Mabito YOSHIDA

Director, IT Security Office Ministry of Internal Affairs and Communications (MIC ）

JAPAN

November 25th 2004

Information Security Policies in the Telecommunications Field

2

Transition of security measures■From ones by individual companies/organizations to ones by collaboration among wide-range of 　　 interested parties ■From ones at a terminal level to ones at the a network level

Overview of Policies for Construction Safe and Secure Network Infrastructures

Construction of safe and securesafe and secure

network infrastructures

4.　 Human　Resources

1.　 Strengthening of network-side security measures

2. R&D of　 the security technologies

5. Legislation 3． Strengthening of user-side security measures

3

Management of collected

information

MembersMembers

General usersGeneral users

Domestic-related Domestic-related information sites information sites (JPCERT, IPA..)(JPCERT, IPA..)

■■Role of Telecom-ISAC JapanRole of Telecom-ISAC Japan(1) Exchange of reports and information concerning (1) Exchange of reports and information concerning

system vulnerabilitiessystem vulnerabilities(2) Provision of countermeasures and best practices(2) Provision of countermeasures and best practices(3) Provision of information on threats and damages (3) Provision of information on threats and damages

caused by cyber attacks and computer crimes, etc.caused by cyber attacks and computer crimes, etc.

■■Role of Telecom-ISAC JapanRole of Telecom-ISAC Japan(1) Exchange of reports and information concerning (1) Exchange of reports and information concerning

system vulnerabilitiessystem vulnerabilities(2) Provision of countermeasures and best practices(2) Provision of countermeasures and best practices(3) Provision of information on threats and damages (3) Provision of information on threats and damages

caused by cyber attacks and computer crimes, etc.caused by cyber attacks and computer crimes, etc.

Function of information collection

Management of incident

information

Management of countermeasure

information

Database of Vulnerability information

Foreign related Foreign related information sites information sites (CERT, ISAC..)(CERT, ISAC..)

(1) Provision of vulnerability information

MemberMember Mail, F

AX etc.

Telecom-ISAC JapanTelecom-ISAC Japan

■■Objectives of Telecom-ISAC JapanObjectives of Telecom-ISAC Japan

Collect and analyze information on incidents that Collect and analyze information on incidents that occur in the service infrastructures of occur in the service infrastructures of telecommunications industry, and share the telecommunications industry, and share the results within the industry.results within the industry.

■■Objectives of Telecom-ISAC JapanObjectives of Telecom-ISAC Japan

Collect and analyze information on incidents that Collect and analyze information on incidents that occur in the service infrastructures of occur in the service infrastructures of telecommunications industry, and share the telecommunications industry, and share the results within the industry.results within the industry.

■Scheme of ISAC

　 Portal sites • Security information• Related links• What’s new• Event information• Glossary

Delivery of urgent information

(3) Provision of telecom-related information

(2) Delivery of urgent information

Mail, FAX etc.

NIRTNIRT

National Incident National Incident Response TeamResponse Team

For membersFor members • Vulnerability info.Vulnerability info.• telecom-related telecom-related

informationinformation• Technical info.Technical info.

(4) Operation of portal sites

(5 )Operation of test laboratories

(6)Holding technology Forum

① Security measures on network-side 　　Telecom-ISAC Japan

Established: July 2002Members: 9 Leading ISPs (NTT Com., KDDI, Japan Telecom, Powered Com, NEC, IIJ, Nifty, Yahoo, Matsushita), etc.

ISAC: Information Sharing and Analysis Center

4

To ensure Internet security, the implementation of appropriate security measures by telecommunications carriers is important.

○ Guideline

　 Basic and comprehensive guidelines regarding all safety and security measures in telecommunications networks

○ Taxation

　 Preferential tax treatment in case where telecommunications carriers obtain facilities which contribute to improved reliability of telecommunications systems

○ Security Mark

Security mark is given by Internet Access Service Safe and Security Mark Promotion Group(*1) to ISPs which meet certain standards for security measures and user support

(*1) composed of the Telecom Service Association and the Japan Internet Providers Association etc.

