How To Protect Critical Infrastructure



Transcription:

Cybersecurity Strategy in Japan
October 9th 2014
Yasu TANIWAKI, Deputy Director-General, National Information Security Center (NISC), Government of JAPAN

Big Data Society and Cybersecurity
- Open data
- Digitally stored knowledge
- M2M (streaming data)
- Personal data
Collected and stored big data (static / dynamic)
Increasing dependence of socioeconomic systems on IT
- More severe risks
- Dissemination of risks
- Globalization of risks
Cyber Space

Sophisticated Attacks to Sensitive Information
[Recent major cases]
- 2011.9 ~ [Mitsubishi Heavy Industries, Ltd. (MHI), House of Representatives (HR) etc.] Found virus infection by targeted attacks
- 2012.5 [Japan Nuclear Energy Safety Organization (JNES)] Found possibility of information leakage over previous months
- 2013.1 [Ministry of Agriculture, Forestry and Fisheries of Japan (MAFF)] Announced attack case on TPP-related information leakage
- 2013.4 [Japan Aerospace Exploration Agency (JAXA)] Found unauthorized access to servers from outside
- 2013 autumn [Government agencies etc.] Found zero-day attack* causing particular entities to be infected by web browsing
- 2014.1 [Japan Atomic Energy Agency (JAEA)] Found possibility of information leakage by virus infection
* Zero-day attack: An attack that misuses unpatched or undisclosed security holes in software.
[Threats to government's organizations]
- No. of threats detected through monitoring by sensors, etc.**: FY 2011: Approx. 660,000; FY 2012: Approx. 1,080,000; FY 2013: Approx. 5,400,000 (24 hrs & 365 days, 10 times in a min.)
- No. of notices issued through monitoring by sensors, etc.: FY 2011: 139; FY 2012: 175; FY 2013: 139
- No. of warnings issued on suspicious e-mails: FY 2011: 209; FY 2012: 415; FY 2013: 381
** No. of abnormal accesses or communications among events detected by sensors installed in the ministries by the GSOC (abbreviation for Government Security Operation Coordination team) etc.

Attacks on Critical Infrastructures
[No. of attacks on critical infrastructures]
- No. of info. messages or reports* from critical infrastructure areas: FY 2012: 110 (76)**; FY 2013: 153 (133)
  Main details: Unauthorized access, DoS: 121; Virus infection: 7; Other intentional factors: 5
- No. of received info. messages*** about targeted attack e-mail, etc.: FY 2012: 246; FY 2013: 385
* Reports from the critical infrastructure operators to the NISC
** Reports concerning Cyber Attacks
*** Reports from the five industries (45 organizations), or critical infrastructure equipment manufacture, power, gas, chemistry and petroleum to Information-Technology Promotion Agency (IPA), Japan
[Area of the Critical infrastructure]
(1) Information and Communications (2) Finance (3) Aviation (4) Railways (5) Electricity (6) Gas (7) Gov't and Admin. Services (8) Medical Services (9) Water (10) Logistics (11) Chemistry (12) Credit Card (13) Petroleum
**** These three sectors were added to the third action plan to security measures for critical infrastructures decided by the Information Security Policy Council (ISPC) on 19th May 2014.

Widespread Scope of Targets
[Spread of smart phones etc.]
- Household ownership rate increased five times rapidly* (End of 2010: approx. 10% -> End of 2012: approx. 50%)
- Illicit sites targeted at mobile devices increased twenty times rapidly (End of 2011: approx. 3 thousand -> End of 2013: approx. 57 thousand)
[Penetration throughout all of society in Japan]
* 2013 White Paper Information and Communications in Japan by the Ministry of Internal Affairs and Communications (MIC). Regarding the increase rate of illicit sites: Research by Trend Micro corp.
** Approaches for Vehicle Information Security (August 2013) by Information-technology Promotion Agency (IPA), Japan
*** Handout at 14th Study group for Smart Meter system, by the Ministry of Economy, Trade and Industry (METI)

