Country Surveys

Japan*

Critical Sectors

The critical infrastructures of Japan are defined in the Action Plan on Information Security Measures for Critical Infrastructures that was issued by the Information Security Policy Council in 200: “Critical infrastructures are formed by business entities providing highly irreplaceable services and are essential for people’s social lives and economic activities. If an infrastructure’s function is suspended, reduced or unavailable, people’s social lives and economic activities will be greatly disrupted.” The paper lists the following ten sectors that are deemed to be critical:

• (Tele-) Communication
• Government and Administrative Services
• Finance
• Civil Aviation
• Railways
• Logistics
• Electricity
• Gas
• Medical Services
• Water

* The Country Survey of Japan 2008 was reviewed by Toshihiko Suguri and Yoshihiro Sato of the National Information Security Center (NISC), Tohru Nakao and Tomoko Makino of the Ministry of Internal Affairs and Communications (MIC), and Mika Shimizu of the EastWest Centre.
1 Information Security Policy Council. “Action Plan on Information Security Measures for Critical Infrastructures”, p. 2. http://www.nisc.go.jp/eng/pdf/actionplan_ci_eng.pdf.
Past and Present Initiatives and Policies
The government of Japan, based on the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society of 199, has been steadily promoting policies contributing to the advancement of information technology and telecommunications in Japan. The Comprehensive Strategy on Information Security, released in 2003 by the Ministry of Economy, Trade, and Industry (METI), was the next step of the policy development process. In this document, ICT-related risks and threats confronting Japanese society were explicitly considered from a national security perspective.
2 Decision of the Advanced Information and Telecommunications Society Promotion Headquarters (9 November 1998).
3 “Outline of the First Follow-up of the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society” (19 May 2000). http://www.kantei.go.jp/foreign/it/2000/0706outline.html.
4 “Comprehensive Strategy on Information Security: Executive Summary.” Chapter 1.2: “New Dimensions of Risks Confronting Society as a Whole” (no date). http://www.meti.go.jp/english/information/downloadfiles/cInfo031216e.pdf.
In 200, the First National Strategy on Information Security was issued. This is now the most important policy paper and provides the basis for all other guidelines and action plans related to CIIP and information security.
The First National Strategy on Information Security
In October 2003, the Information Security Committee of the METI published the Comprehensive Strategy on Information Security. This document was the starting point for the development of a national strategy on information security, because it highlighted the need for a comprehensive approach to bring about and improve a highly reliable Information Society in Japan. Most importantly, the Comprehensive Strategy called for a clear definition of responsibilities within the government and promoted the development of a dedicated organization for information security within the Cabinet Secretariat. In 200, the propositions of the Comprehensive Strategy were implemented. A council and an organization were established within the Cabinet Secretariat (the Information Security Policy Council (ISPC) and the National Information Security Center (NISC)), and a new national strategy was elaborated. This strategy, called The First National Strategy on Information Security – Towards the Realization of a Trustworthy Society, is a mid- and long-term strategy formulating clear goals for the years 200–200. The Information Security Policy Council issued separate implementation plans for each of these three years. In general, the strategy aims to make Japan an advanced nation in the field of information security. Most importantly, the strategy aims to establish a new public-private partnership model to improve information security. Thus, the strategy defines the roles of government, critical infrastructures, businesses, and individuals, and the measures that need to be implemented by these actors:
• Central and local governments are required to define best practices for information security and implement these practices in their agencies. By defining and implementing standards for information security, the government shall increase the overall ability to respond to emergencies, including cyber-attacks;
• Critical infrastructures must ensure stable provision of their services. The major step to prevent disruptions of critical infrastructures is the development of so-called Capabilities for Engineering of Protection, Technical Operations, Analyses, and Response (CEPTOAR; for more detail, see the chapter on Organizational Overview) for each major sector. The Action Plan on Information Security Measures for Critical Infrastructures defines the strategy for critical infrastructures in more detail;
• Businesses need to implement information security standards and measures that are promoted by government agencies. Security audits and third-party evaluation systems shall be promoted;
• Individuals: the government aims to raise awareness of information security among users of IT services by improving information security education and by promoting user-friendly services.

The second version of the Comprehensive Strategy is being discussed as of March 200.

