on 12 April 1999
LEGISLATIVE COUNCIL PANEL ON
INFORMATION TECHNOLOGY AND BROADCASTING
SECURE CENTRAL INTERNET GATEWAY SYSTEMINTRODUCTION
This paper briefs Members on a funding application which will be made by the Director of Information Technology Services to the Finance Committee for a new commitment of $21 million under the Capital Works Reserve Fund Head 710 Computerisation to establish a Secure Central Internet Gateway System for use by Government bureaux and departments in gaining access to the Internet, and in disseminating information, communicating and transacting business with the community over the Internet.
2. In 1995, we established the Government Information Centre (GIC), using the facilities and services provided by an Internet Service Provider (ISP), for hosting the homepages of Government bureaux and departments. Since late 1997, all Government bureaux and departments have set up their own homepages. While some of these homepages are hosted by different ISPs, all of them are accessible through the GIC. The GIC now hosts the majority of Government homepages and operates a dedicated bilingual search engine which covers all Government homepages. With the increasing volume of new content and the use of multimedia elements, the existing GIC capacity cannot satisfy new hosting demands. This capacity limitation also constrains the capability of the GIC to disseminate Government information in a more interactive manner.
3. Apart from setting up their own homepages, all Government bureaux and departments have established connections, either through dial-up connections or dedicated connections, to various ISPs for gaining access to information on the Internet, and developing applications for providing Government services and communication with the public over the Internet. As of February 1999, about 7 000 Government officers were provided with individual Internet accounts. Amongst them, about 3 300 officers in 74 bureaux/departments were provided with their own Internet dial-up access accounts and the rest had access to the Internet through departmental gateways established by their respective departments. There are at present 17 such departmental gateways, each managed by the concerned department. Many of these gateways have been developed to cater for department-specific applications or customised with project-specific features. The concerned departments are required to follow the network security standards laid down by the Information Technology Services Department (ITSD). For individual users with their own dial-up Internet accounts, however, the security and support services they receive from the ISPs vary. On the completion of the Government Office Automation programme scheduled for end 2000, we expect that the number of Government officers who would be equipped with individual Internet accounts will increase by some 70% to around 12 000. The distribution of Internet users by type as of February 1999 and the anticipated distribution by end 2000 are set out in Appendix 1
. Given the open environment of the Internet and the anticipated expansion in the user base, there is a need to establish a system to ensure security for Government's internal networks which are connected to the outside world through the Internet.
Secure Central Internet Gateway
4. ITSD proposes the establishment of a secure central Internet gateway to provide web hosting services for Government web-sites now centrally hosted by an ISP through the GIC and to provide a secure gateway, in substitution of the current dial-up Internet access connections to ISPs, for Government bureaux and departments to gain access to the Internet. The proposed central Internet gateway will provide the following Internet services -
- web hosting service for Government web sites now centrally hosted by an ISP through the GIC;
- central management and administration of Government web sites, with the provision of indexing and searching functions and web site visitor statistical services;
- enhanced capability to develop interactive contents for the GIC and the provision of authentication services which will strengthen the protection for the public in their communication with the Government over the Internet;
- Internet mail service for Government bureaux and departments;
- Internet access gateway service for Government bureaux and departments; and
- the establishment of web-based bulletin board system within Government with controlled access for internal communication purposes.
With the establishment of the proposed gateway, we can provide direct and centralised management and administration for Government web sites, which will be more efficient and cost-effective. We can also enhance our capability to develop interactive and innovative applications on the Internet for communication both with the public and within the Government.
5. The proposed central gateway system will be equipped with security devices to prevent and detect irregular activities. The following security features will be provided to protect Government's internal networks -
- firewall system;
- computer virus detection system;
- network intrusion detection system; and
- network intrusion recognition and response system which enables responsive action to be taken against intrusion activities.
6. With the establishment of the proposed system, we will be able to adopt and apply comprehensive Internet security standards across Government. There will be better monitoring and control of the security risks as we will deal with a central gateway instead of several thousand different access points. We will also be able to conduct regular security assessments to verify the effectiveness of the proposed system and to make improvements where necessary in order to cope with the rapid advancement in Internet technologies. All communication interfaces of the proposed system will be regularly checked and closely monitored. The proposed system will have resilience built into it, thus allowing rapid recovery upon close down in emergency situation to minimise disruption to the GIC activities and the Internet access services for bureaux and departments.
7. Existing users who are connected to the Internet through departmental gateways will gradually migrate to the proposed central gateway when it is established, except in cases where the Internet use is related to the departmental gateways which are developed with applications or project-specific features that will not be available at the central gateway. In such cases, we shall require the concerned bureaux and departments to adopt the same security standards and practices as those under the proposed system for their departmental gateways so that we can achieve the same level of security for all network connection points between the Internet and Government's internal networks.
8. We have set out the operational benefits of the proposed system in paragraphs 4-6 above. We shall also derive financial benefits of about $15m on an annual basis upon the establishment of the proposed system as a result of the following -
- savings derived from the hosting of Government web sites by ITSD and the use of a central Internet access gateway instead of subscribing to the Internet dial-up access services provided by ISPs;
- cost avoidance for expanding hosting capacity, providing interactive contents, and strengthening user authentication services;
- cost avoidance for providing Internet connections for 5 000 new Government users; and
- cost avoidance for developing web-based bulletin board system within Government.
