LCQ8: Cyber security
********************
Question:
It has been reported that as shown by the findings of a survey, Hong Kong had the highest occurrence of cyber security incidents in the Asia-Pacific region last year. Also, as many as 71 per cent of the surveyed Hong Kong enterprises indicated that cyber security incidents had occurred in their companies last year. In January last year, the Hong Kong Police Force upgraded the Technology Crime Division to the Cyber Security and Technology Crime Bureau (CSTCB) to step up efforts to prevent and combat technology crimes and cope with cyber security incidents. In June this year, the Government proposed to the Establishment Subcommittee (ESC) of the last Legislative Council (LegCo) the creation of a permanent post of Chief Superintendent of Police to head CSTCB, but the proposal had not been dealt with before the prorogation of the previous term of LegCo. In this connection, will the Government inform this Council whether:
(1) the authorities are acquainted with the findings of the aforesaid survey; if so, whether they have taken follow-up actions; if they have, of the details; if they have not, how the authorities reduce the occurrence of cyber security incidents among Hong Kong enterprises;
(2) the authorities conducted any investigation in the past five years in respect of the cyber security situations faced by Hong Kong enterprises (especially for small and medium enterprises) and how such enterprises had handled the cyber security incidents; if they did, of the details; if not, how the authorities offer appropriate support to enterprises in light of the actual circumstances;
(3) the authorities will consider putting under one single department, all the cyber security work currently taken up respectively by CSTCB, the Hong Kong Computer Emergency Response Team Coordination Centre under the Hong Kong Productivity Council, and the Government Computer Emergency Response Team under the Office of the Government Chief Information Officer, so as to pool resources on co-ordinating and handling cyber security issues;
(4) it has compiled statistics on the respective average time taken, from the occurrence of cyber security incidents to the issue of alerts, by the three work units mentioned in (3), in each of the past five years; whether the authorities have set relevant performance indicators for the three work units; and
(5) it has assessed the impact on the work of the Police on preventing and combating technology crimes and coping with cyber security incidents, made by the situation that the aforesaid post of Chief Superintendent of Police has not been created so far; of the arrangements by the Government for submitting to this Council again the proposal to create the post, as well as the details of the work plans drawn up for the post?
Reply:
President,
The Government attaches great importance to information security and has been closely monitoring the trends of cyber attacks and the associated security threats. Government bureaux and departments (B/Ds) implement multiple layers of security measures to monitor, detect and block potential malicious attacks on their information systems and networks and take counter-measures promptly to protect Government's information systems and prevent intrusion into Government networks. The Office of the Government Chief Information Officer (OGCIO), in collaboration with the Hong Kong Police Force (HKPF) and the Hong Kong Computer Emergency Response Team Co‑ordination Centre (HKCERT) have been actively providing and disseminating information and advice on cyber security to enterprises and the public through different channels, so that they can have a better understanding of various potential security risks and the corresponding mitigation measures, thereby enhancing the cyber security capabilities of Hong Kong as a whole against the challenges of emerging cyber threats.
Having consulted the Security Bureau, my reply to each part of the question is as follows:
(1) The Government has been keeping track of global information security trends and developments, including relevant survey reports. As pointed out in the aforementioned report, 71 per cent of the respondents in Hong Kong experienced security incidents in their enterprises last year. The report also indicated that the higher number of cyber attacks detected in Hong Kong is attributable to the higher ability of our enterprises to detect such attacks ‒ the time taken by 34 per cent and 43 per cent of the respondents in Hong Kong to detect an intrusion is a few minutes and several hours respectively, which is higher than the respective average value for the Asia-Pacific region. This shows that Hong Kong enterprises have achieved a certain level of security capability. Besides, surveys show that while denial-of-service attack remained to be a major means of attack in the past few years, ransomware has now become a popular form of attack.
To further raise the awareness of information security among small and medium enterprises (SMEs) and enhance their capabilities to guard against cyber security threats (including ransomware attacks), the Government and HKCERT co-operate with the industry and various organisations to hold thematic seminars, produce radio programmes and distribute leaflets from time to time, reminding enterprises and members of the public to strengthen cyber security measures to protect their information systems and data asset.
