Viewpoint: Implementing Japan s New Cyber Security Strategy*



Similar documents
MANAGING THE GLOBAL INTERNET ECONOMY: A NEW CHALLENGE FOR THE US AND JAPAN

The Policy Approaches to Strengthen Cyber Security in the Financial Sector (Summary) July 2, 2015 Financial Services Agency

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28),

Cybersecurity Global status update. Dr. Hamadoun I. Touré Secretary-General, ITU

Cyber Security Strategy(Information Security Policy Council, June 10, 2013)

Toward a Deeper and Broader U.S.-Japan Alliance: Building on 50 Years of Partnership

National Cyber Security Policy -2013

CYBER SECURITY AND CYBER DEFENCE IN THE EUROPEAN UNION OPPORTUNITIES, SYNERGIES AND CHALLENGES

Cyber Security Strategy

Kshetri, N. (2014). Japan s changing cyber security landscape, Computer, 47(1), doi: /MC

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY,

For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE. Cyber Security

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

THE WHITE HOUSE Office of the Press Secretary

Cyber Security Recommendations October 29, 2002

STRATEGIC OBJECTIVE 2.4 OVERCOME GLOBAL SECURITY CHALLENGES THROUGH DIPLOMATIC ENGAGEMENT AND DEVELOPMENT COOPERATION

the Council of Councils initiative

Before the. United States Department of Commerce. and the. National Institute of Standards and Technology

engagement will not only ensure the best possible law, but will also promote the law s successful implementation.

Middle Class Economics: Cybersecurity Updated August 7, 2015

ESTABLISHING A NATIONAL CYBERSECURITY SYSTEM IN THE CONTEXT OF NATIONAL SECURITY AND DEFENCE SECTOR REFORM

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

Comments on CBRC Draft Regulations Affecting Technology Purchases. 14 September 2015

The trend of the Cyber Security and the efforts of NEC. December 9 th, 2015 NEC Corporation

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

2 Gabi Siboni, 1 Senior Research Fellow and Director,

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

HMG Security Policy Framework

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

RE: ITI Comments on Korea s Proposed Bill for the Development of Cloud Computing and Protection of Users

JOINT STATEMENT OF THE SECURITY CONSULTATIVE COMMITTEE

Cyber Security Strategy of Georgia

BSA GLOBAL CYBERSECURITY FRAMEWORK

Testimony of. Doug Johnson. New York Bankers Association. New York State Senate Joint Public Hearing:

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

Japan. Type of Market: Large/Challenging. Overall Rank ITA Health IT Top Markets Report 35

CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE PERIOD

Policing Together. A quick guide for businesses to Information Security and Cyber Crime

National Cyber Threat Information Sharing. System Strengthening Study

Cybercrime Bedrohung, Intervention, Abwehr. Cybersecurity strategic-political aspects of this global challenge

The development of Shinawatra University s international graduate program in joint public and business administration (PBA)

Policy Recommendations on. Japan-Australia Security Cooperation

Action Plan for Canada s Cyber Security Strategy

Cyber Security Strategy for Germany

State Governments at Risk: The Data Breach Reality

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

The UK cyber security strategy: Landscape review. Cross-government

El Camino College Homeland Security Spring 2016 Courses

STATEMENT BY DAVID DEVRIES PRINCIPAL DEPUTY DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER BEFORE THE

Partnership for Cyber Resilience

On the European experience in critical infrastructure protection

Evolution of Cyber Security and Cyber Threats with focus on Cloud Computing

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September Co-Chair s Summary Report

Solving for the Future: Addressing Major Societal Challenges Through Innovative Technology and Cloud Computing

Specific comments on Communication

DSCI Inputs on TRAI Consultation on Regulatory Framework for OTT services

An Overview of Large US Military Cybersecurity Organizations

Information Assurance. and Critical Infrastructure Protection

Infocomm Security Masterplan 2

National Cyber Security Strategy of Afghanistan (NCSA)