5 “Japanese Government’s Efforts to Address Information Security Issues”. http://www.nisc.go.jp/eng/pdf/overview_eng.pdf.
6 http://www.meti.go.jp/policy/netsecurity/downloadfiles/strategy_summary_English.pdf.
7 http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf.
8 “Secure Japan 2006: First Step Towards a Trustworthy Society”. http://www.nisc.go.jp/eng/pdf/sj2006_eng.pdf, and “Secure Japan 2007: Upgrading of Information Security Measures in Order to Create an Environment in Which People Can Use IT Safely and Securely”. http://www.nisc.go.jp/eng/pdf/sj2007_eng.pdf.
9 Information provided by an expert.
Action Plan on Information Security Measures for Critical Infrastructures
In 2000, the Cabinet Secretariat released a Special Action Plan on Countermeasures to Cyber-Terrorism of Critical Infrastructure, which was replaced in December 200 by the Action Plan on Security Measures for Critical Infrastructures, published by the ISPC as an amendment of The First National Strategy on Information Security. The new plan includes definitions of critical infrastructure elements and threats, safety standards for information security, information-sharing systems in public-private partnerships (PPP), interdependency analyses, and exercises. In particular, the plan emphasizes the importance of PPPs. The plan therefore aims to establish within each critical sector so-called Capabilities for Engineering of Protection, Technical Operation, Analysis, and Response (CEPTOAR, see the chapter on Organizational Overview). In addition, the Action Plan provides for analyses of interdependencies and cross-sectoral status assessments of the critical infrastructures. For this purpose, various cross-sectoral exercises are projected. Such exercises shall be implemented in every fiscal year, based on concrete threat scenarios corresponding to the assumed threats.
Standards for Information Security Measures for the Central Government Computer Systems
In order to achieve a sector plan for improving the information security level of the whole government, the ISPC has issued the Standards for Information Security Measures for the Central Government Computer Systems. The standards formulated by the ISPC represent the nominal level of information security in government agencies. The NISC inspects and evaluates the actual levels and compares them with the standards. In that way, it is possible to formulate recommendations for each government agency.

10 “Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure” (15 December 2000), provisional translation. http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN009986.pdf, and “Special Action Plan on Countermeasures to Cyber-Terrorism of Critical Infrastructure”, Summary, provisional translation (no date). http://www.kantei.go.jp/foreign/it/security/2001/cyber_terror_sum.html.
11 http://www.nisc.go.jp/eng/pdf/actionplan_ci_eng.pdf.
12 National Information Security Center (NISC). “Japanese Government’s Efforts to Address Information Security Issues – Focusing on the Cabinet Secretariat’s Efforts.” Chapter 3.1: “Standards for Information Security Measures for the Central Government Computer Systems”. http://www.nisc.go.jp/eng/pdf/overview_eng.pdf, p. 23ff.

Organizational Overview

Within the Japanese government, the Cabinet Secretariat is the main actor in the field of CIIP and information security in general. In 200, the ISPC and the NISC were established within the Cabinet Secretariat. These two organizations are now the focus of CIIP policies in Japan. In addition, the METI, the National Police Agency (NPA), and the Ministry of Internal Affairs and Communications (MIC) assist the Cabinet Secretariat and play major roles in the field of CIIP. As a private-public partnership initiative, the so-called CEPTOAR (Capabilities for Engineering of Protection, Technical Operation, Analysis, and Response) are designed to serve the purpose of information-sharing between government and the private sector.

Public Agencies

Cabinet Secretariat and IT Strategic Headquarters

The IT Strategic Headquarters, which includes all ministers and private-sector experts, was established in July 2000 within the cabinet in order to promote comprehensive measures for making Japan an internationally competitive IT nation. At the same time, the IT Strategy Council, consisting of 20 opinion leaders, was established in order to study the issue strategically and by combining private-public partnerships. In January 2001, the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) was launched under the provisions of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society (IT Basic Law), with the prime minister as its director-general, and including all cabinet members and opinion leaders from the private sector as members, to serve as a new base for joint government and private-sector promotion of IT policies.
Information Security Policy Council (ISPC)
The ISPC, set up in May 200, is chaired by the chief cabinet secretary and forms part of the IT Strategic Headquarters, with members from various ministries as well as private-sector experts. It plays a central role in developing and reviewing the information security strategies and policies. Thus, the ISPC has the following tasks:

