Hong Kong needs to strengthen its defences against cyberattacks if it is to ensure its position as a major international financial centre. Businesses need to do more to build resilience, develop expertise and keep up to date, and the city’s vibrant hacker community could help. George W. Russell reports.
Illustrations by Simone Altamura
The silence is as chilling as the air-conditioning in the conference room in Edinburgh Tower, part of the PricewaterhouseCoopers suite of offices in the Landmark complex in Central. How can 30 Hong Kong university students make no sounds? The answer is that they’re dedicated computer science majors huddled around their laptops.
They represent the University of Hong Kong, Hong Kong University of Science and Technology, Hong Kong Polytechnic University and Chinese University of Hong Kong. Just five are women and, despite the fierce blast of the air-con, only two wear hoodies. All are focused on a six-hour challenge set by PwC computer experts: the city’s first student hacking competition.
Their tasks included trying to exploit networks, probing web service vulnerabilities and using analytical thought processes. The contest, the brainchild of Kok Tin Gan, Cybersecurity Partner at PwC in Hong Kong, gives the firm a unique look at rising tech talent. “It helps us expand our horizons, build our talent pool and presents collaborative opportunities with institutions,” he says.
PwC is one of many organizations – including banks and regulators – looking to boost their technology practices in the wake of worsening computer security breaches across the world, including “ransomware” that freezes computers and extorts payment for the restoration of data.
Gan says recent cyberattacks have galvanized organizations across the region and his firm is eager to grab top tech talent to add to its 40-strong cybersecurity team in Hong Kong. “There’s a lot of gaps in the industry right now not just in PwC, but in clients and in regulators,” he says. “There is actually demand for these people in the market.”
Hong Kong’s position as an international financial centre makes it a high-risk location. Since January 2016, at least 12 companies licensed by the Securities and Futures Commission have reported cybersecurity incidents, causing losses of more than HK$110 million. In January, several securities brokers suffered distributed denial of service attacks, in which multiple machines target a website, freezing legitimate traffic.
As a result, authorities have taken measures to strengthen Hong Kong’s defences. In May, the SFC issued a consultation paper inviting comments on its latest proposals to reduce cyberattack risks on Internet trading. (The consultation ended on 7 July.)
This follows the Hong Kong Monetary Authority’s 2016 launch of its Cybersecurity Fortification Initiative, which introduced a risk assessment framework, an intelligence platform for financial institutions and a training programme to develop qualified professionals.
The tipping point for many in Hong Kong was the WannaCry ransomware attack that struck 150 countries in May. At least 25 local computer systems were affected, according to the Hong Kong Free Press. For Eva Kwok, Risk Advisory Partner at Deloitte China, a visit to her local medical clinic brought home the city’s vulnerability.
“One of the doctors says the entire clinic went back to manual procedures, filling in forms and taking records by hand,” she says. “Immediately the entire business process slowed down because of this cyberattack. So therefore the actual impact is very close to us now and everybody in Hong Kong has to address this new cybersecurity landscape.”
Given that information technology is often a responsibility of the chief financial officer and finance teams at companies in the Greater China region, Hong Kong Institute of CPAs members may well find themselves in the front lines of cyberwar.
“Cybersecurity is a shared responsibility across an organization,” says Alan Lee, Advisory Services Executive Director at EY and an Institute member. “The board needs to support the efforts being made, and every employee needs to learn how to stay out of trouble by not opening suspicious emails or losing mobile devices,” he says.
Lee says many Hong Kong organizations have learned to better defend and respond, moving from very basic measures and ad hoc solutions to sophisticated, robust and formal processes. He describes the optimal response as a combination of “sense, resist and react.”
“First, sharpen your senses,” Lee advises. “Can you see the cyber attacker approaching your perimeter? Second, upgrade your resistance. What if the attack was a new and more sophisticated technique? Third, what is the organization’s plan and what is your role in it? Are you going to focus on repairing damage or collecting evidence for law enforcement?”
One unique aspect of WannaCry – apart from its rapid propagation – was the recovery time for companies. “It was from three days to a week, which is a long time for a company’s systems to be down,” says David White, Cybersecurity and Information Governance Practice Group Leader at AlixPartners in New York.
“The event demonstrates the need for proper preparation and awareness,” he adds, suggesting employee training regarding phishing and malware; good security hygiene and controls; proper backup and disaster recovery planning; containment; and recovery execution planning.
One of the ongoing difficulties in countering cyberattacks is the new vulnerabilities introduced by emerging technologies, such as the sensor-driven Internet of Things, and by business changes such as corporate mergers and acquisitions, expansion into new geographies, new product development, and third-party relationships with suppliers and customers.
“The cybersecurity risk landscape is evolving rapidly,” says Greg Bell, Global Cybersecurity Practice Co-leader at KPMG in Atlanta. “Breaches are no longer a matter of if, but when and to what extent. [They] call for deeper – and perhaps very different – conversations in the boardroom today.”
One IoT challenge on the horizon arises from Hong Kong’s ambitious plan to become a “smart city.” In 2015, the government announced that the Kowloon East development – Kowloon Bay, Hung Hom and the old airport site at Kai Tak – would be included in the Smart City Development Blueprint. Last year, the Office of the Government Chief Information Officer commissioned PwC to conduct a study of the blueprint.
“There are a number of security challenges in smart cities and insecure hardware is one of the major concerns,” says Marin Ivezic, Enterprise Resilience, Cybersecurity and Privacy Partner at PwC. “Owing to the lack of standardization of IoT devices, the sensors are prone to hacking where the hacker might feed fake data, causing signal failures and system shutdown.”
