
Welcome Remarks by Mr. Stephen Mak, Deputy Government Chief Information Officer, at the 10th Info-Security Conference

21 May 2009


Honourable Samson Tam, Distinguished Guests, Ladies and Gentlemen,

Good morning! I am honoured to address you at this 10th Info-Security Conference 2009. Ten years is a long time in ICT and Internet developments. Over the past decade, information security has become a serious agenda item for any sizeable organisation and is certainly high on the list of issues of interest in public administration. Today's theme of "Converging Risk and Security to Better Manage Uncertainty" provides a great platform for us to take stock of the opportunities and threats brought about by Information Security and, more importantly, how these are amplified in times of uncertainty, as in the case of a global recession. While the early promoters of the 21st Info-security Project may not have conceived this particular theme 10 years ago, today it certainly provides the impetus for more informed discussions, decisions and actions.

Advancement in technologies and constant changes in the business environment have brought both new opportunities and challenges, and one of the latter is the emergence of new security threats. The top news on information security back in 1999 was the worldwide attack of the Melissa virus. Although security alerts and anti-virus patches had been issued for some time, Melissa spread rapidly from company to company, flooding mail servers, disrupting systems and causing the deletion of data or the unintentional release of sensitive documents. The bigger threat was that a single person, or a small group, could use the Internet to rapidly attack thousands and even millions of computers and disrupt business operations. Most importantly, and fortunately, the global virus attack finally raised public awareness of the dangers of computer viruses and brought the issue of information security home to the masses.

Today, history seems to have repeated itself by putting on a new appearance. A similar incident actually occurred very recently: the widely reported activation of the Conficker worm on April Fool's Day this year. According to IT security firms, the Conficker worm has infected several million computers around the world. What is even worse is that many computer users may not notice that their computers have been infected, although the worm might be operating as a background program acting maliciously on several illicit tasks such as massively sending out spam emails, infecting other computers, stealthily disclosing the victim's credential information or spying on the activities of the person. Again, security alerts and anti-virus patches had been issued for some time, but people are still slow to take protective actions. There is of course a subtle but important difference between the two cases 10 years apart: the speed and pervasiveness of today's attacks are riding on. The famous Metcalfe's Law has taken on some new dimensions, by factoring in 'connectivity' and 'affiliation', which have stirred enough debates over the validity of the Law when applied to the Web 2.0+ scenario. That would have been the subject of another major conference, if indeed there is industry and academic interest for it.

Today's working environment is rapidly changing. The network perimeter has dissolved to such an extent that it is virtually unidentifiable. Yesterday's architecture, with its office-based desktops and servers protected by a gateway firewall, has gradually crumbled. In addition, increasingly complex networks must accommodate not just employees, but also outside contractors, vendors and customers.

According to the "2009 Verizon Business Data Breach Investigations Report" released in mid-April 2009, "More electronic records were breached in 2008 than the previous four years combined." The use of endpoint devices such as USB sticks, always-on Internet access and the rapid emergence of Web 2.0 technologies have redefined how employees and other remote workers interact with an organisation's systems.

I need not impress upon you how easily information can be exposed on the Internet via P2P file sharing or social networking connections. Gartner estimates that more than 200 P2P programs are used by more than 20 million unique P2P file-sharing users every day. For those who are using P2P programs, please make sure you have the right configurations and be very careful not to leak out any sensitive data via such channels.

So what are the opportunities and threats in an economic downturn situation that are relevant to information security? I can think of the following 7 things, not in any particular order:

1 Channel Management: media reports on corporate budget cuts on business travel and major events abound. IT managers and CIOs have been given the new requirement of facilitating business while minimising the need for travel. Technologies and processes like Tele-presence have taken on new meanings and perceived advantages. The question is: how should information security feature in assessing new channels of communication with customers and among staff?

2 Information Hunger: almost as a corollary of the above, in a downturn situation businesses have a dire need for information, be it market supply/demand information, pricing data or customer buying behaviours and plans. The security challenge is how to get hold of relevant data and information without being exposed to hoax messages and false claims of business leads.

3 Staff Turnover: in the wake of staff turnover of a substantial scale, either voluntary or forced, what (additional) information security safeguards need to be put in place to counter the temptation or real threat of data loss?

4 Budget Squeeze: how should the organisation prioritise budgets for information security vis-à-vis other, often higher, claims?

5 Brand Protection: in a highly competitive market situation where everyone is scrambling for attention and market share, how does information security feature as a brand differentiator?

6 Mergers and Acquisitions: in a typical M&A scenario, can one expect uniformity in information security policies and practices? If not, how do we take advantage of the combined effects of the networks and users on the one hand and avoid the erosion of security principles on the other?

Last but not least,

7 Recession-proofing information security investments and value propositions: how do we make security compliance a willing and natural requirement on the part of both management and staff?

These are not hypothetical but real questions that I suggest we need to be concerned about. I'm pleased to note that today's programme covers many of these issues, and the audience can certainly look forward to a highly rewarding experience.

Like all other enterprises, Government is not immune to risks, security issues and uncertainty. But I'm pleased to say that we will uphold our information security policies and practices and will not hesitate to take forward proposals that would enhance the level of trust that citizens have inherently placed in us in maintaining their personal and sensitive data.

Let me end my speech with a quotation from Tom DeMarco, a guru in software development in the 1980s. According to DeMarco, "risk is usually an indicator of value; when there is no risk there is no value. We need to learn to run toward risk, not run away from it. If a project has no risks at all, don't do it! But when you're running toward risk you also need to take certain reasonable precautions. These precautions make up the heart of the discipline called risk management."

I thank the organiser for giving me the opportunity to address you, and hope you enjoy the rest of this conference.

Thank you.

- ENDS -