① Security measures on network-side Support measures

5

（ 1 ） Enhancement of capabilities to analyze influence of viruses on network

（ 2 ） Strengthening R&D on technologies for ensuring security of telecommunications infrastructures

・ Wide-area monitoring system technologies and high precision trace back technology （ 3 ） Establishment of bases for security technology ・ Establishment of the Information Security Center at the National Institute of Information and Communications Technology (NICT)

Wide-area monitoring system

② R&D on security technologies

Outline of Measures for Security Technology R&D

Portal site forinformation provision

Archive ofSystem logs

Log analysis system

Wide area monitoring system

Center

Firewall probe

Virus detection probe

Infiltration detection probe

ISP network

Monitoring probe Monitoring

probe

6

Human resources Development

On-site security measures ・ Telecom-ISAC Japan ・ JNSA・ SPREAD　　　・ CRYPTEC, 　etc.

R&D themes•Wide-area monitoring technologies •Technologies for enhancing security measures•Vulnerability evaluation technologies•Cryptographic technologies, etc.

② R&D on security technologies Approach of the National Institute of Information and Communications Technology (NICT)

Establishment of the Information Security Center (April 2004)

Large-scale R&D facilities Nurturing practical researchers for a short period by cooperation of actual working site

Realizing advanced counter-measures based on latest R&D results and facilities

Carrying out R&D and preparing facilities

A base of collaboration among industry-academia-government sectors and high-level human resources Development

7

③ Security measures on user-side　

(1) Recommending 3 principles to minimize user risk

　　　　

(2) Arousing awareness of user-side security

Enhancement of security education

Campaigns for security awareness

From MPHPT “Information Security Sites for the General Public”

(1) Installing virus check software

(2) Implementing personal firewall

(3) Applying latest security patches

Latest virus detection data The update is

ready

Icon and message to notify of the software update

Viruses

8

Nurturing security administrators (administration engineers) is indispensable for ensuring information security.

At present, there is a serious shortage of security administrator in Japan.

Approximate shortage of 120,000 people (from the Telecommunications Software Forum Report (Dec. 2003))

○Human resources development through certification systems • Since 2001, a subject on Information Security has been added to the national examination for “Chief

Telecommunications Engineer's licenses for Transmission, Switching technology and Line technology ”.

• Since 2001, “Network Information Security Manager (NISM)” program has been founded by 7 associations (including the Telecommunications Carrier Association), as a private security certification.

○Support program for human resources development• Have implemented the program subsidizing organizations which promote human resources

development in telecommunications field since 2001.

○Building bases for human resources development• Be implementing a support program for establishment of the Human Resources Development Center

for Telecommunications Security in 2004.

④ Human resources

9

○ Law Concerning Prohibition of Acts of Illegal Access (enforced February 2000)

In addition to specifying the prohibition and penalizing of acts of illegal access, specifies that a duty be placed on access administrators to strive to implement protective measures and aids in the administration of this.

○ Law Concerning Digital Signatures and Authentication Bodies (enforced April 2001)

In addition to giving the same legal significance to digital signatures as to handwritten signatures and seals, introduce an optional qualification system for authentication bodies.

○ Establishment of Domestic Legislation for the Ratification of the European Council Cyber-crimes Treaty

Implement the necessary legislation for the early conclusion of the cyber-crimes treaty.

In order to ensure information security, it is important to legislate to prohibit actions that threaten the safety of the network and penalize those who contravene the laws.

⑤ Legislation

10

　　medium-term target

○ Realization of network environment to make users use the network without awareness on security measures

Ordinary users have their limits to take all countermeasures on the user side.

ウイルス・ワームの排除

なりすましの排除 送信元を詐称したパケット

DDoS攻撃の排除

パケットフィルタリング・ウイルスチェック等によりユーザの望まない通信を排除

ウイルスチェックISP不正アクセスの排除

セキュリティ保証型の通信を誰もが簡便に利用できることを可能にするネットワーク基盤技術の開発

Elimination of DDoS attacks

Elimination of illegal access

Elimination of spoofing

Elimination of viruses and worms

Eliminate undesirable communications through packet filtering and virus checks

ISP

Development of network foundational technologies for enabling everyone to use security-guaranteed communications

Packet with a spoofed sender address

Virus checks