LCQ9: Information security of government departments, public bodies and organisations involved in public works projects
***************************************************************

     Following is a question by the Hon Charles Peter Mok and a written reply by the Secretary for Innovation and Technology, Mr Nicholas W Yang, in the Legislative Council today (May 31):
      
Question:
      
     In March this year, the computer system of a consultancy firm engaged in a related project of the Hong Kong-Zhuhai-Macao Bridge was attacked by ransomware, causing a large number of its files to be encrypted and locked. Moreover, WannaCry, a ransomware program targeting old versions of the Microsoft Windows operating system, caused havoc on a global scale early this month, and quite a number of users in Hong Kong were affected as well. Regarding the information security of government departments, public bodies and organisations involved in public works projects (i.e. works contractors, consultancy firms and suppliers of materials), will the Government inform this Council:
      
(1) of the respective numbers of reports on computer system and information security incidents received last year by the authorities from (i) government departments, (ii) organisations involved in public works projects and (iii) public bodies; among such reports, the number of those involving ransomware and the resultant monetary losses (if any); the respective mechanisms whereby these three types of organisations should report incidents on computer system and information security, and the respective contingency measures to be taken by them;

(2) whether it knows the contingency measures taken by the aforesaid consultancy firm after its computer system was attacked by ransomware; whether the process through which the firm reported the incident to the Government was in compliance with the existing procedure, and of the relevant details; of the types and quantities of the information contained in the locked files of the firm, and whether any files were deleted in the end; if so, of the types and quantities of the information contained in the deleted files, and whether such files had backup copies; whether the incident has caused any monetary losses to the Government and the firm;

(3) whether the contract signed between the Government and the aforesaid consultancy firm has specified the requirements in respect of the firm’s computer system and information security (e.g. mandatory installation and regular updating of computer security software); if so, of the details; if not, whether the Government has issued guidelines on computer system and information security to the firm after the incident, and required the firm to install or update anti-malicious code software and firewall software;

(4) whether the Government has drawn up standard requirements in respect of the computer and information security systems and anti-virus software to be used by organisations involved in public works projects and public bodies; if so, of the details, including (i) whether such requirements include timely updating of computer system and information security software and hardware, and (ii) whether the contracts signed between the Government and the organisations involved in public works projects and the guidelines issued to public bodies contain such requirements;

(5) whether the Government has, after the incident of the aforesaid consultancy firm's computer system having been attacked by ransomware, assessed the computer system and information security risks of organisations involved in public works projects, and formulated arrangements for third-party audits; if so, of the details; if not, whether it will immediately take such actions;

(6) of the respective numbers and percentages of computers, among the computers currently used by various government departments, that are using the following versions of the Microsoft Windows operating system: (i) Windows 10, which comes with the latest free anti-virus software, but with the system update function not activated, (ii) Windows 7 without the security update patch KB4012215 installed, which is available for download, (iii) other old versions (including Windows XP, Windows 8 and Windows Server 2003 (set out the details of such versions));

(7) of the number of offline computers currently used by government departments, and the names and versions of the operating systems that such computers are using;

(8) whether it has drawn up internal guidelines to require various departments to regularly update their computer software and hardware, and whether it has plans to update those outdated computer operating systems; if so, of the details; if not, the reasons for that; and

(9) of the measures taken by the Government so far to deal with the threats posed by WannaCry ransomware, so as to prevent computer system and information security incidents; whether it will assess afresh Government's capability to deal with various types of computer system and information security incidents, and assist private enterprises and public bodies in strengthening their capability to guard against information security incidents?

Reply:
      
President,

     The Office of Government Chief Information Officer (OGCIO) has all along been closely monitoring the daily operation of government network systems to scan, detect and defend them from any potential malicious attacks. The OGCIO has also formulated the Government IT Security Policy and Guidelines (Policy and Guidelines) for compliance by all bureaux and departments (B/Ds). When necessary, the OGCIO will provide B/Ds with immediate technical support and advice on preventive measures, such as updating the operating system software and strengthening the backup of computer data in order to enhance B/Ds' capabilities to guard against malicious software.

     After consulting relevant bureaux, my reply to the various parts of the question is as follows:

(1) When an information security incident occurs, B/Ds have to act in accordance with the security incident management requirements set out in the Policy and Guidelines and report the incident to the Government Information Security Incident Response Office (GIRO), as well as take appropriate responsive measures, including identifying the incident type, assessing the scope, damage and impact of the incident, containing the damage and rectifying the problem, etc. When using outsourced services, B/Ds should, in accordance with the Policy and Guidelines, stipulate security measures and requirements that are applicable to the outsourced service providers. If any information security incident occurs at an outsourced service provider (including organisations involved in public works projects), the provider is required to report the incident to the B/D concerned and respond appropriately in accordance with the relevant security measures and requirements. We have also issued the Policy and Guidelines to public organisations for reference, so that they can take appropriate responsive measures based on their own IT security policy and business needs.

