MITI Action Plan for a Secure E-Government (Provisional Translation)
Ministry of International Trade and Industry (MITI)
- Background and Overview -
1. New Threats in the Era of Open Information Networks
The development of the Internet and other open information networks is driving current economic and social changes. These networks are sure to serve as the central infrastructure for the future realization of an "advanced information and telecommunications society."(*1) More and more government, corporate, and individual activities are expected to take place on open information networks.
The development of open networks means an increased dependence on digital information and on the process of generation, storage, distribution and use of that information. Although the vulnerability of a computer-dependent society has been pointed out since the era of closed leased-line legacy systems, today's society with its open networks faces new threats. A cracker may penetrate a computer system through open networks without revealing her/his identity and at a low cost to read, falsify, or destroy data.
Building trust in information networks is of paramount importance, since concerns over network risks could lead to a loss of trust in a society that depends heavily on information networks. The importance of international aspects should also be noted because of the global nature of the Internet.
(*1) To promote and integrate various initiatives for the realization of an "advanced information and telecommunications society" and to actively participate in international efforts for advancement in information and telecommunications, the Advanced Information and Telecommunications Society Promotion Headquarters was established in 1994 and is headed by the Prime Minister.
2. Risk Management to Reap Maximum Benefits from an Information Society
Information Technology (IT) security, which refers to ensuring the confidentiality, integrity, and availability of digital information, is important for everyone who lives in an information society. Although there are different views on how to address IT security issues, self-protection is in general more effective and appropriate than excessive regulation. The Internet developed because of its open form of participation, and just like in real society, people are expected to utilize the Internet at their own risk and at their own discretion. Computer users that intend to take necessary security measures to guard their information systems find that their human, technological, and financial resources are naturally limited. It is therefore important that they take comprehensive security measures from the standpoint of risk management to derive the maximum benefits from the use of information systems. To do so, they need to analyze threats and obstacles carefully and decide how to allocate valuable resources among various organizational, physical, and technical safeguards in accordance with their policies. Since security incidents can occur due to unscrupulous employees who cooperate with attackers or innocent employees who unknowingly reveal information to outsiders, security measures must be effective in handling attacks that try to exploit such human-related vulnerabilities as well as attacks that rely on advanced technology. Employing safeguards against trouble resulting from natural disasters and human error is also important.
3. IT Security for an E-Government
The Japanese government aims to make all government-related transactions, such as registration, application, and procurement procedures, electronically possible over the Internet. A government in which this goal is achieved is called an Electronic Government, or E-Government. The Japanese government plans to construct the foundation for the world's highest-level E-Government by FY 2003 as one of its "Millennium Projects."(*2) The E-Government aims to improve administrative efficiency and reduce paperwork costs for the private sector. In the E-Government, administrative activities are carried out through the process of generating, storing, distributing, and using digital information, and IT security in this process is extremely critical.
The Ministry of International Trade and Industry (MITI) assigns the highest level of policy priority to IT security for this E-Government. The E-Government is expected to become a model organization in an information society, and a set of IT security measures to be included in this government is expected to become a risk-management model for the private sector. This model will improve the security of Japan's overall networks, and coordination with similar projects in other countries will result in international contributions.
(*2) In Japan, the fiscal year (FY) starts in April and ends in March.
4. MITI Action Plan for a Secure E-Government
The position of the Japanese government on the issues of an E-Government and IT security is expressed in a paper "About Millennium Projects" (approved by the Prime Minister on December 19, 1999) and the "Action Plan for Building Foundations of Information Systems Protection from Hackers, and Other Cyber-threats" (adopted by the Interagency Director-General's Meeting on IT Security on January 21, 2000), among others. The Liberal Democratic Party, for its part, has compiled "Emergency Proposals to Counter Hackers and Cyber-terrorists" (adopted by the LDP Project Team for Measures to Counter Hackers and Cyber-terrorists on February 15, 2000).
The "MITI Action Plan for a Secure E-Government" is based on these documents and is intended to describe MITI's policy priorities and directions in performing its role in four categories (see the attached pages for details): (1) development of forms of IT security technology, (2) security evaluation for IT products and systems, (3) evaluation of encryption techniques, and (4) establishment of an IT security management framework. MITI will carry out these programs through FY2003 and prepare fundamental security elements needed for the construction of a secure E-Government. The results of these programs will be incorporated with broader inter-ministry work.
