**************

The following is a speech by Secretary for Information Technology and Broadcasting, Mrs Carrie Yau,at E-Security and WAP Solution Symposium today (September 28):

Dr Ho, Distinguished Guests, Ladies and Gentlemen,

It is my great pleasure to be here today to address this Symposium. Today's theme is e-security and WAP. They are both important and topical issues in the electronic world. I will first of all outline the Government's work in providing and promoting a secure infrastructure and environment for the conduct of electronic transactions. Then I will talk about the potential of mobile commerce in Hong Kong and the importance of security in the development of mobile commerce.

E-security

Security is a critical factor in the adoption of electronic commerce. Imagine if there are no ways to authenticate the identity of other parties who take part in electronic transactions, ensure the integrity and confidentiality of the information exchanged during the transactions or prevent the parties taking part in the transactions from repudiating the commitments made, who would be willing to exchange important information, enter into agreement or make payment through electronic means? Recognising the importance of e-security, the Government is making a lot of efforts in creating a trustworthy environment and providing a secure infrastructure for the conduct of electronic transactions.

Government's efforts in this regard include the establishment of a local public key infrastructure, the pursuing of mutual recognition of certification authority service, review of legislation against computer crime, establishment of a computer emergency response centre and promoting public awareness on e-security.

Establishing a local PKI

The Government is committed to developing Hong Kong into a leading digital city and a pre-eminent e-commerce hub in the Asia Pacific Region. Key to the realisation of this vision is the establishment of a regulatory framework which will support and encourage the development of electronic transactions within Hong Kong and internationally, and the provision of a secure environment for the conduct of electronic transactions. To instil trust in the security and integrity of electronic transactions, we have established a local public key infrastructure (PKI) to facilitate the use of digital certificates and certification authority services, which allow parties taking part in electronic transactions to authenticate the identity of other parties to the transactions, and ensure the integrity and confidentiality of the information exchanged during the transactions.

This PKI is supported by the Electronic Transactions Ordinance, which was enacted in January this year. Not only does the Ordinance give electronic records and digital signatures the same legal status as that of their paper-based counterparts, it also provides the legal framework for the local PKI by establishing a voluntary scheme of recognition for certification authorities operating in Hong Kong. The main purpose is to provide trust and security in electronic transactions and to enhance consumer protection. Since Government recognition will only be given to those certification authorities which have attained a level of security and trustworthiness accepted by the Government, the general public will have a greater confidence in accepting digital certificates issued by certification authorities recognised by the Government.

An important component of the Government's initiative in building a local PKI is the setting up of a public certification authority through the Hongkong Post. The main purpose is to ensure the access of local businesses and members of the public to quality and high trust certification authority service. I am pleased to see that since its establishment in January this year, the Hongkong Post Certification Authority has spurred the use of PKI technology in new online services provided by both the public and private sectors, including online stock trading and Internet banking services.

Pursuing mutual recognition of certification authority service

With the no-boundary nature of electronic transactions, there is a need to establish a mechanism for the mutual recognition of certification authority services internationally so that it is secure to conduct electronic transactions with parties outside Hong Kong.

This is, however, not easy as regulatory regimes in various economies are vastly different. Some economies, such as Malaysia, have put in place a mandatory licensing scheme for certification authorities. Others, such as the US and Canada, do not impose any regulatory requirements. Hong Kong itself has developed a voluntary recognition scheme. It will be a great challenge to work out a mutual recognition mechanism on a multilateral basis. This will require considerable international co-operation. We are pursuing cross recognition of certification authority services both in multilateral forum such as the Asia Pacific Economic Co-operation (APEC) and on bilateral basis through discussions with certification authorities operating in our major trading partners.

Review of legislation against computer crime

We also fully recognise that our legislation needs to cope with the advances of technology and the emergence of computer related crime. In order to strengthen the framework within which law enforcement against computer crime can be effectively and efficiently carried out, the Government has established an inter-departmental working group led by the Security Bureau to study the problem and to make recommendations on the way forward. We expect that the recommendations of the working group will be available before the end of this year so that we can take a major step forward in our efforts to combat computer related crime.

Establishing a Computer Emergency Response Centre

Capabilities in making emergency response are also an important element of a secure environment for the conduct of electronic transactions. In this regard, the Government is committed to facilitating the establishment of a local Computer Emergency Response Centre to provide e-security support to the industry and the community. We understand that there is already momentum in the industry to establish such a centre. We believe that the establishment of a local Computer Emergency Response Centre will help provide useful information on computer security to the community and the industry, and strengthen our ability to cope with computer emergency incidents. We expect that such a centre will be set up within next year.

