The Security Bureau of the Hong Kong government revealed the details of the long-awaited proposed Protection of Critical Infrastructure (Computer System) Bill in a paper that it submitted to the Legislative Council in early July. Given the escalating global risks of cyberattacks, including ransomware in particular, it is arguably reasonable for the government to take measures to enhance the preparedness of the territory’s critical infrastructure.
However, this is not to say that the cybersecurity of critical infrastructure has been ignored in Hong Kong up until now. The Internet Infrastructure Liaison Group was set up by the Office of the Government Information Officer in March 2005 to coordinate with internet infrastructure stakeholders to share threat information, coordinate rapid response and perform contingency planning. The Cyber Security Centre under the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force conducts cyber threat audits and analyses to prevent and detect cyberattacks and cybercrimes against critical infrastructure in the sectors of government, banking, finance, transportation, communications and public utilities.
But these government-led measures, while welcomed and supported by industry, lack statutory power. That is what the newly proposed legislation aims to introduce. Yet, the first questions that the government should answer must be what deficiencies are observed in the current regime, and why such statutory requirements are now deemed necessary. Why is a centralized regulatory approach, as proposed now, better than a sectoral regime?
What is in the New Law?
Citing precedents in many other jurisdictions, from Mainland China and Macau to Singapore and a number of Western countries, the new law will seek to regulate critical infrastructure operators (CIOs), which are responsible for “continuous delivery of essential services” and “maintaining important societal and economic activities” in Hong Kong, and to make them responsible for securing their critical computer systems (CCSs). A Commissioner’s Office will be set up under and within the Security Bureau to enforce the new law. Obligations for these CIOs under the new law will fall under three categories:
- Organizational: including maintenance of a Hong Kong presence, and establishing a dedicated unit to manage the security of its computer systems and follow up with the directions of the Commissioner’s Office.
- Preventive: keeping the Commissioner’s Office informed on the changes or updates to CCSs operated by the CIOs, “including those changes to design, configuration, security, operation, etc.,” submitting a “computer system security management plan,” conducting security risk assessments and independent audits, etc.
- Incident reporting and response: formulating and submitting an emergency response plan, participating in drills organized by the Commissioner’s Office, and notifying the Office of any security incidents by a specified time frame.
Failure by CIOs to comply with any of these obligations will make their respective organizations liable for fines, but not their individual officers. The fines range from HK$500,000 to HK$5 million ($64,000 to $640,000).
However, a number of questions naturally arise from an examination of the details released so far.
Why “Information Technology”?
First, who will be regulated? The government states that operators subject to the law will be “mostly” large organizations, and not small and medium enterprises. Those that operate infrastructure for delivering essential services, Category 1, seem obvious at first glance, falling into eight sectors of essential services: energy; information technology; banking and financial services; land transport; air transport; maritime; healthcare services; and communications and broadcasting. But, it should be noted, while most of these sectors are relatively well-defined and often regulated and licensed under various regulatory jurisdictions, one of them is not so well-defined — what is really meant by “information technology” (IT)?
Since communications (or telecommunications) operators, which are licensed by the Communications Authority, already fall under the last sector of “communications and broadcasting,” what are the other “information technology” firms that provide essential services in Hong Kong? The paper clearly mentions that third-party service providers to the CIOs are not themselves regulated under the proposed law, with the CIOs themselves bearing the responsibility to ensure compliance. That seems to imply that common IT service providers such as vendors, system integrators, and even data centers and cloud service providers, are not among the “IT” companies that will be regulated by this law. Who, then, are they? Are they, for example, the .hk domain name registry (the Hong Kong Internet Registration Corporation), or the Hong Kong Internet Exchange?
On the other hand, will social media or popular messaging platforms, such as Facebook, YouTube, WhatsApp, WeChat, and the like be deemed to be providing essential “information technology” services, because millions of people in Hong Kong use their apps? This is unlikely. However, the Commissioner’s Office retains the sole power to “ascertain whether an organization should be designated as a CIO,” and whether its computer systems should be designated as a “CCS.” But the names of those CIOs covered by the new law will not be made public, out of a fear of their “becoming targets of terror attacks.” In fact, other than the more obvious sectors in Category 1, there is also a vaguely defined Category 2, which includes “other infrastructures for maintaining important societal and economic activities,” such as “major sports and performance venues, research and development parks,” whose “damage, loss of functionality, or data leakage may have serious implications on important societal and economic activities in Hong Kong.”
Such broad and vague arrangements may make companies in some sectors, including information technology, worry whether or not they may be suddenly made subject to the responsibility and liability under this law, and may not be conducive to supporting Hong Kong’s supposedly clear and well-defined operating environment for all businesses.
Downplaying the Privacy Regulator?
