FCR(1999-2000)4

For discussion
on 23 April 1999

ITEM FOR FINANCE COMMITTEE

CAPITAL WORKS RESERVE FUND
HEAD 710 -- COMPUTERISATION
Information Technology Services Department
New Subhead "Secure Central Internet Gateway System"

    Members are invited to approve the creation of a new commitment of $21 million to establish a Secure Central Internet Gateway System for use by Government bureaux and departments.

PROBLEM

At present, the Government Information Centre (GIC), which provides access to the web sites of all Government bureaux and departments, is hosted by an Internet Service Provider (ISP). The existing capacity of the GIC cannot meet new hosting demands. In addition, many officers in various Government bureaux and departments maintain separate dial-up Internet connections to ISPs for communication and transaction of business with the public over the Internet. This arrangement is neither efficient nor cost-effective. The level of services provided by the ISPs and the security standards they adopt also vary.

PROPOSAL

2. The Director of Information Technology Services, with the support of the Secretary for Information Technology and Broadcasting, proposes to establish a Secure Central Internet Gateway System to enable Government bureaux and departments to gain access to the Internet, and to disseminate information, communicate and transact business with the public over the Internet through a secure and centrally managed gateway.

JUSTIFICATION

Background

3. In 1995, we established the GIC, using the facilities and services provided by an ISP, for hosting homepages of Government bureaux and departments. Since late 1997, all Government bureaux and departments have set up their own homepages. While some of these homepages are hosted by different ISPs, all of them are accessible through the GIC. The GIC now hosts the majority of Government homepages and operates a dedicated bilingual search engine which covers all Government homepages. With the increasing volume of new content and the use of multimedia elements, the existing GIC capacity cannot satisfy new hosting demands. This capacity limitation also constrains the capability of the GIC to disseminate Government information in a more interactive manner.

4. Apart from setting up their own homepages, all Government bureaux and departments have established connections, either through dial-up connections or dedicated connections, to various ISPs for gaining access to information on the Internet, developing applications for providing Government services and communication with the public over the Internet. As of February 1999, about 7 000 Government officers were provided with their own Internet accounts. Amongst them, about 3 300 officers in 74 bureaux/departments were provided with their own Internet dial-up access accounts and the rest had access to the Internet through departmental gateways established by their respective departments. There are at present 17 such departmental gateways, each managed by the concerned department. Many of these gateways have been developed to cater for departmental-specific applications or customised with project-specific features. The concerned departments are required to follow the network security standards laid down by the Information Technology Services Department (ITSD). For individual users with their own dial-up Internet accounts, however, the security and support services they receive from the ISPs vary. On the completion of the Government Office Automation programme scheduled for end 2000, we expect that the number of Government officers who will be equipped with individual Internet accounts will increase by some 70% to around 12 000. The distribution of Internet users by type as of February 1999 and the anticipated distribution by end 2000 are set out in Enclosure 1. Given the open environment of the Internet and the anticipated expansion in the user-base, there is a need to establish a system to ensure security for Government's internal networks which are connected to the outside world through the Internet.

Secure Central Internet Gateway

5. ITSD proposes the establishment of a secure central Internet gateway to provide web hosting services for Government web sites now centrally hosted by an ISP through the GIC and to provide a secure gateway, in substitution of the current dial-up Internet access connections to ISPs, for Government bureaux and departments to gain access to the Internet. The proposed central Internet gateway will provide the following Internet services -

  1. web hosting service for Government web sites now centrally hosted by an ISP through the GIC;

  2. central management and administration of Government web sites, with the provision of indexing and searching functions and web-site visitor statistical services;

  3. enhanced capability to develop interactive contents for the GIC and the provision of authentication services which will strengthen the protection for the public in their communication with the Government over the Internet;

  4. Internet mail service for Government bureaux and departments;

  5. Internet access gateway service for Government bureaux and departments; and

  6. the establishment of a web-based bulletin board system within Government with controlled access for internal communication purposes.

With the establishment of the proposed gateway, we can provide direct and centralised management and administration for Government web sites, which will be more efficient and cost-effective. We can also enhance our capability to develop interactive and innovative applications on the Internet for communication both with the public and within the Government.

6. The proposed central gateway system will be equipped with security devices to prevent and detect irregular activities. The following security features will be provided to protect Government's internal networks -

  1. firewall system;

  2. computer virus detection system;

  3. network intrusion detection system; and

  4. network intrusion recognition and response system which enables responsive action to be taken against intrusion activities.

7. With the establishment of the proposed system, we will be able to adopt and apply comprehensive Internet security standards across Government. There will be better monitoring and control of the security risks as we will deal with a central gateway instead of several thousand different access points. We will also conduct regular security assessments to verify the effectiveness of the proposed system and to make improvements where necessary in order to cope with the rapid advancement in Internet technologies. All communication interfaces of the proposed system will be regularly checked and closely monitored. The proposed system will have resilience built into it, thus allowing rapid recovery upon shutdown in an emergency situation to minimise disruption to the GIC activities and the Internet access services for bureaux and departments.

