[Targets]
To raise the security and reliability of Japan's advanced information and telecommunications networks to a level befitting the world's most advanced IT nation, Japan sets itself the target of eliminating the possibility of service suspension caused by threats arising from inadequate IT security (unauthorized access, computer viruses, Denial-of-Service (DoS) attacks and the like) over those networks, in particular for the elements of electronic government, electronic commerce, critical infrastructures, etc. that have a major influence on the daily lives and socioeconomic activities of the Japanese people.
1. Current Status and Tasks
Information and telecommunications networks such as the Internet are constantly exposed to threats such as unauthorized access, computer viruses and Denial-of-Service (DoS) attacks[1]. As ultra high-speed Internet access spreads, always-on connections become the norm, e-commerce advances and e-government is realized, these threats will become a real and imminent danger not only to government organizations and companies but to all citizens, in the form of fraud, violations of privacy and similar harms.
Moreover, many services related to critical infrastructures that have a huge impact on people's daily lives and socioeconomic activities, such as energy supply, transportation and governmental/administrative services, are becoming increasingly dependent on information systems. Given the prospect of accelerated digitization and networking, the threat of so-called "cyber-terrorism" is becoming a reality. The same applies to crisis management in the event of a natural disaster and to other issues of national security. Thus, to ensure the security and reliability of society and the economy as a whole, it is critical to build secure and reliable information and telecommunications networks.
However, the installation rate of firewalls[2], considered one of the most effective means of blocking unauthorized access, lags at about 50% (about 80% in the U.S.), so the current IT security level of Japan is by no means up to the world's highest level. It must therefore be raised to a level befitting a leading-edge IT nation.
For this purpose, with the free flow of information and unrestricted private-sector activity as absolute prerequisites, all possible measures will be taken to ensure the security and reliability of information and telecommunications and to protect privacy. At the same time, due consideration shall be given to international collaboration, maintenance of public order, disaster prevention and national security. In addition, the use of fiber-optic cables shall be considered for backing up information networks and other systems requiring a high level of security in the event of a disaster.
<Major indicators (as of December 1999)>
Indicator | Rate
IT security policy formulation at the government and companies | 18.9%
Firewall installation at the government and companies | 50.7%
Backup system installation at the government and companies | 24.3%
[1] DoS attack: An attack on a computer or network that overloads it without authorization or exploits security holes, disabling business activities.
[2] Firewall: A system installed at the border between an internal network and an external network (such as the Internet) to prevent unauthorized/illegal access and protect the internal network.
2. Significance of Policy Measures
The promotion of IT security measures is essential to the development of advanced information and telecommunications networks. However, with the fast pace of technological innovation in the IT field, attack techniques have also evolved rapidly. Moreover, because cyberspace has no national borders, anyone can be attacked instantly and covertly not only from within Japan but from anywhere in the world, which further complicates the problem. Security measures must therefore be reviewed constantly to keep pace. Ensuring the security and reliability of advanced information and telecommunications networks is thus a foundation for building the world's most advanced IT nation, and a prerequisite for every Japanese citizen to use the network with peace of mind.
3. Priority Policies
1) Preparation of Regulatory Frameworks and an Infrastructure concerning IT Security
The preparation of regulatory frameworks and an infrastructure concerning IT security, including a basic criminal justice system and objective criteria for IT security, is to be promoted.
i) Preparation of frameworks in basic criminal justice system (MOJ)
For the basic criminal justice system of an IT-based economic society, legal foundations will be established that contribute to ensuring the security and reliability of an advanced information and telecommunications network society.
a) Within CY2001, a bill for partial amendments to the Criminal Code providing appropriate penal provisions against crimes including the forgery of payment cards will be submitted to the Diet.
b) By CY2005, to ensure appropriate penalties, the necessary legislation will be prepared on penal provisions against various high-tech crimes and on investigation procedures for information and telecommunications networks.