Second, the critical infrastructure regulatory regime may risk overlapping with parts of the regulatory power currently under the Privacy Commissioner for Personal Data (PCPD). Among the critical infrastructure incidents cited in the paper, “data leakage” is mentioned frequently. Although the paper spells out rather clearly that the proposed legislation will “in no way” involve the personal data in these critical computer systems, the fact remains that when an incident occurs at a CIO and it involves personal data leakage, who should the company call? Apparently, both the new Commissioner’s Office and the PCPD. Who can investigate the incident and issue directives to correct the situation with regard to the computer system involved? Again, it seems to be both commissioners. Needless to say, such overlaps may cause confusion and a waste of resources.
For decades, the PCPD, under the jurisdiction of the China and Mainland Affairs Bureau, has sought, mostly unsuccessfully, more investigative and enforcement power, mandatory incident notification requirements, and higher penalties for privacy offenses. But now, the new Commissioner’s Office, under the Security Bureau, will have more investigative and enforcement power right away, and can impose higher penalties for non-compliance on CIOs than the PCPD can. Coupled with the overlapping jurisdiction for CIOs from at least two sectors with existing cybersecurity guidelines – banking and finance, regulated and licensed by the Hong Kong Monetary Authority, and communications and broadcasting, regulated and licensed by the Communications Authority – companies in those sectors will have to report incidents to, and meet compliance requirements from, three regulators.
In addition to the concern for increased compliance costs expressed by the stakeholders during previous consultation, mentioned in the paper, there is also the possibility of conflicting directives issued by multiple regulators on the same incident, about the same technical infrastructure, and so on. These concerns may point to potential disadvantages with such a centralized regulatory approach, all under the Security Bureau, compared to a sectoral approach.
Letting the Government Off the Hook?
Third, the proposed new law will not hold some of the most essential services offered by government, such as water supply, a variety of registration and licensing services, immigration control, tax services, and various law enforcement agencies, to the same level of scrutiny and penalty for non-compliance. The government says it will continue to rely on its existing internal administrative guidelines – the Government Information Technology Security Policy and Guidelines.
Even with these longstanding guidelines, the government has not been immune from cybersecurity incidents. If the logic for stricter control holds for the essential services sectors, there appears to be little reason why the same should not apply to the government. In addition, consider the potential embarrassment if a serious cybersecurity incident occurs in a government department or statutory body providing an essential service. The public will question why the government has not policed itself more rigorously and applied the same yardstick for penalties, just as those in the regulated private sectors will undoubtedly feel they are being treated unfairly, or even held to a double standard.
What about Operational Technology?
The proposed new law focuses entirely on the concept of “computer systems” and the use of “information technology,” and the associated cybersecurity risks and concerns. Beyond that, the paper only refers to concerns about the physical security of critical infrastructure, which does not fall within the scope of this law, noting that the Infrastructure Security Coordination Centre of the Hong Kong Police Force is tasked with overseeing the physical infrastructure aspect.
But such a definition and focus on IT-based computer systems may have overlooked a critically important emerging area of concern, operational technology (OT), which was not mentioned in the paper. While IT focuses on software, computers, and data networks, OT is more about controlling physical processes, machines, and equipment, and is particularly crucial for efficiency, safety, and security in sectors such as energy, transportation, and manufacturing.
OT malware attacks target specific industrial control systems and machinery that function quite differently from the typical IT systems used in service industries, and mitigating OT risks often calls for different knowledge and skill sets. This may be another reason why a centralized regulatory approach may not be best placed to handle the nuances of the differing technologies and systems used across industries, even though both IT and OT systems are critical to the continuation of operations, particularly in some sectors.
Does Sharing Secrets with Government Make You Safer?
In addition, the paper lacks important details about the investigation powers of the Commissioner’s Office. Statements such as “each of these powers is regulated in terms of specific conditions, officers can exercise the powers and authorizing authority (including whether magistrate’s warrants are needed), etc., to ensure that these investigation powers are kept to the minimum extent necessary” are vague. The paper only says that the details of the proposed legislation will be presented to the legislature later, and only then will the conditions and procedures for exercising these powers be set out.
But one other important question remains. The office’s vast power to collect critical computer system design and operational details may involve significant confidential business information for these critical infrastructure companies. Are they safer by sharing all such highly sensitive technical information and secret trade and commercial knowledge about their own companies with the government, and certain officials working in the government but outside their own organizations? Or, will such information become a honeypot for hackers with malice? For the government to regulate compliance, how much do they really need to know?
Finally, the government may be well advised not to call such critical infrastructure operators “CIOs,” as the acronym is too commonly used to mean “Chief Information Officer.” It may give people the wrong impression that liabilities are imposed on individuals rather than organizations. The paper has called such entities “operators of critical infrastructure” at certain places too. So, just call them “OCIs,” please.