Preservation of longstanding, roles and missions of civilian and intelligence agencies

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

The Danish Cyber and Information Security Strategy

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

EU policy on Network and Information Security and Critical Information Infrastructure Protection

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

WRITTEN TESTIMONY OF

2012 Bit9 Cyber Security Research Report

CYBER SECURITY GUIDANCE

POLICIES TO MITIGATE CYBER RISK

CyberSecurity Solutions. Delivering

22 ND ANNUAL MEETING OF THE ASIA-PACIFIC PARLIAMENTARY FORUM RESOLUTION APPF22/RES 01

CSCAP MEMORANDUM NO. 24 Safety and Security of Vital Undersea Communications Infrastructure

RE: Transatlantic Business Concerns about Indian Government IP Policies

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Trends Concerning Cyberspace

Guiding principles for security in a networked society

Hearing before the House Permanent Select Committee on Intelligence. Homeland Security and Intelligence: Next Steps in Evolving the Mission

TUSKEGEE CYBER SECURITY PATH FORWARD

Cyber Security Strategy

Major Economies Business Forum: Perspectives on the Upcoming UN Framework Convention on Climate Change COP-17/CMP-7 Meetings in Durban, South Africa

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Cyber Security in Japan (v.2)

Statement National Strategy for Trusted Identities in Cybersecurity Creating Options for Enhanced Online Security and Privacy

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

NASCIO 2014 State IT Recognition Awards

Diversity of Cultural Expressions INTERGOVERNMENTAL COMMITTEE FOR THE PROTECTION AND PROMOTION OF THE DIVERSITY OF CULTURAL EXPRESSIONS

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER

Cyber Diplomacy A New Component of Foreign Policy 6

UNITED NATIONS COMMISSION ON SCIENCE AND TECHNOLOGY FOR DEVELOPMENT (CSTD)

Cyber Security Collaboration: A Critical Ingredient for Worldwide Security

Information Security Human Resource Development Program

Transcription:

Presented by: The ACCJ s Internet Economy Task Force Valid Through November 2014 The 2013 Cyber Security Strategy, released in June 2013, and the International Strategy on Cybersecurity Cooperation, released in October 2013, by the Abe administration are enormous steps forward in Japanese government planning with respect to the mounting cyber security threat. They reflect both the dramatic increase in the external threat situation facing Japan and the government s commitment to take active steps to protect Japanese security and economic interests. The American Chamber of Commerce in Japan (ACCJ) welcomes these strategy documents as the start of what should be a vibrant and open debate on measures Japan will be taking unilaterally and in cooperation with the United States and other nations to protect cyber space. We urge quick implementation of the proposals contained in these documents after broad consultation among domestic and external stakeholders. As this process goes forward, we recommend focusing attention on to the following areas that we believe will further contribute to the successful realization of the new strategies objectives. RECOMMENDATIONS Centralize Cyber Security Planning and Administration in a New Agency The ACCJ applauds the recommendation to strengthen the role of the National Information Security Center (NISC) and expand its role, but we note the lack of the necessary legal mandate, budget or permanently assigned personnel to accomplish its multi-faceted mission. We believe that fundamental reorganization of the Government of Japan s (GOJ) planning and administrative approach to cyber security is urgently required in the light of the growing existential threat to Japan s economy and the security of its citizens presented by the cyber crime, cyber espionage and cyber targeting of critical infrastructure. Such a reorganization should give NISC or a wholly new agency a clear mandate to oversee (not merely coordinate) the diverse responsibilities and programs of existing ministries, thereby creating a strong and accountable focal point for the protection of domestic infrastructure, the promotion of cyber research, the training of key personnel and the implementation in and out of government of relevant standards. This new agency should also have the deep professional expertise necessary to support and coordinate national and local police forces in countering the cyber crime threats domestically and to allow the Self Defense Forces (SDF) to concentrate their limited resources on responding to national security threats as directed by competent civil authority. Adopt a Japanese Equivalent Version of the U.S. Federal Information Security Management Act (FISMA) In addition to an administrative reorganization of the government in responding to the cyber threat, Japan needs to strengthen the legal basis for government information security management. The Federal Information Security Management Act (FISMA) has been part of U.S. law since 2002 and has driven both greater accountability and cooperation across all U.S. government agencies in cyber security related programs. The ACCJ has been on record since 2009 in calling for a consistent procurement guideline without stifling diversity and innovation. Monitoring and enforcement of government-wide cyber security measures are key elements in achieving this goal and would greatly strengthen the hand of the newly named

