Following is a question by the Hon Charles Mok and a written reply by the Secretary for Innovation and Technology, Mr Nicholas W Yang, in the Legislative Council today (November 29):
Earlier on, hackers broke into the computer system of a local travel agency, encrypted the personal data of 200 000 customers stored therein and then blackmailed the agency. There are views that the crimes of hacker attacks have become increasingly serious, but the information security awareness of local enterprises is inadequate. On the other hand, quite a number of countries and regions have put in place cyber security strategies with a view to building a secure cyberspace. In this connection, will the Government inform this Council whether:
(1) the authorities will review the existing cyber resilience of the various regulated industries (e.g. banking, tourism and public utilities) and require operators of those industries to attain ISO/IEC 27001 information security management system certifications for the specific scopes of their business;
(2) the authorities will (i) assist local enterprises (especially small and medium enterprises) in assessing the adequacy of their information security measures and provide them with the relevant technical support, and (ii) provide them with more comprehensive training on information security, so as to enhance the levels of the information security management of those enterprises;
(3) the authorities have, for the sake of nurturing more information security talents, plans to (i) encourage more information technology practitioners to join the information security profession, (ii) collaborate with industry associations in subsidising employees to receive on-the-job training on information security and providing relevant job-matching service, and (iii) introduce measures to increase the interest of local students in joining the information security industry;
(4) the authorities will review if the Personal Data (Privacy) Ordinance (Cap. 486) is still up-to-date amid the rapid development of information technology; whether they will increase the liabilities of data users in guarding against the leakage of personal data, and introduce a mandatory requirement for reporting data leakage incidents; and
(5) the authorities will, for the sake of enhancing the cyber resilience of local enterprises, adopt the following strategies: (i) formulating the short, medium and long term specific action plans, (ii) advising and assisting various organisations to enhance their cyber security defence frameworks and recruit more information security professionals who have attained the certifications, (iii) requiring the enterprises concerned to conduct information security risk assessments, (iv) providing enterprises with training to develop their information security incident response capability, (v) strengthening information security of the supply chain, and (vi) continuously monitoring and conducting risk assessments of the information security of local enterprises?
The Government attaches great importance to information security and cyber security. The Office of the Government Chief Information Officer (OGCIO) and its Government Computer Emergency Response Team (GovCERT) have been closely monitoring the overall cyber security situation in Hong Kong; and, in collaboration with the Cyber Security and Technology Crime Bureau (CSTCB) under the Hong Kong Police Force (HKPF) and the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) under the Hong Kong Productivity Council (HKPC), providing different stakeholders with support in relation to cyber security.
After consulting relevant bureaux and departments, our reply to the various parts of the question is as follows:
(1) Based on the business characteristics of a particular industry, relevant regulatory agencies stipulate the regulatory ambit and measures of the information system, including information and data security, risk management, response to cyber threats, contingency arrangement, recovery of business operation, etc. The OGCIO provides public and private organisations with information on internationally recognised standards on information security and practice guides through its InfoSec website, in order to facilitate them to take protective and preventive measures as appropriate according to their business needs. The OGCIO also actively keeps in view the latest development of the standard of information security management system ISO/IEC 27000 series, and regularly publishes and updates the article “An Overview of ISO/IEC 27000 family of Information Security Management System Standards” on its website for reference by the public and private organisations.
Moreover, the CSTCB is dedicated to combating technology crime, increasing the capability for handling incidents of major cyber security or large-scale cyber attacks, and conducting timely cyber threat audits and analyses so as to prevent and detect cyber attacks on critical infrastructure.
(2) and (5) Being the supporter and facilitator of information security in the community, the OGCIO has been actively collaborating with different stakeholders to provide local enterprises (including small and medium enterprises (SMEs)) with assistance in responding to information security incidents, security threat alerts, preventive guidelines and security education.
With regard to risk assessment, the HKCERT launched the SME Free Web Security Health Check Pilot Scheme jointly with various local trade associations in 2016, to help SMEs check the security measures of their websites, suggest improvement measures, and verify the effectiveness of the measures after implementation.
The Innovation and Technology Commission rolled out the Technology Voucher Programme in November 2016 to assist local SMEs in using technology services and solutions, including those targeting cyber security. SMEs can apply for subsidy for solutions defending against cyber attacks so as to minimise the risk associated with information loss and cyber security.
On the other hand, the CSTCB has been adopting a multi-agency approach in strengthening the reliability of enterprises’ information system networks, as well as enhancing Hong Kong’s capability of protecting relevant information system networks and resisting cyber attacks. The CSTCB will continue to detect syndicated and highly sophisticated technology crimes; carry out timely cyber threat audits and analyses; and conduct relevant thematic research. The CSTCB also rolls out various types of projects to boost enterprises’ awareness of cyber security. Examples include regularly hosting quarterly cyber security seminars since April 2016 covering different types of emerging cyber threats, as well as inviting cyber security experts to share on relevant counter-measures; partnering with the Hong Kong Monetary Authority and the Hong Kong Applied Science and Technology Research Institute to co-organise the Cyber Security Summit 2016 in which the latest local and global trends of cyber attacks were discussed; jointly launching the Cyber Security Professionals Awards Scheme with the GovCERT and the HKCERT to recognise individuals in the cyber security field for their excellent performance and promote the importance of cyber security.
(3) The Government is committed to working with the industry to nurture information security talents. We encourage tertiary institutions to provide information technology (IT) practitioners with more information security programmes; work with professional information security associations to promote professional accreditation; train up more IT practitioners with professional knowledge and skills in information security; and encourage them to join the information security profession.
Regarding on-the-job training, the HKPC, the HKCERT and the GovCERT have from time to time organised conferences, thematic seminars and workshops, including certificate courses on information security and the annual Information Security Summit, in order to enhance IT practitioners’ skills and knowledge of information security.
The Government has also been actively nurturing the interests of the youth in information security through organising various activities. For example, teaming up with professional associations and Radio Television Hong Kong to conduct school visits and InfoSec Tours since 2008 to disseminate information security messages to over 62 000 teachers, students and parents; organising the Cyber Security Competition jointly with the University of Hong Kong in 2016 and 2017 to arouse students’ interest in the information security profession and identify computer technology talents; and partnering with the HKPF and the HKCERT to organise the promotional event Build a Secure Cyberspace each year to enhance public understanding on information security.
(4) According to the Constitutional and Mainland Affairs Bureau, the Office of the Privacy Commissioner for Personal Data (PCPD) has been keeping a close watch on the requirements pertinent to the reporting of personal data leakage and the obligations of data processors in different jurisdictions. It is understood that, at present, only a small number of jurisdictions have mandatory requirements for data processors to report data leakage to authorities responsible for privacy or data protection. The Government sought the public’s views on the reporting mechanism for personal data leakage when conducting a review of the Personal Data (Privacy) Ordinance in 2009. Of the views received, the majority considered a voluntary reporting mechanism preferable. The PCPD subsequently issued the Guidance on Data Breach Handling and the Giving of Breach Notifications in June 2010, which was updated in October 2015. The PCPD will continue to keep in view the effectiveness of the current voluntary reporting mechanism.