LCQ20: Security of government sensitive information
Following is a question by the Hon Paul Tse and a written reply by the Secretary for Commerce and Economic Development, Mrs Rita Lau, in the Legislative Council today (January 5):
WikiLeaks has been disclosing confidential files relating to defence and foreign affairs of various countries continuously. It has been reported that a recently-unveiled cable sent from the Embassy of the United States in Beijing, which revealed that Hong Kong was the target for terrorist attacks by some former East Turkestan groups during the equestrian events of the 2008 Beijing Olympic Games hosted by Hong Kong, even put the Secretary for Security in a very embarrassing position. Departments taking charge of defence, internal affairs and foreign affairs of various countries have been urgently finding counteractions and means to prevent further leakage of sensitive information. In this connection, will the Government inform this Council:
(a) what policies and measures are in place to immediately raise the security level of communications and messages/information exchanged within the Hong Kong SAR Government and those exchanged between it and the Central Government as well as government organisations of various countries; and
(b) whether it has any contingency mechanism to facilitate it to take immediate contingency measures when Hong Kong-related sensitive information is further disclosed by WikiLeaks?
WikiLeaks describes itself as a not-for-profit media organisation that provides a secure and anonymous way for sources to leak information to its journalists. It accepts restricted or censored material of political, ethical, diplomatic or historical significance. It claims to verify the authenticity of submitted material before publishing it alongside a news story that explains the significance of the material submitted. In terms of technology usage, WikiLeaks does not disclose information about the location of its servers. It claims to protect its sources by keeping no logs and by using military-grade encryption.
Regarding the questions raised by the Hon Paul Tse, my reply is as follows:
(a) Protection of classified information, including personal data, is the personal responsibility of every member of government staff. The Government Security Regulations cover all sources of information, including documents, photos, videos and electronic records, and have specified the arrangements for the storage, processing and transmission of classified information. In view of continued technology advancements, the Government has developed a comprehensive set of information security regulations, policies, procedures and guidelines for bureaux/departments (B/Ds) to follow so that classified information will receive proper protection from malicious or unintentional leakage to unauthorised parties. They were developed with reference to international best practices and are reviewed from time to time to reflect changes in business requirements, technology and security threats. B/Ds should put in place effective security management procedures, practices, controls and measures commensurate with the security classification of the information, data or communication involved. These requirements apply equally to both manual and automated systems, including computer information systems and networks. Information security is a mandatory requirement in all Government IT systems and is typically incorporated as part and parcel of the requirements of the relevant systems. Specific security requirements cover storage, processing and transmission of classified information; management of cryptographic keys; marking of documents; destruction of classified information; physical security; and handling of breaches of security. Certain classes of sensitive information are prohibited from transmission over public networks.
A committee led by the Office of the Government Chief Information Officer (OGCIO) and comprising core members from OGCIO and the Security Bureau oversees information technology (IT) security within the Government, reviewing and endorsing changes to the government IT security related regulations, policies and guidelines, and providing guidance and assistance to departments in enforcing them. This committee is underpinned by a working group led by OGCIO comprising representatives from OGCIO, the Security Bureau, Hong Kong Police Force, Chief Secretary for Administration's Office, among others.
Training, education and awareness are vital in the overall security framework. The Government continues to promote a culture of information security at all levels, including arranging training and education for relevant staff to enable them to understand and follow the policies, guidelines and procedures. In the wake of media reports on WikiLeaks, OGCIO issued another reminder on December 2, 2010 advising all B/Ds to stay vigilant to the risks of any unauthorised disclosure or unintended leakage of government information. The reminder advised all B/Ds to critically review their procedures for protecting classified information, and to put in place effective information security controls and safeguard measures for their information systems. B/Ds were also reminded to provide ongoing staff awareness training on the importance of data protection. The above committee and working group will continue to keep abreast of international IT security developments with a view to maximising the protection afforded to sensitive government information.
(b) Under prevailing Government security regulations and related procedures, in case exposure of sensitive government information does occur, individual B/Ds are responsible for conducting an initial investigation in the first instance. They are required to report the incident to a central incident response office (with membership from the Security Bureau, OGCIO and Hong Kong Police Force) if the incident involves information in electronic form which is classified or includes personal data.
Depending on different scenarios of information exposure, the contingency mechanism may involve but is not limited to the following actions -
(i) Identifying the root cause of the incident;
(ii) Assessing the impact and damage of the incident;
(iii) Collecting evidence to support subsequent case investigation;
(iv) Escalating and alerting all related parties;
(v) Minimising the impact to other systems;
(vi) Strengthening the security protection to prevent recurrence; and
(vii) Reviewing and updating departmental security policies and procedures as needed.
In the case of incidents involving other public or regulated organisations, the responsible B/Ds which have purview over those organisations will be responsible for liaising with the organisations on their respective contingency and remedial actions.
Wednesday, January 5, 2011