Following is a question by Dr Hon Elizabeth Quat and a written reply by the Secretary for Innovation and Technology, Mr Nicholas W Yang, in the Legislative Council today (June 7):

Question:

     It has been reported that WannaCry, a ransomware programme targeting on computer systems which use old-version Microsoft Windows operating systems, has earlier caused havoc on a global scale, affecting the computer systems of the relevant organisations in at least 150 countries, including the Russian central bank and a number of hospitals in the United Kingdom. Some members of the information and technology sector are worried about whether the institutions in Hong Kong, including government departments and public organisations, are capable of coping with major computer security incidents. In this connection, will the Government inform this Council:

(1) whether it has assessed if the various government departments and public organisations are capable of coping with major computer security incidents at present; if so, of the outcome;

(2) of the number and percentage of the government departments currently holding the ISO 27001 certificates for information security management systems (certificates), which are jointly issued by the International Organization for Standardization and the International Electrotechnical Commission; among the government departments holding the certificates, of the number and percentage of those which have been granted a certificate for the second time upon the expiry of the three-year validity period of the original certificates; among such certificates, of the respective numbers of those which have been and have not been updated to the 2013 edition;

(3) whether it has assessed if the internal information security management systems of those government departments currently holding the certificates are capable of coping with major computer security incidents; if so, of the outcome;

(4) whether the Government Chief Information Officer (GCIO) has assessed if there are inadequacies in the information security management systems of those government departments currently holding the certificates; if GCIO has assessed and the outcome is in the affirmative, of the ways to make improvement; whether the various government departments have introduced the security incident management platform system to strengthen information security;

(5) of the measures in place to ensure that the financial institutions in Hong Kong are capable of coping with major computer security incidents; whether it knows if the various financial institutions have carried out regular drills in this regard; if regular drills have been carried out, of the details; and

(6) whether it has formulated contingency measures (including technical support) to assist small and medium enterprises and members of the public in coping with computer security incidents; if so, of the details; if not, the reasons for that?

Reply:

President,

     The Government attaches great importance to information and cyber security and has all along been closely monitoring the trend of cyber attacks and related security threats. Having made reference to the latest information security management system standards published by the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) (the ISO/IEC 27001: 2013 edition), the industry best practices (e.g. COBIT5, etc.) and the internal information security needs of the Government, the Government has formulated a comprehensive set of Government IT Security Policy and Guidelines (Policy and Guidelines), setting out the requirements for establishing, implementing, maintaining and continually improving the information security management system for compliance by all bureaux and departments (B/Ds).

     After consulting the relevant policy bureaux, our reply to the various parts of the question is as follows:

(1) For protecting government information systems and networks, the Government has put in place the overall management framework, technical measures and security mechanisms to closely monitor the operation of government information and network systems, so as to detect and defend various kinds of potential cyber attacks. All B/Ds should comply with the Policy and Guidelines, taking appropriate and effective measures to ensure the security and normal operation of government information and network systems. The Government has also issued the Policy and Guidelines to public organisations for their reference, so that they can take appropriate protective and preventive measures based on their IT security policy and business needs.

     All B/Ds should regularly conduct third-party security risk assessments and audits for their information and network systems to ensure compliance with the Policy and Guidelines and the relevant security requirements, and have adequate defensive capability to respond to large-scale computer security incidents so as to protect government systems and data assets.

     To enhance the protection of the information systems of B/Ds and their capabilities in handling cyber security incidents, the Office of the Government Chief Information Officer (OGCIO) and the Hong Kong Police Force (HKPF) co-ordinated in January 2017 an Inter-Departmental Cyber Security Drill (the Drill) involving 30 B/Ds. The Drill aimed at allowing B/Ds to experience how to mitigate effectively cyber security incidents in a simulated environment, thereby enhancing B/Ds' capabilities in protecting their information systems as well as handling cyber security incidents.

(2) In addition to complying with the Policy and Guidelines, individual departments may obtain the ISO/IEC 27001 information security management system certification for specific scopes according to their respective business needs. Currently, a total of five government departments as well as the Government Cloud Platform service have obtained the ISO/IEC 27001 information security management system certification for their specific scopes, of which four have obtained the certification for more than three years and their certificates have been renewed after the three-year validity period. All aforementioned certifications obtained are of the latest 2013 edition.

(3) and (4) We have implemented multiple layers of security measures within the government to guard against cyber security threats, including firewalls, intrusion detection and prevention systems, spam filtering systems, anti-virus solutions, real-time monitoring tools, etc. In addition, according to the Policy and Guidelines, B/Ds should back up important data frequently and keep the backups in safe custody, apply the latest security patches to the software in use, and install and enable anti-malware function on all computer devices with regular update of its signatures, etc.

     To strengthen the capability to prevent, detect and respond to cyber attacks, the Government Cloud Platform, the Central Internet Services and critical network systems have established corresponding security information and event management systems to monitor the utilisation of such networks and services on a 24-hour basis, perform real-time scan and prevent malicious cyber attacks.