ii) Measures for ensuring security and reliability of mobile communications networks (MPHPT)
Within CY2001, to cope with the new threats accompanying the sharp increase in Internet use from mobile communications terminals, a study will be made of measures to ensure the security and reliability of next-generation mobile communications networks, and the necessary frameworks will be prepared.
iii) Promotion of standardization of cryptographic technologies (MPHPT and METI)
By FY2002, in order to adopt cryptographic technology whose security has been objectively evaluated and which is efficient to implement, cryptographic technologies suitable for use in electronic government and the like will be evaluated and standardized through discussions at a meeting of experts, taking into account the progress of international standardization of cryptographic technology at the International Organization for Standardization (ISO)[3], ITU and elsewhere.
iv) Establishment of IT security management standards (METI)
Within FY2001, the security and reliability of information and telecommunications networks are to be ensured by incorporating the international standards on IT security management (ISO/IEC[4] 13335 and ISO/IEC 17799) into JIS standards and by creating an Information Security Management System scheme for the information processing service industry.
[3] ISO: An international organization aiming at the development of worldwide standardization, etc., in order to facilitate the international exchange of goods and services and to encourage international cooperation in intellectual, scientific, technological and economic activities.
[4] International Electrotechnical Commission (IEC): An international body aiming at promoting international mutual understanding by encouraging international cooperation on all issues of electrotechnical standardization and related matters in the fields of electrical and electronic technology.
2) Establishment of IT Security Measures within the Government
Continued assessment and review of IT security policies[5] will be carried out at every office and ministry to raise the level of IT security policy further. In addition, an infrastructure for IT security evaluation and certification that supports the infrastructure of the electronic government will be built.
Efforts will also be made to build an electronic government trusted by the people by using products with a high level of IT security, establishing backup systems for critical systems, and assessing IT security levels, including through ethical hacking.
i) Evaluation and review of IT security policies (Cabinet Secretariat and all offices and ministries)
In line with the "Guidelines for IT Security Policy" (decided in July 2000 by the IT Security Promotion Committee), all offices and ministries will implement, assess and review IT security policies by FY2003. At the same time, through the necessary backup of critical systems and IT security evaluation such as ethical hacking, all offices and ministries will raise their security to a level sufficient to ensure a secure e-government.
ii) Promotion of the use of products with a high security level in the government (All offices and ministries)
From FY2001, to build highly reliable systems with respect to IT security in the government, government procurement will be conducted in accordance with the "Guideline for Adopting Products with a High Security Level in Procurement by Each Office and Ministry" (adopted in March 2001 by the Inter-Ministerial Council for Promoting the Digitization of Public Administration).
iii) Implementation of an IT security technology evaluation/certification project (METI)
METI will start an evaluation/certification project based on the "Common Criteria for Information Technology Security Evaluation" (ISO/IEC 15408) for information equipment within FY2001, and will aim to participate in the international mutual recognition arrangement for such certification at the government level by FY2003.
[5] IT security policy: A set of rules comprising a basic concept of which information assets are to be protected from which threats, together with a scheme, organization and operations for ensuring IT security.
3) Protection of Personal Information
<Ditto. See "IV. Facilitation of e-Commerce">
4) IT Security Measures and Raising of Public Awareness in the Private Sector
IT security levels in the private sector will be further improved through support measures such as tax incentives and financing for the promotion of IT security. In addition, the government's functions for consultation, information exchange and information provision regarding information security measures will be enhanced.
i) Raising awareness concerning IT security (NPA)
Within FY2001, "IT Security Community Centers" (tentative name) will be established at all prefectural polices for training and asking views about IT security to the people. Also, by FY2004, IT security advisors responsible for consultation and public relations on high-tech crimes6 will be arranged to prefectural polices; and these advisors will gain training aimed at honing their skills.
ii) Strengthening of collaboration with industry (NPA)
Within FY2001, to strengthen close collaboration with industry, a meeting with participants from the industrial sector will be held at the NPA to formulate a guideline for collaboration with industry. In addition, conferences with participants from ISPs and private businesses will be established at all prefectural police forces to exchange information on the actual status and modi operandi of high-tech crimes.
