For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE. Cyber Security



Similar documents
Legislative Council Panel on Information Technology and Broadcasting. Information Security

立 法 會 Legislative Council

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Legislative Council Panel on Information Technology and Broadcasting. Hacking and Virus Activities and Preventive Measures

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Information Security Seminar 2013

Cyber Security Threats and Countermeasures

Information Security Summit 2005

Global Cybersecurity Index Good Practices

2 Gabi Siboni, 1 Senior Research Fellow and Director,

National Cyber Security Policy -2013

Infocomm Security Masterplan 2

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September Co-Chair s Summary Report

CYBER SECURITY GUIDANCE

Control Systems Security: Australian Government Activities. Dr. Jason Smith Asst. Director, Operations CERT Australia Attorney-General s Department

The UK cyber security strategy: Landscape review. Cross-government

REPUBLIC OF MAURITIUS NATIONAL CYBER SECURITY STRATEGY

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

The Office of the Government Chief Information Officer INFORMATION SECURITY INCIDENT HANDLING GUIDELINES [G54]

Commonwealth Approach to Cybergovernance and Cybersecurity. By the Commonwealth Telecommunications Organisation

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

CYBER SECURITY LEGISLATION AND POLICY INITIATIVES - UGANDA CASE

ASEAN s Cooperation on Cybersecurity and against Cybercrime

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Cyber Security & Role of CERT-In. Dr. Gulshan Rai Director General, CERT-IN Govt. of India grai@mit.gov.in

Security and Prosperity Steering Group Draft Report

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

A Guide to the Cyber Essentials Scheme

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Submission of the.au Domain Administration Ltd (auda) to the Australian Government's Cyber Security Review

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION

1. This report outlines the Force s current position in relation to the Policing of Cyber Crime.

Trends and Tactics in Cyber- Terrorism

Hong Kong Internet Registration Corporation Limited

Critical Infrastructure Security and Resilience

Written Statement of Richard Dewey Executive Vice President New York Independent System Operator

Cyberspace Situational Awarness in National Security System

Middle Class Economics: Cybersecurity Updated August 7, 2015

Preventing and Defending Against Cyber Attacks November 2010

CAPACITY BUILDING TO STRENGTHEN CYBERSECURITY. Sazali Sukardi Vice President Research CyberSecurity Malaysia

NEW ZEALAND S CYBER SECURITY STRATEGY

Standing Council on Police and Emergency Management

DHS, National Cyber Security Division Overview

National Cyber Threat Information Sharing. System Strengthening Study

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies:

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

NSW Government Digital Information Security Policy

U.S. Cyber Security Readiness

IT Security. Securing Your Business Investments

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Making our Cyber Space Safe

Cybersecurity Strategy in Japan

The Policy Approaches to Strengthen Cyber Security in the Financial Sector (Summary) July 2, 2015 Financial Services Agency

GOVERNMENT OF THE REPUBLIC OF LITHUANIA

Korea s s Approach to Network Security

Executive Director Centre for Cyber Victim Counselling /

HKCS RESPONSE COMMONLY ACCEPTED AUDIT OR ASSESSMENT MECHANISM TO CERTIFY INFORMATION SECURITY STANDARDS

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

CYBER SECURITY STRATEGY AN OVERVIEW

Working Party on Information Security and Privacy

CYBER LIABILITY RISKS SEMINAR Programme overview. THURSDAY 1 OCTOBER am 1.00pm Green Park Conference Centre, Reading

Business Plan 2012/13

Department of Homeland Security Federal Government Offerings, Products, and Services

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

Pacific Islands Telecommunications Association

National Cyber Security Strategies

Cyber Security solutions

For Discussion Paper No. 11/2012 on 22 November DIGITAL 21 STRATEGY ADVISORY COMMITTEE International IT Fest 2013

Council Conclusions on a Concerted Work Strategy and Practical Measures Against Cybercrime

Cyber Security Operations Centre Reveal Their Secrets - Protect Our Own Defence Signals Directorate

SUMMARY OF THE ESTONIAN INFORMATION SYSTEM S AUTHORITY ON ENSURING CYBER SECURITY IN 2012

ISOO Notice : Update on Recent Cyber Incidents at OPM

Cybersecurity Strategy of the Republic of Cyprus

National Cyber Security Strategy of Afghanistan (NCSA)

Legislative Language

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

Viewpoint: Implementing Japan s New Cyber Security Strategy*

Department of Homeland Security

Major IT projects currently undertaken by Bureaux/Departments (B/Ds) with project details and staff deployment