Attacks from a Variety of Entities in the World
[Attacks on Japan from Overseas]
Geographical location of IP addresses used by malware (2013)*: Japan 3%, Overseas 97%. 97% of malware tried to connect to overseas servers.
[Recent major cases]
- 2011.3 [Korea] DDoS attacks to 40 web servers of government agencies etc. Attack commands issued using home PCs in Japan as bots
- 2013.3 [Korea] Large-scale cyber attacks to critical infrastructures. Same malicious program concurrently found in Japan
- (Reference) 2013.5 [US] The US government points out the possibility of the involvement of foreign governments or militaries in targeted attacks made to steal national or corporate secrets**
* Source: National Police Agency of Japan (Feb. 2014)
** Source: The Administrative Strategy on Mitigating the Theft of U.S. Trade Secrets (White House, February 2013) & the Annual Report to Congress (Department of Defense, May 2013)

Global Risks in the World (Jan 2014, WEF)
[Dot chart; axes: Most Potentially Impactful Risks / Most Likely Risks. Risks labelled: Financial crises; Critical information infrastructure breakdown; Water crises; Climate change; Cyber attacks; Unemployment and underemployment; Extreme weather events; Income disparity]
The deepening reliance on the Internet to carry out essential tasks and the massive expansion of devices that are connected to it, make the risk of systemic failure on a scale capable of breaking systems or even societies greater than ever in 2014, according to the report.
Notes: The above dot chart is a result of surveys made by 700 or more experts around the world with respect to the perspective of 31 risks extracted from the viewpoint of significant impact on all the people and all the industries in the world in the coming ten years. The number 1 indicates the absence of possibility of risk occurrence or a low level of impact while the number 7 indicates a high possibility of risk occurrence or a high level of serious and disruptive impact.
<Source: WEF's Global Risks 2014 (January 16, 2014)>

History of Cybersecurity Strategy
Timeline (FY): 2000 2004 2005 2006 2009 2010 2011 2012 2013 2014 2016 2020
Phases:
- Individual efforts by each agency
- Focused on responding to cyber incidents
- Construction of comprehensive infrastructure for counteracting cyber incidents
- Risk-based approach
- Active cyber security measures against cyber attacks
- Responding to new environmental changes
IT Strategy:
- e-Japan Strategy (2001.1)
- e-Japan Strategy II (2003.7)
- New IT Reform Strategy (2006.1)
- i-Japan Strategy 2015 (2009.7)
- New Strategy on Information and Communications Technology (2010.5)
- Declaration to be the World's Most Advanced IT Nation (IT Strategic Headquarters, June 2013)
Cyber Security Strategy, Mid/long-term Plan:
- Cybersecurity Strategy (ISPC, June 2013)
- First National Strategy on Information Security "Realizing Secure Japan" (2006.2)
- Information Security Strategy for Protecting the Nation (ISPC, May 2010)
- Second National Strategy on Information Security "Toward Strong Individual and Society in IT era" (2009.2)
Cyber Security Strategy, Annual Plan: 2006 2007 2008 2009 2010 2011 2012 2013 2014
Measures for the Government:
- Guidelines for the Formulation of Information Security Policies (2000.7)
- Standards for Information Security Measures for the Central Government Computer System, 1st~4th ed. (2005.12)
- Management Standards for Information Security Measures for the Central Government Computer System (2011.4, revised 2012.4)
- Common Standards (ISPC, May 2014)
Critical Infrastructure Protection:
- Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (2000.12)
- Action Plan on Information Security Measures for Critical Infrastructure (2005.12)
- The Second Action Plan on Information Security Measures for Critical Infrastructures (2009.2, revised 2012.4)
- The Third Action Plan (ISPC, May 2014)

