LCQ19: Information security in Hong Kong
****************************************
Question:
In recent years, information security incidents and cybercrimes, which involved increasingly sophisticated modus operandi and technology, have occurred frequently in Hong Kong, thus putting the networks of government departments, financial system and enterprises under threats. In the first eight months of this year, the Police have received 49 reports of blackmails using encryption ransomware, and the total monetary loss involved in five of such cases was nearly $70,000. In addition, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) under the Hong Kong Productivity Council received 247 reports of blackmails using encryption ransomware over the first nine months of this year, representing a more than threefold year-on-year increase. Regarding the enhancement of the information security of government departments, the financial system and the business operations of enterprises in Hong Kong, will the Government inform this Council:
(1) whether it knows the respective numbers, in each of the past three years, of reports of incidents in which computers or websites of (i) government departments and (ii) other organisations were subject to cyberattacks and encountered information security incidents, with a breakdown by name of the department/organisation and type of incident (including web defacement, intrusion of networking and information systems, distributed denial-of-service (DDoS) attacks and blackmails using encryption ransomware);
(2) given that the computers of the Harbour Patrol Section of the Marine Department and the Office of the Centre for Food Safety of the Food and Environmental Hygiene Department had, one after another, fallen victims to implantations and intrusions by hackers in October this year, of the respective monetary losses suffered by the Government as a result of such incidents; whether the authorities have reviewed if the computer systems and anti-virus software in use by various government departments are adequate to guard against cyberattacks, such as phishing websites, botnets, malicious software and DDoS attacks;
(3) given that the server of the Immunisation Record System of the Clinical Information Management System (CIMS) of the Department of Health was earlier suspected of having been intruded into by hackers, how the authorities will enhance the security of CIMS to protect the personal data and privacy of members of the public;
(4) given that the Office of the Government Chief Information Officer (OGCIO) has indicated its plan to strengthen its efforts to defend against cyber threats by forming a new team in the middle of this year, (i) whether that team has been formed, (ii) what specific tasks the team has undertaken and has planned to undertake respectively, and (iii) whether the team will conduct information security assessments and audits for various government departments; if the team will, of the timetable; if not, the reasons for that;
(5) of the number of cyber security drills conducted by the Government Computer Emergency Response Team Hong Kong in collaboration with the Hong Kong Police Force (HKPF) since its establishment, and the respective categories and scales of the simulated cyberattack incidents (set out separately in chronological order);
(6) of the scope of work of the Cyber Security and Technology Crime Bureau (CSTCB) of the HKPF in addressing cybercrimes; whether CSTCB has participated in the various types of information security work of the Security Bureau, the Innovation and Technology Bureau and OGCIO, including (i) the conduct of security risk assessments and audits, (ii) the implementation of technical security solutions, and (iii) the upgrade of security infrastructures;
(7) how many organisations participated in the SME Free Web Security Health Check Pilot Scheme organised by the authorities through HKCERT this year; whether and how the authorities have assessed the effectiveness of the scheme, and whether they will expand the scheme to enable more small and medium enterprises (SMEs) to participate; given that SMEs face higher information security risks, whether the Government will provide SMEs with extra funding and support to help them strengthen the security of network infrastructure and enhance information security;
(8) given that a large-scale cyberattack launched by hackers in the United States in October this year has rendered a number of major local websites paralysed, whether the authorities have formulated an information security strategy in relation to the promotion of smart city development in Hong Kong, so as to address cyberattacks targeting household, personal and mobile network devices, merchant point-of-sale systems and Internet-of-Things systems;
(9) given that incidents of hacker intrusions into automatic teller machine systems of banks have occurred successively in Thailand and Taiwan recently, whether the authorities have specific measures in place to safeguard the information security of the financial system of Hong Kong so as to ensure that the system has adequate protection against similar incidents of hacker intrusions; whether they will conduct comprehensive risk assessments on the current information security of government agencies, financial institutions, industry bodies (such as telecommunication companies) and their infrastructures;
(10) whether the authorities have assessed Hong Kong's long-term needs for information security personnel to tie in with the direction of smart city and financial technology development in Hong Kong; whether they have plans to formulate policies to nurture information technology personnel and network security experts, so as to address various types of information security threats; and
(11) since the review of the current legislation and the relevant administrative measures in 2000, whether the authorities have plans to establish afresh an inter-departmental working group for the enhancement of information security work to study ways to address the new challenges posed by the application of cloud technology?
