As technology rapidly evolves, the systems we rely on need to keep pace with the constant risk of cyber threats. This matters most when it comes to securing the critical infrastructure that entire communities depend on to function. That is why the Hong Kong government has put new legislation before the Legislative Council (LegCo) to enhance the computer system security of critical infrastructure. In this blog article, we delve into the details of the proposed legislation and what it entails for critical infrastructure operators (CIOs) and their Critical Computer Systems (CCSs). We’ll also look at why this legislation is so important in today’s dynamic digital landscape.
What Is the Proposed Protection of Critical Infrastructure Framework?
On 25 June 2024, the Hong Kong government proposed new cybersecurity legislation, tentatively titled the “Protection of Critical Infrastructure (Computer System) Bill”. The proposed legislative framework was detailed in a paper submitted by the Government to the Legislative Council (LegCo) for discussion on 2 July 2024. The document was jointly prepared by the Security Bureau, the Office of the Government Chief Information Officer, and the Hong Kong Police Force.
The paper proposes a framework to regulate Critical Infrastructure Operators (CIOs) and their Critical Computer Systems (CCSs) in order to fortify those systems against cyber threats, which have become a growing concern in Hong Kong. According to the South China Morning Post, Hong Kong police received more than 18,000 reports of cyber attacks in the first quarter of 2024 alone.
The proposed legislation would require CIOs to fulfill specific statutory obligations and follow defined practices to strengthen their cybersecurity posture, with the aim of preventing cyber attacks from disrupting critical infrastructure operations in an already exposed sector. In preparing the bill, the Security Bureau consulted over 110 stakeholders since 2013, including organizations likely to be designated as Critical Infrastructure Operators, cybersecurity service providers, auditing companies, and sector regulators.
The proposed legislation seeks to regulate operators of infrastructure that is necessary for the continuous delivery of essential services or the maintenance of important societal and economic activities in Hong Kong. As a result, the bill will mostly affect large organizations; small and medium enterprises and the general public are unlikely to be affected.
On 1 November 2024, Secretary for Security Tang Ping-keung hosted a briefing on the consultation report on the proposed legislative framework to enhance the protection of the computer systems of critical infrastructures. He briefed over 200 stakeholders on the outcomes of the consultation conducted months earlier and on the way forward. Attendees included local and foreign chambers of commerce, organizations likely to be designated as CIOs, cybersecurity service providers, cybersecurity audit firms, proposed designated authorities under the legislation, sectoral professional bodies, and statutory bodies.
Responding to the major concerns raised in submissions received during the consultation period, the Secretary stressed that the Government would continue to hold working meetings with stakeholders from different sectors to maintain communication and listen to their views. He noted that feedback on the proposal was mostly supportive, and reiterated that the legislation has no extraterritorial effect and does not target personal data or commercial secrets.
Once enacted, the proposed legislation would likely be implemented in stages and is expected to be fully in force by 2026. It forms part of a global trend toward cybersecurity legislation for critical infrastructure: once the law is passed, Hong Kong will join Mainland China, Macao, Australia, Singapore, Malaysia, Thailand, the UK, the EU, the US, and Canada in having such a regime. Now, let’s get a more rounded overview of what the legislation entails.
Key Features of the Proposed Protection of Critical Infrastructure Bill
- The proposed legislation only covers expressly designated Critical Infrastructure Operators (CIOs) and Critical Computer Systems (CCSs). However, the list of CIOs will not be publicly available.
- A new Commissioner's Office will be established under the Security Bureau.
- The Commissioner's Office will have extensive investigative powers, such as the power to compel a CIO to provide information (even if such information is located outside Hong Kong) or access to their premises.
- CCSs physically located outside of Hong Kong may also be regulated, provided they belong to a designated CIO (the operator itself must have an office in Hong Kong; see the legislative principles below).
- CIOs will be obligated to follow organizational, preventive, and incident response protocols.
- CIOs will be required to report serious computer system security incidents within 2 hours and other computer system security incidents within 24 hours.
- Specific sector regulators – like the Hong Kong Monetary Authority (HKMA) - will be designated as authorities to monitor compliance with the respective CIOs' organizational and preventive obligations.
- The new legislation will introduce offenses and fines for non-compliance that may be imposed on CIOs but not individuals.
Any form of cybersecurity reinforcement is welcome, and legislative action signals how seriously a jurisdiction takes the problem. Still, the details of the proposal raise the question of why such steps are needed at all.
Why Is Critical Infrastructure Protection Legislation Necessary?