Framework for Information Security Policies
Strategic Headquarters for the Promotion of an advanced Information and Telecommunications Network Society (IT Strategic Headquarters)
- Director-General: Prime Minister
- Vice Director-Generals: Minister in charge of Information Technology (IT) Policy; Chief Cabinet Secretary; Minister of Internal Affairs and Communications; Minister of Economy, Trade and Industry
- Members: All other Ministers of State; Government Chief Information Officer (CIO); Experts
- (Secretariat) IT Policy Office, Cabinet Secretariat; Office chief (Government CIO)
Information Security Policy Council (Established May 30, 2005 by a decision of the Director-General of IT Strategic Headquarters)
- Chair: Chief Cabinet Secretary
- Deputy Chair: Minister in charge of Information Technology (IT) Policy
- Members (participation by Cabinet ministers): Chairman of the National Public Safety Commission; Minister of Internal Affairs and Communications; Minister of Foreign Affairs; Minister of Economy, Trade and Industry; Minister of Defense; Experts (7 people)
- Critical infrastructure special councils
- Human resources expert committee for dissemination and enlightenment
- Technological strategy special committee
- Information security measures promotion committee
(Secretariat) National Information Security Center (NISC)
- Director-General (Assistant Deputy Chief Cabinet Secretary (Situations Response and crisis management))
- Deputy Director-General
- Information security Assistant
- Government Security Operation Coordination team (GSOC)
- Cyber Incident Mobile Assistant Team (CYMAT)
Cooperation: National Police Agency; Ministry of Internal Affairs and Communications; Ministry of Foreign Affairs; Ministry of Economy, Trade and Industry; Ministry of Defense
Ministries responsible for critical infrastructure:
- Financial Services Agency: financial organizations
- Ministry of Internal Affairs and Communications: local governments, information and communication
- Ministry of Health, Labour and Welfare: medicine, water supply
- Ministry of Economy, Trade and Industry: electricity, gas, chemistry, credit, petroleum
- Ministry of Land, Infrastructure, Transport and Tourism: railroads, aviation, distribution
Government organizations (each government ministry); Critical infrastructure businesses, etc.; Companies; Individuals

Main Efforts based on the Cybersecurity Strategy (June 2013)
Targets: Government Organizations, Independent Administrative Organizations, etc.; Critical Infrastructure Industries; Enterprises, Individuals
Resilient Cyberspace (Strengthening protection)
- Review of the Common Standards for Information Security Measures for the Central Government Computer Systems and establishment of the methods of risk assessment in order to protect sensitive information
- Strengthening GSOC, accurate and quick response through cooperation with CYMAT and CSIRT
- Conducting incident response drills, specifying roles of related organizations such as the police and the Self Defense Forces
- Measures for new threats pursuant to new services, including SNS and group mail
- Review of the Action Plan including expanding the scope of critical infrastructure and review of the Safety Standards
- Strengthening information sharing with government organizations and system vendors, etc.
- Cross-sector exercises for ensuring business continuity
- Building a platform for evaluation and authentication of such systems as control systems used by critical infrastructure, in compliance with international standards
- Measures for malicious smartphone applications
- Information Security Awareness Month February, Founding a Cyber Security Day
- Revision of the Information Security Outreach and Awareness Program (Information Security Policy Council, 2011)
- Promotion of investment in security by small and medium-sized businesses, through incentives such as tax systems
- Measures by IT-related businesses including notifying malware infection to individuals by ISPs
- Ensuring the traceability of cyber crimes, such as by examining the way to store logs
Vigorous Cyberspace (Fundamentals)
- Revision of the Information Security Human Resource Development Program (Information Security Policy Council, 2011)
- Review of the Information Security Research and Development Strategy (Information Security Policy Meeting, 2011)
World-leading Cyberspace (international strategy)
- Formulation of the International Strategy (October 2013)
- Japan-US, Japan-UK, Japan-India, Japan-EU, Japan-ASEAN
- Conferences on International Rulemaking in Cyberspace
- IWWN (*1), MERIDIAN (*2) (2014 in Japan)
- Joint awareness raising activities October
*1 Promoting international measures related to vulnerabilities, threats, and attacks in cyberspace. Participation by government organizations and CSIRTs from countries such as the US, Germany, the UK, and Japan.
*2 Sharing best practices for the protection of critical infrastructure, exchanging information on measures such as international cooperation. Participated by government officials in charge of protecting critical infrastructure from countries such as the US, the UK, Germany, and Japan.
Organizational Reform
- Strengthening NISC functions (Reorganizing to Cybersecurity Center (tentative name): targeted for fiscal 2015)

