Speech by Mrs Carrie Yau, Secretary for Information Technology and Broadcasting The Commonwealth of Virginia Information Technology Conference
 |
Secretary Upson, Distinguished Guests, Ladies and Gentlemen, |
 |
It is a great pleasure to address such a large audience in Virginia via video conferencing. First of all, good morning everybody, although this is night-time in Hong Kong. The fact that I am talking to you now is proof enough that advances in information technology have removed geographical and time barriers, and are bringing everyone in the world closer together. And Hong Kong has always been a 24-hour international city so we relish opportunities such as these to communicate with the people in Virginia.
Just a few months ago, in June, I had the opportunity of meeting Governor Gilmore and Secretary Upson in Hong Kong. We discussed IT development and what our two governments are doing to promote it. I must say I was very impressed with the aggressive programme undertaken by the State of Virginia. |
 |
I was particularly interested to learn that Virginia is building a digital signature framework. I believe this is a most vital element in providing a secure environment within the digital world. The Hong Kong Special Administrative Region Government has devoted a lot of efforts and resources over the past couple of years to build a similar framework. We now have in place the necessary infrastructure for the conduct of secure electronic transactions. So, I would like to take this opportunity to share with you some of our experiences in building the digital signature framework, the challenges that we face and the ways we address these challenges. |
| Digital 21 IT Strategy |
 |
Our Chief Executive, Mr Tung Chee Hwa, set out his vision of turning Hong Kong into a leading digital city in his 1997 Policy Address. To realise that vision, the Hong Kong Government in 1998 formulated a comprehensive IT strategy known as the 'Digital 21 Information Technology Strategy'. The strategy set out the initiatives, targets and milestones on how the Government, businesses, industry and academia could join hands and co-operate to make IT a core competency in Hong Kong and help Hong Kong develop into the pre-eminent e-commerce hub for the Asia Pacific Region. |
 |
This all-encompassing strategy covers the development of high-quality communications infrastructure, establishing an open and secure common interface for electronic transactions, empowering our people with the know-how to use IT, and nurturing a culture which stimulates creativity and welcomes advances in the use of IT.
A key component in implementing this strategy is the development of a regulatory framework which can support and encourage the development of electronic transactions - within Hong Kong and internationally - and the provision of a secure environment in which to conduct electronic transactions. As far as the latter is concerned, we have worked hard to establish a local public key infrastructure (PKI) based on the use of digital signature to facilitate the development of IT and e-commerce. |
| Three-pronged Approach |
 |
In doing this, we have adopted a three-pronged approach. First, by putting in place the necessary legislation; second, by establishing a public certification authority; and third, by making sure the Government uses and promotes these facilities to help drive greater IT use within the private sector and the community.
Provision of Legislative Framework
In order to promote the widespread use of digital signatures, there needs to be a clear legal framework. This provides the certainty needed to conduct electronic transactions and gives legal recognition to digital signatures. These safeguards, in turn, enhance public confidence in the adoption of electronic transactions.
|
 |
The US Federal Government has enacted the Electronic Signatures in Global and National Commerce Act. President Clinton signed the bill into law a few months ago to facilitate the use of electronic signatures and records in interstate and international commerce. In Hong Kong, we have the Electronic Transactions Ordinance which was enacted in January this year. Following the United Nations e-business model law, the Hong Kong law gives electronic records and digital signatures the same legal status as that of their paper-based counterparts. The Ordinance also guarantees that electronic records can be used to draw up contracts and that such records can be admissible as evidence in court. |
 |
The Electronic Transactions Ordinance also provides the legal framework for the development of PKI. It establishes a voluntary scheme of recognition for certification authorities operating in Hong Kong. The main purpose is to provide trust and security in electronic transactions and to enhance consumer protection. With the use of certification authority services and digital signatures, we can address the four major concerns in electronic transactions, i.e. authentication, integrity, confidentiality and non-repudiation. Under our system, Government recognition will only be given to those certification authorities which have attained a specified level of security and trustworthiness. And the general public will be more confident in accepting digital certificates issued by recognised certification authorities.