9. There will also be cost avoidance in terms of non-recurrent expenditure, which is estimated at $5.4m.
10. The capital cost to Government of establishing the proposed system is estimated at $21 million. Details of the cost estimates are set out below -
|Non-recurrent expenditure||1999-2000$ million
|(a) Web hosting and Internet servers||8.7
|(b) Secure Internet access gateway||7.3
|(c) Implementation services||2.3
|(d) Data communications implementation||0.5
|(e) Site works||1.2
11. As regards paragraph 10 (a), the estimated cost of $8.7 million is for the acquisition of computer hardware and software, and networking equipment for the dedicated GIC web servers, servers for the web-based bulletin board system and the establishment of central security and administration services for the web sites of Government bureaux and departments.
12. As regards paragraph 10(b), the estimated cost of $7.3 million is for the acquisition of computer hardware and software, and networking equipment for the establishment of a secure Internet access gateway system to provide Internet access services for Government bureaux and departments.
13. As regards paragraph 10(c), the estimated cost of $2.3 million is for the hiring of professional services for the design, development, and implementation of the proposed system.
14. As regards paragraph 10(d), the estimated cost of $0.5 million is for the acquisition of data communication services.
15. As regards paragraph 10(e), the estimated cost of $1.2 million is for site preparation work and the acquisition of associated services.
16. As regards paragraph 10(f), the estimate of $1 million represents a 5% contingency in respect of the items set out in paragraphs 10(a) - (e) above.
17. ITSD will redeploy existing staff resources to undertake overall project management, contract management, and co-ordination with bureaux and departments. These comprise staff efforts of 0.5 man-month of Senior Systems Manager, 12 man-months of Systems Manager and 12 man-months of Analyst/Programmer I.
18. The estimated recurrent expenditure of establishing the proposed system for the first year is $0.91m, rising to a full year amount of around $10m in 2000-01, which is necessary to cover the costs of maintenance and consumables, data communications rental, professional service and contract staff.
19. Moreover, ITSD will redeploy existing staff resources to oversee the work of the contract staff, undertake outsourcing arrangement for preventive security assessment, and provide on-going support and advice to user bureaux/departments on the proposed system. The resources will also be used to keep ITSD updated on the latest Internet technologies in order to continuously improve the service of the proposed system. These comprise staff efforts of 0.5 man-month of Senior Systems Manager, 12 man-months of Systems Manager and 12 man-months of Analyst/Programmer I annually.
20. The cost-benefit analysis for the implementation of the proposed system is set out in Appendix 2
. We expect to achieve a positive benefit starting from the 4th year after service roll-out.
21. Our plan is to establish the proposed gateway in early 2000. The implementation timetable is as follows-
"DIGITAL 21" INFORMATION TECHNOLOGY STRATEGY
|(a) Funding approval||April 1999
|(b) System design||April- May 1999
|(c) Equipment and service tendering||June - October 1999
|(d) Site preparation||July - October 1999
|(e) Network centre installation||November - December 1999
|(f) Content hosting equipment installation||December 1999 - January 2000
|(g) Data communication lines and Internet connection installation ||January 2000
|(h) Internet services implementation||February 2000
|(i) System integration test and overall security assessment ||February - March 2000
|(j) Service roll-out||March 2000
22. The Information Technology and Broadcasting Bureau announced the "Digital 21" Information Technology Strategy in November 1998. The objective of the strategy is to enhance and promote Hong Kong's information infrastructure and services so as to make Hong Kong a leading digital city in the globally connected world of the 21st century. The establishment of the proposed system for Government bureaux and departments is an initiative under the strategy to enhance Government's own information infrastructure. We aim to establish the proposed gateway in early 2000.
23. We will submit the funding application for the proposed system to the Finance Committee for consideration on 23 April 1999.
Information Technology Services Department
Internet Users Distribution
Internet Users Distribution as of February 1999
|Bureaux/Departments||Internet Users||Type of Internet Access
|74||3,300||Dial-up to Internet Service Providers (ISPs)
|17||3,700||Direct network connection to ISPs via departmental Internet gateway
Anticipated Internet Users Distribution by end 2000
|Bureaux/Departments||Internet Users||Type of Internet Access
(all bureaux/ departments will be connected to the Government backbone network by end 2000)
||Through dial-up or direct network access via the Government backbone network to the proposed Secure Central Internet Gateway
(with departmental Internet gateway)
||Access via departmental Internet gateway
* Some of the Internet users in the 16 bureaux/departments with departmental Internet gateway will migrate to the proposed Secure Central Internet Gateway if their Internet use is not related to the department-specific applications or project-specific features for which the departmental gateways are developed.
Cost-benefit Analysis of the Secure Central Internet Gateway System
(at 1999-2000 prices)
|A. Non-recurrent costs
|B. Recurrent costs||910
|Total costs (A + B)
|C. Realisable savings||-||5,890
|D. Cost Avoidance
|Total benefits (C + D)
|III. Net costs/benefits
|IV. Cumulative benefits