Common Standards for Government Agencies
Common Standards of Information Security Measures for Government Agencies (hereinafter the "Common Standards") is a common framework to ensure the level of information security for all the ministries. Each ministry develops its own security policy on the basis of the Common Standards and implements it through the master plan.
Information Security Policy Council
- Decides and revises the Common Standards
- Directs the implementation by the ministries and advises to improve
Committee of CISOs
National Information Security Centre (NISC)
- Oversees objectively and uniformly the status of information security
- Develops/revises guidelines for the Common Standards
[Diagram labels: Common Standards; Direction; Advice; PDCA; Status of implementation; Incident information; Oversees the status; Helps incident handling]
Each ministry (PDCA)
- Plan: Develops the security policy and the implementation plan
- Do: Training; Technical measures; Other measures
- Check / Act: Review/audit; Improvement; Evaluation/revise; Re-allocation of resources
Improvement of the information security of the ministries
[Charts: (Past) and (Now) level of information security for Ministries A B C D E F; labels: Required as a minimum; Actual level; Additional improvements; Bottom up]

Implementing a multi-layer protection scheme to counter targeted attacks
Targeted attack: the attack process
1 Initial infiltration (a targeted e-mail sent)
2 Expansion of invaded areas
3 Theft of information
[Diagram labels: Attacker; Internet; Ministry A; Confidential]
Countermeasures with the information system design
Purpose: To block an attack and prevent the expansion of invaded areas
Policy:
- A system design which makes it difficult for attackers to search and explore the system by hacking technologies
- A system design which makes it hard for attackers to take over the devices
- Monitor the sign of attacks, and identify and detect it at an early stage
- Record a trace of attacks, mainly that of unsuccessful ones
- Set up a trap to identify and detect the attacker's invasion
- Constantly monitor the above operations

The Third Edition of the Action Plan on Information Security Measures for Critical Infrastructures
Critical Infrastructure (13 Sectors): Information and Communications; Finance; Aviation; Railways; Electricity; Gas; Government and Administrative Services; Medical Services; Water; Logistics; Chemistry, Credit Card, Petroleum (added in May 2014)
Coordination and Cooperation by NISC
Critical Infrastructure Sector-Specific Ministries:
- FSA [Finance]
- MIC [Telecom and Local Gov.]
- MHLW [Medical Services and Water]
- METI [Electricity, Gas, Chemistry, Credit and Petroleum]
- MLIT [Aviation, Railway and Logistics]
Related Organizations etc.: Information Security Related Ministries; Law Enforcement Ministries; Disaster Management Ministries; Other Related Organizations; Cyberspace Related Operators
The Cybersecurity Strategy (The Third Action Plan for Information Security of Critical Infrastructure)
(1) Maintaining security principles
(2) Enhancing information sharing systems
(3) Incident response team
(4) Risk management
(5) International cooperation

Information Sharing among CIIP Players
CEPTOAR: Capability for Engineering of Protection, Technical Operation, Analysis and Response. Functions which provide information sharing and analysis at CII operators, and organizations which serve as these functions.
CEPTOAR-Council: The council composed of representatives of each CEPTOAR, which carries out information sharing between CEPTOARs. An independent body, not positioned under other agencies, including government organizations.
CEPTOARs by sector:
- telecom sector: telecommunication; CATV; Broadcasting
- financial sector: Banking; Securities services; Life insurance; General insurance
- aviation sector
- railway sector
- electric power supply sector
- gas supply sector
- administrative sector
- medical sector
- water sector
- logistics sector
- chemical sector
- credit card sector
- petroleum sector
[Diagram labels: Council steering committee; secretariat (NISC); WG, WG, WG; CII operators (corp. A, corp. B, corp. C, org D, org E, org F)]
Observer of Council: Japan Business Federation / Keidanren; Bank of Japan; FISC; Japan Post Bank; NICT; IPA; JPCERT/CC; FSA; MIC; MHLW; METI; MLIT