In light of the surge in ransomware infection cases in Hong Kong this year, OGCIO, HKPF and HKCERT have since this March jointly conducted a number of seminars with the theme of "Protecting Data from Ransomware Attacks" for critical infrastructure operators, enterprises and organisations, as well as schools and the public. The seminars enable participants to better understand the infection paths, impacts and processes of infection, while at the same time learn about the strategies and techniques to tackle ransomware attacks for effective guarding against such attacks. OGCIO has also developed some infographics on "Beware of Ransomware Infection" and a learning programme entitled "Protect Yourself against Ransomware" to disseminate messages about ransomware attacks to SMEs and the public through the Cyber Security Information Portal, newspapers and the electronic media. Relevant practical advice and information on risk mitigation measures are also provided to remind the public to take necessary precautions against ransomware attacks.
Furthermore, to enhance the long-term competitiveness of SMEs, the Innovation and Technology Commission launched a $500 million Technology Voucher Programme under the Innovation and Technology Fund on November 21 to subsidise SME's use of technological services and solutions (including information technology for enhancing the information security of enterprises) with a view to improving productivity or upgrading and transforming their business processes. The programme provides funding up to $200,000 on a 2:1 matching basis for each eligible SME, while the SME concerned must contribute no less than one-third of the project cost.
The Police established the Cyber Security and Technology Crime Bureau (CSTCB) in January 2015 to strengthen their capability in combating technology crimes and handling cyber security incidents in Hong Kong. The Cyber Security Centre (CSC) under CSTCB even operates around the clock to strengthen communication and co-ordination between the Police and various stakeholders, with a view to preventing possible attacks and responding to them more effectively. Regarding publicity and education for prevention of cyber security incidents and technology crimes, CSTCB has been liaising and conducting intelligence exchanges with various stakeholders, as well as organising relevant seminars and events from time to time to raise the awareness of the public and enterprises on cyber security and technology crimes.
(2) OGCIO has commissioned the Census and Statistics Department to conduct the biennial "Survey on Information Technology Usage and Penetration in the Business Sector", which includes compilation of statistics on information security incidents experienced by the business sector. The last survey, conducted between March and December 2015, covered around 275 900 establishments using computers/smartphones/the Internet. Among these establishments, about 16 per cent experienced information security incident(s) in the 12 months before the survey. About 73 per cent of them encountered "computer virus" attacks. This was followed by "denial-of-service attack" (31 per cent) and "hacking" (8 per cent). In response to the cyber attacks, the majority (around 85 per cent) of these establishments adopted measures such as regular update of virus signature file/anti-virus software and the setting up of firewalls. Furthermore, around 72 per cent put in place security measures including "regular backup of data critical to the business's operation" and "regular update of operating system patches".
(3) At present, the Government Computer Emergency Response Team (GovCERT.HK) under OGCIO, CSTCB of the Police and HKCERT provide cyber security-related information and support to different stakeholders, including government departments, critical infrastructure operators, public and private organisations and the general public, respectively.
GovCERT.HK is responsible for co-ordinating the handling of information and cyber security incidents within the Government. Its work includes responding to, co-ordinating and handling information security incidents within the Government; issuing security alerts and warnings; and providing advice on security measures. HKCERT, on the other hand, is tasked with providing information on security incidents, preventive guidelines, incident response and support services to local enterprises and Internet users, as well as promoting information security awareness. It has also established ties with regional and international computer emergency response teams for timely sharing of security information. As for CSTCB, it is set up to strengthen the Police's ability to protect the information systems of critical infrastructure and enhance its capability to prevent and combat technology crimes.
At present, there is a clear division of responsibilities among the three parties, and their functions and stakeholders are different. Moreover, they have already established a sound co-operation mechanism which is operating effectively and capable of providing appropriate support to different stakeholders. We have no plan to change the existing arrangement.
