The Telecommunications Network Security Committee of the Hong Kong China Network Security Association (HKCNSA) has been closely monitoring the escalating global risks of network attacks. The Hong Kong Special Administrative Region (HKSAR) government plans to establish a legal framework for the Network Security (Critical Infrastructure) Bill within this year. Our committee offers the following preliminary recommendations:
1) Necessity of Network Security Legislation: We firmly believe that enacting network security laws is essential. In recent years, cybercrime cases have proliferated, and their severity has increased. Existing legal provisions often fall short in effectively combating such crimes. As an international metropolis, Hong Kong requires comprehensive legal statutes and industry standards to adequately safeguard its critical infrastructure. Furthermore, considering that other developed countries and neighboring regions have already implemented relevant network security laws, the urgency and necessity for Hong Kong to enact such legislation are further underscored.
2) Setting Standards for Critical Infrastructure: We recommend that the Network Security (Critical Infrastructure) Bill establish standards necessary to meet network security requirements for critical infrastructure. This will enable relevant organizations to adequately prepare and adhere to reasonable network security standards. Currently, apart from specific regulated industries, Hong Kong does not mandate that companies meet specific network security standards. This situation places an asymmetric burden on network security professionals in the event of security incidents. Regarding the formulation of industry standards, we suggest referencing existing standards both domestically and internationally, as well as those applicable to specific regulated industries in Hong Kong. We believe this approach will facilitate successful compliance within the industry.
3) Balancing International and Domestic Standards: Hong Kong’s network security industry tends to align with international standards. We have achieved a certain level of expertise and technology in talent development. It is crucial to leverage these capabilities. Given the rapid technological advancements globally, Hong Kong should actively embrace cutting-edge technologies rather than remaining stagnant. We also believe that integrating both Eastern and Western approaches will be a unique advantage for Hong Kong’s talent pool.
4) Legal Responsibility and Professional Certification: Regarding legal accountability, our committee believes that institutional entities should bear responsibility. Past major network security incidents often trace back to senior management’s lack of awareness of the importance of network security or their negligence in investing in it. While network security professionals also share some responsibility, establishing a legally competent professional certification for institutions is a long-term solution. Network security practitioners should obtain recognition to serve as the highest responsible personnel (such as Chief Information Security Officers, CISOs) within organizations. If their professional competence is found lacking, they should be disqualified from holding such positions for a specified period.
5) Collaboration with Industry Regulators: Given that specific requirements for network security in Hong Kong’s critical infrastructure (including energy, communications, transportation, financial institutions, etc.) are mostly set by industry regulators based on the risk levels faced by each sector, we recommend that the government enhance communication and cooperation with various industry regulators during the consultation process for the Network Security (Critical Infrastructure) Bill. Understanding existing industry regulatory measures related to network security, especially in well-regulated sectors, will prevent unnecessary duplication of oversight and excessive compliance costs for infrastructure operators.
Additionally, the Cybersecurity Evaluation Committee of HKCNSA offers the following opinions:
1) Minimum Security Standards: We recommend combining overseas and domestic standards for network security. Simultaneously, reference existing industry standards, such as the Hong Kong Monetary Authority’s Control, Rating, and Audit Framework (CRAF). The ultimate minimum standards should balance essential security requirements while minimizing redundant security audit efforts for future modifications and educational initiatives.
2) Enhancing Defense Capabilities: To bolster critical infrastructure’s ability to defend against cyberattacks, we propose not only strengthening routine network assessments and red-blue team exercises but also providing more support for the development of local white-hat vulnerability detection services in Hong Kong. Regularly offering vulnerability testing services to critical infrastructure or relevant organizations will enhance security, improve incident detection capabilities, and continuously elevate local network security professionals’ skills and awareness.