Assistant Government Chief Information Officer provides insight
As stated in the Hong Kong Smart City Blueprint, the mission of the Hong Kong Government in respect of cyber security is to “enhance the Government’s cyber security capability to address new security risks and facilitate collaboration among stakeholders to promote awareness and incident response capability in the community”.
To implement the mission, the Office of the Government Chief Information Officer (OGCIO), together with its strategic partners, adopts a multi-pronged strategy to provide support to the community, nurture talent, collaborate with stakeholders and fortify internal protection within the Government, with the ultimate aim of strengthening the cyber security capabilities of Hong Kong as a whole.
Assistant Government Chief Information Officer Jason Pun discussed Hong Kong’s cyber security capabilities from three perspectives: breach detection, early warning signals and strategy.
Detecting cyber security breaches in an organisation is no easy task. Attackers use different methods to circumvent detection and hide in your system environment or network infrastructure to collect as much system information as possible before launching an attack. Therefore, it is important to identify the breaches or intrusions as early as possible to reduce the impact, for example by monitoring suspicious activities and anomalies in the systems or networks. Effective communication among all stakeholders on detected breaches is also crucial in taking quick remedial actions to contain damage and rectify problems.
Framework for information security management
Incident response is an important area of information security management that prepares organisations for security incidents and helps them resume interrupted services in a more organised, efficient and effective manner. It involves assigning appropriate personnel and responsibilities, reserving resources, and planning for the handling processes. For the Government, the OGCIO has published an organisation framework for information security management and incident response. According to the framework, each government department established its own Information Security Incident Response Team (ISIRT) to handle its incidents. The Incident Response Office (GIRO) is also crucial in coordinating responses to incidents, in particular in handling multiple-point attacks in which more than one department may be affected.
For the wider community, the OGCIO and the Hong Kong Internet Registration Corporation Limited (HKIRC) jointly run the “Cybersec Infohub” partnership programme to facilitate closer collaboration among local information security stakeholders by sharing threat intelligence. The programme also provides a platform that enables the efficient exchange of mitigation strategies, best practices and insights from experts in tackling emerging cyber threats.
“As of June 2022, we had over 1 100 public and private organisations with over 2 100 representatives joining the programme,” he said. “They are from a wide spectrum of industry sectors including finance, insurance, public utilities, transports, medical care, telecommunications, innovation & technology, education, etc.”
According to Pun, the success of the programme is built on four pillars: trust, collaboration, sharing and support. Working in silos is not conducive to building a safe cyberspace. We count on the concerted efforts from each and every one of you here to fortify the overall cyber resilience of Hong Kong. If you have not joined the programme yet, please join today and get the most from it.
Timely dissemination of alerts
“To get well prepared for cyber-attacks, we should have a clear picture of the global cyber security landscape,” he said. “The Government Computer Emergency Response Team Hong Kong (GovCERT.HK) established under the OGCIO has been closely working with the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and other Computer Emergency Response Teams (CERTs) in the Asia-Pacific region and around the globe.”
This not only helps with the gainful exchange of cyber threat intelligence, but also enables the timely dissemination of alerts and advice to government departments and to the general public, helping them stay on top of emerging cyber-attacks.
Early detection and warning of cyber threats are of paramount importance. In the face of increasingly sophisticated and frequent attacks, GovCERT.HK and HKCERT have been working closely to monitor the feeds and updates from major product vendors and other CERTs. We also issue timely alerts to government departments and the general public about vulnerabilities of products and emerging security threats so that they can take early precautionary actions.
“We also utilise big data analytics to collect and analyse threat intelligence from different sources, enabling us to issue cyber threats, warnings and recommendations in a more efficient and effective manner,” stated Pun.
In the first half of 2022, the OGCIO issued over 110 security alerts to government departments, together with recommended mitigating measures. During the same period, HKCERT also published over 190 security bulletins and advisories to the public. Notwithstanding this, HKCERT received some 4 000 reports of security incidents over the same period. Botnet and phishing attacks topped the list of cyber threats, with these two types of attacks accounting for more than 90 per cent of the total number of reported cases.
An ounce of prevention is better than a pound of cure. According to a report published in 2021, the average cost of a data breach globally rose from $US3.86 million to $US4.24 million. The loss of business, including business disruption, revenue loss, reputation loss and diminished goodwill, accounted for 38 per cent of the cost. Installing early warning signals for efficient detection not only saves the effort of responding to attacks but also helps uphold the organisations’ reputation and goodwill.
Working with partners
To help the community enhance its cyber security posture, the Government works with various strategic partners to provide support in detecting, preventing and responding to cyber-attacks.
Small and medium enterprises (SMEs) have limited resources and generally lack the necessary security know-how. To help with this, HKCERT publishes the “Seven Habits of Cyber Security for SMEs” and provides the “Check Your Cyber Security Readiness” tool for them to examine and enhance their preparedness against cyber threats.
HKIRC also provides free in-depth website security scan services to SMEs with a “.hk” domain name to assist them in identifying and mitigating issues on their websites. Since the launch of the services in 2019, HKIRC has already inspected over 4 500 websites of local enterprises.