iii) Strengthening of support for introducing facilities to improve reliability of telecommunications systems (MPHPT)
Within CY2001, to secure means of communication in emergencies such as natural disasters and to improve IT security against computer viruses and the like, a bill to amend the Provisional Measures Law for Telecommunications Infrastructure will be submitted to the Diet. By adding "computer virus monitoring equipment" to the list of "reliability improvement facilities" under that law, tax incentives will be provided to private companies that introduce such facilities.
iv) Establishment of IT security evaluation methods for information and telecommunications networks (MPHPT)
By FY2003, IT security evaluation items for information and telecommunications networks will be studied, tailored to the size of telecommunications carriers. Based on the results, MPHPT will make a proposal to the ITU to contribute to the establishment of international standards. In addition, IT security evaluation methods that precisely judge the level of each carrier's IT security measures will be established.
v) Strengthening of information services on countermeasures against unauthorized access and computer viruses, etc. (METI)
By FY2003, the Information-technology Promotion Agency, Japan (IPA) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), which are specifically responsible for the collection and analysis of unauthorized access and computer virus incidents, will be strengthened and encouraged to collaborate with each other and with the relevant overseas organizations. With their improved capacity to deliver IT security information, a wide range of general users will be able to benefit from these information services.
[6] High-tech crime: Crimes committed through the abuse of telecommunications and computer technologies, including computer-based fraud, network-based distribution of pornographic materials and violations of the Unauthorized Computer Access Law.
5) Countermeasures against Cyber-terrorism for Critical Infrastructures
In line with the "Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure" (Decision in December 2000 by the IT Security Promotion Committee), risk assessment, formulation of IT security policies and IT security measures based on the security policies will be implemented concerning information systems that serve as key components of critical infrastructures. Besides, efforts will be made to prepare a system for communicating/collaborating with private businesses, in addition to improving capabilities to cope with emergencies.
i) Establishment of a system of communicating/collaborating between the public and private sectors (Cabinet Secretariat and all the office and ministries)
To overcome vulnerability of existing information and telecommunications networks as a joint effort of the public and private sectors within CY2001, a liaison and collaboration scheme concerning critical infrastructures (information and telecommunications, financial systems, aviation, railroads, electric power, gas, the central and local governments) will be established, while utilizing existing networks for communication.
ii) Preparation of emergency response system at the Cabinet Secretariat (Cabinet Secretariat)
An emergency response manual for IT security incidents will be prepared within FY2001, and an IT security work support system will be created by FY2003, to improve the emergency response system at the Cabinet Secretariat.
iii) Establishment of emergency response system within the police organizations (NPA)
a) Within FY2001, a mobile technical unit will be established to prevent damage in the event of so-called cyber-terrorism and to track the sources of attacks. A real-time detection network system for recognizing the occurrence of cyber-terrorism will also be built. Together with the preparation of the necessary facilities and equipment, staff training and a research environment, these will provide a scheme for preventing cyber-terrorism and for emergency management should it actually occur.
b) By FY2003, efforts will be made to prepare a system for collecting information on terrorist organizations, to strengthen ties between the police and the systems administrators of critical infrastructures, and to improve the skills of staff.
iv) Preparation of emergency response system at the Defense Agency (Defense Agency)
By FY2003, an operations guideline will be formulated for the information systems held by the Defense Agency and the Self-Defense Forces that ensures IT security. In addition, an organizational unit (corps) will be established with the capability for constant monitoring of information systems, system auditing, emergency response and other functions.
6) R&D on IT Security
i) Promotion of R&D on IT security technologies for national defense and public order (NPA and Defense Agency)
The NPA will carry out R&D on a more powerful firewall by FY2002, thereby strengthening the IT security of networks operated by the police.
