Charles Mok 可圈可點

It is my honor and privilege to be able to speak to you today in this INSEC forum on information and network security. I try today to speak from the perspective of the IT industry, which our Hong Kong Information Technology Federation strives to represent in Hong Kong, and the users, which our Internet Society Hong Kong also represents.

We all know and acknowledge that we are now in the Internet 2.0 age. Most if not all of the information and knowledge that we share, business and transactions we conduct are carried out on, over or via the Internet. Much has been said, discussed and contemplated about Web 2.0 – the phenomenon most notably marked by the importance of the user created content, or user generated content. I always like to summarize the Web 2.0 characteristics by these three descriptions: interactive, sharing, and free – and I note, free in both senses of the word, being about freedom, and free of charge.

But in this trend of growing openness and sharing, our users – both corporate and individuals – as well as the applications we develop and deploy, are increasingly challenged by numerous security incidents and infringement on privacy. For the individuals, users that are often not very sophisticated in knowing about protecting themselves find themselves giving up a lot of their personal information, unfortunately in many cases only too late when they realize these risks. Corporations are also struggling with updating their policies and guidelines regarding information security and privacy, in order to keep up with the challenges, but they often find it most difficult in educating their staff to take the necessary care in dealing with sensitive information in their day to day work, and establishing the right culture in the organization. I have been through this process, somewhat painstakingly, in my volunteer “work” with the Hospital Authority, as one of their board members, only a year or two ago when we had to deal with an angry public and a frantic media when we tried to rectify these organizational, cultural and to a much lesser extent, technical problems.

So, as we always say in IT, the problem isn't technical at all, or, if we can solve it with technology, then it isn't a problem at all. I guess people in finance would say the same about money, that any problem that can be solved with more money isn't a problem at all. But anyway...

Let's look at a few of the major sources of challenge to security and privacy the way that I see it, today and in the near future to come. First, quite obviously, the problems associated with the social media. Almost no single day passes by without yet another news story or two that would come out about privacy problems of facebook, Google and the likes. Almost no single month passes by without facebook in particular would come out to announce or discretely put in place some new privacy measures that are being criticized as not enough, or too difficult for the average users to handle. And this doesn't just have to do with the young kids at home using facebook or the other average users, but also corporations, as they are increasingly trying to seek ways to take advantage of these social media platforms. Their problems become the problems of the merchants and companies trying to use their platforms. These problems are indeed our problems. How do we ensure that, for example, the marketing departments that dominate the decision making of the use of social media have the knowledge and foresight to take into account the potential risks in personal privacy and security issues?

From the corporate IT vantage point, however, the cloud computing phenomenon seems to be the biggest challenge of all in the area of security and privacy. The cloud, whether private or public – how do we keep it secure? What can go in it or not, and how? This is the core problem and question facing almost all major IT infrastructure or large-scale software or project development, and the one problem that cannot be ignored, and indeed, should be put at the highest priority. I give you the example in Hong Kong for the upcoming development of the Electronic Health Records, probably the largest single IT project by the Hong Kong SAR Government in this decade, which targets to make the health records of all citizens of Hong Kong accessible to healthcare providers and related institutions or corporations, and of course the persons themselves and maybe their families too. How to keep it open – for many obvious benefits in providing better treatments and patient safety – but at the same time making it secure and private? Again, this calls for a balance and focus put on both technology and policies – including possible legislations and compliance control.

The other upcoming challenge in the very near future that I like to point out, is about IPv6. Many of you have heard of it, and if you haven't heard much about it before you are going to hear a lot more of it in the coming two years. Let me say again that according to the statistics of the Regional Internet Registries of the world that gives out IP addresses to Internet service providers, new IPv4 addresses will run out by late 2011. That means a switch to IPv6 will be imminent and unavoidable, if any of you still want to expand your network, let alone going to what some people talk about as Internet of things, or Internet on all things. No longer can corporations wait and see. In the last two years, Internet Society Hong Kong has carried out numerous trainings in Hong Kong in association with the Asia Pacific Network Information Center (APNIC) that allocates these IP addresses. More than a thousand people, especially front line engineers have been changed. That's good but not enough. Somehow, corporations are still waiting and mostly unwilling to make the switch. We worry that by the time they have to switch, they may find it too late, first, in not having enough people with experience to run and tackle the new issues relating to the dual stack network with both IPv4 and IPv6 traffic. And, of course, the new security issues that comes with IPv6. This is an area that I like to use this opportunity to call your attention to.

Finally, some words on where to find the balance. In order to find the balance between security and privacy, we need to start by finding the right point of balance between technology and policy, compliance and complacency. If we can ever reach a balance, then it would be one based on shared responsibility between those who are stakeholders in it all – the corporation's management, technology developers and administrators, and the users. And that in turn requires a baseline or foundation of awareness, understanding and a culture in the organization and society. And with these in hand, hopefully our community as a whole can develop the ability to make the right choices.

I look forward to sharing with you in this forum and on the Internet.