Speech by Acting Government Chief Information Officer at Information Security Showcase 2009 (English only)
*********************************************************

     Following is the opening address by the Acting Government Chief Information Officer, Mr Stephen Mak, at the Information Security Showcase 2009 today (August 12) (English only):

Honourable Dr Samson Tam, distinguished guests, ladies and gentlemen,

     Good morning! It gives me great pleasure to address you at this Information Security Showcase 2009. The topic, "A Safer Internet Environment for the Community" stimulates a lot of my thoughts about the impact of the Internet on our modern society, that goes beyond the opportunities and threats of technology adoption, but also touches on user behaviours and regulatory regimes. Nowadays, Internet users are commonly called "Netizens", suggesting that the Internet has become an inseparable entity in both personal and business activities. In particular, the Web 2.0 paradigm has facilitated Netizens unprecedented access, flexibility and usability in the Internet environment.  

     The range of issues on information security that need to be addressed spans from education and awareness, to protection and anti-fraud measures at the enterprise level, all the way to community-wide enhancements to our security infrastructure.

     The sophistication of tools used in malicious or criminal acts is increasing as we speak. Today, hackers can launch security attacks that not only exploit computer vulnerabilities of system software but also compromise systems and whole platforms through loopholes of insufficient protection measures such as weak access control or unencrypted transmission.

     According to the "Q1 2009 Web 2.0 Hacking Security Report" published by the Secure Enterprise 2.0 Forum, Web 2.0 sites like Social Networks, Wikis and Community Blogging are the premier targets for hacking and represent 21% of all reported hacking incidents. The other frequently attacked websites are financial, auction and e-commerce platforms from which criminals can harvest sensitive information and turn it into money gaining opportunities. I am sure our distinguished speakers today will have a lot more stories to share with you throughout the day.

     During the past few months, I have spoken on a number of occasions about security strategies and managing security risks. I would not try to repeat the messages here. Instead I would like to give a short account of some of the things the Government is doing, namely:
- The "Be NetWise" Campaign;
- The Hong Kong Clean PC Day 2009;
- Enhancements to the GovHK portal; and
- Measures to facilitate better protection against cyber-crime in certain sectors.

     To maintain a safe Internet environment, Netizens need to be aware of the contemporary development of cyber threats and promote responsible Internet behaviour. On this, public education plays a key role and the Government has undertaken a wide range of initiatives to enhance the awareness and knowledge of businesses and educate our citizens to protect their information assets, especially on information security and the safe and healthy use of the Internet.

     Last month, the Office of the Government Chief Information Officer (OGCIO) launched the "Be NetWise" campaign. With a budget of $63 million, this one-year territory-wide education programme will teach Internet users, especially young users, how to use the Internet appropriately and safely. We are at the stage of engaging about 500 ambassadors, leaders and programme officers for the job. Through the fostering of a better Internet culture, the "NetWise" aims to help young people, their parents and teachers give full play to their potential on the Internet as well as Hong Kong to be a knowledge-based economy and a digitally inclusive and healthy society. The topics covered will include respect for personal data privacy and intellectual property rights, avoidance of Internet addiction, and protection against computer virus attacks. There will be large-scale promotions, roving exhibitions, training courses, school talks and inter-school activities, and provide enquiry hotline services and home visit technical support.

     I also take this opportunity to mention the coming launch of the fifth annual "Hong Kong Clean PC Day" campaign which is a collaboration programme among the OGCIO, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council and the Hong Kong Police Force. Riding on the objectives of raising public awareness of information security and strengthening the protection of their computers from cyber attacks, this year the campaign will focus on information security when conducting electronic transactions. There will be a series of seminars in August and November targeted at the general public.

     We are taking forward a number of enhancements in functionality and look-and-feel of the GovHK portal. On security, we are developing a feature called MARS (Multiple Application Registration Service) that aims at striking a balance between user convenience, ease of access and authentication requirements of e-government transactions.

     In view of major electronic business initiatives in the community, for example those on e-health, e-procurement and e-banking, we have been working with the relevant stakeholders in reviewing information security measures, both existing and planned, to facilitate secure transactions and authentication of transacting parties. Under Supplement V of the Closer Economic Partnership Arrangement (CEPA), we recently signed a Memorandum of Understanding (MoU) with our Mainland counterparts in the Guangdong Provincial government and the Ministry of Industry and Information Technology on mutual recognition of recognised digital certificates between Hong Kong and the Mainland. We hope that these facilitation measures will further enhance Hong Kong's overall security posture and infrastructure.  

     That said, we are all too mindful about the problems with over-reliance on technology measures on protection, and the human factor is still very key. As Dr Taher Elgamal who is credited as the inventor of Secure Sockets Layer (SSL) technology has said, algorithms do not stay secure forever and he advises that more needs to be done to address the potential danger of man-in-the-middle attacks, where hackers sit in the middle of a conversation between Internet users, impersonating one to the other. Likewise, quoting one of the world's best known cryptographers, Adi Shamir, whose name is the "S" in the RSA cryptosystem, he has said: "Cryptography is typically bypassed, not penetrated". It is often other security parameters that are not up to par and the weakest link that becomes the target. Our protection relies on better risk scenarios and assessments rather than merely technology.

     Ladies and gentlemen, I thank you and the Hong Kong Productivity Council for giving me the opportunity to share with you these messages. I wish the Showcase a great success. Thank you.

Ends/Wednesday, August 12, 2009
Issued at HKT 12:12