HKCERT is now developing an Incident Response Guideline for SMEs and it will be available in the coming months. The guideline will provide practical guidance for organisations to build and implement an incident response plan, including preparing for, responding to and taking remedial action against security incidents in an efficient manner.
Detection of early warning signals, however, should not rely solely on an organisation’s IT staff. On the user side, it is equally important for all staff members to pay attention to warning signals such as sudden changes of account passwords, suspicious financial transactions, warnings given by anti-malware tools, etc. On the system side, organisations should consider deploying technical solutions such as Security Information and Event Management (SIEM), Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) to detect suspicious network activities, suspicious files in IT systems, bulky data upload or download, intermittent performance issues, etc.
Early this year, the Cyber Security and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force joined hands with the University of Hong Kong to launch a suspicious email detection system named V@nguard. It assists organisations in detecting suspicious emails and avoiding falling prey to phishing attacks. This tool has received an overwhelming response from SMEs. As at June 2022, it has recorded more than 13 600 downloads.
Apart from the technical support rendered to the community, the Innovation and Technology Commission administers the Technology Voucher Programme (TVP) to provide financial support to eligible enterprises and organisations for, among other things, upgrading their systems and improving their cyber security resilience to defend against cyber-attacks.
Countering security threats
To counter the increasing security threats, a sustainable strategy needs to be in place. Organisations should regularly review their security strategies for the continuity, suitability, adequacy and effectiveness of security measures. As an example, the OGCIO facilitates the growth of the Government’s security capabilities from four perspectives: governance & organisation, process, technology and people.
The framework of information security management and incident response mentioned before helps manage the growing complexity of the security capabilities of the Government by clearly defining the roles and responsibilities of the OGCIO and various government departments. All departments need to observe the “Government IT Security Policy and Guidelines”, while the OGCIO regularly reviews and revises the policy and guidelines to keep abreast of the ever-changing cyberspace and advancement of technologies. To ensure the departments comply with the policy and guidelines, the OGCIO conducts a security audit for all departments every two years.
The OGCIO has developed a series of practice guides for government departments to address the security risks brought about by new technologies and emerging cyber threats. To tie in with the work-from-home arrangements for government staff in response to the epidemic, we have enriched the IT security guidelines to strengthen the requirements of securing remote access. Another practice guide on Internet of Things (IoT) Security was developed to provide comprehensive references and advice for departments to deploy IoT systems in various aspects, such as asset management, access control, physical and environmental security, communications security, etc.
Government departments are advised to adopt the “Privacy by Design” principle during the system design phase to avoid the excessive collection of personal data. Adoption of the “Security by Design” principle will also help ensure that security considerations are integrated into their systems during the design and implementation stages. The security policy, guidelines and practice guides also serve as good references for different organisations to develop their own IT security policy and guidelines.
From the technology perspective, the Government adopts multi-layered defence measures to protect websites and IT systems, including data encryption, firewalls, content delivery network, distributed denial of service (DDoS) scrubbing, intrusion detection and prevention systems, endpoint protection solutions, anti-spam filtering systems, real-time monitoring tools, etc. to detect, block and defend against cyber threats.
The latest work-from-home arrangements and IoT are blurring the conventional network perimeter. Organisations should consider deploying zero-trust architecture to protect their resources. According to the aforesaid data breach report, the average cost of a data breach with zero-trust architecture is $US1.76 million lower than that without zero-trust architecture deployed.
“Human is the weakest link in cyber security”, as is often quoted. The OGCIO strives to improve the human factor by various means.
Pun noted that the OGCIO encourages staff to pursue internationally recognised information security qualifications to strengthen their professional skills.
“We organise cyber security solution showcases, training courses and awareness seminars for government staff to keep abreast of the latest development in cyber security,” he said.
To enhance the awareness of phishing attacks among government staff, we have conducted two rounds of the Phishing Drill Campaign since 2019. We have observed a general improvement in staff’s awareness of phishing emails.
To build up staff’s capability in responding to incidents, externally GovCERT.HK actively participates in cyber security drills organised by the Asia Pacific Computer Emergency Response Team (APCERT), while internally GovCERT.HK conducts inter-departmental cyber security drills for government departments annually. The drills help paint a clearer picture of the potential problems one may encounter when dealing with an incident. They also help identify areas for improvements and streamline the incident response process.
The Government plays an active role in enhancing awareness of cyber security and nurturing talent among young people. The OGCIO collaborates with professional associations to deliver talks for schools to enhance students’ security awareness and digital etiquette. We also support various programmes including the Cyber Youth Programme organised by HKIRC, and the New Generation Capture the Flag Challenge organised by HKCERT. These programmes not only help enhance the problem-solving and cyber security skills of the younger generation but also raise their interest in pursuing a career in information security. Riding on the success of the programmes, HKCERT and HKIRC will continue to organise similar programmes this year to reach out to more youngsters.
Cyber-attacks have been on the rise and have become increasingly sophisticated in recent years. Organisations should formulate sustainable security policies and strategies, and implement them vigorously.