[Provisional Translation]

Action Plan for Building Foundations of Information Systems Protection from Hackers and Other Cyberthreats

Adopted by the Interagency Director-Generals' Meeting on IT Security
on 21 January, 2000

I. Introduction

The work and activities of business and government have become heavily dependent upon information technology, especially including IT networks in recent years, and that dependency is expected to increase acceleratively. This gives rise to various issues of concern related to IT security, such as unauthorized access by hackers1 and computer viruses (hereafter referred to as "viruses").

Considering the current situation, further efforts are required to achieve appropriate levels of IT-security, both in the public and private sectors, that reflect the development of information and network technologies.

II. Current Measures

1. Measures within the Government

Government ministries and agencies have already taken various measures to protect their own systems from such IT-related threats as intrusion by hackers and viruses. (Hereafter, throughout this document, the term "measures within government" refers to measures for government to protect its own systems.)

Following are major measures that have been taken so far, by the information-systems departments in the ministries concerned.

In this connection, the "Guideline for Government Information Systems security" was approved by the Inter-ministerial Meeting of Government Information Systems Division-Directors in 1999.

(1) Administrative System

(2) Measures Related to Users (Internal Staff Members), etc.

(3) Measures for the Construction and Maintenance of Systems

(4) Other Measures

2. Raising Private Sector Awareness

Several government ministries and agencies are also trying to raise private sector awareness by establishing standards and guidelines to help private sector take measures such as those listed above.

(for reference)

Standards and Guidelines Published by Related Ministries and Agencies (There are various types, depending on the fields and industries.)

Not only do agencies try to raise awareness, but they also establish legal standards in some cases (e.g., Technical Standards concerning Telecommunications Equipment in the Telecommunications Industry Law, a certification system for the compliance to the Technical Standards, etc.).

3. Promotion of Research and Development

In order to contribute to the protection of public and private information systems, the ministries and agencies involved are actively promoting various types of technologies for IT security, such as methods to control unauthorized access (including automatic detection and back-tracking of unauthorized access, etc.), anti-virus measures, and cryptography.

4. Improving Laws and the Investigation Structure

While these preventive measures are being taken, laws and the investigation structure are being improved in order to punish acts of unauthorized access and other illegal activities.

(1) Legislation (penal provisions)

(i) Revising the Criminal Law regarding computer crimes.
The 1987 revision of the Criminal Law made the following illegal fraudulent acts using computers, obstruction of Business by Destroying a Computer and illegal production of electro-magnetic records.

(ii) Establishing the Unauthorized Access Prohibition Law
On August 6, 1999, the Diet passed the "Unauthorized Computer Access Law." This law was promulgated on August 13 (it came into force on February 13, 2000, with the exception of some parts.). This law prohibits "acts of unauthorized computer access," defined as follows; any acts of making available a "specific computer" (connected to telecommunication line) use of which is restricted by "access control function", through inputting another person's "identification code", or any information or command, via telecommunication line.

(2) Investigation Structure

In what can be referred to as "Cyber-Police Force," a structure is being built to strengthen the prefectural police force; e.g., by establishing a national center in the National Police Agency to fight against high-tech crimes.

5. International Cooperation

The government participates in international forums such as the OECD (Security Privacy subcommittee2 ) and the G8 Senior Experts' Group on Transnational Organized Crimes(the "Lyon group"). In addition, each ministry and agency is making efforts toward international cooperation.

III. Basic Philosophy regarding a Strengthened Approach

1. Approaches within the Government

As the government plans to construct a foundation for an electronic government by fiscal year 2003 (the "Policy Measures for Economic Rebirth" on November 11, 1999 at the Cabinet Meeting on economic policies), it is important for this electronic government to achieve and maintain a high level of IT security so as to earn the trust of the citizens in and out of Japan and nations abroad.

The measures which the government has taken thus far is limited mainly to measures by the information systems department in each agency. From now on, however, inter-ministerial cooperation should be promoted, so that the government can effectively incorporate new measures within the government itself, such as incorporating IT security evaluation that is currently being studied and utilizing results of R&D efforts. It is hoped that these new approaches will raise the level of security standards.

To this end, in this action plan, we note that the protection of governmental IT systems is an issue to be dealt with by the entire government as a whole, not only by the information systems division in each agency, and call for further actions, setting fiscal year 2003 as the immediate target date.

2. Approaches in the Private Sector

In principle private businesses, local public organizations, and any other bodies than the national government (hereafter referred to as "the private sector") have responsibility to determine what IT security measures they take. However, from the viewpoint of enhancing the social benefits as a whole, the government has taken certain actions to support these private organizations so that they can initiate measures on their own (for example, providing information, such as disseminating various standards and guidelines).

In this action plan, following two perspectives are underlined to strengthen efforts by the government.

(1) Information on further approaches and measures within the government, such as those outlined in Point 1 above, will be provided, as models, to the private sector.

