[Official Document Included] Introduction to "Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure"
This article introduces the legislative framework proposed by the Legislative Council Panel on Security to "Enhance Protection of the Computer Systems of Critical Infrastructure". This document details the legislative background, objectives, proposed contents, and implementation plans of the framework.
Legislative Background
Critical infrastructure refers to facilities essential for maintaining the normal functioning of society, such as banks, financial institutions, communication networks, power supply facilities, and railway systems. A cyberattack on the computer systems of these facilities could have severe societal impacts. Therefore, strengthening the security of these facilities' computer systems is crucial.
Global Legislative Trends
As cyberattacks targeting critical infrastructure continue to occur globally, many countries and regions have enacted corresponding laws to enhance protection. For instance, Mainland China, the Macao Special Administrative Region, Australia, the European Union, Singapore, the United Kingdom, and the United States have all established relevant legislation to protect critical infrastructure security.
Legislative Needs in Hong Kong
Currently, Hong Kong has no statutory requirements for protecting the computer systems of critical infrastructure. However, with the rapid development of information and communication technology, these facilities increasingly rely on the internet and computer systems, making them more susceptible to cyberattacks. Therefore, it is necessary to enact relevant laws to strengthen the protection of these facilities, thereby enhancing the overall security of Hong Kong's computer systems.
Proposed Legislative Framework
Based on Hong Kong's specific situation and referencing practices from other jurisdictions, the Legislative Council Panel on Security proposed drafting a new law, tentatively named the "Critical Infrastructure Protection (Computer Systems) Bill." The primary objective of this bill is to mandate that operators of critical infrastructure assume statutory responsibility and take appropriate measures to enhance the security capabilities of their computer systems, thereby reducing the impact of cyberattacks on essential services.
Regulatory Scope and Targets
The Legislative Council Panel on Security proposes that the bill cover the following two major categories of critical infrastructure:
Infrastructure Providing Essential Services: such as energy, information technology, banking and financial services, land transport, aviation, maritime, healthcare, and communication and broadcasting.
Infrastructure Supporting Important Social and Economic Activities: such as large sports and performance venues, research parks, etc.
Only operators of clearly designated critical infrastructure and their critical computer systems will be regulated. Operators must establish a professional computer system security management department responsible for developing and implementing a computer system security management plan.
Responsibilities of Operators
The responsibilities of operators are primarily divided into three categories:
Structure: Operators must have an address and office in Hong Kong, report changes in ownership and operational rights of the infrastructure, and establish a dedicated department responsible for computer system security.
Prevention: Operators must develop and implement a computer system security management plan, conduct regular risk assessments and security audits, and ensure their critical computer systems comply with relevant statutory requirements.
Incident Reporting and Response: Operators must participate in regular computer system security exercises and promptly report and respond to computer system security incidents.
Conclusion
By enacting the "Critical Infrastructure Protection (Computer Systems) Bill," Hong Kong will be able to enhance the security of critical infrastructure computer systems, ensuring the stable operation of essential services, thereby consolidating its good business environment and status as an international financial center.