Opening Speech by Mr. Alan CK Wong, Government Chief Information Officer, at the Information Security Summit 2004
11 - 11 - 2004
Distinguished Guests, Ladies and Gentlemen,
Good morning! I am delighted to be invited to deliver the opening speech for the Information Security Summit 2004. This is an important event for IT professionals and industry players to exchange expert views and share knowledge and experience on best practices in information security.
The electronic mode of disseminating information and performing transactions is now a commonly available channel for providing customer services in both the private sector and government. Many people pay their bills, bank online and run businesses over the Internet. Indeed, e-business provides more choice, lower cost and better service to customers, and accounts for 2.1% of global retail transactions.
The HKSAR Government is increasingly offering the electronic channel for access to information and services by citizens and its employees. Our e-Government services portal (ESDlife) is currently processing some 190,000 transactions a month. Through this service channel, citizens and businesses can access information and perform transactions with the government electronically, e.g. filing tax returns and booking recreation facilities. According to a recent survey conducted by AC Nielsen, about 70% of Hong Kong Internet users have used e-government services.
With the intensive use of inter-networking and the wider offering of electronic services, the momentum of business activities going online will continue to increase at a rapid pace. However, cyberspace brings both opportunities and new threats. It is necessary to protect information security while opening up more access and services through the electronic channels.
In the cyber world, computer networks and information systems are attacked by computer viruses, worms and spam emails aiming to interfere with their normal operations. Besides, hackers are constantly finding ways to intrude into systems by exploiting software vulnerabilities, to implant Trojan Horse code in the victim's computer, or to hijack Internet access to fake websites. A recent survey reveals that about seven new software vulnerabilities are reported every day and 70% of them are easily exploitable. It is concerning that the techniques employed by cyber attackers are more and more sophisticated and that the number of attacks also breeds like rabbits.
To deal with these problems, it is necessary to employ a combination of protective measures to beef up the security of our information assets. Proper patch management must be performed consistently to ensure that the latest virus protection is in place, and to plug the loopholes left by faulty patches or where no patch is available. Some organisations even proactively perform tests to find out their own vulnerabilities and fix them before malicious code and hackers discover them. Carnegie-Mellon University's CERT/CC has advised that patch management can help installations avoid as much as 95% of network intrusions.
Spam emails account for about 75% of e-mail traffic. Every day there are millions of spam emails, costing organisations about US$2,000 per employee annually to deal with them. Many of these emails bear falsified sender identities and carry malicious code such as Spyware (Trojan Horse), replacement browsers and Adware (keyboard logger). Through email spamming or bogus websites, attackers have succeeded in implanting malicious code in the victim's computer (Zombie), waiting to be activated and connected to a bogus site. It is no exaggeration to say that a spying computer worm (Rbot-GR) can turn on the web cam and microphone of a PC to view activities in bedrooms, unknown to the victim. To help combat spam emails, computer users may install email filters, discipline their usage of e-mail and take steps to stop and track down suspected intruders on their websites.
The Internet has many bogus websites that look like genuine websites or even pretend to serve anti-fraud purposes. This is the trick of "Phishing", which, by sending spam emails, tries to lure people into accessing fraudulent websites where they inadvertently disclose their credentials, often leading to the illegal transfer of money. According to surveys done by the industry, some two million people have been victimised globally and the number of phishing scam websites is rising by roughly 50% month on month.
The rate of fraud utilising cyber channels to cheat people and steal money has increased drastically. In June this year, a victim (a lawyer) in Hong Kong was cheated out of HK$57,000 by a (Nigerian) spam email. Various other kinds of cyber crime were also reported, such as gambling, theft, online game offences, cheating with fake credit cards in supermarket orders, or failure to deliver goods in Internet shopping after payment is made.
To protect their business, enterprises should ensure that their e-services are implemented with appropriate protective measures, quality assurance and auditing procedures that are commensurate with their security requirements. They should also take care to avoid intentional or inadvertent human errors, and attend to staff integrity, so that loopholes discovered in business applications are rectified rather than exploited by staff. Recently, staff of a bank sold off information on some 900 e-banking customers, resulting in nine customer accounts being intruded. It is no exaggeration to warn that one bad user can easily erode the best security we put in place.
Government has put in place a security management framework to ensure and enhance internal IT security. Bureaux and departments are required to implement security measures and conduct regular security risk assessment and review for individual information systems to verify the effectiveness of the security implementations.
Government is committed to raising public awareness and promoting ethics in information security. We set up the INFOSEC (資訊安全網) website (www.infosec.gov.hk) in September 2002 to provide citizens and businesses with relevant advice on protecting their business IT infrastructure, as well as useful references and sample security policies, guidelines and solutions. We have also widely distributed promotional material and designed radio episodes and TV features to educate the public and businesses on information security.
Government also places much effort in helping citizens handle security incidents. The HKCERT/CC serves as a centralised contact and enhances coordination in the reporting, response and handling of information security related incidents for local computer users. It issues security and computer virus alerts to the public and handles IT security related incidents reported by the local community.
Combating cyber attacks requires the concerted efforts of the community. We have to stay up-to-date and constantly on the alert about information security, as well as discipline ourselves to follow best practices and be good citizens of the cyber world. It is most encouraging to see a large number of reputable industry players gathering together today to promote IT security to the community. I wish the Summit a great success.
- END -