
Keynote Speech by Mr. Stephen Mak, Deputy Government Chief Information Officer, at the (ISC)2 seminar on "SecureHongKong"
22 July 2008


Prof. (Jill) Slay, Chester, Ladies and Gentlemen,

Opening

Good morning!

For our overseas participants, a warm welcome to Hong Kong! I am very glad to see so many information security experts from all over the world here today, with such a packed programme covering such a wide range of topics. It is indeed my honour to have the opportunity to address you.

Defining risks and threats in today's environment

The main theme of today's seminar, "SecureHongKong", is on mitigating risk and threats in today's environment. Traditionally, branding a country or city as a 'safe place to live and do business' has certain connotations. With ubiquitous networks, advances in mobile and wireless technology, and the sheer growth in the use of the Internet, 'safe place' has indeed taken on a new meaning and many more dimensions of information security. These security dimensions include the physical, social, commercial and interpersonal aspects affecting our daily lives.

The explosive growth of the use of the Internet, and the underlying technologies and business models that support it, have given rise to risks that may lead to far more dire consequences if not handled properly and in a timely way. With the advent of Web 2.0, mobility of the workforce and exponential growth in searchable content, intended or otherwise, we are constantly under threats and risks that can cause havoc in the most untimely or disastrous way. Let me share a few examples.

Several months ago, a security flaw was found in a famous online social networking platform that made it possible to access private files that were supposed to be secure. Just earlier this month, a vulnerability was found in a popular mobile solution, such that a malicious user can cause arbitrary code to execute on the backend server. The American newspaper "USA Today" also estimated that more than 162 million records were lost or stolen in 2007 from companies and government agencies in the U.S., triple the figure of 49.7 million just a year before.

Mitigating risk and threats in today's environment

While these statistics or incidents may sound commonplace or remote, depending on your own position, it is generally recognized that we need to step up efforts to strengthen people's awareness and capability in mitigating the risk and threats in today's environment.

First of all, top management's attention and buy-in is important and they need to provide the steer and sponsorship for defining organisational policies, approving management framework and allocating resources to information security. They need to exercise the duty of care in the design of their products, services and staff management processes with a clear and sharp focus on information security issues.

In the past, identification of risks and threats and mitigation measures has largely been focusing on anti-virus systems to protect our desktop devices, a firewall or similar intrusion detection system to protect our network perimeters. Rapid advances in the downsizing and ubiquity of malware, however, have caused a re-think of the adequacy of these measures. I am pleased to observe that, at least in today's event, there is increasing awareness and interest in developing more holistic and robust solutions that handle information security in a more integrated way. At the technology level, I am also interested to know that solutions are being provided that make use of the public key infrastructure to encrypt sensitive, valuable data stored on electronic portable storage devices, and facilitate digital signing and encryption in electronic transactions and storage in a much more user-friendly way.

Besides spending effort to protect our valuable information assets against attack, we also need to plan for the worst. Business continuity plans need to be in place so that the organisation can be more prepared for combating any disruptions caused by security incidents. The last and the most important aspect is of course the people factor. Any well-implemented measures cannot have their full potential for success if staff are not aware of them and have not been trained up to use them properly.

On what we need to protect, while it may vary from place to place, it is quite common that the ICT infrastructure is getting more prominent and is treated as part of the critical infrastructure. This critical infrastructure may well include the physical carriers, the Internet exchanges, domain name servers and other peering facilities, sector-specific networks, and general purpose, consumer-level platforms. In protecting the critical infrastructure of a given economy, Government action alone is therefore usually not enough, because of the many combinations in which the parts of this infrastructure will interoperate. In this regard, topics that we shall cover today, such as Process Control Security (exemplified by SCADA) and Computer Emergency Response Centre (or CERC, exemplified by HKCERT) at the community level are very relevant.

Information Security is an ongoing process for everyone

Information Security is no longer a one-off or ad-hoc exercise in response to individual incidents. To build up and sustain the momentum in identifying and mitigating security risks and threats, professional education, people's awareness and compliance checking are very important. The HKSAR Government is keenly aware of these and corresponding long-term measures are being implemented.

As we develop and grow our information security talent pool, we need to have qualified professionals who can stay abreast of global and technological developments and apply them to the local situation. I am pleased to see that, in Hong Kong, already a number of institutions are providing certification for information security staff. One of the better known examples is the widely recognised Certified Information Systems Security Professional (CISSP) provided by (ISC)2. Government encourages such industry efforts in continually refining the relevant certification services and processes. I would also like to take this opportunity to express our appreciation to (ISC)2 for its continual support in the promotion of information security to the general community.

A million-dollar security system will be no more secure than a ten-dollar padlock if the user does not protect the keys properly. We see the need for ongoing efforts in making people aware of information security issues and their mitigation or management. The recent spate of data leakage incidents in the community has prompted us to consider the need to design a communication programme for all levels of staff in the Government. We expect this to be well worth the effort in the private sector, too.

While Government has established comprehensive policies, guidelines and procedures for ensuring information security, we believe compliance checking is still required to ensure these are effective and current. Apart from requiring all departments to undertake risk assessments, we have also introduced a centrally managed security audit mechanism in 2007 to independently assess the proper conduct of the security risk assessments and rectification measures.

Closing

Ladies and gentlemen, I will not load you with more Government measures, and I'm sure you are eager to get on with today's programme and discover the many ways to SecureHongKong.

I wish you a very informative and productive seminar. Thank you.

- END -


Last review date: 31 August 2008