Establishment of CSSC (Control System Security Center)
- In March 2012, CSSC was established as a Research Association, whose headquarters is located in Tagajo City of Miyagi Prefecture. 25 members (e.g. Mitsubishi Heavy Industries, Ltd., NEC, Information-technology Promotion Agency (IPA), National Institute of Advanced Industrial Science and Technology (AIST)).
- CSSC's testbed is composed of 9 types of simulated plants and is capable of organizing cybersecurity hands-on exercises which simulate cyber attacks. CSSC started its operation in April 2013.
- CSSC promotes R&D, International Standardization, making evaluation/certification platform (by utilizing IEC62443), capacity building (cyber exercises) and awareness raising. It also collaborates with distinguished organizations such as Tohoku-University and DHS.
- In April 2014, CSSC became a certification body of security certification called EDSA following the US (first in Asia). As confirmed by the MRA, certification in Japan is automatically certified in the US.

Importance of Global Partnership in Cyber Space
- Cyberspace is recognized as global commons.
- International Laws are applicable to cyber space.
  International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.
  (Source) UN General Assembly, Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security (June 2013)
- Cybersecurity is one pillar of national security strategy.
- Internet freedom
  --- Free flow of information should be ensured.
  --- Excessive intervention by the government to cyber space should be avoided.

Households with Internet Access in the World
(Source) ITU Measuring the Information Society (October 2013)

International Strategy on Cybersecurity Cooperation (October 2013)
[Priority Areas]
1. Implementation of dynamic responses to cyber incidents
Building a mechanism for international cooperation and partnership for global response to expanding cyberspace
1) Enhancing multi-layered mechanism for information sharing
2) Appropriate response to cybercrime
3) Establishing framework of cooperation for international security in cyberspace
2. Building up fundamentals for dynamic response
Raising the cybersecurity standard of basic capability and response mechanisms at the global level
1) Support for building a global framework for cyber hygiene
2) Promotion of awareness-raising activities
3) Enhanced research and development through international cooperation
3. International rulemaking for cybersecurity
Promoting international rulemaking for ensuring stable use of cyberspace
1) Formulation of international standards of technology
2) International rulemaking

International Strategy on Cybersecurity Cooperation (October 2013)
[Regional Initiatives]
1. Asia Pacific
- Close cooperation with the Asia Pacific region is crucial due to geographical proximity and close economic ties
- Continuing to strengthen the relationship with ASEAN through:
  - Policy dialogues such as ASEAN-Japan Ministerial Meeting on Cybersecurity Cooperation, ASEAN-Japan Information Security Policy Meeting, and ASEAN-Japan Ministerial Meeting on Transnational Crime
  - Promoting initiatives such as capacity building for human resources development
  - Promoting joint projects such as JASPER and TSUBAME
- Promoting Japan-India Cyber Dialogue
2. U.S. and Europe
- Deepening partnership with the U.S. centered on the Japan-U.S. Security Arrangements
- Strengthening cooperation with European countries
3. Other regions
- Extending cooperation to countries in regions such as South America and Africa where the use of cyberspace has rapidly progressed.
4. Multilateral frameworks
- Actively contributing to international rulemaking of cybersecurity