This Action Plan will be revised as necessary to keep up with international trends in IT security. One important subject that is not covered fully in this Action Plan is how to effectively and systematically gather, analyze, and disseminate information related to IT security. MITI will further study this area.
This program is intended to develop a common technological basis for a secure E-Government. IT security in an E-Government needs to keep pace with rapidly changing information technology so that security concerns do not get in the way. This program is to provide robust and user-friendly IT security technology based on the latest technology the market has to offer.
There are two types of technology that are to be developed in this program: first, new and advanced IT security technology and second, technology for more efficient use of existing security technology (e.g. improvement in user interfaces) that would shift the government's IT security to a new stage. In fact, IT security is often threatened because of difficulties in proper implementation of existing security measures. This program, therefore, is not complete only with the development of individual protection measures. It should also include development of technology for effective IT security control covering the total process from planning to implementation (e.g. prevention, detection, and analysis of intrusions, as well as recovery) and review.
MITI, in cooperation with the Information-Technology Promotion Agency (IPA) and other bodies, will start projects for developing information security technology needed for secure E-Government in FY 2000. (*3) The following list provides examples of possible study areas and projects. In the actual implementation of projects, priorities will be assigned according to necessity and urgency for the realization of the E-Government. MITI will endeavor to identify the specific IT security needs of an E-Government and it will also seek ideas from the public in order to identify promising projects. Study areas concern:
(*3) IPA is a MITI-related organization, approved by MITI and established in 1970 in accordance with the Law Concerning the Promotion of Information Processing. See www.ipa.go.jp for more information.
(1) Crafting, updating, and following IT security policy
Projects related to technology for more efficient creation and updating of IT security policies, as well as projects for easier and surer operations based on IT security policies
(2) Constructing secure information systems
Projects related to technology for ensuring confidentiality, integrity, and availability (e.g. protection from Denial-of-Service (DoS) attacks, protection from falsification of web pages, and measures for secure creation of documents by multiple staff members)
(3) Operating information systems securely
Projects related to technology for uninterrupted, secure, and efficient operation of information systems in an environment where new threats and vulnerabilities continue to appear (e.g. technology for collecting and sharing data on vulnerability within the government and technology for electronic authentication that is easy to use in organizational changes)
(4) Saving and using data securely for long periods of time
Projects related to technology for secure and long-term storage and use of data
(5) Using information systems securely from remote computers
Projects related to technology for safe and efficient use of information systems from outside offices
(6) Detecting intrusions and other computer security incidents
Projects related to technology for quick and accurate detection and notification regarding computer security incidents
(7) Analyzing the causes of computer security incidents
Projects related to technology for rapid and accurate analysis of causes of computer security incidents
Projects related to technology for rapid and sure recovery of functions after computer security incidents and similar fields
Establish Confidence in IT Products and Systems to be Used in the E-Government through Security Evaluation
This program is intended to promote the security evaluation of IT products (software, firmware, and hardware) and systems to be used in an E-Government. (The assessment of the qualities of cryptographic algorithms is outside the scope of this program. See the following section for this topic.) Secure IT products and systems are essential elements for the secure operation of information systems in accordance with security policies. Security evaluation is an important way to address this point.
Last December, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) adopted the "Evaluation Criteria for IT Security" as an international standard (ISO/IEC 15408). In addition, several countries have signed an arrangement on the recognition of certificates to harmonize their evaluation and certification/validation schemes. Given these international trends, for Japan's E-Government to be viewed as secure internationally, it is increasingly important that the IT products and systems used are evaluated with objective and internationally accepted criteria. MITI intends to prepare the technological and human basis for IT security evaluation.
MITI will actively carry out the following tasks to create an environment for IT security evaluation. The product of these tasks will be used in discussions at the Inter-ministerial Meeting on Government Information Systems. The Inter-ministerial Meeting is expected to agree on a secure product procurement policy, which is expected to take effect in FY 2001.