(4) In response to security vulnerabilities and security incidents, GovCERT.HK will issue timely security alerts and reminders to B/Ds to assist them in taking effective and prompt measures with a view to preventing and reducing the risks and impacts of cyber attacks on their computer systems. HKCERT will also issue security bulletins to enterprises and the public in respect of security vulnerabilities associated with computer systems and programmes. Since each security vulnerability or incident is unique, it will be necessary to gather relevant details, conduct analyses, assess its scope of impact, investigate its source and formulate effective solutions or mitigation measures before any effective warnings and advice can be issued to government departments, organisations or members of the public likely to be affected. Once all the relevant information has been gathered, GovCERT.HK and HKCERT will immediately issue security alerts to relevant stakeholders so that they can implement viable preventive measures as soon as possible. Although neither GovCERT.HK nor HKCERT has statistics on the time taken to issue a security alert, they have generally been able to issue an alert within several hours after a security vulnerability or incident has been identified.
The numbers of alerts issued by GovCERT.HK and HKCERT in each of the past five years are listed in the table below. Issuing security warnings is one of the measures to prevent security incidents. We will issue alerts on a need basis and there is no relevant performance indicator.
| Year | 2012 | 2013 | 2014 | 2015 | 2016 (As at October ) |
| High-threat security warnings issued by OGCIO to B/Ds | 71 | 76 | 71 | 82 | 72 |
| Security bulletins issued by HKCERT to enterprises and the public | 429 | 470 | 348 | 352 | 292 |
Furthermore, since CSTCB's CSC operates around the clock, the Police may also render immediate assistance in case of cyber security incidents involving critical infrastructures. The Police does not keep the relevant statistics.
(5) Following the establishment of CSTCB in January 2015, HKPF is committed to enhancing and expanding its capability in different areas, including detecting syndicated and highly sophisticated technology crimes; conducting timely cyber threat audits and analyses; enhancing response capability to major cyber security incidents or massive cyber attacks and strengthening relevant thematic researches; and strengthening partnership and information exchange with local stakeholders and overseas law enforcement agencies.
CSTCB shoulders the mission of co-ordinating measures against technology crimes and cyber attacks in Hong Kong, but there has been a lack of focused leadership by a Chief Superintendent of Police (CSP). Having been established for almost two years, CSTCB has a pressing need for the creation of a permanent CSP post. Should CSTCB continue to operate without a focused steer at directorate level, it will be difficult to sustain efforts in responding to the increasingly complex challenges, formulate and implement effective strategies, and ensure their smooth implementation. If the current situation persists, this may even hamper CSTCB's capability on various fronts, which include:
(i) engaging other police formations with dedicated functions in operations during major cyber attacks against critical infrastructures in Hong Kong;
(ii) stipulating objectives, policies and long-term strategies for policing technology crimes;
(iii) co-ordinating the work of police districts and government departments in tackling technology crimes and cyber attacks; and
(iv) making high-level and time-sensitive decisions on such matters as resources allocation and formulation of development strategies.
As a matter of fact, since cyber security and technology crimes are fast evolving and transcend traditional jurisdictional boundaries, CSTCB must enhance co-operation with local and overseas stakeholders in cyber security, promote education and publicity, and where necessary, provide information to assist in case investigation. In developed overseas countries, heads of law enforcement units similar to CSTCB are usually pitched at a rank at least equivalent to a CSP of HKPF to reflect the importance these countries attach to tackling cyber security threats and combating technology crimes. HKPF similarly requires a directorate officer at CSP rank to build close ties with local and overseas law enforcement agencies as well as to join hands with various partners and stakeholders in combating technology crimes and maintaining cyber security.
The CSP(CSTCB) post carries comprehensive, professional and crucial functions. Any further delay in creating the CSP post will seriously impede HKPF's and Hong Kong's response capability to cyber attacks, making Hong Kong extremely vulnerable to cyber criminals launching cyber attacks. In this connection, the Security Bureau and HKPF have consulted the Panel on Security on the creation of the CSP(CSTCB) post on December 6, and hoped that the Establishment Subcommittee and the Finance Committee would approve the proposal as soon as possible.
Ends/Wednesday, December 7, 2016
Issued at HKT 15:01
Issued at HKT 15:01
NNNN