2020 Review & 2021 Outlook of Cybersecurity Issues in Hong Kong

“The wide adoption of information technology (“IT”) can bring convenience to the public and improve quality of living. At the same time, the risks of the public, enterprises and the community being hacked have increased correspondingly…

For Hong Kong to become a secure smart city, the Government, different sectors of the community and the general public must have knowledge of cyber risks so as to become more vigilant and take appropriate measures to protect their information systems and data assets, with a view to continuously improving the  defence and response capability of the society as a whole.”

—Office of the Government Chief Information Officer (HK), circa January 2020


Whilst most people will remember 2020 as the year of lockdowns, the other face of 2020 is the great migration of humanity into the digital realm. Social distancing measures implemented to combat COVID-19 has caused many ordinary citizens (many of whom were not previously digitally attuned) to move their daily lives online. When face to face visits by grandparents are no longer possible, people resort to telecommunications as the next best alternative.

Whilst digital adaptation by the entire world can be seen as a leap forward, it has also highlighted the fact that the internet can still be a treacherous place.


According to statistics provided by the Hong Kong Computer Emergency Response Team Coordination Centre (“HKCERT”), it has been observed that there has been a sharp rise in the number of Defacement and Phishing attacks in 2020. Computers being infected by malicious software which will hijack the infected device into a Botnet is also on the rise. The risk posed by major forms of attacks elaborated as follows:

  1. Botnet Attacks: Computers may be hijacked/conscripted by cybercriminals into conducting illegal activities. This may in turn causes illicit activity to be traced onto an unknowing victim’s device.
  2. Phishing Attacks: One of the biggest trend in 2020 is the increased number of phishing/spoofing attacks. With disguised emails/unauthorized recipient renames, victims may be lured into disclosing credential, confidential information and more. Reputation damage and data loss (e.g. privileged data) may be substantial.
  3. Malware Attacks: Notable ransomwares, trojan horse, etc. In 2020, we have seen the first cases of cybersecurity manslaughter resulting in death occurring. Attacks manifested physically as cybercriminals were able to hijack devices worn by users resulting in physical lockups. Gone are the days when ransomware attacks are only within the realm of the digital.
  4. Defacement Attacks: These are intentional attacks (non-virus) where hackers intrude and alter information on legitimate sites/storage sites. Original content may as a result be lost with other information/data contaminated/corrupted.


As rightly pointed out by Hong Kong’s Chief Information Officer, whilst technology are meant to bring about convenience for the greater public, each advancement, if the technology is not rolled out in a quality manner, may give rise to risks. Here are a few of the major 2021 cybersecurity predictions that the greater public should pay attention towards:

  1. Dawn of the 5G Technology: Whilst 2020 saw 5G tech being at the forefront of diplomatic jousting between the United States and China, 5G tech is nevertheless becoming reality in everyday lives in 2021. Whilst this new technological breakthrough is likely to bring a never before seen level of digital convenience, 5G enabled swarm attacks, which requires the integration of multiple hijacked devices (see Botnet above) will mean that more efficient method of attacks will now finally be possible (greater network connectivity, intelligence from multiple devices, etc.) Swarm technologies require large amounts of processing power to enable individual Swarm-bots to act and the proliferation of 5G tech will enable just that.
  2. Exposed Application Programming Interface (“API”) Attacks: As mentioned above, 2020 saw the world’s first cybersecurity manslaughter case as well as hackers being able to lockup victims physically when they were able to exploit vulnerabilities in internet-connected accessories. Users who were caught wearing such device at the time of attack have been reported to suffer physical harm/scars. With APIs becoming ever more prominent in everyday devices, attacks are soaring. Developers are therefore reminded to secure their API less their client may suffer physical as well as digital damages.
  3. Remote Learning/Hearings Attack: As the first school took their classes online, the first casualty was already reported. Weak endpoints from users at home (who might not have implemented the best network security) will mean that hackers will have the opportunity to exploit vulnerabilities. The increased use of home devices for official matters will also mean that hackers can exploit legacy endpoints.
  4. Insider Attacks: With the ever-increasing number of ‘work from home’ (“WFH”) arrangements, in the absence of proper data control (as well as an insecure job market) as well as weak home network management (as indicated above), insider threats (both intentional and unintentional) are on the rise. Having a proper IT governance policy will be essential for companies in the days to come.


All in all, it can be easily concluded that the move to remote working environment can be seen as both a great boon for humanity as well as a wakeup call for many. Therefore, always remember:

  1. Secure ALL networks:  be it offsite or onsite, it is crucial for companies to assist their employees with implementing adequate cybersecurity so as to enable undisrupted workflow in this new era. Cybersecurity contingency plans are also essential. Whist office network can be secured in a centralized manner, WFH policies is a game-changer that companies must tackle.
  2. Secure ALL devices: many attacks both observed in 2020 and 2021 is the result of lapse by everyday users as they move remote. Home devices and other equipment must be brought up to company standard as time goes by.
  3. Educate ALL staff: of all the cyberattacks observed above, the weakest link is still the human mind. As rightly noted by Hong Kong’s Chief Information Officer: “the general public must have knowledge of cyber risks so as to become more vigilant and take appropriate measures to protect their information systems and data assets, with a view to continuously improving the defence and response capability of the society as a whole.”

Solicitor, ONC Lawyers

Joshua Chu is a Litigation Solicitor qualified to practice in Hong Kong. Before becoming a lawyer, Joshua worked in the healthcare industry serving as the IT department head at a private hospital as well as overseeing their procurement operations.

Since embarking upon his legal career, his past legal experience includes representing the successful party in one of Hong Kong’s first cryptocurrency litigation cases as well as appearing before the Review Body on Bid Challenges under the World Trade Organization Government Procurement Agreement concerning a health care industry related tender.

Today, Joshua’s practice is mainly focused in the field of dispute resolution and technology law.

Aside from his legal practice, Joshua is currently also a Senior Consultant with a regulatory consulting firm which had been founded by ex-SFC Regulators as well as being a management consultant for the Korean Blockchain Centre.

Partner, Ravenscroft & Schmierer, Hong Kong

Anna is a Hong Kong qualified lawyer and is responsible as a partner at Ravenscroft & Schmierer for the commercial litigation department. Aside from her legal background, Anna is also an advisor to the Ohkims Blockchain Centre in South Korea and Hong Kong qualified lawyer and a regulatory consultant specialized in IT control and compliance.  

Before starting her practice as a lawyer, Anna worked closely with the United States Patent and Trademark Office (USPTO) and US Food and Drug Administration (FDA) on intellectual property and FDA regulatory matters. 

​Since embarking on her legal career, Anna was part of the team that defended a party in Hong Kong High Court proceedings involving the jurisdiction’s first cryptocurrency cases where she leveraged her science and engineering skills extensively to help improve her client’s case’s position. This feat was repeated again shortly after when Anna again leveraged her science background in a healthcare-related tender dispute. 

​Today, Anna is proactively working on various Distributed Ledger Technology related projects where she combines her love for science and technology together with the logic behind regulatory framework.