Promoting awareness on e-security

We can enhance the security of information systems, for example, by installing firewalls, virus detection software or by making use of PKI and encryption technologies. However, information security is not solely a technical question. It is also a question of procedures, management practices and culture. We believe that the awareness of the potential risk and the taking of preventive measure will go a long way in enhancing information security in Hong Kong.

Various Government agencies, including the Police, the Information Technology Services Department (ITSD) and the Office of the Telecommunications Authority (OFTA), and industrial support organisations such as the Hong Kong Productivity Council (HKPC) have been working together to raise the public awareness on computer security. For example, the ITSD has been disseminating anti-virus information, guidelines and alerts through the media as well as in the Government web sites for public information. It has also co-organised seminars and training courses on information security with the HKPC and the Hong Kong Computer Society. The Hong Kong Police Force has also been giving talks to students, parents and teachers on computer crime as well as visiting companies to help them develop good staff and management practices and security policies. There are also many other publicity and education efforts which include exhibitions, TV commercials, road shows, distribution of pamphlets and industry guidelines.

Mobile Commerce

I now wish to turn to mobile commerce. With the convergence of mobile technology, the Internet and handheld computing, we can now have the information we need at our finger tips wherever we go, and we are able to conduct transactions while we are on the move with the use of small, convenient and compact devices. We will shortly be able to access the Internet through our mobile phones to check e-mails and to carry out serious browser-based transactions like buying a book, booking a flight, trading stock, finding the location of a restaurant or accessing the office's information system for checking the status of an order. Indeed, within the constraints of what can be displayed on a pocket-size screen, we can probably do anything that we currently do at the desktop.

Wireless Access to the Internet

The mobile Internet is taking shape, and observers are predicting a paradigm shift greater than the arrival of the personal computer. Internet connectivity is increasingly built into mobile phones, pagers and other portable devices, allowing easy access to the Internet without the need for a PC connected by wires. Industry analysts predict that by the end of 2004, there will be more than 1.5 billion mobile phones, PDAs, and Internet appliances equipped with wireless capabilities in circulation. This is expected to bring the number of people using wireless data technology from about 170 million world wide in 2000 to more than 1.3 billion by 2004.

What then is the situation in Hong Kong? Wireless Internet access service was introduced in Hong Kong in December last year, and now all six mobile operators are offering such a service to their customers. So far, these services have yet to gain widespread popularity. However, given Hong Kong's high mobile penetration rate at 69% and with the increase in transmission speed of 2.5G and 3G networks, and as more and more local content and applications specifically designed for wireless devices are available, we believe that the number of users accessing the Internet through mobile devices will increase rapidly in the near future. This will, in turn, drive the development of e-commerce in Hong Kong, which is expected to reach US$70 billion by 2004.

Security in the Mobile World

The mobile world has the same security concerns as the computer world. All this call for the need to develop secure environment in order to instil the public confidence in mobile commerce transactions.

I am pleased to see that the local mobile operators are responding very positively to the establishment of the local PKI. In fact, mobile phone companies are already working with Hongkong Post to provide secure mobile commerce services. For instance, the mobile stock trading service to be launched later this year will be making use of digital certificates issued by Hongkong Post for authenticating the identity of traders and ensuring the integrity and confidentiality of the transaction information. In addition, all six mobile phone operators in Hong Kong have formed a forum recently to discuss the adoption of a common standard for digital certificates for use in all types of mobile commerce services. All these are encouraging indicators leading to a more secure environment for mobile transactions in Hong Kong, which will be conducive to the building of public confidence.

The Government's role is to provide a legislative framework and appropriate infrastructure for electronic and mobile commerce to flourish. The industry also has a significant role to play in developing the specifications and standards that meet the security needs. And a symposium like what we have today adds momentum to all these developments.

Concluding Remarks

Ladies and Gentlemen, I have outlined the major Government initiatives in creating a secure environment for the conduct of electronic and mobile commerce in Hong Kong. But Government efforts alone are not enough. Hong Kong has a lot of potential in developing electronic and mobile commerce, but whether we can make these transactions secure will depend on the close co-operation between Government, the industry and the community.

Thank you.

END/Thursday, September 28, 2000 NNNN