government Chief Information Officer (CIO) in setting a government-wide procurement strategy. A Japanese equivalent version of FISMA can provide a framework for overseeing new rules for the sharing of sensitive information and encourage the rapid deployment of new standards and technologies. Such rules should allow for a safe harbor mechanism to ensure that private sector entities are not punished for reporting attacks and include safeguards against over classification of information, which can create barriers to sharing. Establish a Japanese Equivalent of the National Institute of Standards and Technology (NIST) Any new administrative and legal framework will require a strong, technologically sound base. For that reason, the June cyber security strategy document should have been more explicit in its references to a standards-setting institute and should deliver an unambiguous call for the creation of an organization equivalent to the United States National Institute of Standards and Technology (NIST), which plays a key role in supporting the U.S. cyber security agenda. An internal Liberal Democratic Party (LDP) taskforce in 2012 also called for creating a Japanese version of NIST. We strongly support this position and urge the GOJ to give priority to collaboration with U.S. counterparts to ensure interoperability with relevant NIST standards for cyber security and technology. While common security standards are important, at the same time, it is important that the GOJ also guard against mandating the use of specific technologies for achieving security goals. Technology in the security area is evolving very rapidly and premature standardization can stifle innovation and lead to a lagged response to security threats. We note that the October International Strategy document pledges GOJ cooperation in the creation of international technological standards for cyber security. Introduce a Japanese equivalent to the FedRamp Program Finally, we believe that the United States and Japan should consider new ways to work together in developing global best practices in the cyber security area. One opportunity is collaboration in building a version in Japan of the U.S. FedRamp program, which can assist government agencies in transitioning to the cloud consistent with world class security standards. Creation of a Japanese version of the U.S. National Cyber Forensics and Training Alliance (NCFTA), which focuses on a public/private partnership to share threat information and cyber technologies, is another example where the two countries working together can do more than they might separately. Both of these initiatives are important not only to improving government performance but also to supporting the GOJ role in providing leadership by example to private sector efforts in Japan to improve cyber security threat readiness. Ensure New Security Measures Are Non-Discriminatory The ACCJ appreciates the recognition in the 2013 strategy of the need to act in ways consistent with Japan s World Trade Organization (WTO) obligations in setting new security standards and rules for procurement and to consult actively with global Internet and cloud services providers in developing measures to protect critical infrastructure and promote industry best practices. U.S. and Japanese companies share concerns in India, China and other markets where new cyber security measures are routinely used to exclude foreign products and services and to undermine intellectual property protections. For this reason, we urge the (GOJ) to avoid actions that may weaken intellectual property safeguards below an appropriate level or make a distinction between cloud services offered from data centers within

