Does Hong Kong need cloud standards?

Panelists at the security standards panel dicussionDespite the highly mature infosecurity standards of today's IT industry, it may be some time before Hong Kong develops its own cloud computing standards, let alone cloud certification.

Commenting on the blurred distinction between the terms "Internet" and "cyber," Chair of the standards working group, ISO/IEC, Edward J Humphreys (pictured, far left) said the term "cyber" is not meaningless, because "we do have issues with Internet security and data privacy."

Humphreys spoke at a panel discussion on "Standards Supporting Cyber Security" at an earlier Hong Kong IT Fest 2014 event called "International Conference on Information Security Standards" held at the Hong Kong Cyberport in April.

Michael Gazeley (pictured, far right), managing director, Hong Kong-based IT security company Network Box, noted the potential dilemma that IT security vendors face between ensuring standards compliance and protecting customers.

"The fact that cyber threats are moving at the speed of the Internet reminds me of a guy who designs jet fighters," he said. "In the aviation industry, jet fighter designers changed from trying to build jet fighters that were stable in the air, to jet fighters that were deliberately designed to be unstable."

"This seems really counter-intuitive," said Gazeley. "But if you have a stable aircraft, and someone is firing a missile at you and you need to change direction quickly, your stability can kill you."

"When you look at certain ISO standards, It's scary how often we are faced with the choice of standards compliance versus protecting the customer," said Gazeley. "I think the world has fundamentally changed, and it poses a huge challenge for standards."

Heartbleed and QR code alert

At the China CITIC Bank, security alerts were raised not just against the infamous security bug "Heartbleed" but also QR codes.

Soon after "Heartbleed" was discovered, the Hong Kong Monetary Authority informed all the banks in Hong Kong to report back on progress against the malware within a day. Accordingly, the bank's IT team had to "dig deep into the systems and trying to find out whether the HeartBleed' bug would actually affect us," said Michael Leung (pictured, second from right), CIO & COO, China CITIC Bank.

In mainland China, the bank regulator CBRC (China Banking Regulatory Commission) recently banned the use of QR codes in the banks' mobile payment channels. This is despite the fact that QR codes had developed wide usage in the country as a means of mobile payment.

"The public had been accustomed to scanning QR codes provided by the merchants when making mobile payment transactions," Leung explained. "But what can stop fraudsters from forging a QR code and direct consumers to a fraudulent website, which requests users to key in their IDs, passwords, and everything else?"