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

Cyber security in an organization-transcending way

ESTABLISHING A NATIONAL CYBERSECURITY SYSTEM IN THE CONTEXT OF NATIONAL SECURITY AND DEFENCE SECTOR REFORM

NSW Government Digital Information Security Policy

Cyber security Indian perspective & Collaboration With EU

Thirteenth Meeting of Guangdong/Hong Kong Expert Group on the Protection of Intellectual Property Rights (IPRs)

Safety by trust: British model of cyber security. David Wallace, First Secretary, Head of of the Policy Delivery Group British Embassy in Warsaw

ISO27001 Controls and Objectives

Cyber Security. A professional qualification awarded in association with University of Manchester Business School

Of Citadels And Sentinels: State. Tim Legrand and Jeff Malone

An Overview of Large US Military Cybersecurity Organizations

SENATE STANDING COMMITTEE ON LEGAL AND CONSTITUTIONAL AFFAIRS AUSTRALIAN FEDERAL POLICE. Question No. 100

CyberSecurity Solutions. Delivering

Cyber-safety for Senior Australians. Inquiry Submission

Transcription:

For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE Cyber Security Purpose This paper briefs Members on the global cyber security outlook facing governments of some countries and their strategy and efforts in addressing cyber security challenges. It also briefs Members on the cyber security posture in Hong Kong as compared to these countries. Background 2. Like other countries and economies, the Government, businesses and citizens in Hong Kong rely heavily on information and communications technology (ICT) and the Internet in their business operations and daily lives. At the same time, cyber criminals or malicious attackers are also employing advanced technologies to carry out illegal or illicit activities. The cyber space, which comprises the telecommunications infrastructure, critical information infrastructure and systems, becomes a domain that should be better protected for public security and economic prosperity. Global Cyber Security Outlook 3. Cyber crime, or computer crime, in general refers to any crime in the cyber space that involves a computer and a network. Various statistics on cyber crime show a rising trend. For example, the number of measured web-based attacks in the world increased by - 1 -

93% in 2010 compared to 2009 1. The number of malicious websites increased by 111.4% from 2009 to 2010 2. According to the Hong Kong Police Force (HKPF), 391 online business fraud cases were reported in the first half of 2011, representing an increase of 33% as compared with the same period the year before. 4. Cyber attack refers to a form of cyber crime using special software to cause the malfunctioning of targeted computer systems or networks resulting in information leakage, identity theft and/or disrupted businesses or services. A notable example was a series of cyber attacks targeting Estonia in 2007 which swamped websites of Estonian organisations, including the Estonian parliament, banks, ministries, newspapers and broadcasters. As a result, the public services in Estonia were affected for a few weeks. Cyber Security Strategy 5. A number of countries or economies have formulated their cyber security strategy and are taking positive actions to respond to the cyber security threats. While different countries/economies are having different strategies and adopting different measures in tacking cyber security challenges, there are six common aspects that they have been pursuing. These include National Cyber Security Organisational Framework, Critical Infrastructure Protection, Legislation on Cyber Crime, Computer Emergency Response Team, Awareness Promotion for the Public and Capability Development. In the Annex, we have made a brief comparison of Hong Kong among several countries including Australia, Japan, the U.K. and the U.S. with reference to each of these individual aspects. 1 investor.symantec.com/ko/kr/phoenix.zhtml?c=89422&p=irol-newsarticle&id=1546585 2 http://www.websense.com/content/threat-report-2010-web-security.aspx - 2 -

Cyber Security Posture of Hong Kong and Countries under Study (a) National Cyber Security Organisational Framework 6. Some countries, such as the U.S. and the U.K., have established a special government agency or office with direct roles and responsibilities on cyber security. In the U.S., the Department of Homeland Security (DHS) plays an important role in countering cyber security threats. In the U.K., the Office of Cyber Security & Information Assurance (OCSIA) provides strategic direction and coordinates action relating to enhancing cyber security and information assurance. 7. The cyber security organisational framework and strategy in a country are developed according to their specific environment, culture and individual requirements. In some cases, the cyber security organisational framework and strategy are pitched at the national security level, with strong military and defense emphasis. For example, the U.S. Government has placed cyber security threats on equal footing with military and economic threats. Under Japan s National Defense Program Guidelines for FY 2011 and beyond, the country will strengthen its posture and response capability to deal with cyber attacks. 8. In Hong Kong, the national and military angles are clearly not applicable. The Security Bureau (SB) and the Office of the Government Chief Information Officer (OGCIO) provide guidance and advice to bureaux and departments (B/Ds) on information security. SB and OGCIO work closely to keep surveillance on any emerging cyber security threats, examine and tackle cyber security issues and continue to introduce additional measures to strengthen our cyber security posture. (b) Critical Infrastructure Protection 9. The definition of critical infrastructure varies amongst the economies studied. In general, it refers to those infrastructures - 3 -

which when incapacitated or destructed would have a debilitating impact on the economy s security and socio-economic well-being. All the economies under study recognise the importance of public-private partnerships in critical infrastructure protection. Such partnerships may be government-led, private sector-led, or joint initiatives. A major challenge is to strike a proper balance between security requirements and business efficiency imperatives. While governments often put emphasis on the risks brought about by cyber crimes, the private sector running the infrastructure may consider measures to mitigate such risks as a financial burden in operating costs. 10. In Hong Kong, the critical infrastructures are either owned by the Government or under the governance of respective regulatory mechanisms. Since regulatory bodies are the domain experts of their respective regulated sectors, it would be most effective and appropriate for them to determine the extent of the regulatory measures including those in relation to information security and cyber threats. On the protection of the local Internet infrastructure, the OGCIO set up the Internet Infrastructure Liaison Group 3 (IILG) in 2005 to provide a platform for communication and exchanges on issues concerning the stability, security, availability and resilience of the local Internet infrastructure. The IILG collaborates among the relevant stakeholders during major events or situations with emerging information security threats. The HKPF and the OGCIO stand ready to render advice and assistance to B/Ds as and when necessary on information security enhancement measures for regulated bodies/sectors under their purview. (c) Legislation on Cyber Crime 11. In the economies studied, it is often the case that cyber crimes are considered adequately dealt with under existing legislation albeit with some necessary modifications in their language and terms, particularly relating to their scope of application 3 The IILG comprises members from Hong Kong Internet Exchange, Hong Kong Internet Registration Corp. Ltd., Hong Kong Internet Service Providers Association, Hong Kong Computer Emergency Response Team Coordination Centre, Office of the Telecommunications Authority, HKPF and OGCIO. - 4 -

as determined by their definition and interpretation. For example, in the U.S., the Homeland Security Act 2002 was enacted with a purpose related to cyber security. It also led to the establishment of the DHS and other security provisions. 12. Hong Kong does not have a targeted piece of legislation to counter cyber crimes. Most of the existing legislation is technology neutral and can apply equally to activities in a cyber environment. Relevant ordinances are reviewed and amended as necessary from time to time to take account of the changing environment. (d) Computer Emergency Response Team 13. The economies under study have established Computer Emergency Response Team (CERT) services such as warnings, alerts and assistance in resolving security incidents to the public sector. CERT usually plays an active role in drill exercises that simulate cyber security events and attacks. For example, the United States-Computer Emergency Readiness Team (US-CERT) participates in the Cyber Storm drill hosted by the DHS. The Asia Pacific Computer Emergency Response Team (APCERT) has been conducting annual drills since 2004 to test the timeliness and response capability of its members. 14. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), operated by the Hong Kong Productivity Council (HKPC), plays a key role in the protection of the local cyber environment. One of the core functions of HKCERT is to serve as a focal point in Hong Kong for computer security incident reporting and response. HKCERT also provides assistance to the community in the protection against computer security threats, in the prevention of hacking attacks and in recovery actions for computer security incidents. The OGCIO and HKPC jointly review and enhance the service of HKCERT according to cyber security trends and public needs from time to time. 15. The HKCERT has also organised local information security - 5 -

incident response drills annually since 2009, to ascertain the responsiveness by local key Internet stakeholders against cyber attacks. Through the exercise the participants can gain experience on how to respond to emergency conditions and the organiser can gain insights on how to coordinate and improve communication amongst the stakeholders during major incidents. HKCERT also participated in some of the APCERT drill exercises 4. (e) Awareness Promotion for the Public 16. Just as governments must be aware of the potential for a cyber attack to occur, businesses and individuals must also take steps to protect their computer and information assets from cyber attacks. All of the economies under study have set up public websites providing information security related information for reference by the community. They also have established annual awareness promotion programmes for the public. 17. In Hong Kong, the OGCIO has set up the INFOSEC website (www.infosec.gov.hk) in 2002 to provide a one-stop portal facilitating the public to access various information security related resources and updates. To raise public awareness on information security and strengthen the protection of their computer and information assets from cyber attacks, the OGCIO, HKPF and HKCERT have jointly organised an annual promotion campaign Hong Kong Clean PC Day 5 since 2005. The theme of the 2011 campaign is Mobile Security with a variety of activities including public seminars, stakeholders symposium, contests, and school visits which are being conducted throughout the year. (f) Capability Development 18. There are various security certifications that organisations can seek to demonstrate their compliance to internationally 4 The APCERT drill 2011, with the theme "Critical Infrastructure Protection", was held in February 2011 and participated by 15 economies including Australia, India, Japan, Korea, the Mainland of China, Malaysia, Singapore and Hong Kong. 5 The campaign in the brand name of Hong Kong Clean PC Day will be renamed tentatively to Build a Secure Cyber Space starting from 2012 in light of the evolving nature of security threats. - 6 -

