| 06.07.2011 Oral Question: Information Security (Chinese / English) |
|
| LegCo Affairs - Question |
|
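DR SAMSON TAM: President, in his replies just now the Secretary kept referring to the information security work done over the past 10 years or eight years, and I consider this very inadequate. This is because what we are talking about now is not lone operators, not attacks on computers by individual persons, but attacks by international hackers. The Obama administration in the United States already has guidelines that define hacker attacks as equivalent to international attacks, which can be regarded as equivalent to military acts. So, viewed at this level, this is not something the Commerce and Economic Development Bureau can deal with. I hope the Secretary can make reference to the practice of foreign governments and think about how this can be raised to the level of national defence or the Security Bureau.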
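President, I would like to ask: since the Government does not yet have a view, and cloud computing is so important, is the general trend and is also adopted by various countries, what I am more concerned about is which information is suitable to be placed on the cloud platform and which information is not suitable to be placed on the platform?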
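In the main reply the Secretary mentioned that, for highly sensitive information, the Government will place it on the "In-house Private Cloud" platform. In this connection, I would like to ask the Government how it defines "highly sensitive information". As for information placed on the "In-house Private Cloud" platform, will the Government tell the public, so that the public knows which information has been placed online?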
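SECRETARY FOR COMMERCE AND ECONOMIC DEVELOPMENT: President, I will first respond to Dr Samson TAM's first point. On security, we do indeed need to co-operate with international organizations. As I also mentioned in my reply just now, the Administration has a standing mechanism for co-operating with other international organizations to combat hacker intrusions. I also mentioned in the main reply just now that, according to the sensitivity of the information, we have three modes, with three different platforms respectively.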
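We are now in the process of formulating policy, which is the design stage. The present general direction is to place the most sensitive information on the private cloud platform, while general public information will be placed on the public cloud platform. Any member of the public can see this public information on the public cloud platform, and the areas it covers are also very wide. Of course, sensitive information has its own sensitivity, and in formulating policy we will consider different factors and make appropriate arrangements.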
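DR SAMSON TAM: The Secretary said that it has not yet been defined which information is sensitive and which is non-sensitive. Part of my supplementary question asked whether, once the Administration has made the definition, it will make an announcement to the public so that they know their personal data will be placed on the in-house cloud computers?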
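SECRETARY FOR COMMERCE AND ECONOMIC DEVELOPMENT: President, the information relating to members of the public is in fact very wide-ranging. To tell the public where the information is placed ...... When members of the public use cloud technology, we consider that if the internal security measures are adequate, when members of the public browse ...... The definition of cloud is knowing what the proper arrangements are for your information on the cloud computers, so there is a certain degree of technical difficulty in this respect. We consider that, in the overall policy, being able to take appropriate measures at the security level is already an appropriate arrangement.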
Source: Pages numbered 9603-9604 http://www.legco.gov.hk/yr10-11/chinese/counmtg/hansard/cm0706-translate-c.pdf
********************************************************************
DR SAMSON TAM (in Cantonese): President, in his replies just now, the Secretary has mentioned repeatedly work initiatives on information security done in the past 10 or eight years, yet I consider them to be highly inadequate because instead of stand-alone attacks from individual persons, we are now facing attacks from international hackers. Guidelines have already been issued by the OBAMA administration that hack attacks are classified as a form of international threats and deemed as acts of war. Hence, if considered from this perspective, this is not a matter the Commerce and Economic Development Bureau can handle. I hope the Secretary will make reference to the practice of foreign governments and consider how this matter can be escalated to the level of national defense and security.
President, my question is: Given that the Government's stance is still open, and cloud computing is so important as a major trend adopted by many countries, I am more concerned about the types of information that are suitable or not suitable to be placed in the cloud platform.
In his main reply, the Secretary said that highly sensitive information would be placed in the "In-house Private Cloud". In this connection, I would like to ask the Government what the definition of "highly sensitive information" is? Regarding information placed in the "In-house Private Cloud", will the Government inform the public of the same so that they know what sort of information has been uploaded on the Internet?
SECRETARY FOR COMMERCE AND ECONOMIC DEVELOPMENT (in Cantonese): President, I will first respond to the first part of Dr Samson TAM's question. In terms of security, we must indeed co-operate with international organizations. As I replied just now, an established mechanism is available for the Government to join hands with other international organizations in combating hack attacks. I have also mentioned in the main reply earlier that three modes or three types of Government Cloud environment will be available to cater for information of varying degrees of sensitivity.
We are now in the process of policy formulation, that is, at the design stage. The general direction envisaged is that the most sensitive information will be placed in the private cloud, and general public information will be placed in the public cloud. Any members of the public can access the public information which covers a wide range of areas in the public cloud. Of course, due to the privy nature of sensitive information, we will consider different factors in the process of policy formulation so that suitable arrangements can be made.
DR SAMSON TAM (in Cantonese): The Secretary said that a decision on the classification of sensitive and non-sensitive information has yet to be made. Part of my supplementary question is about whether the Administration will make public its classification decision after a decision has been made, so that members of the public will know that their personal data has been placed in the In-house Cloud?
SECRETARY FOR COMMERCE AND ECONOMIC DEVELOPMENT (in Cantonese): President, in fact, many different kinds of data are related to members of the public. If they are informed of the location of storing such data …… When members of the public access the cloud computing environment, we consider that if there are adequate internal security measures and when they browse …… In the application of cloud computing, it will be important to ensure the proper storage of data in the cloud platform. Hence, certain technical difficulties are involved. We opine that from the perspective of the overall policy, it will be an appropriate arrangement if suitable security measures are adopted.
Source: Pages numbered 13528-13529 http://www.legco.gov.hk/yr10-11/english/counmtg/hansard/cm0706-translate-e.pdf