Japan and those outside of Japan. Specifically, we are concerned that recent guidelines for cloud computing security drafted by the Office for Information Security Policy at the Ministry of Economy, Trade and Industry (METI) were developed without adequate consultation with relevant stakeholders and could give the impression to domestic consumers that cloud services offered from abroad are inherently unsafe. Increase U.S.-Japan Cooperation on Cyber Security We welcome the efforts of the GOJ to support greater research and development of security technologies and to promote investment and employment in this new market sector. However, we are concerned that these programs may not be open and transparent to foreign participation with appropriate safeguards. An urgently important topic for future bilateral consultation should be to create a framework between Japan and the United States to permit this kind of collaboration and the corresponding sharing of sensitive cyber-security information along the lines of similar arrangements with NATO countries. In this context, we support current discussions within the Diet to enact a secrecy law to ensure the confidentiality of sensitive government information. We also need parallel efforts to assure that other government data can be made widely available to citizens and for commercial use by business and that any new legislation does not become a barrier to the sharing of information necessary to bidding on government projects. We urge greater cooperation between the U.S. and Japanese private sectors in this area. ISSUES The March 20, 2013 cyber attacks on three major banks and the three largest TV broadcasters in Japan s neighbor, the Republic of Korea, were a wakeup call to all of us on the growing nature of the global cyber threat to governments, the private sector and critical infrastructure. As the New York Times has written, the focus of recent cyber attacks is shifting rapidly from espionage to disruption. The South Korean attack, notable in that malware was used to destroy the Master Boot Record whether Windows or Unix was a clear escalation of the destructiveness of the threat, going beyond past examples of distributed denial of service (DDoS) attacks. Japan has not been exempt from such cyber threats. In 2011, user names and passwords were stolen from computers in the Upper House of the Diet, and cyber attacks on eleven companies and research institutes, including Mitsubishi Heavy Industries, may have compromised sensitive data related to nuclear power. In 2012, the renegade hacker organization, Anonymous, defaced the website of Japan s Finance Ministry, and documents related to the Trans-Pacific Partnership (TPP) negotiations were illegally accessed on Ministry of Agriculture computers. The Abe administration has set responding to the cyber threat as a key priority and is taking steps to increase public awareness and promote greater government collection and sharing of threat information with the private sector. It has also stepped up information exchange with the United States, with the first comprehensive round of cyber security consultations involving multiple ministries taking place in Tokyo during May 2013. The June 2013 release of a new government planning document, Cyber Security Strategy and the October 2013 International Strategy on Cybersecurity Cooperation (link to English summaries: http://www.nisc.go.jp/eng/) may be the

most significant signs of new government activism and determination in this area. The ACCJ welcomes the new and complementary strategies as a significant evolution in GOJ thinking on the cyber challenge and as compelling and persuasive roadmaps, outlining a number of urgent actions needed to guard Japan s cyber space. We urge their rapid implementation in line with the 2015 timetable laid out in the June document. BACKGROUND Japan s efforts to protect and promote cyber security date back to 2005 with the creation of the National Information Security Center (NISC) within the Cabinet Office. The Center was charged with coordinating the government response to cyber challenges, although actual legal authority, budget, and staff resided as before with existing agencies, including the Ministry of Defense, the Ministry of Economy, Trade and Industry, the Ministry of Internal Affairs and Communications and the National Police Agency. A key NISC function has been the drafting of national plans, released in 2006, 2009, 2010 and 2013, and yearly updates. A review of the plans shows a gradual evolution in the Japanese government s grasp and response to the challenges in cyber space. The 2006 and 2009 reports were produced under Liberal Democratic Party (LDP) governments and respectively labeled as the first and second Information Security Plan. The emphasis in these reports was largely on technical solutions to security concerns and the introduction of preventive strategies. Ensuring information security was seen as critical to the competitiveness of Japanese industry globally and as necessary to alleviate Japanese small business and consumer concerns with the safety of their personal information on the Internet, especially in areas like banking, online commerce, healthcare and education. The change in government with the Democratic Party of Japan (DPJ) victory in the 2009 election was the proximate reason for the issuance of a new plan in 2010, but the naming of the report and its contents departed in important ways from that of the previous two plans. The Information Security Strategy for Protecting the Nation was released against the background of large-scale cyber attacks against targets in the United States and the Republic of Korea and embarrassing leaks of personal data from Japanese firms. The economic dimensions of Internet security were still a motivating concern, but there was also growing recognition within the government of the threat posed by transnational cyber crime. The 2013 Cyber Security Strategy represents a further step down this path. Gone is the reference to information security in the title of the report. Gone, too, is the largely economic focus of previous plans. The emphasis in the new document is squarely on the national security implications of the threat. The report also takes up for the first time the topic Internet of Things, indicating a keen awareness that Japan s highly advanced information and communications technology (ICT) infrastructure and the sensor networks it depends on may be more vulnerable to cyber disruption than in any other country. The new plan is based on the concept of risk management, recognizing that security is not an absolute. In the new threat environment, security is a dynamic and moving target, with informed trade-offs required to preserve the openness that

