Hong Kong Macau Zhuhai Bridge Project Hacked – A Case for Cyber Insurance

On May 8 2017 news emerged in Hong Kong media that the Hong Kong – Macau – Zhuhai Bridge Project was the victim of a Ransomware Attack during the month of March 2017. The Hong Kong Government was formally notified of the attack on March 2 2017, but failed to disclose the event to local media, the public, or other involved stakeholders prior to the May 8thannouncement.

According to Hong Kong Free Press a network server at the Bridge Project’s site headquarters was locked down by Hackers who demanded a ransom to release the server back to the contractors. When Hong Kong police were notified of the event the Hackers deleted some files before unlocking the system for use by the Highways Department and relevant contractors.

While the Highways Department has stated that no staff information was stored on the affected systems, the fact that cyber criminals were able to penetrate and ransom critical systems for one of Hong Kong’s largest ever infrastructure projects is extremely concerning.

Cyber Attacks Increasing in Hong Kong

The lock-down and ransom of the Bridge Project Server is just the latest in a string of Cyber attacks directed at Hong Kong based businesses and governmental departments.

The first in a series of high profile Hong Kong cyber-attacks occurred In December 2015 when digital Toymaker VTech Holdings suffered a severe data breach which exposed the personal information of an estimated 6.4 million children. In August 2016 BitFinex, a Hong Kong based Bit-coin Exchange, was the victim of a hack event which caused the loss of an estimated US$ 72 million in bitcoins.

According to HKCERT.org, a cyber watch NGO based out of Hong Kong, the number of malicious cyber events targeting local businesses and internet users has been increasing steadily since 2013 – the organization noted 15,365 unique security events in Q1 2017, up roughly 11% over Q4 2016.

Significantly, Botware and Botnet activity increased substantially in Hong Kong during Q1 2017 vs all quarters in 2016; this points to an extremely concerning situation where internet users in Hong Kong, both at the consumer and enterprise levels, are not taking appropriate steps to secure their systems. Unfortunately, the increase in cyber events and malicious attacks are also increasing in tandem with a decline in the availability of qualified cyber security specialists in Hong Kong and across the Asia Pacific Region.

Cyber Security Manpower and Knowhow Lacking

With Hong Kong’s flagpole infrastructure project, which cost HK$ 12.9 Billion (US$ 1.6 B), becoming the latest high profile victim of cyber criminals there is clear evidence that Hong Kong’s cyber security systems are not up to par with the ecosystem of emerging cyber threats.

In fact, according to the HK Free Press, this is not the first time that an organization associated with the project has run into cyber security issues – a consulting firm working on the bridge was last year caught using restricted government data without authorization. This points to an ugly gap in the government’s cyber security and data handling processes, but also to a concerning lack of oversight with regards to contractors working on high-profile high-risk projects who have already displayed a lack of finesse with regards to cyber issues; Oriental Daily reported it was the same consultancy firm who misused restricted data which was also involved in the Bridge-project hack.

With cyber security issues only being regulated within MFA-associated industries in Hong Kong, and a large majority of industries and businesses having no regulatory oversight outside of the Personal Data (Privacy) Ordinance there is a major concern that more Hong Kong businesses will fall victim to cyber criminals simply because in most cases there is no legal requirement to protect their digital assets properly.

This, coupled with the fact that qualified cyber security experts are in extreme shortage, presents a very difficult landscape for Hong Kong businesses when it comes to ensuring they are adequately protected against the myriad threats presented by an always-on digital business environment. And it should be noted that there is a cautionary tale to be told in the fact that the Hong Kong-Macau-Zhuhai bridge project was the latest victim of a cyber-attack; no organization is safe from ongoing threats.

With the increasing number of tools and attack vectors available to cyber-criminals in the modern world, it is becoming more of a challenge to properly secure an organization against all potential threats, and the types of threats facing companies are developing faster than many businesses can cope with them. From Bot-nets, Spear Phishing, and DDOS events through to simple social engineering, many companies are either ignoring the potential outcomes of a successful attack by not investing properly in their digital security infrastructure, or are unable to implement a holistic security regime due to an absence of budget or manpower; and this doesn’t even begin to get into the issue of governmental regulation which, as was previously noted, is sorely lacking in Hong Kong outside of MFA/SFC regulated industries.

Cyber Security First, Crisis Preparation Second?

Securing your computing systems, mobile computing devices, and other digital business processes against attack or intrusion should always be the first step in cyber due-diligence, and companies (from small startups to established MNCs) will look to their IT security preparations as part of their day-to-day operations.

But, as has been shown by the Hong Kong Bridge Project hack, even the best laid plans can go astray – it would be ludicrous to think that there were absolutely no security features on the Highway Department servers (although a full reporting of the incident has yet to be provided by the Hong Kong government).

The question, then, is what should be done in a cyber crisis event?

Most organizations, outside of specialist IT and Security companies, will not be experts in Cyber Attack Crisis management – there are other business concerns that they need to pay attention to first. Because of this it is extremely worrying to see a lack of preparedness within the Hong Kong and Asian business communities when it comes to dealing with the aftermath of an attack; a lack of preparedness which is exemplified by both the Highways Department and the managing consultant in relation to communication and resolution of the Bridge Project hack.

We have already highlighted the issue of a lack of available expertise for IT security within the Hong Kong human resources market, and the dynamic evolution of cyber-criminals in the scope of their attack activities, so a case could be made that a paradigm shift needs to occur and that a core essence of corporate due diligence in a modern business environment should be preparation for a successful attack.

Sitting alongside sophisticated IT security solutions, internal device usage guidelines, and employee access management should be a concrete action plan for the resolution of a cyber event when it occurs. Because make no mistake, every business will be the target of a cyber threat in the modern world and the sophistication of the attackers in the global digital ecosystem means that at least some of those attacks will be successful.

Cyber Insurance and Crisis Resolution Support

According to current insurance industry statistics, less than 2 percent of Hong Kong companies hold some form of Cyber Insurance coverage.

With the increasing level of activity by cyber criminals locally, and the growing number of high-profile successes (including the recent Bridge Project ransomware event), choosing not to obtain coverage for the management and resolution of a successful attack leaves companies dangerously exposed when a threat is realized.

There are gaps in the Hong Kong digital ecosystem which strongly point to an increased need for the uptake of comprehensive cyber insurance products – and the worrying trend of choosing to ignore the issue means that more and more businesses, and governmental departments are at risk of significant financial and reputational exposure to sophisticated and dedicated criminal elements.