• To develop and review strategies with regard to information security;
• To undertake proactive and retrospective assessments of information security policy, based on the basic strategy;
• To develop safety guidelines for information security that are uniform throughout government;
• To recommend information security policies based on the government-wide safety guidelines.
The National Information Security Center (NISC)
The NISC was launched in April 200 as Japan’s central implementing body for IT security issues. It collaborates closely with the ISPC and pursues the following tasks:
• Planning government-wide fundamental strategies for information security policy;
• Promoting comprehensive measures on information security concerning government organizations;
• Supporting these government organizations in an appropriate way when information security incidents occur;
• Strengthening the information security of critical infrastructures;
• Reinforcing information-sharing systems;
• Implementing cross-sector cyberspace exercises;
• Creating an international strategy and promoting relationships with other countries.

13 E-Japan Priority Policy Program. http://www.kantei.go.jp/foreign/it/network/priority-all/1.html.
14 Basic Law on the Formation of an Advanced Information Telecommunication Network Society. http://www.kantei.go.jp/foreign/it/network/0626_e.html.
Ministry of Economy, Trade and Industry (METI)
The METI is responsible for planning and implementing various information policies under the guidance of the IT Strategic Headquarters. In particular, METI deals with e-commerce, e-government, data protection, and research and development related to IT. In order to enhance the IT industry competitiveness in Japan, METI promotes policies that improve information security in companies.
National Police Agency (NPA)
The NPA has long been committed to maintaining computer and network security and investigating cyber-crimes. Traditionally, it has done this via its High-Tech Crime Prevention Department. In 1999, a new program was established to help fight high-tech crime. The High-Tech Crime Technology Division (HTCTD) was set up in the Information-Communications Bureau, and a National Police Agency Technology Center was created as the technical heart of the division. In April of 200, the National Police Agency established the HTCTD in each Prefectural Information-Communications Department in order to enhance the capacity for technological support. Additionally, the National Police Agency is committed to creating a monitoring and emergency response service to prevent and minimize the spread of large-scale cyber-related incidents, as well as to arrest so-called cyber-terrorists. One branch of this service consists of mobile technical teams, or Cyber Forces. These technical computer-security teams are stationed throughout Japan, and the Cyber Force Center acts as their command center. It monitors internet security around the clock and collects and analyzes relevant information. It is also equipped with facilities for a wide range of research and development, as well as for personnel education and training.

15 http://www.meti.go.jp/english/policy/index_information_policy.html.
16 http://www.cyberpolice.go.jp/english/action01_e.html.
Ministry of Internal Affairs and Communications (MIC)
The MIC is responsible for creating the fundamental national infrastructure of Japan, including information and communications. In order to realize “secure and safe” communications as a social infrastructure, MIC promotes various policies that reinforce information security in the three categories of “Network”, “Terminal System and Equipment”, and “Person”. The MIC publishes an annual White Paper on Information and Communications in Japan. In each edition, a special chapter deals with privacy protection as well as information security. The aim is to strengthen public-private partnership cooperation to ensure information security. Moreover, the MIC conducts research on fundamental technologies for measures against cyber-attacks and other network security issues and for the protection of personal information in the field of ICT, and carries out measures to upgrade emergency information functions in the telecommunications area. The 200 White Paper deals with ways to achieve a ubiquitous network society (u-Japan) by 2010 that allows connection to networks anytime, anywhere, by anyone, and enables an easy exchange of information. The MIC outlined the future of such a society and summarized the necessary policies as the u-Japan Policy, which is based on the four principles “ubiquitous”, “universal”, “user-oriented”, and “unique”. Among these, “ubiquitous” (connects everyone and everything) plays the key role.

17 http://www.npa.go.jp/english/kokusai/pdf/Poj2007-52.pdf.
18 http://www.soumu.go.jp/english/index.html.
19 http://www.soumu.go.jp/joho_tsusin/eng/whitepaper.html.
Public-Private Partnerships
Capabilities for Engineering of Protection, Technical Operation, Analysis, and Response (CEPTOAR)
Public-private partnerships are an important part of CIIP policies in Japan. The Comprehensive Strategy on Information Security of 2003 already contained suggestions for cooperation between the national government and private enterprises. The First National Strategy on Information Security and the Action Plan on Security Measures for Critical Infrastructures substantiated this requirement. They formulate the need for implementation of CEPTOAR within each critical infrastructure sector. The latter serve the purpose of information-sharing between the government and the private sector. The CEPTOAR receive information from the Cabinet Secretariat (via the presiding ministries and agencies) and provide this information to their corporate members that operate critical infrastructures. In order to enable information sharing between government agencies and private companies, the NIPC issued a “traffic light” protocol for information sharing: information can be classified as red (not to be disseminated), amber (need-to-know restriction), green (can be shared among all persons concerned), or white (can be made public).
20 Ministry of Internal Affairs and Communications, Information and Communications in Japan. “2007 Report on the Current Status of Information and Communications”. http://www.johotsusintokei.soumu.go.jp/whitepaper/eng/WP2007/contents.pdf.
21 Comprehensive Strategy on Information Security (executive summary), op. cit. http://www.meti.go.jp/english/information/downloadfiles/cInfo031216e.pdf.
22 http://www.nisc.go.jp/eng/pdf/actionplan_ci_eng.pdf.
23 http://www.nisc.go.jp/eng/pdf/overview_eng.pdf, p. 51.
Early Warning and Public Outreach

National Incident Response Team (NIRT)
The National Incident Response Team (NIRT) has been part of the IT Security Office of the Cabinet Secretariat since April 2002, and is in charge of the first response to cyber-incidents as the Japanese government CERT. Based on the Action Plan for Ensuring e-Government’s IT Security (adopted on 10 October 2001 by the IT Security Promotion Committee), NIRT comprises 1 computer security experts from both the government and the private sector and has the following tasks:

• To understand incidents correctly: to collect and analyze the related information or intelligence and make forecasts on possible future damage;
• To develop technical countermeasures for mitigation and recovery, and to prevent reoccurrence: to analyze countermeasures and to organize concrete remedies to be implemented by the ministries and agencies;
• To assist in response: to provide help-desk service for ministries and agencies, as well as response support when required;
• To collect and analyze information or intelligence in order to make predictions and provide effective incident response;
• To supply expertise, knowledge, and information to government organizations;
• To improve the necessary expertise.
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

JPCERT/CC is an independent non-profit organization acting as a national point of contact for the other Computer Security Incident Response Teams (CSIRTs) in Japan. Since its establishment in 1992, the center has been gathering information on computer incidents and vulnerabilities, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues. JPCERT/CC coordinates with network service providers, security vendors, government agencies, and industry associations, and is a member of the Forum of Incident Response and Security Teams (FIRST; see the survey on FIRST in this volume).

24 http://www.nisc.go.jp/en/sisaku/h1310action.html.
25 http://www.nisc.go.jp/en/shoukai/nirt.
26 http://www.jpcert.or.jp/english.
Asia Pacific Computer Incident (Emergency) Response Team (AP-CIRT / APCERT)
The aim of the Asia Pacific Security Incident Response Coordination (AP-CIRT) is to foster close collaborations among the CIRTs (Computer Incident Response Teams) in the region. In February 2003, its name was changed to Asia Pacific Computer Emergency Response Team (APCERT), and it continues to carry out its mission, which is to maintain a trusted contact network of computer security experts to improve the region’s awareness and competency in relation to computer security incidents.
Telecom Information Sharing and Analysis Center Japan (Telecom-ISAC Japan)

Telecom-ISAC Japan is an independent organization established as Japan’s first ISAC (Information Sharing and Analysis Center) in July 2002. Telecom-ISAC Japan works to improve information security by various means such as collecting, analyzing, and sharing incident information, providing timely countermeasures and best practices, and coordinating and collaborating with related organizations, based on mutual cooperation between a wide variety of members in the information and telecommunications industry, such as ISPs, carriers, and manufacturers.
27 See the membership list: http://www.apcert.org/about/structure/members.html.
28 http://www.apcert.org/about/mission/index.html.
29 https://www.telecom-isac.jp/index.html. Information provided by an expert.

Cyber Force
The Cyber Force, a section within the police, gathers data on the internet around the clock and looks for evidence of cyber-crime. When the Cyber Force detects an unusual phenomenon, it provides critical infrastructure operators with security information to prevent cyber-terrorism and conducts vulnerability tests. Additionally, the Cyber Force will give operators of critical infrastructures advice on how to limit the damage from such an incident, how to recover their services safely, and how to find the cause of the incident.
@police
The National Police Agency has a security portal site, @police, whose purpose is to prevent large-scale cyber-related incidents or keep them from spreading by quickly providing information gathered by the police on information security. Moreover, @police makes efforts to increase security awareness among internet users. Therefore, it provides a wealth of diverse content in order to help as many people as possible improve their security. Special online security courses, examples of internet crimes and how to avoid them, quick security checks, and information on security holes are provided for the benefit of private PC users as well as server administrators.
Ministry of Economy, Trade and Industry (METI)
METI has responded to security breaches in cooperation with JPCERT / CC and the Information Technology Promotion Agency (IPA) since 1990. Around that time, it also began releasing reports on computer viruses and unauthorized access and started to gather information about damage caused by computer viruses and disseminating it to the public immediately after the incident.
30 http://www.cyberpolice.go.jp/english/action02_e.html.
31 http://www.cyberpolice.go.jp/english.
32 Yutaka Hayami. “Realizing a World-Class Highly Reliable Society”. http://www.aavar.org/2004web/AVAR2004/Presentations/ps011.ppt.

Law and Legislation

Unauthorized Computer Access Law 1999
The Unauthorized Computer Access Law No. 12 of 1999 prohibits acts of unauthorized computer access (Article 3) as well as acts that facilitate unauthorized computer access (Article ).
Article 3 covers acts such as:
• Facilitating a specific use that is restricted by an access control function, by entering via a telecommunications line another person’s identification code into a specific computer that controls access;
• Facilitating a specific use that is restricted by an access control function, by entering via a telecommunications line any information (excluding an identification code) or command that can evade the restrictions of that access control function for that specific purpose;
• Facilitating a specific use that is restricted by an access control function, by operating a computer whose specific use is restricted by an access control function installed on another specific computer that is connected, via a telecommunication line, to that specific computer, by entering via a telecommunications line any information or command that can evade the restriction concerned.
Article makes it illegal to provide another person’s identification code relating to an access control function to a person other than the access administrator for that access control function, or to the authorized user for that identification code, while indicating that it is the identification code for a specific computer’s specific use, except where such acts are conducted by the access administrator, or with the approval of that access administrator or of the authorized user.
33 To exclude such acts conducted by the access administrator who has added the access control function concerned, or conducted with the approval of the access administrator concerned or of the authorized user for that identification code.
Moreover, the Japanese Penal Code, Article 2, makes it illegal to damage documents or electronic-magnetic records in public or private use.
Act on Electronic Signatures and Certification Business 2000
The Act on Electronic Signatures and Certification Business No. 102 of 2000 aims to promote the distribution of information by electromagnetic forms and information processing by ensuring easy use of electronic signatures, and thereby to contribute to the improvement of citizens’ quality of life and the sound development of the national economy, by providing the presumption of authentic establishment of electromagnetic records, the accreditation system for designated certification businesses and other necessary matters, with respect to electronic signatures.
Basic Law on Formation of an Advanced Information and Telecommunication Network Society 2001
The purpose of the IT Basic Law, which entered into force on January 2001, is to promote measures for forming an advanced information and telecommunications network society where citizens can enjoy the benefits of ICT. Its measures include (Articles 1–2) the formation and expansion of advanced ICT networks; the promotion of fair competition; increasing IT user skills and development of expert human resources; reform of regulations and facilitation of e-commerce through appropriate protection; promotion of e-government and digitalization of administration; assuring security and reliability for networks and the protection of personal data; promotion of creative research and development; and international cooperation.
34 http://www.cybercrimelaw.net/laws/countries/japan.html.
35 http://www.cas.go.jp/jp/seisaku/hourei/data/aescb.pdf.
36 http://www.kantei.go.jp/foreign/it/it_basiclaw/it_basiclaw.html.