The Security Bureau released its consultation report on 8 October 2024, following a month-long public consultation on the proposed legislative framework to enhance the protection of the computer systems of critical infrastructure. In the report, the Bureau found that rapid development in information and communication technologies has heightened the need for the secure and smooth operation of critical infrastructure, especially at a time of rising cyber attacks.
The report further states that any disruption or sabotage to critical infrastructure computer systems may have ripple effects across society - seriously jeopardizing the economy, people’s livelihoods, public safety, and even national security.
Sourced from the Security Bureau
The key reasons for the legislation boil down to minimizing the risk of essential services being disrupted or compromised by cyber attacks, keeping society functioning while raising overall computer system security in Hong Kong. The new law aims to promote proactive cybersecurity practices and preventive management systems among CIOs so that the people of Hong Kong receive stable, secure, and reliable critical services.
The original proposal paper also cited cyber attacks on critical infrastructure worldwide that had severe, even life-threatening, ripple effects on the public. These included the 2021 Colonial Pipeline ransomware attack, which disrupted nearly half of the fuel supply on the east coast of the US, and a 2024 ransomware attack on a private hospital in Hong Kong that caused computer systems to malfunction and affected medical services. The paper then goes on to define the term “critical infrastructure” as used in the proposed legislation.
Defining Critical Infrastructure
The Government’s paper defines critical infrastructure as “facilities that are necessary for the maintenance of normal functioning of the Hong Kong society and the normal life of the people.” These include banks, financial institutions, telecommunications service providers, electricity supply facilities, railway systems, and more. According to the Security Bureau, critical infrastructure falls into two categories. The first covers infrastructure for delivering essential services in Hong Kong, across the following eight sectors:
- Energy
- Information Technology
- Banking and Financial Services
- Land Transport
- Air Transport
- Maritime
- Healthcare Service
- Communications and Broadcasting
The second category covers facilities used to host important societal and commercial activities, including sports and performance venues, research and development parks, and more, where damage, loss of functionality, or data leakage may have serious implications for crucial societal and economic activities in Hong Kong. Note that the term will not cover government departments, as the Government already has its own internal cybersecurity policies in place.
Sourced from the Security Bureau
The Security Bureau further highlighted that critical infrastructure operators need to consider the consequences of disruption, data loss, and damage to their essential services. They also need to understand how dependent their operations are on technology so that they can put a workable response plan in place. Lastly, operators need to recognize the importance and sensitivity of the data entrusted to their infrastructure. To understand the full reach of the legislation, let’s now look at its scope.
Scope of Critical Infrastructure Protection Legislation
In the initial proposal paper, the Security Bureau refers to the approaches taken in the UK and Australia and proposes that the legislation should clearly state that only expressly designated CIOs and CCSs will be regulated. In other words, only the CIOs and CCSs designated by the new Commissioner’s Office will fall under the law. The list of designated CIOs will not be made public, an approach consistent with other jurisdictions such as Mainland China and Singapore. Also in line with Singapore’s cybersecurity law, CCSs physically located outside Hong Kong may be regulated by the proposed legislation.
The proposed legislation will only require CIOs to bear responsibility for securing their CCSs; it will not involve the personal data or business information contained in those systems.
The paper defines a Critical Infrastructure Operator (CIO) as an organization operating an infrastructure that the Commissioner’s Office deems to be critical infrastructure, taking into account the organization’s level of control over that infrastructure.
Sourced from the Security Bureau
Critical Computer Systems will be designated only if they are “relevant to the provision of essential service or the core functions of computer systems, and those systems which, if interrupted or damaged, will seriously impact the normal functioning of the CIs”. Other computer systems that are not designated as CCSs will not be subject to the proposed legislation. The Commissioner’s Office will also discuss designation with the organizations concerned, which may object to a designation and appeal to an independent board. Now, let’s get into what would be required of CIOs under the proposed law.
Three Obligations for Operators of Critical Infrastructure Under the Proposed Legislation
Designated CIOs will need to fulfill three types of obligations to stay within the bounds of the new legislation.
Sourced from the Security Bureau
All three are necessary for a CIO to be in full compliance with the proposed legislation. They break down as follows:
1. Organizational
- Ensuring that the organization maintains an address and office in Hong Kong.
- Reporting any changes in ownership and operatorship of the critical infrastructure.
- Setting up a computer system security management unit with professional knowledge, which may be outsourced, supervised by a dedicated supervisor within the CIO.
