
【Exclusive Interview】 Establish Cybersecurity Standards and Prevent Ruthless Hackers

Wen Wei Po


David Ip hopes the SAR government will draw on practices from mainland China and other regions to enact orderly legislation safeguarding critical infrastructure against cyberattacks. Photo by Huang Xue, Hong Kong Wen Wei Po


Professionals advocate referencing mainland China and refining compliance to prepare for safety emergencies

 

Cybersecurity is the cornerstone of social stability and a vital part of national security. The HKSAR Government is expected to submit the Cybersecurity (Critical Infrastructure) Bill to the Legislative Council in the second half of this year (2024), aiming to strengthen protection through legislation. Veteran cybersecurity expert David Ip, who has long promoted the alignment of Hong Kong and mainland cybersecurity and industry standards, said in a recent interview with Hong Kong Wen Wei Po that cyberattacks can cause damage of varying scales and should not be underestimated. However, Hong Kong has long lacked relevant regulations, leaving local companies with weak cybersecurity awareness and frequent incidents. He hopes the government will learn from the practices of the mainland and other regions, legislate in an orderly manner to protect critical infrastructure from hacker attacks, and tailor suitable cybersecurity guidelines and standards for different industries. This would allow members of society to carry out risk assessments, data audits, emergency responses, and attack defense drills, raising vigilance and preventing incidents to achieve maximum security. 


In recent years, Hong Kong has suffered repeated serious ransomware incidents. For example, Cyberport was hacked last year, resulting in the leakage of personal data of more than 13,000 employees and job seekers. Ip noted that services provided to citizens or customers, whether by government departments or private enterprises, rely heavily on the internet: booking public hospital appointments, purchasing airline tickets, and managing bank accounts are all available through mobile apps. Yet global cyber intrusions are becoming rampant, ranging from theft of personal privacy or property to disruptions of financial, power, and water systems. The consequences of neglecting cybersecurity are alarming.


“Cyberattacks are unlike traditional crimes such as robbery. Hackers have many ways to conceal themselves. Even experts in law enforcement often find it difficult to trace the source of intrusions. Solving such cases is extremely challenging,” he said. 


Ip pointed out that the mainland, Macau, and many other countries and regions already have well-developed laws and measures to safeguard cybersecurity. For example, governments in several mainland provinces and cities arrange ‘red teams’ to conduct penetration tests on major enterprises or institutions, simulating real-world hacker attacks. This requires organizations to identify vulnerabilities and defense methods, and if intrusions succeed, penalties such as fines may follow. Such training is highly effective in improving cybersecurity. “Just like gaming, if you want to be good, you must play a lot.” 


However, Hong Kong’s regulations have long lagged. “Although the financial sector has clear and rigorous cybersecurity guidelines set by the Monetary Authority, industries such as telecommunications and travel agencies, which handle large amounts of personal data, still lack strict guidelines and oversight. Without legal regulation, many Hong Kong companies have weak cybersecurity awareness, often making ‘basic mistakes’ such as employees clicking on hacker links, leading to serious intrusion incidents.” 

 


Companies earning billions spend only thousands on antivirus software


Ip bluntly stated that many Hong Kong companies, even those with annual revenues exceeding hundreds of millions, only consider return on investment when budgeting for data security. Some may spend just a few thousand dollars a year on antivirus software, a level of investment that is completely disproportionate to their operating scale, leaving countless vulnerabilities.


Amid U.S.–China tensions and complex geopolitical relations, Ip said some large Hong Kong enterprises have recently paid more attention to enhancing cybersecurity. For example, the Hong Kong China Network Security Association (HKCNSA) learned that some members engaged in large-scale property development projects have grown concerned about using European or American cybersecurity products in mainland projects, fearing the equipment might contain “backdoors.” Industry knowledge suggests such risks are possible, though difficult to prove. “To be safe, we usually advise avoiding certain countries’ products when handling sensitive departmental data or storage.” 


He stressed that enterprises and institutions in mainland Greater Bay Area cities generally use domestically produced cybersecurity products. In contrast, Hong Kong organizations often prefer European, American, or Israeli brands. He noted reports last year that a government department, in tender documents for server firewalls, specified that the firewalls must meet U.S. ICSA certification standards. Yet under the U.S.–China trade war, almost no mainland-made firewalls can obtain such certification, effectively excluding them from bidding. 

 


Hopes to establish standards that align with the mainland and connect globally 

 

“Cybersecurity standards vary worldwide. The HKCNSA has established an independent committee to gather stakeholder opinions and support the HKSAR Government in exploring and establishing a set of standards that can align with the mainland while connecting globally. Tailored guidelines for different industries would safeguard cybersecurity, facilitate coordinated development between Hong Kong and the mainland, and at the same time ensure that regulations do not hinder the operations of foreign enterprises or the innovation and technology sector in Hong Kong,” Ip said. 

 


 Source of Information 

This content is sourced from an exclusive interview by Wen Wei Po.

The above is translated based on the original article. If any part is inconsistent with the original meaning or requires amendment, please contact the Association. 

 

Hong Kong China Network Security Association