Reply:
President,
With the rapid development of information technology (IT) and increasing popularity of smart devices, information security and the threats posed by cyber attacks have brought impacts on internet users. The Government has been closely monitoring the trend of cyber attacks and related security threats. The Office of the Government Chief Information Officer (OGCIO) has been collecting cyber threat information disseminated by the cyber security industry and computer emergency response teams around the world, and issue timely security alerts and reminders to Government bureaux and departments (B/Ds), as well as assist government IT management staff and Information Security Incidents Response Teams in B/Ds to make prompt response and strengthen their precautionary measures.
Having consulted the Security Bureau (SB), the Commerce and Economic Development Bureau (CEDB), the Financial Services and the Treasury Bureau (FSTB) and other relevant departments, the reply to each part of the question is as follows:
(1) In the past three years, OGCIO received a total of 31 information security incident reports from government departments, while the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) received a total of 13 517 such reports from local enterprises and users over the same period. The relevant incidents by type are set out in Annex.
(2) Regarding the hacker intrusion incident at the Harbour Patrol Section of the Marine Department and the office of the Centre for Food Safety of the Food and Environmental Hygiene Department, the departments concerned have promptly and properly dealt with the incidents in accordance with the established information security incident response mechanism and procedures. As the intrusions were caused by ransomware, OGCIO also immediately issued reminders and guidelines on strengthening ransomware prevention to B/Ds, requesting them to step up checks on the computer systems and anti-malware softwares, so as to ensure the information security defensive capabilities within the Government. The Government has not suffered any monetary loss as a result of the relevant incidents.
On protecting government information systems and networks, the Government has put in place overall management framework, technical measures and security mechanisms to closely monitor the operation of government information and network systems, so as to detect and block various kinds of potential cyber attacks. B/Ds should abide by the Government's information security policies and guidelines, take appropriate measures to ensure the safe and normal operation of the Government's information and network systems, including the implementation of multiple layers of security such as the use of firewalls, intrusion detection and defensive systems and anti-malware softwares. B/Ds should also ensure the correct set-up of systems and the timely installation of security patches to prevent any security vulnerabilities from posing threats against the Government's information systems. Moreover, they should conduct regular security risk assessments and third-party audits on their information and network systems, to ensure that the systems comply with the relevant security requirements and regulations, and have adequate defensive capabilities to protect government systems and data assets.
In addition, OGCIO has been closely monitoring the trends of cyber attacks and the associated security threats, providing timely technical assistance and recommending precautionary measures to B/Ds. It also issues technical guidelines, security alerts and reminders and organises seminars to strengthen their information security awareness and capabilities to prevent, detect and respond to cyber attacks.
(3) In July 2016, the Department of Health (DH) discovered that the Immunisation Record System of its Clinical Information Management System had been intruded by hackers. DH handled the incident in accordance with the established procedures, reported the incident to OGCIO and the Office of the Privacy Commissioner for Personal Data, and referred the case to the Police for investigation. The DH also sent letters to all those who might be affected, advising them to be vigilant against any illegal use of their personal information.
On the protection of personal and classified information, the Government has put in place very stringent information security requirements and responsive measures, stipulating that the access to and use of relevant application systems and data should be restricted to authorised persons and that data access rights should be clearly defined and reviewed periodically. It is also required that sensitive data and documents, when being saved or transmitted, should be encrypted in accordance with recognised industry standards to ensure the proper protection of government data assets.
