Is Hong Kong safe from Advanced Persistent Threats?

My past week has been dominated by Hong Kong’s 13th Info-Security Conference on Tuesday and Wednesday and interviews with the Special Administrative Region’s CIO Daniel Lai and high-profile IT legislator Samson Tam.

What I found out about the SAR is that when it comes to cyber security, many of the same key trends and themes discussed the world over are present here – perhaps with one notable exception, state-sponsored, APT-based cyber espionage.

Backtracking slightly, Tam is a Legislative Councillor for the functional constituency of Information Technology, which means in practice that he is not one of Hong Kong’s elected leg councillors but that he does know what he is talking about, having been chosen for the role based on his experience in the tech biz.

As in the UK, various political hot potatoes include digital copyright – the Copyright (Amendment) Bill 2011 is currently being considered – data breach notification laws – also being considered – and more funding for the region’s high-tech crime unit.

If anything, Hong Kong is a little way behind the UK and US in terms of the maturity of its cyber crime and digital copyright laws, and has only recently decided to plough more resources into IT, with the launch of a Technology and Communications Bureau.

What I’m wondering, though, is whether Hong Kong organisations – public and private – are at risk from quite the same threats as their counterparts in the UK.

There could be an argument for saying – as I alluded to in my last post – that to an extent Hong Kong institutions and enterprises are shielded from the kind of state-sponsored, or at least sanctioned, attacks which have caused so many problems for Western organisations because they are technically part of China.

In the past six months, the only major security incident that has really made the headlines here has been a DoS attack on the Hong Kong Stock Exchange. Now either I’m not paying enough attention, the English language media isn’t interested, firms are not reporting such incidents, or there are indeed fewer to report.

Not so, said Tam, who claimed that HK has its fair share of problems to deal with, although interestingly he said most attacks came from “smaller countries with looser local controls”, and he played up the importance of cross-border police co-operation to combat such attacks.

“These attacks are mainly financially focused because Hong Kong is a small region which doesn’t have many political, cultural or religious tensions,” he added. Read into that what you will.

Earlier at the conference, Lai explained to me that his department – the Office of the Government CIO – works closely with the Hong Kong CERT to develop policy and best practice, but he was more vague on the nature of the threat landscape.

“We don’t really see espionage as such – it’s difficult sometimes to guess a hacker’s motives. Awareness raising and diligence are key,” he added.

I’m hoping to speak to the HK CERT next week so I may have more insight into this space then, but even if there was a degree of protection offered to the region when it comes to state-sponsored cyber espionage attacks, multinationals in Hong Kong and China certainly can’t afford to let their guard down.

Ian Christofis of Verizon and the Cloud Security Alliance argued at the event that China-based multinationals are increasingly under threat from IP theft thanks to malicious insiders. Perhaps looking at the whole scenario as China vs the rest of the world is overly simplistic.

