RIEKO MIKI, Nikkei staff writer
TOKYO — Japan looks to require that companies in key infrastructure sectors such as finance, telecom and transport have plans for coping with cyberattacks, in response to a rise in such incidents globally.
The government will urge corporate managers to take the lead in making organizational changes and devising these plans, in addition to ensuring that equipment is secure. Tokyo will spell out these steps by April as it makes the first full revision of the country’s key infrastructure action plan since 2017. The new rules, which focus on economic security, will take effect in fiscal 2022.
Japan notes the growing concerns in the U.S. and Europe that financial systems and other systems that support the public’s livelihood could be crippled if corporate cyber defenses fail. In May, the largest American operator of oil pipelines was forced to suspend operations following an attack.
Countries worldwide are scrambling to bolster defenses, viewing an all-hands-on-deck approach as necessary to deal with increasingly sophisticated attacks.
Japan regards roughly 1,700 financial institutions as key infrastructure, according to official data as of the end of fiscal 2020. About 1,300 telecommunications operators, 22 railways and 29 utilities also would be covered by the new rules.
The other sectors are airlines, airport operators, gas providers, government services, medical institutions, waterworks, logistics, chemicals, credit and oil.
Japan’s cybersecurity plan has previously been part of government guidelines but has not been legally binding. The anticipated revision will make the plan more effective, as measures would be clearly based on cybersecurity laws.
No penalties are involved, but the supervising ministry or the National Center of Incident Readiness and Strategy for Cybersecurity will conduct regular inspections and seek improvements as needed. Businesses may be asked to conduct an internal inspection based on the Companies Act.
The new rules are expected to state that companies must clarify accountability for their cybersecurity plans, have the capability to deal with threats at any time and create an organizational structure for handling emergencies. Management will be urged to take part without consigning all the work to a specialized department.
Tokyo also wants companies to deal with supply chain risks, such as information leaks via telecom equipment and cloud computing systems. Businesses will be asked to strengthen risk management, including at affiliates and suppliers. The government is believed to have in mind Chinese products, such as equipment made by Huawei Technologies.
Separately, the government is considering conducting screenings before companies introduce new equipment, as part of economic security legislation to be submitted to the Diet next year. With the rule changes, Japan intends to have companies take steps such as inspecting equipment on their own before the new law goes into effect.
Cyberattacks in Japan grew more than eightfold from 2015 to 2020, according to the National Institute of Information and Communications Technology. Government-backed entities and defense contractors such as Mitsubishi Electric and NEC have been targeted. The government touched on involvement by China, Russia and North Korea in its cybersecurity strategy decided in September.
Earlier this year, the U.S. devised a plan to improve cybersecurity at key infrastructure companies such as utilities. It is poised to call for the introduction of new defense systems by the government and private sector together using new technologies.