(1) MITI will formally incorporate ISO/IEC 15408 in Japanese Industrial Standards (JIS) as of the summer of 2000.
(2) In FY 2000, MITI will start a training program for preparation of the human basis (developers, evaluators, and users) needed for greater use of IT security evaluation in Japan.
(3) MITI will promote security evaluations for existing products, in coordination with IPA projects related to IT security. In addition, the IPA will introduce security evaluations in its own development projects for the E-Government, and especially in those projects that are critical to IT security.
(4) MITI will promote the development of technology to be used in IT security evaluations of information systems, which are believed to be more difficult than evaluations of individual products.
(5) MITI will use the results of these tasks in inter-ministry discussions about how to use security-evaluated products in the E-Government.
Cryptography is a key technology for electronic authentication as well as for the assurance of the confidentiality and integrity of information. Evaluation of security and other aspects of cryptographic techniques to be used in an E-Government is, therefore, of great importance. This program and Program 2 (evaluation of IT products and systems) are complementary with regard to establishing trust in the core technology that will be used in the E-Government. Looking abroad, the United States, for example, is in the process of selecting cryptographic algorithms for the Advanced Encryption Standard (AES). MITI intends to ensure the reliability of cryptographic techniques in Japan through technical assessment of the security, efficiency, and other aspects of encryption techniques in an objective manner.
ISO/IEC recently started work for the standardization of encryption algorithms. Although this program is being carried out from the viewpoint of use for the E-Government, the results and framework for cryptographic evaluation developed in this program will be used in coordination with ISO/IEC activities as appropriate.
MITI will start a project to evaluate the security, efficiency, and other aspects of encryption algorithms in an objective manner. For this purpose, MITI will form a Cryptographic Technology Evaluation Committee (its tentative name) to consist of Japan's top cryptographers. Evaluation will occur objectively and transparently to ensure confidence in the results. The results of evaluations will be used in work at the Inter-ministerial Meeting on Government Information Systems. The Inter-ministerial Meeting is expected to agree on basic policies on how to construct information systems using IT security techniques, with a view to begin implementation in FY 2001.
(1) MITI will form the Cryptographic Technology Evaluation Committee (its tentative name) in April 2000. Professor Hideki Imai of Tokyo University will chair the Committee and the IPA will serve as the secretariat. The Committee and secretariat will decide the criteria and methodology for evaluation as soon as possible and prepare a call for the submission of algorithms. They will carry out evaluation by the end of FY 2000 for the first stage.
(2) In addition to the evaluation of cryptographic algorithms, MITI will study and implement the evaluation of cryptographic modules as necessary for the E-Government.
(3) MITI will use the results of these cryptography-related projects in inter-ministry discussions about how to use cryptography in an E-Government.
(4) Japan will actively contribute to recent ISO/IEC activities for the standardization of cryptographic algorithms so that cryptographic algorithms submitted by the Japanese National Body to ISO/IEC are incorporated in international standards.
While the technology-oriented approaches described in Programs 1 to 3 are important, non-technical approaches are no less important in ensuring IT security. This program is intended to establish an IT security management framework to address human-related IT security problems for the E-Government. In doing so, MITI will study international standards and guidelines to improve the various IT security guidelines it published in the past.
Internationally, ISO/IEC is currently working on "Guidelines for the Management of IT Security" (ISO/IEC TR 13335, or "GMITS"). In addition, a British standard for information security management (BS 7799), which is used outside the United Kingdom as well, has been proposed as a new ISO/IEC standard. There are also various guidelines and manuals prepared by non-governmental organizations to address the issues of controlling and auditing information systems.
MITI intends to study these international trends and establish an IT security management framework for the E-Government.
The following tasks will be carried out to establish international trust in Japan's networks. MITI will use the results of these tasks in inter-governmental work related to IT security policies for the E-Government.
(1) MITI will draft new standards or guidelines on IT security management, with plans to incorporate them in the JIS in FY 2000 or FY 2001. A committee will be formed at the beginning of FY 2000 to study IT security management for Japan while referring to international guidelines.
(2) In parallel with this task, Japan will actively participate in international work on IT security management such as efforts carried out in the ISO/IEC.