8. Existing users who are connected to the Internet through departmental gateways will gradually migrate to the proposed central gateway when it is established, except in cases where the Internet use is related to the departmental gateways which are developed with applications or project-specific features which will not be available in the central gateway. In such cases, we shall require the concerned bureaux and departments to adopt the same security standards and practices as those under the proposed system for their departmental gateways so that we can achieve the same level of security for all network connection points between the Internet and Government's internal networks.

Cost Savings

9. Other than the service benefits mentioned above, a central gateway system is also a more cost-effective means to meet the users' requirements. Upon the implementation of the proposed system, we expect to achieve realisable savings of $5.89 million a year. This includes the avoidance of estimated expenditure at $5.3 million for the existing 3 300 Government users to obtain dial-up services individually from their ISPs and the current maintenance charge for the central web hosting services at $0.59 million.

10. In addition, the new system can provide Internet connections for the projected 5 000 new Government users who will not need to subscribe to commercial ISP services in order to gain access to the Internet, thus avoiding an annual cost of about $8 million. Furthermore, it will achieve cost avoidance amounting to $1.43 million, the cost otherwise needed to expand the existing web hosting capacity for providing Internet services, to enhance interactive content, to strengthen user authentication services to cope with identified demands, and to develop a web-based bulletin board system within Government.

11. The detailed breakdown of the cost savings of $15.32 million is set out as follows -


                                                   1999-2000   2000-01 and
                                                     ($'000)      annually
                                                                thereafter
                                                                   ($'000)
(a) Realisable savings
    (1) arising from the hosting of Government
        web sites by ITSD                                  -           590
    (2) arising from existing 3 300 Government
        users switching from Internet dial-up
        access services provided by ISPs to the
        proposed system                                    -         5,300
(b) Cost avoidance
    (1) for expanding capacity, providing
        interactive contents, and strengthening
        user authentication services                   5,400         1,300
    (2) for providing Internet connections for
        5 000 new Government users                         -         8,000
    (3) for developing web-based bulletin board
        system within Government                           -           130
                                                    ________      ________
Total annual savings                                   5,400        15,320
                                                    ________      ________

Cost and Benefit Analysis

12. We have carried out the usual cost and benefit analysis applicable to computer projects as shown in Enclosure 2, taking into account the above realisable savings and cost avoidance. The analysis shows that the proposed system will break even in year 2003-04.

FINANCIAL IMPLICATIONS

Non-recurrent expenditure

13. The capital cost to Government of establishing the proposed system is estimated at $21 million. Details of the cost estimates are set out below -

Non-recurrent expenditure                    1999-2000
                                             $ million
(a) Web hosting and Internet servers               8.7
(b) Secure Internet access gateway                 7.3
(c) Implementation services                        2.3
(d) Data communications implementation             0.5
(e) Site works                                     1.2
(f) Contingency                                    1.0
                                                 _____
Total                                             21.0
                                                 _____

14. As regards paragraph 13(a), the estimated cost of $8.7 million is for the acquisition of computer hardware and software, and networking equipment for the dedicated GIC web servers, servers for the web-based bulletin board system and the establishment of central security and administration services for the web sites of Government bureaux and departments.

15. As regards paragraph 13(b), the estimated cost of $7.3 million is for the acquisition of computer hardware and software, and networking equipment for the establishment of a secure Internet access gateway system to provide Internet access services for Government bureaux and departments.

16. As regards paragraph 13(c), the estimated cost of $2.3 million is for the hiring of professional services for the design, development, and implementation of the proposed system.

17. As regards paragraph 13(d), the estimated cost of $0.5 million is for the acquisition of data communication services.

18. As regards paragraph 13(e), the estimated cost of $1.2 million is for site preparation work and the acquisition of associated services.

19. As regards paragraph 13(f), the estimate of $1 million represents a 5% contingency in respect of the items set out in paragraph 13(a) to (e) above.

20. ITSD will redeploy existing staff resources to undertake overall project management, contract management, and co-ordination with bureaux and departments. These comprise staff efforts of 0.5 man-month of Senior Systems Manager, 12 man-months of Systems Manager and 12 man-months of Analyst/Programmer I.

Recurrent expenditure

21. The estimated recurrent cost of operating the proposed system in 1999-2000 is $0.91 million. On a full-year and fully rolled-out basis, an annually recurrent expenditure of $10.71 million will be required in 2003-04. Details of the cost estimates are set out below -

Recurrent expenditure                     1999-2000  2000-2001  2001-2002  2002-2003  2003-2004
                                          $ million  $ million  $ million  $ million  $ million
(a) Maintenance cost and consumables              -       2.70       2.70       2.70       2.70
(b) Data communications rental                 0.34       2.20       2.42       2.67       2.93
(c) Professional service                          -       1.65       1.65       1.65       1.65
(d) Contract staff                             0.57       3.43       3.43       3.43       3.43
                                              _____      _____      _____      _____      _____
Total                                          0.91       9.98      10.20      10.45      10.71
                                              _____      _____      _____      _____      _____

22. As regards paragraph 21(a) above, the annual estimated cost of $2.7 million is for hardware and software maintenance and the acquisition of consumables for system backup for the Internet servers and the Internet access gateway system.

