Following is a question by the Hon Sin Chung-kai and a written reply by the Secretary for Economic Development and Labour, Mr Stephen Ip, (in the absence of Secretary for Commerce, Industry and Technology) in the Legislative Council today (May 9):
Question:
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), established and managed by the Hong Kong Productivity Council (HKPC), is tasked to coordinate the efforts in handling local incidents relating to computer or network security, and has been in operation for six years. In this connection, will the Government inform this Council:
(a) whether it knows why the report on Information Security Survey published annually since 2001 has ceased publication after 2004; whether HKCERT currently has channels to understand the standard, current status and trends of information security in Hong Kong, as well as to collect the relevant data; if so, of the details; if not, the reasons for that;
(b) whether it knows in each year since 2005, the number of requests for assistance (broken down by the types of information security incidents such as hacker intrusion and viruses) handled by HKCERT, the average response time, the number of various types of security alerts disseminated, as well as the number of applications for SMS Alert Service provided by HKCERT;
(c) of the respective amounts of money allocated to HKCERT by the government departments concerned and HKPC each year since the establishment of HKCERT;
(d) whether it knows if HKCERT had launched new measures in each of the past three years to disseminate news on its own initiative for more members of the public to know more clearly the latest information on information security; if so, of the details; if not, the reasons for that; and
(e) given that the number of security incidents is on the rise according to the data released by HKCERT at the end of 2006, whether it knows if HKCERT will follow the practice of other major computer emergency response team coordination centres in the Asia-Pacific region to introduce a monitoring system on network threats, so as to proactively monitor potential risks; if it will, of the details, as well as the estimated costs involved and the implementation schedule; if not, the reasons for that?
Reply:
Madam President,
Regarding the question raised by the Hon Sin Chung-kai, my reply is as follows:
(a) Since 2005, the Hong Kong Productivity Council (HKPC) has re-prioritised its services/activities and categorised the information security survey as a non-core function of the Hong Kong Computer Emergency Response Team / Coordination Centre (HKCERT) and ceased the conduct of surveys on the information security status of Hong Kong. According to HKCERT, it currently makes use of the data of incident reports processed by the centre and those provided by other information security organisations to keep track of the level, status and trend of information security in Hong Kong.
(b) Statistics of the number of information security incidents reported to HKCERT, the number of various security alerts it disseminated and the total number of subscribers as provided by HKCERT are tabulated below. According to HKCERT, it did not keep the response time of each handled case which could involve many rounds of discussion, investigation and analysis.
                                                  2004/05  2005/06  2006/07
(1) Number of security incidents reported
    - Hacking & Intrusion                             614      287      436
    - Phishing                                         99      250      567
    - Spamming                                         96       81       40
    - Spyware                                          89      839      212
    Total                                             898    1,457    1,255
(2) Number of computer virus incidents reported     2,815      805      527
(3) Security alerts published                          94      115      206
    Virus alerts published                             16        4        1
(4) Subscribers receiving alerts
    - via email                                     8,202    8,800    9,250
    - via SMS                                       1,010    1,156    1,257
(c) In July 2000, HKPC submitted an application to the Innovation and Technology Fund for a total amount of $10.744 million for the setting up and operation of HKCERT for 3 years. In December 2000, HKPC's application was approved and HKCERT was launched in February 2001. In November 2003, the Government and HKPC discussed the funding arrangement for the ongoing operation of HKCERT. The Government suggested that HKPC should explore ways to generate revenue to cover part of the operating expenses of HKCERT beyond 2004. To allow more time for both parties to work out the longer term funding arrangements for HKCERT, the Government provided a one-off sum of $3.7 million to HKPC for the operation of HKCERT in 2004/05.
Since 2005/06, HKPC has been funding the operation of HKCERT via the overall government subvention. The government subventions to HKPC were $174.5 million in 2005/06, $173.8 million in 2006/07 and estimated to be $172.8 million in 2007/08. According to HKPC, its expenditures in connection with HKCERT were $3.2 million in 2005/06 and $3.7 million in 2006/07 respectively. For 2007/08, HKPC estimates that it would require $4 million to operate HKCERT, which is around 2.3% of the government subvention provided to HKPC. HKPC has approached the Government to seek additional funding for the operating expenses of HKCERT. We are actively discussing with HKPC on the need and approach regarding the request.
(d) In 2003, HKCERT started to use telephone short messages and a commercial information portal to disseminate information security alerts to the public. Together with other existing channels including the HKCERT website, electronic mails and press releases, HKCERT considers that the information dissemination channels are adequate.
(e) According to HKCERT, it is considering conducting a feasibility study to understand the practice of other major computer emergency response team coordination centres in the Asia Pacific region in monitoring network threats and issuing security alerts, and to make recommendations on whether there is a need for a similar mechanism in Hong Kong. Details of the estimated cost and schedule of implementation of such a mechanism are not yet available.
Ends/Wednesday, May 9, 2007
Issued at HKT 14:51