Cybersecurity Basic Act (draft)
Cabinet; The Prime Minister
IT Strategic HQs
1 Formulates the priority plan for establishing an Advanced Information and Telecommunications Network Society (AITNS) and its implementation.
2 In addition, deliberates to plan important policies for establishing AITNS and its implementation.
Some of these responsibilities will be entrusted to the Government CIO.
Legislation required to enable the Cabinet Secretariat to appropriately address these functions.
Cybersecurity Strategic Headquarters
1 Formulate the Cybersecurity Strategy (CSS) and its implementation.
2 Formulate common standards for information security measures for national administrative organs and incorporated administrative agencies. Evaluate (including audit) and promote the implementation of such measures.
3 Evaluate the measures taken by national administrative organs in the event of significant cybersecurity incidents (including examinations for cause).
4 In addition, perform the following functions:
a. Research and deliberate on the planning of major cybersecurity policies;
b. Formulate: inter-governmental implementation plan for such major policies; the national administrative organs' expense budgeting plan for cybersecurity; guidelines on the implementation of such policies. Promote and evaluate these policies.
c. Lead comprehensive coordination of cybersecurity policies.
National Security Council
1 Flexible and substantial discussions on foreign and defense policies related to national security.
2 Discussion on important issues regarding national defense: e.g. measures against an armed attack situation.
3 Responsive discussions on important issues regarding measures against critical incidents; provide advice about what measures the Gov. should take.
Other entities in the diagram: National Administrative Organizations, etc.; Local governments, Independent Administrative Agencies, National Universities, Corporations with special semi-governmental status, Relevant organizations, etc.; Local governments
[Arrow labels in the diagram: Submission of Cybersecurity Strategy to a Cabinet meeting for approval; Formulates a draft CSS; Offers opinions on direction and supervision of ministries; Views on CSS; Recommendations; Obligated to submit materials, etc.; Report collection about measures based on the recommendation; Makes an effort to satisfy the request; May request HQs cooperation (e.g. provision of information, etc.)]

Recent Efforts on Cybersecurity Strategy (Summary)
Cybersecurity Strategy (June 2013)
Resilient Cyberspace - Strengthening protection -
- Revision of the Standards for Information Security Measures for the Central Government Computer Systems (May 2014)
- Issuing the Third Edition of the Action Plan on Information Security Measures for Critical Infrastructures (May 2014)
Vigorous Cyberspace - Building fundamentals -
- Revision of the Information Security Human Resource Development Program (May 2014)
- Revision of the Information Security Research and Development Strategy (July 2014)
World-leading Cyberspace - International Strategy -
- Issued International Strategy on Cybersecurity Cooperation j-initiative for Cybersecurity (October 2013)
- ASEAN-Japan Commemorative Summit Meeting (held in December 2013)
Organizational Reform
- Issuing Annual Report on Cybersecurity (July 2014)
- Strengthening the function of NISC (scheduled in FY2015)

Policy Agenda on Cybersecurity towards 2020
- The Defence in Depth system needs to be established to counter targeted attacks. Necessary measures have been promoted by the government agencies.
- Information sharing framework among critical infrastructure operators needs to be enhanced.
- International collaboration and human resources development aiming to strengthen information security of the Control System is necessary.
- Promoting utilization and application of the ICT in various fields, and strengthening its security are the two wheels of a cart. In particular the security standards in a cloud computing environment should be urgently clarified.
- Measures to ensure security across various fields in an IoT environment need to be considered.
- Security enhancement through global collaboration, such as strengthening the multinational frameworks including the UN and OECD, and bilateral policy discussions, is required.
- Preparation for the Tokyo Olympic Games in 2020 as a milestone for cybersecurity enhancement.

Towards Confidence Building in the World
Voluntary confidence-building measures can promote trust and assurance and help reduce the risk of conflict by increasing predictability and reducing misperception. They can make an important contribution to addressing the concerns of States over the use of ICTs by States and could be a significant step towards greater international security. States should consider the development of practical confidence-building measures to help increase transparency, predictability and cooperation.
(Source) UN General Assembly, Group of Governmental Experts on Development in the Field of Information and Telecommunications in the Context of International Security (June 2013)

Thank you!