(2) In such sectors, as critical private infrastructure and local public organizations, which in an emergency situation, could severely affect the civil life (in other words, there is the danger of "cyberterrorism"); additional special measures will be promoted on top of the usual policy of "creating an environment for self initiated measures."

3. International Cooperation

In promoting measures by the entire government, as mentioned above, each ministry or agency will further strengthen already existing international cooperation, and will also seek interagency coordination to establish a necessary cooperative structure with other countries.

4. Other Measures

(1) Legislation

Illegal acquisition or disclosure of information processed by or stored in a computer (here in after referred to as "computer information") is, to a considerable extent, legally punishable under current laws, and subject to the corresponding types of penalties3. when illegal action causes in someone else's economic loss to others, it is of course subject to loss/damage compensation under Civil Law. However, there is no law or regulation which criminalize unauthorized acquisition or disclosure of computer information per se.

On the other hand, there is considerable discrepancies in other countries' punitive legislations for the protection of computer information. They do not necessarily criminalize unauthorized access to computer information in general.

When the Penal Code was revised in 1987, the issue of whether or not to create such provisions was discussed. Conclusion was that it was necessary to further consider how to treat various kinds of information, how to balance the treatment of computer information and that of non-computer information, etc.4 Based on this we continue to discuss this Issue.

(2) Measures against Cyberterrorism

Concerning measures to prevent cyberterrorism, fundamental policies will be promoted in accordance with this action plan, and the discussions will be conducted with a view to finalizing a "Special Action Plan Concerning Measures to Combat Cyberterrorism" by December 2000.

IV. Specific Actions for Reinforcing the Approaches

1. Reinforcing Approaches within the Government

(1) Building a Government Systems with Highly-reliable Security


We will build government computer systems with more reliable security, are to be build by introducing new methods such as security evaluation and fruits of R&D efforts.

[Specific Actions]

(i) Use of Secure Products and Technologies

(ii) Development of Secure Products and Technologies

(2) Building and reinforcing monitoring systems and response capabilities in case of emergencies


To cope with emergencies such as unauthorized access and virus infections, monitoring systems and responsiveness, including sharing urgent information, intrusion detection, system-closure, should be built and strengthened.6

[Specific Measures]

During the roll-over period from 1999 to 2000, an information network was created to share such emergency information as unauthorized access and virus infections, among government agencies and private sectors, as a part of Y2K information networks. That information network was operated by the ministries of the Prime Minister's Office, with the support of IT experts outside the government.

(3) Study on Comprehensive and Systematic IT Security Measures


Study should be conducted on how to ensure that IT security measures are formulated in a more comprehensive and systematic manner, well beyond the extent of specific, technical measures that have been taken by information-systems divisions of ministries and agencies.7

[Specific Measures]


Items Expected to Be Included in the Guidelines

(4) Other Measures

[Specific Measures]

2. Promotion of Measures in the Private Sector

(1) Information Dissemination to the General Public

[Specific Measures]

(2) Promotion of Measures for Critical Infrastructure in the Private Sector

[Specific Measures]

3. Strengthening International Cooperation


[Specific Measures]

4. Follow-Up of The Action Plan

*1 The term "hacker" now has a wide variety of meanings, but throughout this document it refers to a person who gains unauthorized access to a computer or computers.

*2 The Security Privacy Subcommittee of the OECD is a working group under the auspice of the Committee for Information, Computer and Communications Policy (ICCP). Its official name is the "Working Party of Information Security and Privacy (WPISP)."

*3 For instance, if one conducts an act of unauthorized computer access and then obtains information, that party is subject to punishment under the "Unauthorized Computer Access Law." In addition to this law, there are other laws aiming at protecting computer information.

*4 Following are issues in creating provisions to punish acts of illegally acquiring or disclosing in general,

*5 For the last ten years or so, several European and American nations (such as the United States) have been creating and carrying out security evaluation and certification scheme (systems by which the security level of information-related machines and devices are evaluated and certified), basing the systems on the military procurement standards. This has led to a movement toward an international mutual recognition arrangement of the certified results. ISO/IEC 15408 is recognized with this background as the international standard in issues relating to security evaluation.

*6 In the United States, the federal government, in cooperation with various executive agencies within the government and with the private sectors, has been working on establishing a system for disseminating warnings, detecting intrusions, etc. in emergency situations. In addition, the military already has established systems which constantly monitors and handles emergencies Defense Information Systems Agency, etc.).

*7 Measures for IT security are not limited to isolated measures such as "building a system" and "monitoring and emergency response."
It is critical to establish comprehensive and systematic methodology, covering the following issues, with the dynamic cycle of security measures in mind.

In addition to ISO/IECl5408, ISO/IEC is conducting a discussion about overall management of IT security, which may lead to a guideline.

*8 In the United States, an "Experts, Review Team" from various government departments and bureaus has been set up in order to review the promotion of measures in various government organizations.