You read it in Computerworld Hong Kong: the Hong Kong Police have launched a Cyber Security Center to provide round-the-clock services. The HKP made an investment of HK$9 million in hardware and software for the new facility.
"Commercial Crime Bureau Chief Superintendent Chung Siu-yeung said there will be 27 police officers working in the center, which is expected to strengthen the co-ordination between police and government departments," said the CWHK article, "as well as both local and overseas stakeholders when major information systems come under attack."
"The center will only monitor network data traffic rather than the content on networks," Chung said. "The facility will also analyze intelligence related to cyberattacks and respond when needed." Chung also said the center would "conduct network security validation and research to help detect and prevent technology crime."
That sounds wonderful, but realistically, what can a dedicated facility do to "detect and prevent technology crime"?
"Attacks on infrastructure are a genuine threat, so any monitoring of HK's Internet connectivity for malicious behavior will be of help," said Richard Stagg, managing consultant at Hong Kong-based security consultancy Handshake Networking. "The real question is whether the HKP will provide opportunities for businesses (or other owners of Internet-based assets) to interact with them."
Stagg urges the HKP to liaise with the potential victims of cybercrime, and he's right. Good cybersecurity is not only based on "locking down" assets. Accurately assessing risk means thinking like a criminal.
Companies will often hire a "white-hat hacker": someone who tries to break their security, like a burglar who checks every possible entrance to a warehouse. The difference is that the white-hat reports vulnerabilities to his or her employer, who then deploys means of protection against security risks they wouldn't otherwise discover.
The HKP can't provide this service, nor do they have a stellar track record on cybercrime, according to Stagg. "Historically, the ability of global police forces to deal with Internet-based crime has been fairly poor," he said. "Imagine you get beaten up, call the police, and are told: 'Well, we don't really know how to deal with that--can't you sort it out for yourself?' That's often what it's like if you're a victim of a DDoS attack."
The new center aims to change this for Hongkongers. "If a system comes under attack," said Chung in the CWHK article, "we can help [operators] resume normal service, trace the hacking source, and warn other operators to launch contingency plans."
Stagg sees the positive potential of this new facility as a development. "Having a cyber-security center like this is potentially a great opportunity to give some confidence back," he said. "Businesses can go to them with their online infrastructure complaints and expect a proactive response coupled with action. At least, this is what I hope will happen."
I have the same hope. Hong Kong firms learn from their mistakes--after the Miss Hong Kong online-voting debacle, we've learned that failing to provide effective scalability is a sure way to hit the headlines and dent your brand equity.
But the government can do more. There's a lot of "PEBCAK" in Hong Kong: Problem Exists Between Computer And Keyboard--yes, that's the user. We know readers of CWHK are security-savvy. But many Netizens still use "123456" or "password" on Hotmail, post their personal details on Facebook, click on Web links in an e-mail titled "celebrity weight-loss," or other nonsense.
Here's my Christmas present to all our readers, and if you know this already, please pass this on to your friends, children or neighbors. Good Internet security practices aren't the responsibility of the HKP.
They're YOUR responsibility. Be responsible.
- Use a strong password. It should be 16 characters if possible: the advice about mixing upper/lower case letters with numbers is good, but even better, use non-English words and accented characters (é/ü/ç, for example), and don't rely on the top row of characters alone (!/@/#/$/%/^/&/*/(/)/_/+).
- Check e-mails carefully. Any that deal with financial matters (banks/PayPal/credit cards/loans etc.) are immediately suspect. So too are any related to current events (celebrity scandals, accidents, school shootings etc.). Examine the sender's e-mail address carefully. And never click on links within e-mails. Just don't do it.
- Keep your private details PRIVATE. Check the Hong Kong PDPO (Personal Data Privacy Ordinance). Never give out your passwords to anyone. If you receive an e-mail or Facebook message from a "friend" who's suddenly in need of funds, call that person. The telephone is a weapon against cyberfraud--if someone calls you and says they're from your bank, or that they're the Romanian police and your friend is in a Bucharest jail, ask for their name and number and see what happens. You can easily find your bank's actual phone number, right?
"According to police numbers," said Chung in the CWHK article, "there were 761 incidents of illegal access to computers and systems--up 34.2% from last year--resulting in a loss of HK$135 million, 2.3 times higher than the amount in 2011." And the year's not over yet.
Let's do better. Help the Hong Kong Police in their new initiative: don't be a PEBCAK.