In addition, the proliferation of IoT devices – as would be expected in a smart city – increases the attack surface. “Any connected device is vulnerable to being hacked and the number of potential entry points is multiplied in smart cities,” says Ivezic. “A simple software bug could have huge impact as smart cities will run on hundreds of systems and devices.”
An important deficiency in Hong Kong is the high level of pirated software – it is installed on about 41 percent of all computers, according to the Business Software Alliance. While lower than many other Asia Pacific jurisdictions, it is a relatively large proportion for a developed economy.
“The WannaCry ransomware exploited a vulnerability in pirated software, which does not receive security patches,” Ivezic observes. “‘Herd immunity’ is an indicator of risk, because 41 percent of computers in Hong Kong are vulnerable. They will get infected in similar attacks and they will start looking for others to infect.”
Kwok at Deloitte notes the need for authorities to offer guidance. “Companies may not have a systematic or pragmatic approach to tackle it. Organizations need to manage governance, people, processes and knowledge, so they get that resilience level rather than check-mark their compliance needs.”
Hong Kong needs to bolster cybersecurity if it is to become a leader in financial technology and other emerging disciplines, warns Hannah Cassidy, Partner at the Herbert Smith Freehills law firm who focuses on financial services regulation.
“Regulators need to encourage FinTech innovation and growth on one hand and ensure system and customer protection on the other,” she told a June conference organized by the Asia Securities Industry and Financial Markets Association, a regional securities industry lobby group.
Cassidy – who co-wrote ASIFMA’s FinTech best practice guidelines for regulators – is concerned that cybersecurity fears could overwhelm FinTech growth, particularly when high-profile attacks can already affect even the most critical and well-protected financial systems.
Ultimately, skilled people will be the core of Hong Kong’s cybersecurity defence strategy. The HKMA’s FinTech Facilitation Office launched a professional development programme in December 2016. “The structured training and certification programme is expected to be able to train and enlarge the pool of qualified cybersecurity professionals in Hong Kong,” says Howard Lee, the authority’s Senior Executive Director.
The HKMA initiative is aimed partly at updating and upgrading the skills of existing financial sector workers, but many employers will, like PwC, be looking at Hong Kong’s active hacker community for on-the-ground expertise.
“Testing the resilience of your systems is an integral part of any successful cybersecurity programme,” says White at AlixPartners. “This is impossible without properly trained and credentialed ‘ethical hackers’ or ‘white hats’ who approach the challenge from the very same perspective of malicious hackers.”
While many companies, including the Big Four accounting firms, have their own cybersecurity teams that deploy in-house hackers, few companies engage the resources of Hong Kong’s independent hacking community. “I would argue that they are very helpful,” says Ivezic at PwC, adding: “I don’t think we are using them in the best way.”
Ivezic points to WannaCry as an illustration of the benefits of independent computer security research. “One researcher, who almost by accident and with US$11 of investment, managed to activate the kill switch and significantly reduce the spread of WannaCry, is a good example of what independent researchers can achieve.”
Gan, his colleague, says the white-hat hackers, like undercover police officers, cannot admit their role among the city’s hacking community. “Hackers are lonely cybersecurity specialists,” he says. “You can’t just announce, ‘Hey I’m ethical,’ because they need to fight real hackers.”
Encouraging them in a chilly room in Central could be part of the answer to solving some of Hong Kong’s looming cybersecurity issues.
China passes new cybersecurity law
Breaches of China’s new cybersecurity law, which came into effect on 1 June, could carry penalties of up to 1 million yuan and leave violators open to criminal prosecution – but nobody yet really knows how the law can be broken.
The new legislation is designed to protect critical information infrastructure in public communications and information services, energy, finance, transportation, water conservation, public services and e-governance, according to an analysis by Henry Shek and his colleagues at KPMG China. Under the law, network providers must report any security breach or flaw to the government as well as take remedial action immediately and inform users.
“Individuals and organizations bear the responsibility for the use of their networks,” says Shek, the firm’s Technology Risk Advisory Partner and a member of the Hong Kong Institute of CPAs Information Technology Interest Group.
Companies will have to implement data protection measures, while sensitive data – for instance, information on Chinese citizens – must be stored within China. “This law has the potential to significantly change how businesses in China operate,” says Marin Ivezic, Enterprise Resilience, Cybersecurity and Privacy Partner at PwC Hong Kong.
In some cases, companies will need to undergo a security review before moving data out of China. “One of the biggest impacts is on trans-border data transfers,” says David White, Cybersecurity and Information Governance Practice Group Leader at AlixPartners in New York. “To comply, companies need to understand their data flows from creation or capture until final disposition.”
White says much of his work for clients has been helping companies understand and map data flows, and to operationalize their policies. “This includes not only those involved in daily operations, but also data transfers for legal and regulatory compliance.”
Some multinational corporations might have to completely redesign their data storage facilities. “Many MNCs with a regional scope have deployed cloud solutions,” points out Eva Kwok, Risk Advisory Partner at Deloitte China. “They will have to revisit the architecture to understand what should be sited where.”
The law follows a February draft guideline issued by the State Internet Information Office, which would require any governmental body or “key industry” to stop buying products and services that have not passed a SIIO cybersecurity review. “If the objective is to reduce risks of espionage and cyber warfare, guidelines like these would be quite effective,” says Ivezic.