23. As regards paragraph 21(b) above, the annual estimated costs of $0.34 million, $2.20 million, $2.42 million, $2.67 million and $2.93 million for the five years from 1999-2000 to 2003-04 are the rental charges for the data communication lines (with a projected 10% annual traffic growth). The estimated cost for 1999-2000 is for a two-month period, on the basis that the data lines will be installed in end January 2000 for the commencement of system integration test and overall system assessment by February 2000.

24. As regards paragraph 21(c) above, the annual estimated cost of $1.65 million is for the outsourcing of external professional service to perform preventive security assessment for the proposed system and all the Internet servers on an annual basis. The estimated cost also covers the subscription for access to security bulletin services in order to keep ITSD up-to-date with the latest developments of security-related technologies in the rapidly changing Internet environment.

25. As regards paragraph 21(d), the estimated cost of $0.57 million for 1999-2000 and an annual expenditure of $3.43 million from 2000-01 onwards is for the hiring of contract staff to support round-the-clock operation of the proposed system and to provide centralised user administration and support services to all bureaux and departments. The first year estimate of $0.57 million covers two months of services to meet our plan to establish the proposed gateway in early 2000.

26. Moreover, ITSD will redeploy existing staff resources to oversee the work of the contract staff, undertake outsourcing arrangement for preventive security assessment, and provide on-going support and advice to user bureaux/departments on the proposed system. The resources will also be used to keep ITSD updated on the latest Internet technologies in order to continuously improve the service of the proposed system. These comprise staff efforts of 0.5 man-month of Senior Systems Manager, 12 man-months of Systems Manager and 12 man-months of Analyst/Programmer I.

Implementation plan

27. Our plan is to establish the proposed gateway in early 2000. The implementation timetable is as follows -

Activity                                                            Timetable
(a) Funding approval                                                April 1999
(b) System design                                                   April to May 1999
(c) Equipment and service tendering                                 June to October 1999
(d) Site preparation                                                July to October 1999
(e) Network centre installation                                     November to December 1999
(f) Content hosting equipment installation                          December 1999 to January 2000
(g) Data communication lines and Internet connection installation   January 2000
(h) Internet services implementation                                February 2000
(i) System integration test and overall security assessment         February to March 2000
(j) Service roll-out                                                March 2000

BACKGROUND INFORMATION

28. The Information Technology and Broadcasting Bureau announced the "Digital 21" Information Technology Strategy in November 1998. The objective of the strategy is to enhance and promote Hong Kong's information infrastructure and services so as to make Hong Kong a leading digital city in the globally connected world of the 21st century. The establishment of the proposed Secure Central Internet Gateway System for Government bureaux and departments is an initiative under the strategy to enhance Government's own information infrastructure. We aim to establish the proposed gateway in early 2000.



------------------------------------------



Information Technology and Broadcasting Bureau
April 1999


Enclosure 1 to FCR(1999-2000)4


Internet Users Distribution

Internet Users Distribution as of February 1999

Bureaux/Departments   Internet Users   Type of Internet Access
74                    3 300            Dial-up to Internet Service Providers (ISPs)
17                    3 700            Direct network connection to ISPs via departmental Internet gateway

Anticipated Internet Users Distribution by end 2000

Bureaux/Departments                 Internet Users   Type of Internet Access
91* (all bureaux/departments will   8 500            Through dial-up or direct network access via
be connected to the Government                       the Government backbone network to the
backbone network by end 2000)                        proposed Secure Central Internet Gateway
16* (with departmental Internet     3 500            Access via departmental Internet gateway
gateway)

* Some of the Internet users in the 16 bureaux/departments with departmental Internet gateway will migrate to the proposed Secure Central Internet Gateway if their Internet use is not related to the departmental-specific applications or project-specific features for which the departmental gateways are developed.



Enclosure 2 to FCR(1999-2000)4


Cost and Benefit Analysis of the Proposed Secure Central Internet Gateway System
(at 1999-2000 prices)


                              1999-2000    2000-01    2001-02    2002-03    2003-04
                                  $'000      $'000      $'000      $'000      $'000
I. Costs
A. Non-recurrent costs           21,000          -          -          -          -
B. Recurrent costs                  910      9,980     10,200     10,450     10,710
Total costs (A + B)              21,910      9,980     10,200     10,450     10,710

II. Benefits
C. Realisable savings                 -      5,890      5,890      5,890      5,890
D. Cost avoidance                 5,400      9,430      9,430      9,430      9,430
Total benefits (C + D)            5,400     15,320     15,320     15,320     15,320

III. Net costs / benefits      (16,510)      5,340      5,120      4,870      4,610

IV. Cumulative benefits        (16,510)   (11,170)    (6,050)    (1,180)      3,430