The Gemalto revelations brought mobile security into the spotlight. The Hong Kong government’s patchwork approach to mobile security may leave Hong Kong officials and citizens exposed.
Gemalto, the world’s leading SIM card vendor, was hacked by the US National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ). The agencies stole the telecom-security giant’s encryption keys, the keys designed to protect mobile device communications. Harbour Times readers may recall a previous investigation into the Hong Kong Government’s response to the Heartbleed flaw and the discontinuation of support for Windows XP (“Is our data secure”). A year after Microsoft ended support for Windows XP, a third of the Government’s computers were still running it, and the Government was struggling to compel Bureaux and Departments (B/Ds) to upgrade.
Security concerns are back, this time on the telecoms front.
From Snowden to Gemalto
The Snowden leaks and now the Gemalto fiasco demand that the public ask whether the HK Government is securing critical government data that may be exposed through senior officials’ mobile devices.
Last month, Gemalto made a statement regarding the scandal. “In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks…3G and 4G networks are not vulnerable to this type of attack.”
Mr Charles Mok (莫乃光), LegCo Member representing the IT functional constituency, explains that 3G and 4G are the dominant network technologies in Hong Kong. “If Gemalto was telling the truth, only 2G users were affected,” says Mok. “In which case our officials can feel more secure than the debates would suggest.” An expert on cyber technology who requested anonymity told Harbour Times that the attacks were targeting countries that are still using 2G networks as well as “those who think they are clever and pick the good old Nokia over Apple or Android.”
Nonetheless, there are many reasons for concern. Gemalto’s own reassurance deserves scrutiny: 3G and 4G session keys are derived from the same secret SIM key as 2G keys, so an attacker who holds that key and captures the authentication challenge sent over the air can recompute them. Gemalto also states in its Breach Level Index Annual Report 2014 that the number of data records breached jumped by 78%, from 575 million in 2013 to over one billion in 2014. Meanwhile, the Snowden files show the US Government has numerous ‘backdoors’ for obtaining digital information through both software and hardware.
Guidelines aren’t rules
In Hong Kong, the Office of the Government Chief Information Officer (OGCIO) is responsible for promulgating the Baseline IT Security Policy, guidelines and measures for all government B/Ds to follow. It acts as “the central point of contact with regard to security incident reporting and coordination for responding to information security incidents.”
Regarding telecommunications security, all mobile devices used for official duties are provided by the respective government departments. Each department implements mobile device management (MDM) tools and other security measures in its own way. According to the OGCIO, end-to-end encryption is being deployed to protect the communication of sensitive information between government users. Government users are not allowed to access the government network with their personal mobile phones, and no mobile applications can be installed on official devices without proper authorisation. However, gaps remain.
A major issue is that the OGCIO lacks the authority to compel. The Security Bureau is responsible for promulgating security regulations, but the OGCIO only provides guidelines for individual B/Ds. Bureaux and departments execute separate IT security policies, with additional measures set according to their own priorities.
Dr Lucas Hui (許志光), founder and Honorary Director of the University of Hong Kong’s Center for Information Security and Cryptography, points out that the Government is like a huge corporation, too complex to enforce IT security policies under a single authority. Just as departments within a corporation can deploy their own policies, in accordance with the sensitivity of the information they hold and their business requirements, government B/Ds are also given a certain level of autonomy to allow room for fine-tuning.
The maximum level of security may be too heavy-handed for non-critical data. Flexibility allows departments to efficiently allocate resources in a manner appropriate for their needs. But it can also lead to gaps in security, leaving data exposed. With no central authority monitoring compliance with best practice, slippage can occur. No one really knows what each bureau is up to.
The quasi-governmental Hospital Authority, for example, which stores sensitive patient information in its systems, is not bound by the OGCIO, although it pays lip service to following OGCIO guidelines. This further increases uncertainty, at least from the public’s perspective, about how secure government and quango mobile devices actually are.
Recent history is not encouraging. All B/Ds were required to upgrade their operating systems from Windows XP to a newer version by 31st March 2015. The actual compliance rate remains unavailable, and citizens’ data may remain exposed in many instances, years after Microsoft announced it would discontinue support for Windows XP.
CYOD
Once upon a time, best practice in security meant BlackBerry. It is still the gold standard for many banks and governments around the world. Modern tastes, however, mean politicians are demanding that their own preferences be respected when choosing mobile devices.
Accordingly, the Hong Kong Government is allowing pols and senior civil servants to ‘CYOD (Choose Your Own Device)’. A source told Harbour Times that senior officials who must use a government-issued mobile device can now choose between various brands including BlackBerry, Samsung and Apple. “Our lifestyle has been transformed to a point that it is infeasible to go back to the BlackBerry days,” says Mr Erwin Huang (黃岳永), President of the Hong Kong Information and Technology Federation. “And it is hard to draw a clear line as to what communications can be done in personal mobile devices and what can’t.” No government offices were able or willing to give Harbour Times details as to which brands the top officials use.
China in charge?
HT Law and Order columnist Bill Majcher is a former senior officer with the Royal Canadian Mounted Police who specialised in the force’s intelligence branch. He suspects Beijing plays a key role in the security of public officials. “Hong Kong is a city-state. It doesn’t have a military, it doesn’t have an intelligence unit other than those related to Police activities,” says Majcher. “People would be extremely naive to believe that the Chinese authorities aren’t monitoring, or in many cases probably running, the secure communications of people of interest to them.” Presumably that includes Hong Kong government officials.
As Mr Majcher put it, “the use of a lot of high-tech communications equipment and devices falls into the category of national security. Hong Kong doesn’t have that sort of establishment, so they would rely on Big Brother – the Chinese Government.”
It is difficult to test Mr Majcher’s hypothesis. Considering the sensitivity of the topic, it would be foolish for whichever body is in charge to expose its security practices to potential enemies.
Open question
It is difficult to determine whether our top officials’ communications are secure. Government departments are rather cagey when asked to share details of their mobile security practices and of the mechanisms for handling incidents where security may have been breached.
It is unclear whether this is because they have no clue or because they don’t want to show their hand. If government officials in Hong Kong are using mobile devices to communicate on sensitive matters or to transfer citizens’ data, there seems to be no one in charge of ensuring that this data remains secure. It may be, if Mr Majcher’s conjecture is correct, that the Chinese authorities are providing world-class security. However, until someone goes on the record to explain the basics of officials’ mobile security, Hongkongers can but hope their officials are doing the right thing, whatever that may be.