Nov 14, 2008

IT Voice response to consultation on CERC Review

IT Voice response to consultation on CERC Review

Date: 14--Nov-2008


1. We, IT Voice and Charles Mok had expressed our concern in the past few years abut the information security development of Hong Kong.
  • When the ITC's 3 year funding for HKCERT ended in 2004, the future of HKCERT had been a mystery. There is no answer to the direction of HKCERT and no clear funding sources. The obscurity had impacted the sustainable and continuous development of information security incident response service in Hong Kong.
  • This was worsen by a sharp increase in information security threats like botnet and cyber crimes in the past few years.
  • Under the mega trend of globalization, Hong Kong is facing keen competitions with neighbouring and farther economies. The fact that our CERC development was brought to a standstill for several years had impacted our competitiveness.
  • In a recent global information security survey 2008 conducted by McAfee, “.hk” is posed as the most risky domain space in the world. The reputation of Hong Kong was at stake! We recalled that when HKCERT was funded by ITC several annual security surveys were made available to track the progress of the industrial information security development. However, in recent years, Hong Kong has no relevant survey to verify such third party claims.
  • Furthermore, Hong Kong lacks proactive monitoring of security threats to preempt attacks targeting Hong Kong. It was reported in the APCERT Conference 2008 that many CERT teams in Asia Pacific economies have very mature security threat monitoring system and malware analysis capabilities. Hong Kong has been left behind.


1. We welcome Government admitting the essence of a CERC in Hong Kong (para. 12) and has expressed explicitly to commit to the financial support for CERC. (para. 14).

2. We agree that the current CERC in Hong Kong, namely HKCERT, to continue to operate under HKPC which is a non-profit making entity. (para. 13)

3. We agree to the service scope of HKCERT (para. 15) but also like to point our insufficiencies.
  • We propose that HKCERT should keep up with the advancement of CERTs in the world. There should be more investment in security threat monitoring in Hong Kong to collect information of attacks targeting Hong Kong and also use the information to preempt any attacks. We emphasize the implementation of security monitoring or study should not jeopardize privacy.
  • Due to the increasing complexity of security attacks, Government should conduct much more information security awareness activities to the public and SMEs. HKCERT should be one of the Government's major partners in the promotion campaign.

4. We agree that there should be transparency on the operation of HKCERT to the industry sector and the public (para. 17(a)) by publishing business reports periodically to the HKCERT web site.

5. Contrary to the proposal in para 17(b), we think that the Government should be giving strategic direction the HKCERT and set our performance metrics. HKPC senior management should only be the operation management of the activities as directed by the Government. CERC service should be regarded as crucial part of the municipal security defense strategies. It is not appropriate to leave the CERC service in the hand of the operating organization.
  • We propose that the Bureau heading the strategies of HKCERT, with input from the D21 Strategic Committee which is advised by the Information Security Working Group. The D21 Strategic Committee comprises of different stakeholders and the Information Security Working Group comprises of experts in the area.
  • The Information Security Working Group should hold regular meetings and advise the Government strategies and directions of information security development in Hong Kong.
  • There should be transparency on the information security development strategies (which includes the part for CERC) to the public.

No comments: