[Provisional Translation]

Action Plan for Building Foundations of Information Systems Protection from Hackers and Other Cyberthreats

Adopted by the Interagency Director-Generals' Meeting on IT Security
on 21 January, 2000

I. Introduction

Considering the current situation, further efforts are required to achieve appropriate levels of IT-security, both in the public and private sectors, that reflect the development of information and network technologies.

II. Current Measures

1. Measures within the Government

Government ministries and agencies have already taken various measures to protect their own systems from such IT-related threats as intrusion by hackers and viruses. (Hereafter, throughout this document, the term "measures within government" refers to measures for government to protect its own systems.)

Following are major measures that have been taken so far, by the information-systems departments in the ministries concerned.

In this connection, the "Guideline for Government Information Systems security" was approved by the Inter-ministerial Meeting of Government Information Systems Division-Directors in 1999.

(1) Administrative System

• Appointing system administrators

(2) Measures Related to Users (Internal Staff Members), etc.

• User ID control (e.g.; eliminating or suspending ID of staff who have been absent for a long period of time)
• Password control (e.g.; instructing users to set up their own passwords, ensuring that they do not use passwords that are easy to guess, training users to frequently change their passwords)
• Limiting access to critical data
• Controlling access to critical facilities

(3) Measures for the Construction and Maintenance of Systems

• Installing functions (such as firewalls) to prevent unauthorized access
• Viruses testing when introducing new hardware and software
• Regular viruses testing using vaccine
• Keeping and regularly analyzing access log

(4) Other Measures

• Improving emergency preparedness (communication and recovery procedures within each organization when an emergency, such as unauthorized access, occurs)
• Teaching and training of users
• System audit by a third party

2. Raising Private Sector Awareness

Several government ministries and agencies are also trying to raise private sector awareness by establishing standards and guidelines to help private sector take measures such as those listed above.

(for reference)

Standards and Guidelines Published by Related Ministries and Agencies (There are various types, depending on the fields and industries.)

• Standards for the Safety and Reliability of Information Communications Networks (l987, Ministry of Posts and Telecommunications)
• Guidelines for the Prevention of Computer Viruses (1995, Ministry of International Trade and Industry)
• Information Systems Security Guidelines (1995, Ministry of International Trade and Industry)
• Guidelines for the Prevention of Unauthorized Computer Access (1996, Ministry of International Trade and Industry)
• Systems Audit Guidelines (1996, Ministry of International Trade and Industry)
• Accreditation Criteria for Secure Information-Processing Businesses (1997, Ministry of International Trade and Industry)
• Policies for the Safety of Information Systems (1997, National Public Safety Commission)

Not only do agencies try to raise awareness, but they also establish legal standards in some cases (e.g., Technical Standards concerning Telecommunications Equipment in the Telecommunications Industry Law, a certification system for the compliance to the Technical Standards, etc.).

3. Promotion of Research and Development

In order to contribute to the protection of public and private information systems, the ministries and agencies involved are actively promoting various types of technologies for IT security, such as methods to control unauthorized access (including automatic detection and back-tracking of unauthorized access, etc.), anti-virus measures, and cryptography.

4. Improving Laws and the Investigation Structure

While these preventive measures are being taken, laws and the investigation structure are being improved in order to punish acts of unauthorized access and other illegal activities.

(1) Legislation (penal provisions)

(i) Revising the Criminal Law regarding computer crimes.
The 1987 revision of the Criminal Law made the following illegal fraudulent acts using computers, obstruction of Business by Destroying a Computer and illegal production of electro-magnetic records.

(ii) Establishing the Unauthorized Access Prohibition Law
On August 6, 1999, the Diet passed the "Unauthorized Computer Access Law." This law was promulgated on August 13 (it came into force on February 13, 2000, with the exception of some parts.). This law prohibits "acts of unauthorized computer access," defined as follows; any acts of making available a "specific computer" (connected to telecommunication line) use of which is restricted by "access control function", through inputting another person's "identification code", or any information or command, via telecommunication line.

(2) Investigation Structure

In what can be referred to as "Cyber-Police Force," a structure is being built to strengthen the prefectural police force; e.g., by establishing a national center in the National Police Agency to fight against high-tech crimes.

5. International Cooperation

The government participates in international forums such as the OECD (Security Privacy subcommittee2 ) and the G8 Senior Experts' Group on Transnational Organized Crimes(the "Lyon group"). In addition, each ministry and agency is making efforts toward international cooperation.

III. Basic Philosophy regarding a Strengthened Approach

1. Approaches within the Government

The measures which the government has taken thus far is limited mainly to measures by the information systems department in each agency. From now on, however, inter-ministerial cooperation should be promoted, so that the government can effectively incorporate new measures within the government itself, such as incorporating IT security evaluation that is currently being studied and utilizing results of R&D efforts. It is hoped that these new approaches will raise the level of security standards.

To this end, in this action plan, we note that the protection of governmental IT systems is an issue to be dealt with by the entire government as a whole, not only by the information systems division in each agency, and call for further actions, setting fiscal year 2003 as the immediate target date.

2. Approaches in the Private Sector

In this action plan, following two perspectives are underlined to strengthen efforts by the government.

(1) Information on further approaches and measures within the government, such as those outlined in Point 1 above, will be provided, as models, to the private sector.

(2) In such sectors, as critical private infrastructure and local public organizations, which in an emergency situation, could severely affect the civil life (in other words, there is the danger of "cyberterrorism"); additional special measures will be promoted on top of the usual policy of "creating an environment for self initiated measures."

3. International Cooperation

4. Other Measures

Illegal acquisition or disclosure of information processed by or stored in a computer (here in after referred to as "computer information") is, to a considerable extent, legally punishable under current laws, and subject to the corresponding types of penalties3. when illegal action causes in someone else's economic loss to others, it is of course subject to loss/damage compensation under Civil Law. However, there is no law or regulation which criminalize unauthorized acquisition or disclosure of computer information per se.

On the other hand, there is considerable discrepancies in other countries' punitive legislations for the protection of computer information. They do not necessarily criminalize unauthorized access to computer information in general.

• Germany: An act of unauthorized acquisition of electronic information under protection is punishable in general.
• U.S.A.: Accessing to a computer without permission and obtaining classified information concerning national security, and diplomacy, or financial information in certain financial institutions, is punishable.
• France: There is no provision to punish on the act of illegal acquisition of information per se.

When the Penal Code was revised in 1987, the issue of whether or not to create such provisions was discussed. Conclusion was that it was necessary to further consider how to treat various kinds of information, how to balance the treatment of computer information and that of non-computer information, etc.4 Based on this we continue to discuss this Issue.

(2) Measures against Cyberterrorism

Concerning measures to prevent cyberterrorism, fundamental policies will be promoted in accordance with this action plan, and the discussions will be conducted with a view to finalizing a "Special Action Plan Concerning Measures to Combat Cyberterrorism" by December 2000.

IV. Specific Actions for Reinforcing the Approaches

1. Reinforcing Approaches within the Government

[Overview]

We will build government computer systems with more reliable security, are to be build by introducing new methods such as security evaluation and fruits of R&D efforts.

[Specific Actions]

(i) Use of Secure Products and Technologies

• When constructing a new computer system, each ministry and agency is to carefully consider the use of products and technologies with sufficient security levels for the system.
• The Ministry of International Trade and Industry, in cooperation with other concerned ministries/agencies, is to discuss, among others, how to make use of security-related international standards (e.g. ISO/IEC 15408)5 in the government procurement of IT products, etc., with a view to reaching a conclusion by May 2001. The results of these discussions will be submitted to the Inter-ministerial Council of Government Information Systems (its secretariat is in the Management and Coordination Agency), so that this council can agree on a "policy concerning the use of products, with a high standard of security in procurement by each government ministry and agency".

(ii) Development of Secure Products and Technologies

• Agencies and ministries involved, such as the Ministry of International Trade and Industry and the Ministry of Post and Telecommunications, are to promote the development of necessary products and technologies related to IT security (in particular, technologies such as monitoring, detecting, and tracing hacking), based on the statement "by the fiscal year 2003, technologies necessary for the realization of an electronic government shall be developed" in "Policy Measures for Economic Rebirth" .
• The National Police Agency, the Defense Agency, and other agencies which need to build systems with particularly high standards of security continue to promote the development of products and technologies with high standards of security, as required for their own systems.
• Including the above, the outcome of technology development in IT security promoted by these ministries and agencies is to be shared, as necessary, by other ministries and agencies.
• The above-mentioned technology development is to be promoted with due consideration to international standards.

(2) Building and reinforcing monitoring systems and response capabilities in case of emergencies

[Overview]

To cope with emergencies such as unauthorized access and virus infections, monitoring systems and responsiveness, including sharing urgent information, intrusion detection, system-closure, should be built and strengthened.6

[Specific Measures]

• The National Police Agency is to strengthen and expand the current monitoring and emergency response system by analyzing high-tech crime and modus operandi of unauthorized access. The Defense Agency is to establish a system-operation guideline (by 2003) to operate its own system with information security maintained. It shall also study various threat tendencies and, together with that data, organize a monitoring and emergency-handling structure for its own system.
• Each ministry and agency is, either by itself or in cooperation with one another, to study how to establish monitoring systems and response capabilities, considering the above approaches and their own experience at the end of 1999 and the beginning of 2000. If necessary, they should utilize this Director-Generals' Meeting (including the Directors' meeting under that).

During the roll-over period from 1999 to 2000, an information network was created to share such emergency information as unauthorized access and virus infections, among government agencies and private sectors, as a part of Y2K information networks. That information network was operated by the ministries of the Prime Minister's Office, with the support of IT experts outside the government.

(3) Study on Comprehensive and Systematic IT Security Measures

[Overview]

Study should be conducted on how to ensure that IT security measures are formulated in a more comprehensive and systematic manner, well beyond the extent of specific, technical measures that have been taken by information-systems divisions of ministries and agencies.7

[Specific Measures]

• The Director-Generals' Meeting (including the Directors' meeting under it), continues to discuss how to ensure more comprehensive and systematic IT security measures, in cooperation with relevant ministries and agencies. The goal is to prepare "Guidelines concerning IT Security Policies" by December 2000, for each ministries and agencies (tentative title; see Notes below).
• In order to make the above-mentioned guidelines internationally reliable, the ministries and agencies involved should thoroughly study measures and tends in other countries and contribute to the discussions mentioned above.
• Each ministry and agency should based on the above-mentioned guidelines, establish its own IT-security policy by the end of fiscal year 2002, and should promote comprehensive and systematic measures based on the policy.

(Notes)

Items Expected to Be Included in the Guidelines

• The basic philosophy concerning the promotion of comprehensive and systematic IT-security measures (purposes of establishing IT-security policies, etc.)
• The structure and items in the IT-security policies to be prepared by each ministry and agency (organization, responsibility delegation, extent of application, methods of risk analysis, specific Procedural rules at each step such as decision-making, reviewing, emergency response, etc.)
• An organizational system for establishing IT-security policies (setting up a policy establishing team, procedures for creating policies within a team, agency, or ministry, etc.)
• An example of IT-security policies

(4) Other Measures

[Specific Measures]

• Each ministry and agency should strive to improve its capability through such means as in-house training of its government employees, as a foundation for the promotion of IT-security measures, including the above-mentioned measures. It should also promote the active use of outside expertise such as technology experts in the private sector, to an extent of confidentiality requirements.
• There is a need to discuss and create a system by which the IT-security measures in each ministry and agency are routinely evaluated and verified. Therefore, this Director-Generals' Meeting should continue to address the issue, with a view to finalizing it by December 2000.8 (For an immediate follow-up of this action plan, see Main Point 4 at the end of this document.)

2. Promotion of Measures in the Private Sector

(1) Information Dissemination to the General Public

[Specific Measures]

• Based on the experience of promoting measures discussed in Point 1 above and other measures within respective jurisdiction, each ministry and agency should, gather and make public information that can be useful when private corporations and businesses carry out their IT-security measures.

(2) Promotion of Measures for Critical Infrastructure in the Private Sector

[Specific Measures]

• Each ministry and agency should, by April 2000, determine "critical sectors" among areas where cyber attacks might cause serious affects on citizens' lives (i.e., the areas subject to cyberterrorism): they may include finance, energy, communications, transportation, medical care sectors, other critical infrastructure in the economic society and local governments (including police and are services). Each ministry and agency should report its selection to the Director-Generals' Meeting, where representatives from these "critical sectors" and government officials are to exchange necessary information between the public and private sectors. If necessary, each ministry and agency should investigate and study issues such as the progress of IT networks in each sector, etc.
• At this Director-Generals' Meetings (including the Directors' meeting under that), future measures should be discussed, based on the information exchange described above. The results of these discussions should be finalized by December 2000, as "A Special Action Plan Regarding Measures against Cyberterrorism".
• Each ministry and agency should, under respective jurisdiction, continue to promote and reinforce studies regarding various measures related to IT security (including the review of different types of standards); when appropriate, it should report the results at this Director-Generals' Meetings (including the Directors' meeting under that) and contribute to the discussions on "A Special Action Plan Regarding Measures against Cyberterrorism."

3. Strengthening International Cooperation

• Further cooperation and coordination should be explored with overseas government agencies promoting measures similar to those that are listed in Points 1 and 2 above.

[Specific Measures]

• The Ministry of Foreign Affairs (MOFA) should, in cooperation with other ministries and agencies involved, collect information from the appropriate authorities in the United States and with countries where advanced measures are being developed in this area. MOFA should also conduct relevant information exchange with these countries, with a view to establishing a necessary cooperative structure (e.g., building an emergency information-sharing system between governments, cooperation through multi-national forums, etc.)

4. Follow-Up of The Action Plan

• The Director-Generals' Meeting should follow up investigation concerning the implementation of various measures listed in this document by December 2000.

*1 The term "hacker" now has a wide variety of meanings, but throughout this document it refers to a person who gains unauthorized access to a computer or computers.

*2 The Security Privacy Subcommittee of the OECD is a working group under the auspice of the Committee for Information, Computer and Communications Policy (ICCP). Its official name is the "Working Party of Information Security and Privacy (WPISP)."

*3 For instance, if one conducts an act of unauthorized computer access and then obtains information, that party is subject to punishment under the "Unauthorized Computer Access Law." In addition to this law, there are other laws aiming at protecting computer information.

• The Penal Code\provides for punishes crimes concerning data on electronic computers and electromagnetic records, secrecy violation, crimes of defamation, etc. in some cases, property crimes, such as theft and breach of trust, can be applied.
• Penalty for infringement of intellectual property right (Copyright Law, Patent Law, etc.)
• Penalty for infringement of confidentiality in communication (Wire Telecommunications Law, Telecommunications Business Law, etc.)
• Penalty for violation of confidentiality obligation by public officer (National Public Service Law, Local Public Service Law, etc.)

*4 Following are issues in creating provisions to punish acts of illegally acquiring or disclosing in general,

• Computer information comes in all sorts of forms and styles; even "confidential" information differs in its level of required protection and criticality. Some information is classified, some involves privacy, and yet some, contains property values. Therefore, it is necessary to consider how to treat each type of information, corresponding to such differences.
• There are of course information, not processed or protected by computers, which needs to be placed under protection and is considered critical. There comes a question of how to maintain a balance between computer information and this type of information.
• The relationship among these relevant provisions should be carefully considered.

*5 For the last ten years or so, several European and American nations (such as the United States) have been creating and carrying out security evaluation and certification scheme (systems by which the security level of information-related machines and devices are evaluated and certified), basing the systems on the military procurement standards. This has led to a movement toward an international mutual recognition arrangement of the certified results. ISO/IEC 15408 is recognized with this background as the international standard in issues relating to security evaluation.

*6 In the United States, the federal government, in cooperation with various executive agencies within the government and with the private sectors, has been working on establishing a system for disseminating warnings, detecting intrusions, etc. in emergency situations. In addition, the military already has established systems which constantly monitors and handles emergencies Defense Information Systems Agency, etc.).

*7 Measures for IT security are not limited to isolated measures such as "building a system" and "monitoring and emergency response."
It is critical to establish comprehensive and systematic methodology, covering the following issues, with the dynamic cycle of security measures in mind.

• how to conduct risk analyses and prioritize various measures and
• how to review various measures after they have been agreed upon and carried out, as well as ways to improve the measures once they have been executed.

*8 In the United States, an "Experts, Review Team" from various government departments and bureaus has been set up in order to review the promotion of measures in various government organizations.