OGCIO

13-01-2017

Keynote Speech by Mr. Victor Lam, JP, Deputy Government Chief Information Officer, at the “Gazing Through the Crystal Ball: Cyber-Security 2017 - Predicting the Good, the Bad and the Ugly” Seminar
Dr. Ng (Nam), Dr. (P.T.) Ho, distinguished guests, ladies and gentlemen,

Good afternoon. It is my great pleasure to join you at this technical seminar co-organised by the Hong Kong Next Generation Internet Society (HKNGIS) and the University of Hong Kong (HKU). I would like to extend my sincere gratitude to HKNGIS and HKU for their continuous efforts in promoting the development and use of the Next Generation Internet in Hong Kong.

Today, the Internet has become an essential part of our daily life, and Internet technology in various domains has been developing rapidly in recent years. We all agree that the advancement of Internet technology relies on a robust ICT infrastructure. Therefore, the Government is committed to developing and maintaining a world-class ICT infrastructure in Hong Kong. Here, I would like to share with you some figures about our local ICT infrastructure. As of September 2016, the fixed broadband penetration rate in Hong Kong was over 94% while the mobile penetration rate was over 232%. Both are among the highest in the world. Moreover, the fixed broadband service in Hong Kong is the second fastest in the world. According to the report from an Internet content delivery provider in Q3 2016, Hong Kong’s average peak connection speed was ranked second globally at 116.2 megabits per second. Our telecommunications infrastructure is also among the most sophisticated and advanced in the world, providing a wide range of services at the most affordable prices.

Such solid foundations provide us with an excellent environment and favourable opportunities to boost innovation and new business. The advancement of technology also brings forth opportunities to improve our standard of living and support economic growth. On the other hand, we should also pay attention to the potential threats that might be brought to us if the security aspects in the use of technology are not properly managed, in particular for those new digital products and services that are seamlessly connected to the Internet.

Today, we are living in a highly connected world. No business can be conducted effectively and successfully without interactions with other parties and information sharing. Cyber threats are no longer a localised issue and have become more diversified and sophisticated. According to multiple reports recently published by the information and cyber security industry, malware was spreading quickly around the globe in 2016 and has increased drastically in quantity, variety, performance and complexity. In today’s interconnected world, it is inevitable that Hong Kong will face such risks, and all of us should stay vigilant against all possible cyber threats.

Over the years, the Government has been striving to maintain Hong Kong as a safe cyber society. However, withstanding cyber threats is not the sole responsibility of a single party. To make Hong Kong a digitally safe economy, the Government, academia, the industry, professional bodies and the general public must join hands to enhance our capabilities to guard against cyber security threats. I would like to take this opportunity to share with you the IT security measures adopted by the Government. I will also highlight some salient points related to the recent review of the Government IT Security Policy and Guidelines.

The Government attaches great importance to the security of IT infrastructures. Internally, we aim to ensure all government IT systems and information are securely protected with proper resilience. Externally, we co-operate with local and international parties to promote cyber security situational awareness so as to maintain a robust and secure cyber environment for the public to conduct e-business and various online activities. Moreover, we strive to raise the awareness of cyber risks among the general public and businesses so that they can take necessary actions to secure their IT systems and protect their data assets and privacy. Let me provide you with a brief overview on some measures adopted within the Government to strengthen the security of our IT infrastructures.

We have implemented multiple layers of security measures in government networks, including firewalls, intrusion detection and prevention systems, and real-time monitoring tools to guard against cyber attacks. Our technical staff monitor IT systems round-the-clock so that immediate actions can be taken to defend against intrusions into government computers and networks when they come under cyber attacks.

To maintain proper security control, we have identified two different risk management processes that are very important. One is security risk assessments and audits. All government bureaux and departments (B/Ds) are required to conduct security risk assessments and audits for their IT systems at least every two years or upon major enhancements and upgrades to ensure the effectiveness of their technical measures.

The other risk management process is security compliance audits. In the Government, an independent information security compliance monitoring and audit mechanism was established in 2010 to assess the compliance status of every B/D. The Office of the Government Chief Information Officer (OGCIO) is responsible for carrying out these audits, and we have assisted B/Ds to continuously improve their security management systems to cope with emerging security threats.

Protecting critical IT infrastructures is not a stand-alone task. In Hong Kong, critical IT infrastructures are either owned by the Government or governed by respective regulatory mechanisms. To effectively guard against cyber attacks, we need to co-operate closely with external parties and experts. In this regard, public-private collaboration plays a crucial role in protecting all the critical IT infrastructures in Hong Kong. The Government has built up effective communication channels with the regulatory bodies which have the domain knowledge of the respective sectors under regulation and fostered a strong partnership with all stakeholders in the interest of information security.

To raise situational awareness within the Government, OGCIO has been closely monitoring the trends of cyber attacks and related security threats. By gathering and analysing cyber threat information issued by various reliable sources, OGCIO promptly disseminates security alerts and reminders to B/Ds so that they can strengthen their precautionary measures. For example, to address imminent ransomware threats, OGCIO has reminded B/Ds to regularly use anti-malware software to scan their computer systems, to perform data backups, and to store the backup copy offline. Moreover, we have requested B/Ds to take effective and prompt responsive measures, and reminded all staff not to open suspicious emails or their attachments and links, to prevent their computers from being infected.

