LCQ3: Information security
Following is a question by the Hon Andrew Leung and a reply by the Secretary for Commerce and Economic Development, Mr Gregory So, in the Legislative Council today (July 6):
It has been reported that the breakdown of cloud computing service of a large-scale technology corporation in April this year not only brought thousands of web sites to a halt for two days, but also resulted in the permanent loss of some customers' data. There have also been reports that hackers were suspected to have made use of the cloud computing server of this corporation to launch attacks on the payment platforms for online games and entertainment services of a well-known Japanese technology corporation and its subsidiaries in April this year, causing leakage of the personal data (including name, date of birth and email address) of nearly a hundred million users across the globe, and it was believed that the data of over 11 million credit cards had probably been leaked. In this connection, will the Government inform this Council:
(a) given that the Government will progressively re-provision its central information technology services through adoption of cloud computing technology in the next five years, whether the authorities have re-assessed the information security risk of adopting cloud computing by the Government and strengthened its information security in response to the aforesaid incident; if they have, of the specific details; and
(b) whether or not the legislation on computer crimes has been updated since 1997; of the provisions in such legislation by which information security is regulated; whether the authorities have planned to review and amend the legislation regarding computer crimes; if they have, of the timetable and details of the amendments; if not, the reasons for that?
Regarding the attacks on the payment platforms for online games and entertainment services of a well-known Japanese technology corporation in April 2011, causing leakage of personal data, the Privacy Commissioner for Personal Data has met representatives of the corporation to find out the detailed accounts of the incident and the remedial measures taken. The relevant update was provided to the Legislative Council on June 22, 2011 in a written reply.
Cloud computing is a global trend and it offers opportunities to improve business outcomes through increasing agility, enhancing productivity and providing information technology (IT) services at a potentially lower cost. The Government's adoption of cloud computing is an enabler for business transformation and continuous improvement of public service delivery, and supports implementation of the underpinning Government policies. It offers the opportunity for the Government to increase the value that the community enjoys from the more extensive use of IT in the Government, and also addresses the rising expectations of different stakeholders.
Regarding the questions raised by the Hon Andrew Leung, my reply is as follows:
(a) The Government attaches great importance to information security. We have established comprehensive security regulations, policies, and guidelines on information security to ensure that when bureaux and departments launch their IT systems and services, they have the appropriate security risk management in place and they can meet the Government's information security requirements. In adopting cloud computing technology to re-provision Government central IT services, we will ensure compliance with all related regulations, policies and guidelines.
The proposed Government Cloud environment will include the following three types:
(i) "In-house Private Cloud" owned and operated by the Government;
(ii) "Outsourced Private Cloud" comprising facilities dedicated to the Government in secure data centres operated by contractors; and
(iii) "Public Cloud" provided by contractors offering services for use by the public. This type is suitable for generic services where Government does not have much concern on how the contractors provide the services.
We will conduct security risk assessment for the central IT services to be re-provisioned. Based on the importance and sensitivity of the application systems or information, as well as the prevailing information security risks, we will determine whether the application systems and information are to be placed in the "In-house Private Cloud", "Outsourced Private Cloud" or "Public Cloud". For highly sensitive information, the Government would place it in the "In-house Private Cloud" to strengthen security controls. After the launch of the IT systems and services, we will periodically conduct security risk assessment and audit to gauge the latest security posture under the ever-changing environment with emerging security threats. In conclusion, the requirements in information security and privacy protection under a cloud computing environment will not be less than those in a non-cloud computing environment.
(b) The Government from time to time reviews the existing regulatory framework to fight against computer related crimes. Currently, there are already a number of pieces of legislation in relation to computer related crimes. For example, the Telecommunications Ordinance (Cap. 106) prohibits unauthorised access to computer by telecommunications; the Crimes Ordinance (Cap. 200) combats access to computer with criminal or dishonest intent; the Theft Ordinance (Cap. 210) combats offences of destroying, defacing, concealing or falsifying records kept by computer; the Personal Data (Privacy) Ordinance (Cap. 486) protects personal data privacy; and the Unsolicited Electronic Messages Ordinance (Cap. 593) tackles illegal activities related to the sending of commercial electronic messages with the intent to deceive or mislead recipients as to the source of such messages.
Wednesday, July 6, 2011