Nevertheless, there is no mandatory licensing requirement in Hong Kong. Certification authorities, local or overseas, are free to provide services here and can apply for Government recognition on a voluntary basis. We hope this open market approach will encourage more private sector initiatives in the provision of quality certification authority services in Hong Kong.
|
| |
Establishment of a Public Certification Authority |
 |
The second prong is to establish a public certification authority. Prior to the enactment of the Electronic Transactions Ordinance, the certification authority services available in Hong Kong were either used in a closed system or provided by a certification authority located outside Hong Kong via the Internet. In order to ensure local access to quality and high-trust certification authority services, the Government decided to take the lead in establishing a public certification authority through our Post Office, Hongkong Post. To maintain a level playing field, the public certification authority established by Hongkong Post has to operate based on prudent commercial principles and has to compete with other certification authorities in the private sector.
The Hongkong Post Certification Authority was established in January this year. It provides services to both individuals and businesses. Its operation is based on a high-trust model, which incorporates face-to-face authentication for subscribers and the use of strong encryption technology. Digital certificates issued by the Hongkong Post Certification Authority support key lengths of 1024 bits and carry a reliance limit of around US$130,000, and the fee per certificate per year is less than US$7.
|
| |
Other Certification Authority Operation in Hong Kong |
 |
In addition to the Hongkong Post Certification Authority, two other certification authorities now operate in Hong Kong. One is the Tradelink Electronic Commerce Limited, a joint venture between the Government and various private sector shareholders including banks, shipping companies and chambers of commerce in Hong Kong. The company's mission is to help Hong Kong's trading community adopt e-commerce. One of its main services is to enable local enterprises to submit trade-related documents, such as trade declarations and certificates of origin, to the Government through electronic means. The company now has more than 52,000 corporate clients and has issued over 150,000 digital certificates, making it the largest certification authority in Asia. An indication of Tradelink's reputationand trustworthiness is that its digital certificates are accepted by US Customs as a valid means of authenticating the identity of Hong Kong exporters. |
 |
The other private certification authority in Hong Kong is operated by Jetco, an electronic service company established by a major group of banks. The main function of this certification authority is to support the group's Internet banking services. Both Tradelink and Jetco are preparing to seek Government recognition under the voluntary certification authority recognition scheme. |
| |
Government Adoption by Example
The third prong is for the Government to adopt PKI technology in the delivery of public services. We believe this will not only set a good example for the private sector to follow, it will also drive the use of digital signatures by the community in their transactions with the Government.
|
 |
A good example is the Government's Electronic Service Delivery (ESD) Scheme. This is the Government's flagship G2B and G2C online service. Scheduled for launch later this year, the ESD scheme will provide various types of public services on-line 24 hours a day, seven days a week via the Internet and other electronic devices like public information kiosks installed at convenient public locations. Through the ESD scheme, members of the public will be able to pay Government fees, submit tax return, register to vote, renew their driver's licences or search for jobs on-line.
The ESD information infrastructure makes use of digital signatures and cryptographic technology to authenticate the identity of users and to ensure the integrity and confidentiality of information transmitted.
|
 |
Another example of how Government is pump-priming the use of IT is the Electronic Tendering System (ETS). Launched in April this year, the ETS is one of the world's first web-based Government procurement systems. It covers Government non-works tenders with value up to around US$1.3 million each. It allows suppliers from all over the world to receive notification of our tenders, submit tender offers and receive notification of tender awards through the Internet. So far, more than 330 tenders worth an estimated US$60 million have been awarded through the ETS. This system makes use of PKI and digital signature technology to authenticate the identity of suppliers and ensure the confidentiality of tender information submitted. |
| |
Use of PKI Technology by the Private Sector |
 |
With Government taking a leadership role, I am delighted to say the private sector in Hong Kong has responded very positively to the establishment of the local PKI. Companies have been racing to bring new digital signature-based e-commerce applications onto the market. A major telecommunications company has launched a secure electronic courier service in partnership with the Hongkong Post Certification Authority. The Hong Kong Stock Exchange will use PKI technology to ensure the security of online stock trading when it implements a new trade matching system later this year. So will the Hong Kong Jockey Club when it introduces online betting for horse racing shortly. The banks in Hong Kong have also very actively adopted PKI technology for Internet banking services.
