------------------
Regarding the information security within Government, the OGCIO has formulated comprehensive information security policies and guidelines for compliance and reference by bureaux and departments (B/Ds), so as to ensure that they have taken appropriate and sufficient measures to protect the security of their systems and data, with a view to minimising the risk of information security attacks and hacker intrusion as well as enabling B/Ds to take appropriate response in case of incidents. To protect against information security attacks and intrusion by hackers, B/Ds have implemented the following specific measures:
(i) install firewalls, anti-virus software, and intrusion detection/prevention systems on Internet gateways to protect critical systems against security threats;
(ii) timely update systems software and patches and use latest virus signature files to prevent infection of malware;
(iii) encrypt all confidential data during storage and transmission; and
(iv) conduct regular security risk assessment and audit for critical information technology (IT) systems.
In response to newspaper reports mentioning that Hong Kong and Mainland computer systems had been hacked, the OGCIO has taken the following measures to ensure that there are proper security arrangements for government network and systems to prevent, detect and protect against cyber attacks and intrusion:
(i) continue to monitor the network facilities, servers, firewalls, intrusion detection and prevention system, etc. of the Government Central Internet Gateway System, so as to ensure normal system operation;
(ii) conduct daily checks on the system status at regular intervals, including the system service utilisation, network traffic, system log, alerts of suspicious activities, etc., so as to rigorously prevent cyber attacks and intrusion; and
(iii) issue information security reminder to all B/Ds to alert them on the issue.
Information security in the community
-------------------------------------
On raising the awareness of information security in the community, the OGCIO keeps abreast of global information security trend and development at all times, and provides the public with abundant references and latest news on information security through the one-stop INFOSEC website (www.infosec.gov.hk). Given the rapid technological developments and the ever-changing information security threats, we will continue to work with all sectors of the community to enhance the awareness of information security among organisations and members of the public.
The Hong Kong Computer Emergency Response Team Co-ordination Centre (HKCERT), established with funding support from the Government, provides computer security incident related services for the Internet community, including co-ordinating actions in response to computer security incidents, issuing alerts, and raising public awareness on Internet security. The HKCERT is responsible for receiving security incident reports, and offering assistance to the community by providing technical support in response to security incidents. It organises annual security drill exercise with relevant stakeholders to ensure they have the response capability to tackle cyber attacks.
On another front, the Police are committed to preventing and combating technology crimes. As far as crime detection is concerned, a three-tier investigation framework is currently adopted by the Police with investigation units at the levels of the Headquarters (the Technology Crime Division of the Commercial Crime Bureau), Regions (Technology Crime Units) and Police Districts to ensure optimal resource utilisation for effective and efficient investigation of such crimes. Furthermore, a round-the-clock Cyber Security Centre was set up by the Police in December 2012. Through strengthening communication and co-ordination between the Police and relevant stakeholders, conducting thematic researches and auditing network security measures, this Centre aims to prevent and enhance the response to possible attacks against information systems of critical infrastructures in Hong Kong.
Regarding the concern over the information security of the Hong Kong Internet Exchange (HKIX) of the Chinese University of Hong Kong, the OGCIO and the Police have contacted the HKIX to understand the case and provide support. The HKIX has checked its system setup. The network security and network traffic of HKIX has all along been closely monitored by designated personnel round the clock. There is no sign of irregular network traffic or systems being hacked and everything is under normal operation. Also, the Police did not receive any report from the relevant stakeholders on any sign of their information systems being hacked. The Police will monitor the situation and continue to maintain close liaison with various stakeholders, and will offer assistance when necessary in respect of auditing network security and contingency measures of the relevant facilities.
(b) & (c) The Administration is very concerned about the media reports which alleged that the local computer systems had been hacked. We will continue to monitor and ascertain the facts in relation to network security in Hong Kong, and will actively follow up on any incidents related to intrusion of the rights of institutions or individuals in Hong Kong.
The HKSAR Government will handle this case strictly in accordance with the law and procedures of Hong Kong. However, we cannot disclose any details of the operations that we have taken or will be taking. In addition, the Police are committed to protecting the safety of the people in Hong Kong. Any person who considers that his/her life is at risk may seek help from the Police.
Conclusion
----------
To conclude, network security is a matter which the whole community should be concerned with. The Government, the industry as well as all stakeholders should stay highly alert and adopt necessary measures to ensure network security. In addition, this case is highly complicated. We hope that members of the public would understand the Administration's position of not disclosing or discussing any details of this case.
Ends/Wednesday, June 19, 2013
Issued at HKT 16:43
NNNN