Meeting of the national council for cybersecurity in critical infrastructure (April 18 in Tokyo’s Kasumigaseki district)

On April 18, the government compiled draft revisions to its cyber-defense guidelines for critical infrastructure operators in 14 sectors, including telecommunications and electricity. The revisions further enhance disaster countermeasures and the strict control of data to ensure Japan’s readiness to handle increasingly sophisticated cyberattacks and system damage. The revisions increase critical infrastructure security and thereby ensure that citizens’ lives will not be disrupted [in the event of a cyberattack]. Regarding the risks posed by telecommunications equipment, the meeting decided it needed to survey the measures taken by Western countries in this area and it deferred the inclusion of this matter in the current set of revisions.

Government drafts revisions to cyber-defense guidelines

At a meeting of the national council for cybersecurity in critical infrastructure, the government presented draft revisions to its “Guidelines for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure.” A meeting of the Cybersecurity Strategy Headquarters (chaired by Chief Cabinet Secretary Yoshihide Suga) will be held as soon as May, and a formal decision made at that time. The guidelines were scheduled to be revised after the 2020 Tokyo Olympic and Paralympic Games, but the revision was moved up in light of the spread of cyber-damage in Japan and overseas.

Enhance disaster countermeasures and prevention of data leaks 

Central to the revisions is the strict control of data. The draft revisions stipulate “appropriate data control, including proper protection and consideration of storage location.” The revisions encourage critical infrastructure operators to store their security framework and other key information on in-company servers and not at data centers overseas or on an Internet-based cloud service. If data is stored on servers overseas, the laws and regulations of that country are applied and there is a risk that information will be leaked.

Another core element is preventing system suspension at time of disaster. In September 2018, hospitals and other facilities were impacted by the blackouts triggered by the Hokkaido earthquake and the Kansai International Airport was temporarily closed after Typhoon Jebi struck. The draft revisions include locating information systems and servers in safe places unlikely to be affected by earthquakes and torrential rains. The draft revisions also call for companies to work out countermeasures in advance so that damage can be contained. 

The draft does not stipulate measures to address “supply-chain risks,” including system suspension and the leakage of information from telecommunications equipment, such as telecommunications lines and terminals. In December last year, the government agreed to ban from April 2019 the procurement of telecommunications equipment that poses security risks. Some were saying that operators of critical infrastructure should also be requested to take the same measure.

The matter has been deferred despite this, however, because the government has not been able to set Japan’s position due to the difference between the United States and the European Union (EU) in level of concern about telecommunications equipment. Since August, the United States has banned government procurement of products manufactured by telecommunications equipment major Huawei Technologies and four other Chinese companies. In contrast, the EU has not excluded Huawei products across the board but has left the decision up to the individual EU member nations.

At the April 18 meeting of the national council for cybersecurity in critical infrastructure, the government indicated it will decide how it would like critical infrastructure operators to handle supply-chain risks after it conducts a survey of the measures taken by the United States, European nations, and other major countries. The survey will be commenced in or after May and so will not be completed in time for the current revisions. The government plans to again review the guidelines and incorporate any revisions by the end of fiscal 2019.

The government is rushing to take cyber-defense measures for the 2020 Tokyo Games. On April 1, the government launched the “Cybersecurity Council,” a forum for public and private sector representatives to share information about cyberattack methods and countermeasures. The public and private sector representatives will gather and discuss defense measures for critical infrastructure and government agencies.

The “Cyber Security Incident Response Coordination Center,” which will handle cyberattacks targeting the 2020 Games, was also set up on April 1.

Definition of critical infrastructure: Critical infrastructure is social capital that serves as the foundation of citizen lives and economic activities. Suspension or deterioration of critical infrastructure operation causes major disruption. Japan has defined the following 14 sectors as critical infrastructure: information and communication services; financial services; aviation services; railway services; electric power supply services; gas supply services; government and administrative services; medical services; water services; logistics services; chemical industries; credit card services; and petroleum industries. To urge operators of critical infrastructure to take cybersecurity countermeasures, the government has drafted the Guidelines for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure. The guidelines include concrete measures to enhance security but are not legally binding.