Skip to the content

PolyU forum tackles cybersecurity issues

Rapid advances in digital technology are transforming most aspects of modern life, but they are also raising some well justified concerns.

As often as not, those doubts centre on the protection of data and guaranteeing the individual's right to privacy, issues which appear secondary in the general rush towards online commerce, fintech, and social media culture in the virtual world.  

However, the importance of addressing such matters and finding the best way forward was the subject of a recent double feature which brought together some leading names in the field.

Billed as the University of Waterloo dean's public lecture cum the Hong Kong Polytechnic University's Knowledge Transfer Forum on Cybersecurity and Privacy, the evening's keynote speaker explained how blockchain developments are helping to make certain types of data transfer more secure.

But the experts taking part in the subsequent panel discussion also made no secret of the fact that, as things stand, regulatory controls are lacking and, generally speaking, there are all kinds of holes in the system.

In particular, it is important to have clear new standards at a time when ever more organisations are adopting core business models which look to monetise data from users. And with so many   instances of data leaks and hacker attacks hitting the headlines, taking the right steps to maintain or rebuild trust with stakeholders should be seen as a top corporate priority.

Delivering the main lecture, Professor Florian Kerschbaum, executive director of the Waterloo Cybersecurity and Privacy Institute, spoke about the challenge of creating an absolutely "interference-free" system where people can only see or know what they are allowed to.

Professor Florian Kerschbaum

His chosen topic was "Secure computation of the k-th ranked element on the blockchain", using as illustration the example of a "sealed bid" online auction where individual bidders can see their offer and nothing else except information essential to the process.

With blockchain, it is possible to do this. The challenge, though, is to compute everything in the least number of "blocks", while guaranteeing speed and required output and tackling any factors which limit efficiency or scalability.

To achieve this type of secure multi-party computation, Kerschbaum touched on considerations like generic protocols, zero-knowledge proofs (ZKPs), key generation, encryption, evaluation and decryption. 

He also explained the approach his team has developed for using public and private keys and sending ciphertext, thereby reducing the total number of steps involved and allowing for the inclusion of unique elements.  

"It leads to something that scales quite well," said Kerschbaum, who worked as a software architect with SAP in Germany before switching to academia. "It also allows the construction of new applications on the blockchain." 

For the panel discussion which followed, Kerschbaum was joined by moderator Gabriel Chan, secretary general of the Hong Kong Blockchain Society and Dr Allen Au, assistant professor in PolyU's Department of Computing.

The panelists

Also taking part were Jason Lau, chief information security officer for Crypto.com; Jack Poon, professor of practice in the School of Accounting at PolyU; and Frederic Lau, chief executive of capital markets and advisory at AMTD Group.    

They expressed broad consensus that, in the digital age, the imperatives for those overseeing data include confidentiality, integrity, and developing trust with customers. 

Unfortunately, the growing list of large-scale mishaps tends to show that "the devil always gets his way". Sometimes, this can be traced to a failure in due diligence, poor impact assessment, or an inherited risk from, say, a merger or acquisition, which was never adequately addressed. In such respects, organisations have a responsibility to take action and step up vigilance accordingly.   

Worryingly, though, the panel also emphasised that there is an ongoing cybersecurity war between attackers and defenders. All it takes is one ill-intentioned hacker - and a single weakness in the defences - to break into an apparently robust system and potentially sow havoc.  

"Most organisations should assume they have been hacked and, starting from that assumption, think about what to do next," said Poon, who also highlighted the importance of finding the right balance between ease of use and data privacy.

Due mention was made of issues like awareness training, authentication without passwords, the "right to be forgotten", biometric-based encryption, and possible problems resulting from people having so much data on their cell phones.   

Kerschbaum, though, pointed out that no one should be holding out hope for easy answers or all-in-one solutions. 

"It is discouraging how bad we [in general] are at implementing security in newly developed systems," he said. "It seems we wait for attacks and then try to fix things as an afterthought. People used to say build in security from the start, but it is not really happening." 

Regarding the possibility of better regulations, fit for purpose and broad in scope, progress seemed to be slow at best. 

"There are all sorts of regulations and some efforts with international traction to take care of these issues, but there is nobody governing it," Kerschbaum said. "Every government needs to agree to follow [one set of] regulations."