2. Preventive
- Informing the Commissioner’s Office of material changes to Critical Computer Systems, such as changes in design, configuration, security, or operation.
- Formulating and implementing a computer system security management plan.
- Conducting a computer system security risk assessment at least once every year.
- Conducting a computer system security audit at least once every two years.
- Adopting measures to ensure that third-party service providers comply with the relevant statutory obligations.
3. Incident Reporting and Response
- Participating in a computer system security drill at least once every two years.
- Formulating an emergency response plan.
- Notifying the Commissioner’s Office of the occurrence of any computer security incidents affecting Critical Computer Systems.
Mandatory Incident Notification
Under the proposed legislation, the Mandatory Incident Notification obligation requires CIOs to report computer system security incidents to the Commissioner’s Office, so that the Commissioner can direct a timely response where needed. A computer system security incident refers to unauthorized and unlawful activity carried out on or through a computer system that jeopardizes or adversely affects its security.
The time frame for the Mandatory Incident Notification depends on the seriousness of the incident.
- Within 2 hours of becoming aware of the incident: CIOs must report serious computer system security incidents, meaning incidents that have had, or are about to have, a major impact on the continuity of essential services and the normal operation of the critical infrastructure concerned. This also includes incidents that might lead to a large-scale leakage of personal information or other data.
- Within 24 hours of becoming aware of the incident: CIOs must report all other computer system security incidents.
If the initial report is made by telephone or text message, the CIO will need to submit a written record within 48 hours of the initial report. The proposal also contemplates a subsequent written report within 14 days of becoming aware of the incident, giving further details such as cause(s), impact, and remedial measures. Note that each clock starts when the CIO becomes aware of the incident, so detection, triage, and severity classification need to be fast enough to decide within the first couple of hours whether an incident falls into the serious category.
A key purpose of the legislation is to get operators of critical infrastructure to enhance the security of their computer systems, not to punish them. Nevertheless, organizations will be fined for violations, with maximum fines ranging from HK$500,000 to HK$5 million. If a violation also involves a breach of existing criminal legislation, such as making false statements, using false instruments, or other fraud-related offenses, the officers involved may, as is already the case today, be held personally criminally responsible. The proposal as a whole rests on four legislative principles, which we explore next.
The Four Legislative Principles
According to the paper, the legislative purpose of the new law is to require CIOs to fulfill certain statutory obligations and take appropriate measures on various fronts to strengthen the security of their computer systems and minimize the chance of essential services being disrupted or compromised by cyber attacks, thereby enhancing overall computer system security in Hong Kong. The Security Bureau sets out four legislative principles at the core of the proposed law.
Sourced from the Security Bureau
- The legislation will regulate only CIOs that are necessary for the continuous delivery of essential services or the maintenance of important societal and economic activities in Hong Kong. In practice, this means large organizations will be regulated while small and medium enterprises and the general public will not be affected.
- While the legislation draws on the legislative approaches of other jurisdictions, it will only regulate operators with offices based in Hong Kong.
- The legislation will only require CIOs to bear responsibility for securing their Critical Computer Systems and will not involve the personal data and business information therein.
- The statutory obligations are meant to set a baseline of positive, proactive cybersecurity practice that can be built upon. The legislation is not there to punish or penalize CIOs, but to ensure effective implementation and enforcement of the law.
The Hong Kong government’s proposal for legislation to regulate the computer systems of critical infrastructure is a much needed and well-received move. To ensure that critical infrastructure and its computer systems remain safe, investing in robust cybersecurity is essential. Sangfor Technologies offers advanced, innovative, and affordable cybersecurity solutions and cloud infrastructure that cater to regulatory and legislative requirements.
- Sangfor’s cybersecurity solutions are built on a robust framework of Platform + Components + Services. This comprehensive approach not only addresses the evolving challenges of cybersecurity but also provides easy management and scalability to meet the growing demands of organizations.
- With Sangfor Cyber Command (NDR) and Omni-Command (XDR), powered by Artificial Intelligence, organizations can effortlessly monitor and detect cyber threats while managing their IT assets. This includes identifying weak passwords and other vulnerabilities, ensuring a proactive defense against potential breaches.
- By leveraging a suite of Sangfor’s stellar cybersecurity products—including Sangfor Network Secure (NGFW), IAG (SWG), Endpoint Secure (EPP), ZTNA, as well as HCI and VDI—organizations gain granular control over network access, enabling secure remote connections without compromising security.