In 2016, OGCIO conducted a comprehensive review on the Government IT Security Policy and Guidelines, by making reference to the latest ISO 27001 international standards and other industry best practices, in order to strengthen the security requirements in individual areas, including the confidentiality requirements for storing sensitive information and departmental management capability to respond to information security incidents.
(4) OGCIO set up a new team in July this year to step up actions against cyber security threats. The team is establishing a pilot cyber threat information sharing platform, which will collate and evaluate cyber threat information and data from different sources using big data analytics technology, so that more targeted cyber threat alerts can be issued to B/Ds and provide them with advice on counter measures. Moreover, OGCIO will launch a new round of "security compliance audits" by the end of this year to assess B/Ds’ compliance with the Government IT Security Policy and Guidelines. During the course of assessment, OGCIO will assist relevant B/Ds to continuously improve their security management systems and to cope with emerging security threats.
(5) Since 2014, the Hong Kong Police Force (HKPF) has conducted various types of cyber security drills together with industry stakeholders and local critical infrastructures. In 2014, a total of 14 organisations of critical infrastructures participated in the drills. In 2015, the number of participating organisations increased to 28. Through various simulated incident scenarios, cyber security drills test the capabilities of incident analysis, the standing incident response procedures and the communication protocol of the participants. The simulated cyber attacks incidents include the most common scenarios with profound impacts, such as distributed denial-of-service attacks, web defacement, intrusion of network and information systems, ransomware, malware and sensitive data breaches.
The Police will, in collaboration with OGCIO, conduct a large-scale cyber security drill involving 30 government departments in January 2017 to enhance government departments' capability to protect information systems and handle cyber security incidents.
(6) The Cyber Security and Technology Crime Bureau (CSTCB) of HKPF is responsible for a wide range of duties in tackling cyber crimes. Its major functions include:
(a) detecting syndicated and highly sophisticated technology crimes and conducting proactive intelligence-led investigations;
(b) providing assistance to critical infrastructures by conducting timely cyber threat audits and analyses to prevent and detect cyber attacks against them;
(c) enhancing incident response capability to major cyber security incidents or massive cyber attacks;
(d) strengthening thematic researches on cyber crime trend and mode of operation, vulnerabilities of computer systems and development of malware;
(e) strengthening co-operation with local and overseas stakeholders and law enforcement agencies to counter prevalent technology crimes and cyber threats; and
(f) conducting trainings on cyber security and technology crimes.
Since its establishment, CSTCB has been collaborating with various government departments and stakeholders of different trades to strengthen the reliability of the information system network of critical infrastructures, as well as to enhance Hong Kong's capability to protect relevant information system networks and guard against cyber attacks.
(7) To enhance the cyber security awareness among local small and medium enterprises (SMEs) and strengthen their defensive capabilities against cyber attacks, HKCERT launched the SME Free Web Security Health Check Pilot Scheme jointly with a number of local trade associations early this year to check the health status of SMEs' websites and suggest improvement measures, and to verify the effectiveness of the measures upon implementation. The first round of checks under the scheme was completed in the middle of this year, and website security check reports and free consultation services were provided to 30 participating SMEs. In August, seminars were held to share the findings and improvement suggestions. A second round of checks has also been completed. Through the scheme, participating SMEs can have a better understanding of the security risks of their websites and the best practices in website security, thereby enhancing the protection for their websites. OGCIO will continue to work closely with HKCERT to explore activities which will further raise the cyber security level of local SMEs.
The Innovation and Technology Commission launched a $500 million Technology Voucher Programme on a pilot basis under the Innovation and Technology Fund on November 21 to subsidise the use of technological services and solutions by SMEs, including IT that assists enterprises to enhance cyber security.
(8) In the process of promoting the development of smart city, it is imperative to develop relevant IT security and technical standards. When considering the options for implementing Internet of Things, the Government will evaluate the security risks in the relevant segments, including terminal devices, network systems, information management, etc, in order to comply with the requirements under the security regulations and policies of the Government. We are conducting a consultancy study for formulating a Smart City Blueprint for Hong Kong, including the development of IT security and technical standards. The study is expected to complete in mid-2017.
