OGCIO
23-09-2021

Opening Keynote Speech by Mr. Jason PUN, Assistant Government Chief Information Officer (Cyber Security & Digital Identity) at the “Total Security Conference Hong Kong 2021”

Distinguished guests, ladies and gentlemen,

Good morning everyone. I am honoured to be invited to the “Total Security Conference 2021”, and am delighted to have this opportunity to talk about how to establish the defence-in-depth strategy to prevent cyber attacks and ensure cyber resilience, by making reference to some of the Government’s work on cyber security in the face of the ever-changing cyber landscape. This Conference, I am sure, will serve as an excellent platform for senior executives, IT leaders and security professionals to come together and share their insights in cyber security strategies.

Let me begin with COVID-19, which has affected us all significantly. The outbreak of the epidemic has created new challenges to cyber security and reshaped its landscape worldwide. From the adoption of work-from-home to the gradual resumption of office life, many organisations have been continuously transforming their modes of operation to adapt to the changes and making great efforts to manage the associated risks.

Nowadays, cyber threats are increasingly complex, with ever more sophisticated techniques. Various cyber attacks, including attacks against remote access facilities, ransomware (including double-extortion or even multiple-extortion schemes), malware, phishing, DDoS attacks and advanced persistent threats, are becoming more prevalent than ever before around the world.

According to the statistics from the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), which is sponsored by the Office of the Government Chief Information Officer (OGCIO) to provide support to local enterprises and Internet users in respect of cyber security and incident handling, over 4 100 local security incident reports were received in the first half of 2021. Although this represents a drop of around 5% when compared with that of the same period last year, there is no reason to relax because the drop is only due to the attackers switching their main targets from the general public to enterprises.

Among all types of cyber attacks, phishing and botnets were again the main causes of information security incidents. Compared to the same period in 2020, there was an increase of over 20% in phishing attack cases. Moreover, many hackers took advantage of public concern over the epidemic situation by disseminating false information that lured the victims into visiting malicious websites and disclosing sensitive information, or even defrauded them of money.

As cyber attacks are constantly changing, organisations should therefore adopt a comprehensive strategy to defend against cyber attacks and ensure cyber resiliency. To protect government information systems and data assets, we implement multiple layers of defence to protect the government network against outside intrusions. For instance, we implement content delivery network service and DDoS scrubbing to mitigate the risks of DDoS attacks; we deploy anti-malware software and up-to-date security patches at the endpoints to prevent vulnerabilities that may lead to exploitation.

At the application level, for example email services, security measures such as spam filtering are adopted to defend against malicious email attacks, especially phishing. Moreover, government Internet mail to the public has been protected by prevailing email authenticity standards, such as the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, to enforce authenticity.
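The DMARC protection mentioned above only helps when the published policy actually instructs receivers to reject or quarantine spoofed mail. The following parser and grader is an added example written for this page, not code from OGCIO or from the speech; the sample records are constructed, use the reserved example.com domain, and do not represent any real government DNS data. It checks the structural rules of RFC 7489 (version tag first, a required p= tag, a valid pct= range) and then classifies what a receiver will do with mail that fails DMARC, flagging the common weak configurations: p=none, a sampling percentage below 100, and a subdomain policy (sp=) weaker than the organisational policy.

```python
"""Parse DMARC TXT records and grade whether they actually enforce anything."""
from dataclasses import dataclass, field
from typing import Dict, List

VALID_POLICIES = ("none", "quarantine", "reject")
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    tags: Dict[str, str]
    problems: List[str] = field(default_factory=list)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split a DMARC TXT record into tag=value pairs and check the
    structural rules of RFC 7489 that decide whether it is usable at all."""
    tags: Dict[str, str] = {}
    problems: List[str] = []
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            problems.append(f"malformed tag {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            problems.append(f"duplicate tag {key!r}")
        tags[key] = value
    # The version tag must be the first tag and must read exactly DMARC1.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        problems.append("record must begin with v=DMARC1")
    # p= is required; p= and sp= must each name a known policy.
    if "p" not in tags:
        problems.append("missing required p= tag")
    for key in ("p", "sp"):
        if key in tags and tags[key].lower() not in VALID_POLICIES:
            problems.append(f"unknown policy {tags[key]!r} in {key}=")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer 0..100")
    return DmarcRecord(tags, problems)


def enforcement_level(rec: DmarcRecord) -> str:
    """Classify what a receiver does with mail that fails DMARC:
    'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    if rec.problems:
        return "invalid"
    policy = rec.tags["p"].lower()
    if policy == "none":
        return "monitor-only"   # reports only; spoofed mail is still delivered
    pct = int(rec.tags.get("pct", "100"))
    if pct < 100:
        return "partial"        # policy is sampled; the rest is treated as p=none
    sub_policy = rec.tags.get("sp", policy).lower()
    if STRENGTH[sub_policy] < STRENGTH[policy]:
        return "partial"        # subdomains are protected less than the org domain
    return "enforcing"


def grade(txt: str) -> str:
    """Convenience wrapper: raw TXT record in, enforcement level out."""
    return enforcement_level(parse_dmarc(txt))


# Constructed sample records (not real DNS data), one per outcome.
SAMPLES = {
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com": "enforcing",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com": "monitor-only",
    "v=DMARC1; p=quarantine; pct=20": "partial",
    "v=DMARC1; p=reject; sp=none": "partial",
    "p=reject; v=DMARC1": "invalid",
}

if __name__ == "__main__":
    for record, expected in SAMPLES.items():
        level = grade(record)
        print(f"{level:13s} {record}")
        assert level == expected
```

In practice the record is fetched from the `_dmarc.<domain>` TXT entry (for example with `dig _dmarc.example.com TXT`) and the string passed to `grade()`; anything other than "enforcing" means spoofed mail using that domain can still reach at least some recipients.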

During application development, we exercise not only DevOps, but also DevSecOps (i.e. Development, Security and Operations) in some applications, with security by design taken into consideration at the early stage, and at every subsequent stage of the system development life cycle. DevSecOps emphasises that everyone is accountable for security with the objective of implementing security decisions and actions at the same scale, speed and time as development and operations decisions and actions.

Even though we have implemented various technical measures to protect our systems, such protection is by no means foolproof. Prevention is only the first line of defence. When the prevention safeguards are defeated, we should have detective measures in place which identify malicious activities and security incidents rapidly. Zero-trust is the keyword; perimeter defence alone is no longer sufficient. The defence and detection mechanism should be put in place with the assumption that your defence perimeter has already been breached or penetrated. Organisations need to detect incidents promptly and respond to them quickly.

Within the Government, we deploy endpoint and network detection solutions and have established an incident response mechanism with a host of measures, with the aim of ensuring the capability of government departments to respond to cyber security incidents. We also manage a platform to assist government departments in conducting security vulnerability and penetration testing for their Internet-facing systems and websites to identify potential vulnerabilities and fix them as early as possible.

Furthermore, humans have often been the weakest link along the information security processes. To tackle this, we organise various training activities to promote the knowledge of information security among government staff, including seminars, workshops, drills, professional certification, etc. Most notable is the annual “Interdepartmental Cyber Security Drill”, which aims to improve all government departments' capability to respond to cyber attacks.

To increase situational awareness and boost our responsiveness to various kinds of cyber attacks, OGCIO and HKCERT have been actively participating in global and regional organisations of computer emergency response teams to keep abreast of cyber security trends, obtain information and intelligence on cyber threats, and exchange views on response measures in order to disseminate timely warnings to government departments and to the community. OGCIO also participates in the annual international drill organised by APCERT to enhance the Government’s capability to take prompt actions to combat cyber attacks.

For the industry, community and organisations, what can you do to take part in threat intelligence exchange and sharing? Taking this opportunity, I would like to invite you to join CyberSec InfoHub, if you have not done so. CyberSec InfoHub is a cross-sector partnership programme co-run by OGCIO and the Hong Kong Internet Registration Corporation Limited (HKIRC). Apart from receiving security advisories, alerts, news and vulnerability information, member organisations of the programme may exchange their views and insights through the sharing platform established under the programme, i.e. “cybersechub.hk”.

The programme now has about 650 member organisations across a wide spectrum of industry sectors, including finance and insurance, public utilities, transport, healthcare, telecommunications, innovation and technology, information security, tertiary education institutions, etc. In particular, more than 125 banks have joined the programme with the support of the Hong Kong Monetary Authority and the Hong Kong Association of Banks.

Well-defined policies and procedures are essential to rolling out proper security protection and measures. The Government reviews its IT security policies and guidelines on a regular basis to address the challenges of evolving security threats posed by emerging technologies.

In March 2021, we published an updated version of the IT security policies and guidelines for government departments to follow. In this updated version, we aim to tie in with the development of international standards, industry best practices in information security management, cyber security trends as well as technology advancement. There are several major updates I would like to talk about today.

First, the Government strongly supports and encourages the adoption of international information security standards. When developing and revising the IT security policy and guidelines, we made reference to the ISO/IEC 27000 family of standards, especially ISO/IEC 27001 and ISO/IEC 27002. In view of people’s growing concern over personal data protection in the past few years, the guidelines have also made reference to ISO/IEC 27701, specifically on privacy information management, in order to enrich the guidance on personal data protection of government systems.

Second, about protecting critical systems. It is crucial to have a more stringent protection of these systems, including but not limited to encryption and network segmentation within the organisational infrastructure. Moreover, strong password policy, with multi-factor authentication, should be adopted especially for privileged accounts in order to protect the access to critical systems.

Furthermore, the security risks of software vulnerabilities should not be overlooked. To prevent attacks exploiting known vulnerabilities of software, security patches should be deployed in all systems in a timely manner. Besides, regular system health checks should be conducted to ensure that adequate security measures are adopted, and identified vulnerabilities and improper system configurations are addressed with proper remediation in a timely manner.

For local small and medium enterprises (SMEs), they are encouraged to approach HKIRC, which has been providing a free-of-charge web scanning service to scan websites under the “.hk” top-level domain to identify potential security vulnerabilities as soon as possible. So far, over 3 000 SMEs have used this free service. I encourage more SMEs to approach HKIRC to apply for this service.

The fourth point is about the proliferation of the use of remote access services. During the epidemic, more and more organisations allow their employees to work remotely. While this is a convenient and effective way to maintain business operation continuity, imminent cyber threats have also come along with it, such as hidden vulnerabilities in network connection, insufficient protection against unauthorised access to the organisation networks, and so on. Therefore, implementing proper security controls for remote access is indispensable to reduce the attack surface in the organisation’s IT environment.

For those local enterprises and organisations which wish to seek financial support for enhancing their cyber security set up, they are encouraged to apply to the Technology Voucher Programme (TVP) in order to strengthen their security protection. Since the launch of TVP, more than 330 projects involving upgrading of information systems and cyber security were approved with funding amount of about $45 million.

As a remark in passing, the Government also launched last year the Distance Business Programme (D-Biz Programme) under the Anti-epidemic Fund to subsidise enterprises to use IT solutions for developing remote business, so that they could continue operating during the epidemic. The D-Biz Programme has approved more than 3 000 IT solutions related to cyber security, involving a funding amount of around $82 million.

Last but not least, I would like to talk about the use of emerging technologies, in particular the Internet of Things (IoT). With the proliferation of IoT connectivity to the organisation network, it is important to manage the security risks of using Internet-connected devices in the office. To mitigate the exploitation of IoT-related vulnerabilities, you need to understand what IoT devices have been installed or used within the organisation. “You cannot manage what you cannot measure”. Similarly, you cannot manage what you do not know. The discovery process is the prerequisite to all other actions and measures. With that knowledge, you will then assess whether sufficient measures have been implemented to protect the office and its IT environment.

You may wish to note that we publish the government IT security policy and guidelines on the OGCIO website for reference by the IT industry, organisations of different sectors and the general public. You are welcome to go to our website “ogcio.gov.hk” to download them. Nowadays, the use of technologies is extensively expanding and cyber attacks are constantly evolving. We must continuously enhance our defence-in-depth strategy with stronger security measures to protect against the increasingly unprecedented cyber threats. Let us join hands and build a stronger security posture in Hong Kong.

I believe you will all enjoy a fruitful and insightful conference today. Thank you.

- ENDS -