recognised security standards. For example, ISO-27001 of the International Organisation for Standardisation (ISO) is the formal international standard against which organisations may seek independent certification of their information security management systems. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System, using a continual improvement approach. Many countries around the world have adopted ISO-27001 as their framework for devising information security measures. Japan, being the most aggressive, has used ISO-27001 as a basic requirement for public contracts with IT systems. For individuals, there are professional security certifications, such as Certified Information Systems Security Professional (CISSP) of International Information Systems Security Certification Consortium, Inc. and Certified Information Systems Auditor (CISA) of Information Systems Audit and Control Association. 19. In Hong Kong, there are 32 organisations certified with ISO-27001 6 as at September 2011. For individuals, the Continuing Education Fund administered by the Student Financial Assistance Agency provides subsidy for relevant courses leading to certification (including CISSP and CISA). There are a number of local organisations or global organisations with Hong Kong chapters formed to promote technical, security and ethical standards in the IT industry. They organise various security seminars and conferences throughout the year for boosting local capability. In the Government, we promote the adoption of high security standards and take the lead to require IT outsourcing contractor staff to possess relevant security certifications and qualifications. We also give strong support to our staff (e.g. examination fees refund) in seeking these security certifications and qualifications. We will continue to encourage business organisations and IT professionals to acquire security certifications and qualifications and support organising local security events so as to develop our overall capability in addressing cyber security threats. 6 www.iso27001certificates.com/register%20search.htm. Government departments include HKPF and Customs and Excise Department have some organisational functions obtained the certification. - 7 -

Conclusion 20. Cyber crime and attacks are threats to our public security and economic prosperity. We will continue to keep surveillance on any emerging cyber security threats and consider additional measures to strengthen our cyber security posture. Advice Sought 21. Members are invited to note the contents of this paper and provide their comments. Office of the Government Chief Information Officer Commerce and Economic Development Bureau November 2011-8 -

Annex Comparison of Cyber Security Aspects among Different Economies Cyber Security Australia Japan U.K. U.S. Hong Kong Aspects 1. National cyber security organisational framework The Attorney-General s Department is the lead agency for cyber security policy across the Australian Government. It chairs the Cyber Security Policy and Coordination Committee, which is the interdepartmental committee that coordinates the development of cyber security policy for the Australian Government. The Information Security Policy Council (ISPC), established under the Cabinet Secretariat in 2005, sets basic strategies for information security policy. The ISPC comprises the National Public Safety Commission chairman, the defense minister and private-sector experts. The Office of Cyber Security and Information Assurance (OCSIA) was established in the Cabinet Office in 2009. The OCSIA has overall ownership of the cyber security strategy and provides strategic leadership across government for cyber security issues. The Department of Homeland Security (DHS) has the leading role in critical infrastructure protection and cyber security. In 2009, the U.S. President appointed a cyber security coordinator to coordinate cyber security policy across the federal government, from the military to civilian agencies. National organisational framework is not applicable. Security Bureau (SB) and Office of the Government Chief Information Officer (OGCIO) provides guidance and advice to bureaux and departments (B/Ds) on information security. - 9 -

Cyber Security Aspects 2. Critical infrastructure protection (CIP) Australia Japan U.K. U.S. Hong Kong The CIP Program was Action Plan on The Centre for the Homeland Security On the protection of created in 2003. Its Information Security Protection of Presidential Directive the Internet primary focus is to Measures for Critical National 7, which was issued in infrastructure, the share information and Infrastructures was Infrastructure December 2003, Internet Infrastructure best practice with the published by the ISPC (CPNI), set up in identified 17 critical Liaison Group (IILG) owners and operators in 2005 and revised in 2007, is the agency infrastructures and was set up in 2005 to of critical 2009. charged with key resources. The provide a platform for infrastructure, The Plan includes providing advice to National Infrastructure communication and strengthen and definitions of critical any entity within Protection Plan exchanges on issues improve their security infrastructure the U.K. that owns (NIPP) issued by the concerning the measures and help elements and threats, or operates services DHS in June 2006 stability, security, achieve better risk safety standards for or property critical provides an overall availability and management. information security, to commerce, framework for resilience of the local information-sharing public health or existing and future Internet infrastructure. systems in security. programs and public-private activities for the partnerships (PPP), protection of critical interdependency infrastructures and analyses, and key resources. development of various mechanisms. - 10 -