(9) The Hong Kong Monetary Authority (HKMA), the banking industry and HKPF have been monitoring the crime cases related to ATMs, including the cases involving overseas ATMs being intruded by hackers, causing them to dispense cash automatically.
According to information provided by HKMA, these cases involved the planting of malwares into the overseas ATMs in respect of which no protective measures against malwares have been implemented. In Hong Kong, effective security measures against malwares have been implemented in all ATMs in accordance with HKMA's guidelines. In light of these cases, HKMA, the banking industry and HKPF have earlier reminded banks to review their security controls, so as to further reduce the risk of local ATMs being hacked.
To strengthen the cyber resilience of the banking sector in Hong Kong, HKMA announced in May 2016 the launching of Cybersecurity Fortification Initiative (CFI), which is underpinned by three pillars:
(a) Cyber Resilience Assessment Framework: the assessment framework aims at assessing an authorised institution (AI)'s cyber risk exposure and cyber resilience. The results will form a basis for an improvement plan for cyber resilience. It also allows HKMA to get a holistic view of the preparedness of individual AIs, as well as the entire banking sector, in cyber security;
(b) Professional Development Programme: the Professional Development Programme is a localised certification scheme and training programme developed by HKMA together with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute (ASTRI). The aim of launching this integrated and well-structured programme is to train and nurture cyber security practitioners in the AIs and the IT industry, so as to enhance their cyber security awareness and technical capabilities to conduct cyber resilience assessments and simulation testing; and
(c) Cyber Intelligence Sharing Platform: the Cyber Intelligence Sharing Platform is jointly implemented by HKMA and the Hong Kong Association of Banks (HKAB) to support the implementation of simulation testing and facilitate the sharing of cyber intelligence among AIs. Relevant cyber intelligence sourced from different reliable channels will be collected, analysed and shared on this platform together with detailed cyber-threat analysis report and recommendations. Through this platform, member banks of HKAB will be able to tap the latest threat scenarios and get prepared accordingly.
With the support of the banking industry and other stakeholders, the HKMA has made good progress in implementing the CFI. The three pillars are expected to be formally rolled out in December 2016.
Furthermore, CSTCB has been endeavouring to facilitate the sharing of cyber-attack intelligence in the financial sector of Hong Kong. CSTCB is planning to establish a Cyber-attack Intelligence Sharing Platform to address dynamic cyber threat and the increasingly complex cyber attacks, as well as to share intelligence on cyber attacks.
In May this year, HKPF, HKMA and ASTRI co-organised Cyber Security Summit 2016, which was a three-day event with supervisors of financial institutions, regulatory bodies and technology solution providers among its guests. The summit shared the latest local and global trends of cyber attacks, and enhanced the awareness and preparedness of important professional bodies and critical infrastructures in Hong Kong in response to cyber security incidents and hacker attacks.
As regards telecommunications operators, according to information provided by CEDB, they are required to ensure the effective operation of their networks to maintain and provide satisfactory services in accordance to the licence conditions.
(10) According to the statistics by the Information Systems Audit and Control Association, there are 2 327 Certified Information System Auditors and 474 Certified Information Security Managers in Hong Kong as at September 2016. Moreover, information of the International Information Systems Security Certification Consortium, Inc shows that a total of 1 413 local practitioners have acquired the qualification of Certified Information Systems Security Professional. To address the information security threats faced by Hong Kong, the Government will continue to collaborate with schools and the education sector (including tertiary institution) to enrich IT-related disciplines with information security programmes. The Government will also work with professional associations of information security to promote professional accreditation for IT practitioners so as to train up more IT practitioners with professional knowledge and skills in information security, and to facilitate the development of relevant manpower resources.
(11) The Government has formulated a set of comprehensive Government IT Security Policy and Guidelines which is subject to regular reviews, in order to address challenges brought by the Government's use of cloud and other IT developments.
Ends/Wednesday, December 14, 2016
Issued at HKT 16:15
Issued at HKT 16:15
NNNN