     As all B/Ds, irrespective of whether they possess ISO/IEC 27001 certification, are required to comply with the requirements of the Policy and Guidelines, coupled with the above multiple layers of security measures, the Government is capable of coping with large-scale computer security incidents. In relation to the recent threats of WannaCry ransomware, there is no report of security incident in the Government, and the Government's information systems have been working properly.

(5) The Financial Services and the Treasury Bureau indicated that to enhance the cyber resilience of the banking sector, the Hong Kong Monetary Authority (HKMA) launched the Cybersecurity Fortification Initiative (CFI) last year. Under the CFI, banks should assess their cybersecurity and related business continuity and contingency plans and make use of a common sharing platform to obtain cyber threat information. Banks may also take part in the Professional Development Programme to enhance staff's professional expertise. The HKMA has all along been reminding the banking industry of emerging cyber attack trends and risks.

     In March 2017, the HKMA and Securities and Futures Commission (SFC) hosted industry briefing sessions for the second industry-wide crisis simulation which is scheduled to take place on October 27, 2017. Over 30 leading financial institutions have signed up for the planned drill to improve their cyber and risk management awareness.

     The SFC completed, with the support of an external consultant, a cybersecurity review in late 2016. Based on the result of the review and the feedback from the industry, the SFC launched on May 8, 2017 a two-month public consultation on the proposals to reduce and mitigate hacking risks associated with Internet trading. The SFC's proposals primarily include (i) introducing guidelines such as two-factor authentication for system login, prompt notification to clients, etc.; (ii) expanding the application of relevant provisions of the SFC's Code of Conduct to cover the Internet trading of securities that are not listed or traded on the stock exchange; and (iii) clarifying that an Internet-based trading facility may be accessed through a computer, mobile device or other electronic devices.

     The SFC has reminded licensed firms the importance of security precautions against cyber risks via its circulars. Licensed corporations are expected to take immediate actions to critically review and assess the effectiveness of their cybersecurity controls in place. In addition, under the requirement of the SFC's Code of Conduct, licensed firms are required to report to the SFC immediately upon happening of any material system security incident.

     As the regulator of the Hong Kong Exchanges and Clearing Limited (HKEX), the SFC has been working closely with the HKEX to ensure that it has implemented appropriate measures to monitor and address the cybersecurity risks based on international standards.

     Besides, the Office of the Commissioner of Insurance (OCI) has laid down regulatory requirements for authorised insurers to identify cybersecurity threats arising from network, email and relevant devices and that they should have mitigation measures in place to prepare for possible cybersecurity threats. Authorised insurers should also conduct periodic testing on the mitigation measures to ensure their ability to deal with cybersecurity threats timely and effectively. The OCI and the Insurance Authority will conduct inspections on authorised insurers to check their compliance with relevant regulatory requirements.

     The HKPF conduct the e-Security Audit and the Cyber Security Drill with the banking and finance sector. Details are as follows:

(i) e-Security Audit: With the consent of the participating organisations, the HKPF would arrange officers to visit the respective information technology departments of the organisations and to assess their capabilities in defending cyber attacks (including assessment on the organisation's relevant human resources, equipment and policies). The HKPF would then render appropriate advice to the organisations; and

(ii) Cyber Security Drill: Through simulating different cyber incident scenarios, the Cyber Security Drill could assess the analytic abilities, the established incident response procedures as well as the communication protocol of the participating organisations. The simulated cyber incident scenarios cover the most prominent cyber attacks with far-reaching impact, including the distributed denial-of-service attack, web defacement, network and information systems intrusion, ransomware, malware, sensitive data leakage, etc.

     In addition, the HKPF has been working closely with the HKMA to monitor the modus operandi of different types of commercial crimes as well as to facilitate intelligence exchange targeting the banking and finance sector. The HKPF and the HKMA have been reminding the financial sector to review the relevant security measures to minimise the threats of system intrusion. To enhance the readiness of the financial sector in defending cyber attacks, the HKPF, the HKMA and the Hong Kong Applied Science and Technology Research Institute co-organised the Cyber Security Summit 2016 in May last year, which was a three-day event attended by supervisors of financial institutions, regulatory bodies and technology solution providers among its guests. The summit discussed the latest local and global trends of cyber attacks, and enhanced the awareness and preparedness of important professional bodies and critical infrastructures in Hong Kong in response to cyber security incidents and hacker attacks.

(6) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) provides services relating to information security incident responses, security threat alerts, preventive guidelines and educational activities for local enterprises (including small and medium enterprises) and Internet users.

     To further promote information security awareness among enterprises and the general public, and strengthen their capability to prevent cyber security threats and respond to computer security incidents, the OGCIO, in collaboration with the HKPF and the HKCERT, will continue to collaborate with the industry and different organisations in launching various publicity and educational activities, reminding them to strengthen their cyber security measures and protect their information systems and assets. At the same time, the OGCIO also provides enterprises and the general public with the latest information and advice on cyber security through the InfoSec and Cyber Security Information Portal websites, as well as various promotional channels, so that they can have a better understanding of the potential security risks and the corresponding mitigation measures, thereby helping them handle computer security incidents.

Ends/Wednesday, June 7, 2017
Issued at HKT 17:05

NNNN