- Additionally, Sangfor’s services, such as Cyber Guardian MDR, Incident Response (IR), and TIARA among other Security services, empower organizations to conduct vulnerability assessments, penetration tests, and other security drills, ensuring their networks remain secure against emerging threats.
For more information, contact Sangfor today or visit www.sangfor.com to see how you can steadily comply with cybersecurity legislation in your area.
Frequently Asked Questions
What is the purpose of the proposed legislation?
The purpose of the proposed legislation is to regulate and strengthen the security of the computer systems of critical infrastructure. This will ultimately minimize the risk of essential services being disrupted or compromised by cyber attacks, enhancing the overall computer system security in Hong Kong. Its stated objectives also include:
- Fostering good preventive management systems by operators of critical infrastructure.
- Reducing the risk of supply chain issues and disruptions to critical services.
- Enabling the smooth operation of essential services.
- Consolidating Hong Kong’s favorable business environment and status as an international financial center.
- Promoting a positive image of Hong Kong in the global community for adherence to critical cybersecurity protocols.
Who will be regulated under the proposed legislation?
The proposed legislation seeks to regulate operators of infrastructure that is necessary for the continuous delivery of essential services or the maintenance of important societal and economic activities in Hong Kong. Only designated CIOs will be regulated, meaning mostly large organizations. Small and medium enterprises and the general public will not be affected.
Will the legislation target personal data or commercial secrets?
No. The proposed legislation will only require operators of critical infrastructure to bear responsibility for securing their Critical Computer Systems, without targeting or accessing the personal data or commercial secrets therein.
How is critical infrastructure categorized?
Critical infrastructure is divided into two groups under the proposed legislation:
- Infrastructure for delivering essential services in Hong Kong, covering the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.
- Other infrastructures for maintaining important societal and economic activities, such as major sports and performance venues, research and development parks, and more.
Does the legislation cover the Government?
No. Critical infrastructure under the proposed law will not cover the Government, which already has a detailed set of internal Government Information Technology Security Policy and Guidelines in place.
What obligations will designated CIOs have?
Designated operators of critical infrastructure (CIOs) will need to fulfill three types of obligations:
- Organizational
- Preventive
- Incident Reporting and Response
What are the incident reporting requirements?
Under the proposed legislation, operators of critical infrastructure will need to report computer system security incidents to the Commissioner’s Office so that the Commissioner can direct a timely response where needed.
- Reports on serious security incidents need to be made within 2 hours after becoming aware of the incident.
- Other computer system security incidents need to be reported within 24 hours after becoming aware of the incident.
What offenses does the legislation introduce?
The proposed offenses include:
- CIOs' non-compliance with statutory obligations.
- CIOs' non-compliance with written directions issued by the Commissioner's Office.
- Non-compliance with requests of the Commissioner's Office under the statutory power of investigation.
- Non-compliance with requests of the Commissioner's Office to provide relevant information relating to a CI.
What are the penalties for non-compliance?
While the legislative intent is to get operators of critical infrastructure to enhance the security of their computer systems rather than to punish them, organizations will still be fined for violations, with maximum fines ranging from HK$500,000 to HK$5 million. If a violation also involves a breach of existing criminal legislation, such as making false statements, using false instruments, or other fraud-related offenses, the officers involved may, as is already the case today, be held personally criminally responsible.
Can a CIO appeal against a designation or direction?
Yes. An appeal board will be established to allow CIOs to appeal against a CIO or CCS designation or a written direction issued by the Commissioner’s Office.
What role do existing sector regulators play?
Some of the essential service sectors to be regulated are already comprehensively regulated by statutory sector regulators. The proposed legislation would designate certain sector regulators as designated authorities to monitor how operators in those sectors discharge their organizational and preventive obligations.
This approach allows the designated authorities to establish sets of standards and requirements, on organizational and preventive obligations, under their existing regulatory regimes that best suit the sectors’ needs. Operators of critical infrastructure in these sectors will not need to fulfill additional requirements of the Commissioner’s Office concerning these two types of obligations.
At this stage, the Security Bureau proposes to designate (1) the Monetary Authority as the authority responsible for regulating certain service providers in the banking and financial services sector, and (2) the Communications Authority as the authority responsible for regulating certain service providers in the communications and broadcasting sector.
Does the legislation draw on other jurisdictions?
Yes. The proposed legislation refers to the legislative direction of other jurisdictions, such as Mainland China, the Macao Special Administrative Region, Australia, the European Union, Singapore, the United Kingdom, and the United States, in formulating a regulatory regime that is suitable for Hong Kong.