Editorial | To stop cyberattacks and secure systems in Hong Kong, legislation needs teeth

A surge in malicious cyberattacks in Hong Kong has caused concern not only about the leaking of personal data but also the potential for essential services to be disrupted. The government has warned that attacks on key computer systems could bring “the whole society to a standstill”. The threat requires urgent attention.

Unlike many other parts of the world, the city lacks a law dedicated to the protection of computer systems needed for critical infrastructure. The city is lagging behind. The mainland introduced such legislation in 2016 and Macau in 2019. Britain, Australia and Singapore did so in 2018. Now, Hong Kong is following suit.

A one-month consultation is under way on legislative proposals to “enhance the protection of the computer systems of critical infrastructure”. A bill is being drafted with the intention to put it before the legislature this year. There is no time to waste.

Hong Kong has suffered a disturbing increase in cyberattacks, including a theft of data from government-funded tech hub Cyberport last year and a recent targeting of a private hospital. Numerous government departments have fallen victim. More than 9,000 cybersecurity incidents were reported between June 2023 and May this year.

The new law will not cover government departments as their guidelines and policies were updated in April. All departments were required to review the systems’ security and report to the top information technology unit in May. The work must continue as improvements are clearly needed.