Cybersecurity legislation essential for Smart City development – Deloitte

Enforcing the new local cybersecurity law requirements is fundamental in Macau’s development of Smart City initiatives and their integration into national development, Deloitte cybersecurity consultants told Macau News Agency (MNA).

In 2017, local authorities signed a four-year partnership agreement with the Alibaba Group to help Macau transform itself into a ‘smart city’ via cloud-computing technology in two phases, the first having been completed last year.

The first phase included collaboration on cloud computing, smart transportation, smart tourism, smart healthcare, and smart city governance, as well as talent development.

Then, in late December 2019 a new Macau Cybersecurity Law was enacted, demanding that public and private critical infrastructure operators across various industries meet obligations aimed at protecting the information network and computer systems of critical infrastructure.

“The Macau government has been working together with Alibaba to focus on the four main – smart governance, smart tourism, smart healthcare, and transportation. All these initiatives require an enhanced level of digitalization, increasing the use of online-based platforms to execute the plan”, Sidney Cheng, Deloitte’s Macau Office Managing Director, told MNA.

This year, the Legislative Assembly (AL) has also approved a new e-government law aimed at using better software and hardware integration in public services to provide one-stop electronic services to residents and businesses.

Alibaba has assisted local authorities with the development of a centralized cloud-based platform that connects different government departments to enhance the efficiency of the city’s governance.

According to Cheng – who has been consulting closely with local authorities – different government departments have different levels of digital transformation, one of the main challenges being the need for a high level of collaboration within the government, with the inevitable security concerns coming from this transition to the online world.

“For the public sector, based on our knowledge, various governmental departments have obtained a cybersecurity certification (e.g. ISO27001), and they have a certain level of cybersecurity awareness and controls in place. With the cybersecurity law enforcement, departments will conduct assessments to evaluate compliance levels and develop cyber improvement plans”, Deloitte Risk Advisory Partner, Eva Kwok, told MNA.

Ms. Kwok also noted that, as better IoT progress is achieved in the city, through initiatives such as a new smart transportation network, cybersecurity demands also increase.

Internet of Things (IoT) refers to a system of interrelated, internet-connected objects that are able to collect and transfer data over a wireless network without human intervention.

“We observe that with many other regions when they push out this kind of initiatives. Smart devices or IoT penetration testing demand is very important so that experts can check if there are any cybersecurity loopholes, coding issues that can potentially cause data leaks before these devices roll out of production.”

Such cybersecurity concerns could also exist in initiatives such as the ‘Eye in the Sky’ video surveillance initiative by local security forces, which plans to implement a total of 4.200 surveillance cameras in local public areas by 2028, some equipped with facial recognition capabilities.

In February of this year, the IT and Telecommunications Coordination Department of the Judiciary Police (PJ) told Macau News Agency (MNA) that police authorities already started reinforcing cybersecurity measures to prevent a possible attack by hacker activist group Anonymous to local video surveillance systems, but the attack did not take place.

According to Deloitte, Mainland China Cybersecurity Law and Macau’s Cybersecurity Law, both focus on critical infrastructure security rather than only on personal data, when compared to the EU General Data Protection Regulation enforced in 2018, which focuses more on personal data scope and protection.

Local legislation is also said to have a larger emphasis on the enhancement of the maturity of cybersecurity through the enforcement of its requirements, rather than emphasizing on harsher penalties included in the EU GDPR.

“We’ve seen a surveillance system put together. I think it is for the best […] Of course with the cybersecurity law we now have a framework to work with, and that’s good for Macau as a whole”, Cheng noted to MNA