Cyber Security Aspects 3. Legislation on cyber crime Australia Japan U.K. U.S. Hong Kong The Cybercrime Act The Unauthorised The main cyber The Homeland Hong Kong does not 2001 - An Act to Computer Access Law crime law is the Security Act of 2002 have a targeted piece amend the law relating No. 128 of 1999 Computer Misuse is the foundation for of legislation to to computer offences, prohibits acts of Act, which many other initiatives counter cyber crimes. and for other purposes. unauthorised includes offences including the setting In June 2011, the computer access of unauthorised up of the Department Australian (Article 3) as well as access to computer of Homeland Security, Government acts that facilitate material and of the Critical introduced cyber crime unauthorised unauthorised Infrastructure legislation to the computer access modification of Information Act of Parliament to combat (Article 4). computer material. 2002, and the Cyber global cyber attacks. The Act was Security Enhancement amended in 2008. Act of 2002. - 11 -

Cyber Security Aspects 4. Computer Emergency Response Team (CERT) Australia Japan U.K. U.S. Hong Kong CERT Australia is the JPCERT/CC was The GovCertUK US-CERT is HKCERT serves as a national coordination established in 1992. provides warnings, responsible for focal point for point for the provision The center has been alerts and analysing and computer security of cyber security gathering information assistance in reducing cyber threats incident reporting and information and advice on computer incidents resolving serious and vulnerabilities, response. It provides for the Australian and vulnerabilities, IT incidents for the disseminating cyber assistance to the community. CERT issuing security alerts public. threat warning community in the Australia provides and advisories, and information, and protection against their citizens with providing incident coordinating incident computer security access to information responses as well as response activities. threats, in the on cyber threats and education and training US-CERT has prevention of hacking vulnerabilities, and to raise awareness of participated in the attacks and in information on how to security issues. Cyber Storm drill recovery actions for better protect JPCERT/CC has hosted by the DHS. computer security themselves. CERT participated in the incidents. HKCERT Australia has APCERT drill. participated in some participated in the of the APCERT drill APCERT (CERTs in exercises. Asia Pacific) drill. - 12 -

Cyber Security Aspects 5. Awareness promotion for the public Australia Japan U.K. U.S. Hong Kong National Cyber Information Security Get Safe Online Since 2004, October OGCIO, HKPF and Security Awareness Month campaign has Week will be held has been designated HKCERT jointly Week is held each been held since 2010. in the 2 nd week in National Cyber collaborate with the IT year in partnership Events on information November 2011. Security Awareness industry to promote with industry and security, such as The Cabinet Office Month. security awareness to community seminars, were held supports raising the public. Since organisations. It aims nationwide by related awareness of cyber DHS hosted a website 2005, the Hong Kong to educate home and government agencies security through a www.dhs.gov/files/c Clean PC Day small business users on and corporations. partnership ybersecurity.shtm campaign is arranged the simple steps they programme with where citizens can annually with a can take to protect www.npa.go.jp/cyber the private sector access cyber security particular theme. their personal and police/english is an as well as law tips, identify Internet financial information Internet Security enforcement hoaxes, protect The one-stop portal online. Portal Site which agencies. Get Safe themselves online, and www.infosec.gov.hk provides information Online website learn how privacy provides latest news www.staysmartonline. gathered by the police www.getsafeonlin protections are and up-to-date gov.au is a website on information e.org provides integrated into cyber reference on for cyber security security to Internet security security activities. information security information for users, and aims at information for matters for reference Australian home users increasing security citizens and by the public. and small businesses. awareness. businesses. - 13 -

Cyber Security Aspects 6. Capability development Australia Japan U.K. U.S. Hong Kong Australia has obtained Japan has 3,862 477 U.K. ISO-27001 There are 32 29 ISO-27001 ISO-27001 certificates companies have certification in the organisations certified certifications. (out of a worldwide achieved U.S. is gradually with ISO-27001. For total of 7,346). This is ISO-27001 increasing due to individuals, subsidy is due to the fact that the certification so far. commercial desire to provided for relevant Japanese Ministry of meet the expectations courses leading to Economy, Trade and of stakeholders. The certification Industry (METI) number increased (including Certified mandates that from 69 in 2006 to Information Systems companies that do 101 at present. Security Professional business with the and Certified Japanese government Information Systems need to be ISO-27001 Auditor) under the certified. Continuing Education Fund. - 14 -

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information