     In 2016-17, the GIRO received a total of 22 information security incident reports involving government departments, 11 of which were related to ransomware. In all cases, the Government did not have any monetary losses. The OGCIO does not keep such data related to organisations involved in public works projects and public organisations.

(2) According to the information provided by the Transport and Housing Bureau (THB), on March 2, 2017, the Highways Department (HyD) received a notice from the Resident Site Staff (RSS) of the consultant employed by the HyD, who supervised contract no. HY/2011/09 (Hong Kong-Zhuhai-Macao Bridge Hong Kong Link Road - Section between HKSAR Boundary and Scenic Hill), that the computer servers at the site office were attacked by ransomware. Some files in the servers were encrypted and a ransom was demanded. The RSS immediately cut off the Internet connection of the concerned servers and approached the Hong Kong Police Force for help. According to the information submitted by the consultant to the HyD, the encrypted files were mainly related to the daily supervision work of the RSS. No confidential file or file that contained personal data was involved. The consultant has recovered the encrypted files through regular backup data of the servers. The incident did not affect the day-to-day operation of the RSS nor the works progress of the contract. Neither the consultant nor the contractor paid any ransom to the hackers.

(3) According to the THB, the information security requirements stipulated in the Hong Kong Link Road contract no. HY/2011/09 were set out in accordance with the requirements of the Development Bureau (DEVB) and the OGCIO, which specified that the contractor must install and regularly update anti-virus software, and set up a firewall on the computers of the RSS's office to protect the information stored in the system. After the incident, the HyD has requested all RSS and contractors to immediately strengthen the network security of all computers in their offices, in order to prevent the recurrence of similar incidents.

(4) According to the information provided by the DEVB, government departments are required to include provisions in works contracts requiring the organisations involved in public works projects to install security software and hardware, such as firewalls and anti-virus software, and to keep them updated in a timely manner in accordance with the Government's information security specifications. As for public organisations, they may refer to the Policy and Guidelines and develop appropriate preventive measures based on their own IT security policy and business needs.

(5) According to the DEVB, the organisations involved in public works projects should, in accordance with the relevant government information security specification requirements stipulated in the contracts, update the relevant information security software and hardware in a timely manner to cope with emerging security threats. To ensure thorough implementation of the requirement to keep the security software and hardware properly updated, the organisations are also required to conduct security risk assessments and independent security audits by a third party on their computer and information systems at least every two years.

(6) and (7) At present, the versions of the Microsoft Windows installed in government computers include Windows 10, Windows 8.1, Windows 7, Windows Server 2008/2012/2016, and a small number of Windows Vista, Windows XP, etc. The offline computers are mainly installed with Windows Vista and Windows XP. The OGCIO has urged B/Ds to ensure that the patch used to guard against the WannaCry ransomware and other updates have been installed on all Microsoft Windows computers.

(8) The Policy and Guidelines stipulates that departments should apply the latest security patches and adopt other effective security measures in a timely manner to protect their information systems against known vulnerabilities. The OGCIO has also published the Reference Guide on Software Asset Management and the Practice Guide for Software End-of-Support Management for reference by B/Ds in preparing upgrade or replacement plans. With regard to Microsoft Windows systems, the Government has commenced the upgrade exercise for Windows 7 with a view to completing the relevant work before Microsoft ends its support for this version in 2020.

(9) The Government has all along been closely monitoring the trend of cyber attacks and related security threats. Within the Government, we have implemented multiple layers of security measures to safeguard cyber security, including firewalls, intrusion detection and prevention systems, spam filtering systems, anti-virus solutions, real-time monitoring tools, etc.

     To guard against the threats from the WannaCry ransomware, the OGCIO has issued several reminders to all B/Ds, including the requirements of backing up important government data immediately and ensuring that the latest security updates have been installed. The Government Computer Emergency Response Team Hong Kong also maintains close liaison with local and other regional Computer Emergency Response Teams to exchange information on cyber security threats, with a view to enhancing the alert capability.

     In view of the increasing number and complexity of cyber security threats, the Government will continue to strengthen its capabilities to handle information security incidents. The OGCIO reviews and updates the Policy and Guidelines in a timely manner, with the current version promulgated at the end of 2016. This version has strengthened the information security requirements in various aspects by making reference to the latest international standards and industry best practices.

     As regards the general public and the public/private organisations, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) will continue to disseminate information on security incidents, guidelines on preventive and responsive measures, as well as to provide support services. The HKCERT will also continue its liaison with local and overseas organisations to collect and disseminate information and alerts about cyber threats. The OGCIO, the HKCERT and the Hong Kong Police Force will continue to work together to tackle cyber security threats.

Ends/Wednesday, May 31, 2017
Issued at HKT 16:45

NNNN