Following is a reply by the Secretary for Security, Mr Lai Tung-kwok, to a question by the Hon Charles Peter Mok in the Legislative Council today (June 26):
It has been reported that the National Security Agency of the United States (US) has been hacking into a number of computer network backbones on the Mainland and in Hong Kong since 2009. Some people of Hong Kong have expressed worries that their communication information may have been acquired by the US Government as they have used the services of such computer networks. Regarding information security in Hong Kong, will the Government inform this Council:
(a) whether it has assessed if there is sufficient professional expertise or capability within the Hong Kong Government to detect any activities of the governments and organisations of foreign countries (e.g. the US) attempting to hack into the Government’s or personal computer systems in Hong Kong; if the assessment outcome is in the affirmative, of the details; if it is in the negative, whether the authorities concerned will conduct a review of the level of information security in Hong Kong; given that a large number of Hong Kong people have been using Internet services (e.g. social networking web sites) the servers of which are located in the US, whether the authorities concerned will follow up if the US Government has acquired the information of such users;
(b) whether government departments have previously requested any local or foreign Internet service providers to allow them to get hold of information directly from the servers, systems or network of such service providers, and whether those departments have ever obtained Hong Kong people’s information on the Internet (e.g. photos, audio and visual messages, e-mails, voice, files, login accounts, etc.) on their own or through cooperation with the governments or organisations outside Hong Kong (e.g. those of the US); if they have, of the reasons for that and the details; if not, whether the Government can guarantee that it will not collect such information in any form in future; and
(c) as some members of the public have pointed out that the existing Interception of Communications and Surveillance Ordinance has never been amended and is fraught with loopholes (e.g. the definition of public security being too wide, the absence of penalty for illegal interception of communications by public officers, etc.), which have caused worries about personal privacy, of the timetable set by the Government for introducing legislative amendments to this Ordinance; if a timetable is not available, of the reasons for that; whether the Government has assessed if the existing legislation is adequate for regulating acts of interception of communications (e.g. industrial espionage, etc.) by non-governmental organisations or individuals; if the assessment outcome is in the negative, whether the Government has any plan to amend the existing legislation or enact new law to regulate such acts; if it has, of the details; if not, the reasons for that?
There are several areas of concern raised in the Member’s question, including expertise and competence of government departments in information security, their capability in combating technology crimes, and regulation of acts of interception of communications and covert surveillance by non-public officers. These issues are related to the policy areas of the Security Bureau, the Commerce and Economic Development Bureau and the Constitutional and Mainland Affairs Bureau. Our consolidated reply is as follows:
(a) The Government attaches great importance to information and data security, and has implemented various measures for the security of computer systems within the Government and personal computer systems, as well as combat of technology crimes.
The Office of the Government Chief Information Officer (OGCIO) has implemented the following measures to maintain its network security and protect against cyber intrusions and attacks:
(i) In accordance with international standards and industry best practices, bureaux and departments (B/Ds) have formulated and implemented their departmental information security policies, strictly carried out system security management procedures, conducted regular security risk assessments and third party audits, and continuously enhanced their security management systems and facilities.
(ii) For the Government’s Central Internet Gateway System, apart from adopting advanced information security technologies in the industry, we also implement stringent security control, monitoring and detection procedures and measures to ensure its normal operation as well as prevent cyber attacks and intrusions. OGCIO also conducts incident response and system recovery drill exercises on a regular basis to ensure that the relevant systems and personnel have the response capability to promptly and effectively tackle security and service incidents including cyber attacks. In case intrusion attempt is detected, OGCIO will immediately conduct investigation and take action to combat the attack.
(iii) The Government places heavy emphasis on the on-going enrichment of its professionals’ knowledge and skills so that they can perform their work effectively. At present, relevant professionals working in various B/Ds have already obtained internationally-recognised information security professional certificates (such as the Certified Information Systems Security Professional of the International Information Systems Security Certification Consortium, Inc. and the Certified Information Systems Auditor of the Information Systems Audit and Control Association).
(iv) OGCIO actively participates in the activities of international organisations, including the Asia-Pacific Economic Cooperation, the International Organization for Standardization and the Forum of Incident Response and Security Team, so as to keep abreast of the global intelligence, the latest trends of protection solutions and the best practices of information security.
Regarding the security of personal computer systems, the OGCIO actively works with the industry and stakeholders to promote the importance of protecting computer systems and cyber security among the business sector and the community, and raise public awareness and knowledge on the protection of computer systems and information. Moreover, the Hong Kong Computer Emergency Response Team Coordination Centre provides the local Internet community with computer security incident related services, including coordinating actions in response to computer security incidents and enhancing public awareness on Internet security by disseminating the latest information security news and alerts via different channels, such as web sites, emails, mobile applications, etc.
In respect of combat of technology crimes, the Hong Kong Police Force (the Police) possess the expertise and competence of international standards.
To further strengthen Hong Kong’s defence against various types of cyber attacks, the Police set up the Cyber Security Centre in December 2012. Through strengthening communication and coordination between the Police and relevant stakeholders, conducting thematic researches and auditing network security measures, the Centre aims to prevent and enhance the response to possible attacks against the information system network of critical infrastructures. We believe that the Centre is able to step up our response to and defence against cyber attack incidents.
Same as other members of the public, we are very concerned about the extensive media coverage of the hacking of local computer systems. The HKSAR Government has formally written to the US Government requesting explanation on earlier media reports about the hacking of computer systems in Hong Kong by US government agencies. It will continue to actively follow up on any incidents related to intrusion of the rights of institutions or individuals in Hong Kong.
(b) B/Ds did not request any local or foreign Internet Service Providers (ISPs) to allow them to get hold of information directly from the servers, systems or network of such providers. In carrying out their duties, B/Ds may request information or solicit co-operation from relevant persons or organisations (including ISPs) as and when necessary in accordance with the relevant laws and established procedures or guidelines.
(c) This question concerns local information security and overseas hackers’ intrusion into our computer systems and protection of personal privacy as well as regulation of interception conducted by non-government organisations or individuals. Section 161 of the Crimes Ordinance (Cap 200) (access to computer with criminal or dishonest intent) and section 27A of the Telecommunications Ordinance (Cap 106) (unauthorised access to computer by telecommunications) are laws in Hong Kong which are primarily used for tackling hackers’ illegal intrusion into computer systems.
The Interception of Communications and Surveillance Ordinance (ICSO) is unrelated to the concern raised in the question. The purpose and designated scope of the ICSO is to regulate lawful interception of communications by law enforcement agencies (LEAs) in Hong Kong for the prevention and detection of serious crimes and the protection of public safety. The ICSO makes stringent provisions for a complicated and sophisticated mechanism, and LEAs are required to comply with such stringent procedures and requirements by filling in documents, submitting applications to panel judges and carrying out such activities according to the authorisations granted. The ICSO, however, is not applicable to non-public officers.
If non-public officers conduct interception, such acts may constitute an offence under section 24 of the Telecommunications Ordinance (wilfully intercepting a message by a telecommunications officer) or section 27 of the Telecommunications Ordinance (damaging a telecommunications installation with intent by any person). Cases involving personal data collection will also be subject to the Personal Data (Privacy) Ordinance.
On regulating acts of interception of communications by non-governmental organisations or individuals, relevant policy bureaux of the HKSAR Government will consider whether there is a need to strengthen protection on top of the existing legal basis, taking into account other policy considerations such as safeguarding freedom of the press.