is so vital to continuing innovation and competition on the Internet. The new strategy recognizes that cyber security is the business of all stakeholders, not just the GOJ. These stakeholders include not just traditional domestic infrastructure operators in areas like transport, energy and communications, but also a whole new group of direct and indirect Internet service providers, including many global providers of services to Japan -- among them prominent members of the ACCJ. Most importantly, this strategy along with its companion document, International Strategy on Cybersecurity Cooperation, released in October 2013, include a number of significant and actionable proposals for strengthening Japan s cyber security and improving international coordination against the cyber threat: Affirmation of NISC as lead agency for cyber strategy in Japan and its renaming as the Cyber Security Center Organization of a cyber defense unit within the Self Defense Forces (SDF) and legislative changes to set cyber space as a national security domain on par with land, air, sea and outer space Creation of an institution or process to set cyber standards for government and industry Government sponsorship of annual cyber threat simulation exercises for industry New measures for the handling of sensitive information to share cyber threatrelated information within government and with the private sector Provision of incentives to support small business investment in and management of cyber security technologies Launch of Clean Cyber days and months to drive public awareness of the threat and solutions Clarification of the permissible range of reverse engineering for cyber security purposes in the Copyright Law Measures to promote research and development of cyber security technologies to support international competitiveness of Japanese industry Strengthened partnership with the United States and other countries that share similar values and interests with regard to cyber space Cooperation with Association of Southeast Asian Nations (ASEAN) member states for regional capacity building against cyber threats and to promote cooperation in dealing with cyber crime CONCLUSION Over the past decade, the cyber threat has expanded dramatically beyond the activities of a few individual hackers and criminal organizations to become a matter not just of business and economic security, but of national security. ACCJ members include companies that offer a wide range of ICT products and services to Japanese enterprises and consumers and have innovative technologies and deep experience directed to meeting the cyber challenge. We look forward to sharing this expertise with our Japanese business partners and to bringing new investments and technology to Japan in the cyber security area. We believe that Japan and the United States are natural partners in the area of cyber security and are strongest when we can work together as partners. The ACCJ appreciates the GOJ s engagement on cyber security concerns with the U.S. government and welcomes opportunities through the U.S.-Japan Internet Economy Dialogue and other bilateral and domestic policy mechanisms to support this process.

Balancing the common interest in a robust legal framework with the free flow of information and freedom of speech and expression is a continuing challenge. The cyber threat challenge is difficult because it is multi-faceted, coming not just from cyber crime or espionage, but the growing ability of sophisticated adversaries to target and destroy critical infrastructure such as energy and communications networks. In this regard, a close partnership between the public and private sectors is essential in responding to the cyber threat and a broad national discussion on the appropriate balance between securing information and while allowing it to be freely shared is required. The ACCJ welcomes the GOJ s commitment to assuring the free flow of information and its recognition that freedom of speech, privacy protection and the promotion of innovation and growth also need to be core objectives for an effective cyber security policy.

*Note: This Viewpoint is not a standard ACCJ Viewpoint. Standard ACCJ Viewpoints are presented in both English and Japanese in a branded format (for other ACCJ Viewpoints, please visit: http://www.accj.or.jp/en/advocacy/viewpoints). This document, however, does represent the ACCJ s official position and will form the English portion of a forthcoming standard ACCJ Viewpoint.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information