In parallel, the Defense Agency will conduct case studies and similar work on countermeasures against cyber attacks in order to strengthen the IT security of networks operated by the Defense Agency by FY2003.
ii) Promotion of R&D on key technologies concerning IT security (NPA, MPHPT and METI)
To attain by FY2005 a technological level befitting the world's most advanced IT nation, R&D will be promoted on IT security technologies against all currently identified kinds of threat. The following R&D themes will be put into practical use by FY2005.
a) R&D relating to the prevention and detection of unauthorized access and cyber-terrorism
To protect information and telecommunications networks from threats such as unauthorized access and so-called cyber-terrorism, the R&D needed for the prompt detection of, and appropriate response to, these threats will be carried out.
b) R&D for ensuring security and reliability of information and telecommunications networks
To allow the unrestricted distribution of information, the R&D needed to ensure the security and reliability of information and telecommunications networks, including cryptographic technology, authentication technology for electronic signatures, and security evaluation/certification technology, will be carried out.
7) Fostering Staff in charge of IT Security
A sufficient number of human resources with sophisticated IT security skills will be developed comprehensively through R&D, training courses and the introduction of a qualifications framework.
i) Development of human resources to combat high-tech crimes
a) By FY2004, the NPA will appoint high-tech crime investigators, commission cyber-patrol monitors, and train high-tech crime police staff throughout the nation with the help of the police and other organizations, in order to secure the human resources needed to combat high-tech crime and to prepare a scheme for cooperation with the private sector. (NPA)
b) Within FY2001, the MOJ will train the investigative officers of the District Public Prosecutors Offices in highly technical knowledge of networks and IT security, as part of a framework for the appropriate and prompt handling of high-tech crimes, which are becoming increasingly complex and sophisticated. (MOJ)
ii) Fostering of personnel responsible for IT security at the Defense Agency (Defense Agency)
By FY2003, core technical personnel with a high level of IT security skill, such as emergency response, will be secured by dispatching Defense Agency staff to the United States. These personnel will then serve as in-house lecturers training technical staff, and will be responsible for ensuring the IT security of the agency's networks that handle highly confidential information such as military operational information.
iii) Establishment of a qualifications framework concerning IT security (MPHPT and METI)
Within FY2001, an IT security subject will be added to the list of subjects for the Chief Telecommunications Engineer's license examination, and an IT security administrator examination will be introduced into the Information-Technology Engineers Examination. IT security courses will also be offered, and a training program for IT security evaluation engineers will be subsidized.
8) Strengthening of International Collaboration concerning IT Security
International contribution in the field of IT security will be actively promoted through actions at the G8 and OECD and through assistance to developing regions.
i) Strengthening of international collaboration concerning countermeasures against high-tech crimes (NPA, MPHPT, MOFA, MOJ and METI)
In FY2001, through various opportunities including the Second G8 Meeting of Officials and the Private Sector on Combating Computer Crime, hosted by Japan, government-private sector consultations will be held at the international level, and rules for speedy cooperation in the investigation of high-tech crimes will also be discussed.
ii) Strengthening of cooperation with police organizations in each nation (NPA)
In FY2001, ties with police organizations in other nations will be strengthened through a conference of practitioners in charge of the technical aspects of countering high-tech crime in Asia and the Pacific, and through effective use of the 24-hour contact point system for communication with police organizations in Asian nations. Technical guidance on countermeasures against high-tech crime will also be provided.
iii) Strengthening of cooperative ties with the U.S. Department of Defense (Defense Agency)
By FY2003, through the exchange of information (the IT Forum, etc.) at bilateral policy consultations with the U.S. Department of Defense, Information Assurance[7] for the Defense Agency will be established, and the resulting know-how and technologies will be released to the public insofar as such release does not jeopardize national defense.
iv) Construction of a global information exchange network for IT security (METI)
METI will strengthen cooperative ties between JPCERT/CC and related organizations for information exchange with relevant overseas organizations, both public and private, such as CERT/CC, which collect and accumulate security information, e.g., on the occurrence and analysis of unauthorized access and computer viruses. METI will also support networking at various levels of the private sector. Through these measures, IT security information will be provided accurately and rapidly, and fed back into responses and countermeasures.
[7] Information Assurance: A generic name for the various security measures for computer systems carried out by the U.S. Department of Defense.