To keep abreast of the rapid changes in the global trends of cyber threats in a more effective manner, the Government Computer Emergency Response Team Hong Kong (GovCERT.HK) was established in April 2015 to coordinate the work in response to information and cyber security incidents for the Government, and to maintain effective communication with other CERTs around the world to share information and react to threats and attacks more efficiently.

To strengthen the readiness of key Internet players to defend against cyber threats, we organised information security drills for Internet service providers, mobile operators and domain name registrars in previous years. Through various simulated incident scenarios, the drills tested the participants’ capabilities of incident analysis, malware detection, malicious website tracking as well as their incident handling procedures.

The Government and the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) have co-operated with the industry and various organisations to raise the awareness of cyber security among the general users and businesses. We have reached out to small and medium enterprises (SMEs) and the general public through different publicity channels in order to increase their awareness and knowledge of the importance of information security. The channels include public seminars, school visits, broadcasting media, social media and thematic websites.

I would like to draw your attention to the thematic Cyber Security Information Portal (www.cybersecurity.hk) set up and maintained by OGCIO. Through collaboration with key partners, this portal provides practical tips and advice, as well as useful tools for the general users, SMEs and schools to protect their computing devices and websites. Expert advice and stories contributed by the professional organisations are also featured on the portal. With the information provided by the portal, businesses and individuals can gain a better understanding of the potential security risks in the cyber world and the security measures to guard against cyber attacks. You are cordially invited to visit this website to understand more about cyber security.

I have just shared some information security initiatives taken forward by the Government. Now I would like to share with you some highlights about our recent review of the Government IT Security Policy and Guidelines. In order to be more responsive and adaptive to the fast-changing environment and emerging technologies, the security requirements within an organisation need to be revised regularly to cope with emerging threats. In view of this, OGCIO and the Security Bureau had recently completed a review of the Government IT security documents. Through this review exercise, we aim to ensure that IT security-related regulations, policies and guidelines of the Government can keep pace with technological advancements as well as the local and global security trends.

As you may already know, the Government IT security documents basically comprise the Security Regulations, the Baseline IT Security Policy and the IT Security Guidelines. During this review, we have not only examined these basic documents, but also enriched the document library with several practice guides which aim to provide more practical references for B/Ds in devising their own procedures related to IT security. There is no doubt that this library of practice guides will continue to grow as technologies emerge and evolve.

To cope with the changing environment and new technologies, it is important to keep our security level on a par with up-to-date international standards. Over the years, the Government has kept a close watch on the development of international security standards and best practices, and published them on the Government’s information security portal for public reference. The public and private sectors are encouraged to adopt international standards and best practices in managing their information security.

Here, I would like to make a special mention of two globally recognised security standards. They are ISO 27001 and 27002 published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Broadly speaking, ISO 27001 is the standard specifying the security requirements for information security management systems while ISO 27002 defines the code of practice for information security controls.

In our review exercise, we have benchmarked our security documents against international standards and those of seven economies worldwide. It was recommended that the security document layout should be restructured to align with ISO 27001 and 27002. We also made reference to these information security standards to strengthen security requirements in individual areas such as cryptography and asset management, and provide a framework to implement, monitor, manage and improve the security of IT systems.

During the review, we also focused on areas in relation to governance, risk management and compliance. In respect of governance, we advised and assisted B/Ds to improve the information and cyber security governance mechanism; in respect of risk management, we advised B/Ds to adopt a risk-based principle to protect their information systems in a consistent and effective manner; and in respect of compliance, we set up the information security compliance monitoring and audit mechanism so that a new round of security compliance audits would be conducted to assess the compliance status of B/Ds after the review.

I would like to elaborate on some enhanced security requirements in this review exercise. On the overall governance mechanism, let me first introduce the information security management framework in the Government. Centrally, it is headed by the Information Security Management Committee which oversees IT security within the Government. Individual B/Ds have established their security management structure under their purview. During this review, we advised B/Ds to strengthen their governance mechanism by defining more clearly the responsibilities and duties related to information security. A senior official should also be assigned to play a significant role in directing the mobilisation of resources within the respective B/D, and making quick responsive decisions if any high-threat events or security incidents occur.

On risk management, we have strengthened security controls over data protection and data encryption. To protect files from unauthorised access, it is intuitive to employ encryption to add a layer of protection. In our review, we further elaborated the requirements for government users to protect their sensitive data on mobile devices or removable media like USB storage drives by using encryption methods that align with industry practices. In fact, the Government has already adopted PKI technology, which rides on the RSA algorithm, to secure e-government services delivered to the public. The digital certificates issued by the Hong Kong Post Certification Authority have also supported a 2048-bit key length as of today. These encryption or equivalent methods are already widely supported in commercial products. Having considered the maturity of the technology, government users are advised to adopt strong encryption in protecting their data assets.

Hong Kong is an international metropolis. We must stay vigilant against cyber attacks at all times. Cyber security is a shared responsibility and cannot be borne solely by a single party. The Government, academia, the private sector, international partners and individuals all have a vital role to play. We must join hands to enhance our capabilities to safeguard against cyber security threats. Lastly, as the Chinese New Year is just around the corner, I would like to wish you all a healthy and prosperous Year of the Rooster.

Thank you!

- ENDS -

Presentation by Mr Victor Lam, JP, Acting Government Chief Information Officer at the “Gazing Through the Crystal Ball: Cyber-Security 2017 - Predicting the Good, the Bad and the Ugly” Seminar