Hong Kong proposes critical infrastructure cybersecurity law
Introduction
Hong Kong currently has no statutory requirements on critical infrastructure cybersecurity. Critical infrastructure around the world, however, is at risk of cyberattacks, and the repercussions of such attacks can be extremely severe.
In recent years, legislation to protect the security of the computer systems of critical infrastructure has been enacted in P.R.China, Australia, the UK and the EU. Following in these footsteps, Hong Kong proposes to enact new legislation, tentatively titled the Protection of Critical Infrastructure (Computer System) Bill.
Regulation targets
The proposed legislation seeks to regulate the operators of critical infrastructure that are necessary for:
- the continuous delivery of essential services in Hong Kong across eight sectors (energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting); or
- maintaining important societal and economic activities in Hong Kong, like major sports and performance venues, and research and development parks.
The new law will regulate only the computer systems that are related to the normal functioning of critical infrastructure, regardless of their physical location; the operators’ other systems fall outside its scope.
The legislation will not apply to essential services operated by the government – like water supply, drainage and emergency relief – as the government already has comprehensive internal information technology security policies and guidelines. Consequently, government departments will continue to be regulated by the existing administrative framework.
Administration
A new commissioner’s office will be established under the Security Bureau to implement the proposed legislation. Its duties will include: designating critical infrastructure operators (CIOs) and critical computer systems (CCSs); establishing a code of practice and advising CIOs on the measures they should adopt; monitoring security threats against CCSs; assisting CIOs in responding to computer system security incidents; investigating and following up on non-compliance and offences committed by CIOs; coordinating with various government departments in formulating policies and guidelines and in handling incidents; and issuing written instructions to CIOs to address potential security loopholes.
Designation
Whether a piece of infrastructure is designated as a critical infrastructure will depend on factors such as whether it provides essential services or maintains important societal and economic activities in Hong Kong, its reliance on information technology, and the severity of societal impact in the event of damage, loss of functionality or data leakage.
Operators
The commissioner’s office will expressly designate certain operators as CIOs. These operators will mostly be large organisations but the list of designated CIOs will not be made public to protect their critical infrastructure from potential cyberattacks.
CIOs’ obligations
Designated CIOs will be required to fulfil three types of obligations:
- Organisational. To maintain an address and office in Hong Kong; to report changes in the ownership and operation of the critical infrastructure; and to set up a computer system security management unit with professional knowledge (which may be outsourced), supervised by a dedicated supervisor of the CIO.
- Preventive. To inform the commissioner’s office of material changes to their CCSs, such as changes to their design, configuration, security or operation; to formulate and implement a computer system security management plan; to conduct a computer system security risk assessment at least once every year; to conduct a computer system security audit at least once every two years; and to adopt measures to ensure that third-party service providers comply with the relevant statutory obligations.
- Incident reporting and response. To participate in a computer system security drill at least once every two years; to formulate an emergency response plan; and to notify the commissioner’s office of computer system security incidents (activities carried out without lawful authority on or through a computer system that jeopardise or adversely affect its computer system security): (a) within two hours of becoming aware of a serious computer system security incident (one that has a major impact on the continuity of essential services or causes a large-scale leakage of personal information), and (b) within 24 hours of becoming aware of any other computer system security incident.
Upon request by the commissioner’s office in the course of investigating an incident or an offence related to the three types of obligations above, CIOs must submit to the commissioner’s office the relevant information available to them, even if that information is located outside Hong Kong.
Sector regulators
Certain essential service sectors are already comprehensively regulated by statutory sector regulators. These regulators can monitor the discharge of CIOs’ organisational and preventive obligations. At this stage, it is proposed that:
- the Hong Kong Monetary Authority will be the designated authority to regulate service providers in the banking and financial services sector; and
- the Communications Authority will be the authority responsible for regulating service providers in the communications and broadcasting sector.
Nevertheless, the commissioner’s office will retain full oversight of incident reporting and response arrangements for all CIOs, so that it can coordinate responses, investigate incidents and prevent them from spreading to other CIOs.
Penalties for non-compliance
CIOs are expected to adhere to the statutory obligations under the proposed legislation and written directions and requests issued by the commissioner’s office. Failure to do so may constitute an offence and result in fines ranging from HK$500,000 to HK$5 million. If an organisation continues to disregard certain compliance obligations, additional daily fines may be imposed.
CIOs will also be held accountable for non-compliance even if it stems from the actions (or inactions) of third-party service providers. This emphasises the need for CIOs to thoroughly vet and manage their external partners to mitigate risks of non-compliance.
The proposed legislation adopts an organisation-focused approach in terms of the bearing of statutory obligations, and thus generally individual officers or staff members involved will not face personal penalties under the proposed legislation. That said, if certain non-compliance scenarios intersect with existing criminal laws in Hong Kong, for example, involving fraudulent activities or making false statements to the commissioner’s office, the individuals involved may face personal criminal liability.
An appeal mechanism will be established to allow CIOs to appeal against designations of CIOs or CCSs, or against directions issued by the commissioner’s office.
Code of practice
The commissioner’s office will issue a code of practice with requirements such as:
- reporting of material changes to CCSs;
- independent computer system security audits;
- computer system security risk assessments;
- computer system security management plans; and
- incident response obligations.
Way forward
The government plans to present the proposed legislation to the Legislative Council by the end of 2024. After the bill is passed, the commissioner’s office will be established within a year. The legislation will come into effect within the following six months.
Impact on operators
The proposed legislation will require CIOs alone to bear responsibility for securing their CCSs. It does not permit the government to obtain personal data or business information from such systems.
Organisations that are potential CIOs should evaluate and enhance the cybersecurity of their CCSs, understand legal requirements including the proposed code of practice, and allocate a budget for compliance. It is essential for them to collaborate with their outsourced contractors to effectively comply with the forthcoming statutory obligations.
However, a challenge ahead is the recruitment of competent cybersecurity experts, supervisors and other required personnel. This issue deserves careful consideration by both the CIOs and their outsourced contractors.