From our experience, the establishment of a public certification authority has been instrumental in driving the use of digital signatures and PKI technology by the private sector in Hong Kong. With the ready-made services of the Hongkong Post Certification Authority, companies can save the time, efforts and money needed to establish their own certification services. This has made the introduction of PKI-based services a much more viable proposition.
Another potentially major development in Hong Kong is the application of PKI technology for mobile telephone services. Mobile phone companies are working with Hongkong Post to provide secure mobile e-commerce services. With a penetration rate of 69%, the highest in the world outside Scandinavia, Hong Kong's mobile phone market has tremendous e-commerce growth potential.
|
| |
Adoption by the Community |
 |
One of our most important tasks has been to provide a secure environment to conduct electronic transactions. This has given rise to one of our greatest challenges - convincing the public that e-commerce is safe and secure. If we can do this then we can encourage a greater uptake of PKI technology within the community. The technology is relatively new for the majority, so public education is very important. In this regard, the Hong Kong Government has embarked on a comprehensive publicity and public education programme to actively promote the use of digital certificates.
There is another challenge, not only from the point of promoting the use of PKI or e-commerce but, most importantly, in helping to avoid creating the 'digital divide' in the community. In promoting PKI, we are acutely aware of the need to ensure that no one is deprived of the chance to participate in secure electronic transactions because of a lack of understanding of PKI technology. We have placed a lot of emphasis on reaching out to the elderly, housewives and the disabled through community IT training and awareness programmes. This will enhance their understanding of information technology and e-commerce. We will also hold workshops at schools to teach students the basic concepts and operation of PKI.
User-friendliness is another important issue. By making PKI-based services easy to use, we can encourage IT novices to make use of the technology. The Hongkong Post Certification Authority has been striving to constantly improve its services in order to make them as user-friendly as possible.
|
| Mutual Recognition of Certification Authority Services |
| |
Another significant challenge is mutual recognition of certification authority services. With the no-boundaries nature of electronic transactions, there is a need to establish a mechanism for the mutual recognition of certification authority services internationally so as to facilitate cross-border e-commerce. |
 |
Regulatory regimes in various economies are vastly different. Some economies, such as Malaysia, have put in place a mandatory licensing scheme for certification authorities. Others, such as the US and Canada, do not impose any regulatory requirements. For Hong Kong, there is only a voluntary recognition scheme. It will be a challenge to work out a mutual recognition mechanism on a multilateral basis. This will require considerable international co-operation. We welcome the efforts on cross recognition of certification authority services now being undertaken by the Electronic Authentication Task Group of the Asia Pacific Economic Co-operation (APEC). We will continue to give strong support to this work.
Hong Kong is also actively pursuing mutual recognition arrangements on a bilateral basis with our major trading partners. Hongkong Post is actively seeking co-operation with the certification authorities in the UK, Malaysia and Singapore. We are convinced that these work will take us a step closer to cross-recognition arrangements and encourage the development of e-commerce between Hong Kong and the economies concerned. This is certainly an area that can be explored further between the State of Virginia and Hong Kong.
|
| Concluding Remarks |
| |
Ladies and gentlemen, the establishment of a PKI supported by the use of digital signatures has been a very positive experience for Hong Kong and one that has greatly facilitated our e-commerce development. It has certainly contributed significantly towards realising our vision of becoming a leading digital city and a regional e-commerce hub and represents a major step forward in the new Information Age. I hope our experiences will provide a useful reference for Virginia. And finally, I wish you all a most fruitful conference. |
 |
Thank you |
|