Ministry of Economy, Trade and Industry

Announcement of interim report by the Study Group on Cyber Security and Economy: "Policies to Realize Autonomous, Flexible, and Robust Information Security"

Nowadays, new information security threats are emerging day by day and cyber attack techniques are becoming increasingly sophisticated and complex.

Under these circumstances, the Ministry of Economy, Trade and Industry (METI) has held the Study Group on Cyber Security and Economy six times since December last year. To summarize discussions by the Study Group and public comments it received, an interim report was compiled and released.

1. Background

Cyber attacks targeting intellectual property and vital infrastructure have occurred in recent years, posing a more serious security threat. In particular, cyber attacks directed at large companies and governmental agencies have become more prominent, and this trend is accelerating not just in Japan but worldwide.

Recognizing the situation, METI has invited experts in information security to the study group since December last year to discuss information security measures that allow people to use information technology, the base for economic activities, more safely and securely.

  • Jan/2010 Targeted cyber attacks on Google etc.
  • Sep/2010 Cyber attacks on Japanese government agencies
  • Sep/2010 Cyber attack on Iran's nuclear facility via Stuxnet
  • Oct/2010 Release of int'l terrorist information from the Metropolitan Police Agency
  • Nov/2010 Release of video footage of the Chinese fishing boat collision near the Senkaku Islands
  • Nov/2010 U.S. diplomatic telegrams revealed by WikiLeaks
  • Mar/2011 Disruption of supply chains after Great East Japan Earthquake
  • Apr/2011 Leakage of large amounts of personal information through cyber attacks on Sony

2. Summary of the report

The report notes emerging threats from more sophisticated and complex new cyber attacks, such as targeted cyber attacks, whose purpose is to steal information from specific organizations and cause damage to them, and cyber attacks on industrial control systems pertaining to key infrastructure. In light of this trend, the report focuses on the following three topics, including the development of human resources essential to the implementation of information security measures.

(1) Responses to targeted cyber attacks

Traditional cyber attacks often distributed massive amounts of malicious programs to an indefinite number of PC users. By contrast, many recent cyber attacks are of the targeted type, intended to infect specific organizations or individuals with certainty. This type of attack has increased six-fold over the past four years between 2007 and 2011. To counter these attacks, there should be technical standards that users would follow to protect their information. A framework should be established under a partnership among users, information security companies and public agencies in which they can share security information. When a user is hit by a cyber attack, this framework will prevent other users from sustaining damage from similar attacks.

(2) Ensuring the security of control systems

Recently, control systems have come under threat of cyber attacks because they are more often connected to external networks and use common operating systems. Nevertheless, most of their security measures are not proactive. The report proposes three kinds of measures:

  1. Preventive measures

    Develop security standards for control systems and promote international standardization. Create a scheme for objectively evaluating the security level of control systems used in Japan and assuring security of exported products by accommodating mutual recognition with overseas certification systems.

  2. Measures after the incident

    Promote the establishment of an incident management system that requires the owner of a control system to test a patch before applying it, in order to verify that the patch will not affect other systems and equipment, or that facilitates discussion on rules for deciding whether to issue alert information to third parties in the event of an incident.

  3. Common measures

    Promote education for user companies, especially their management, on the development of human resources with advanced expertise and the recognition of the risks and costs involved in security protection.

(3) Development of human resources for information security

Professionals who can protect it are an essential element for a company reinforcing its IT infrastructure. In particular, countering new security threats, including "responding to targeted cyber attacks" and "ensuring the security of control systems", requires the development of human resources with a new set of skills. However, there is sometimes a gap between the needs of enterprises and the educational content provided by educational institutions regarding human resources.

To eliminate this gap, a newly established examination group organized by the ICT Education Promotion Council of Japan (ICTEPC) and the Japan Network Security Association (JNSA) should discuss detailed issues about practical training, as well as provide the younger generation with an opportunity to learn practical information security.

Release Date

August 5, 2011

Division in Charge

Office for IT Security Policy, Commerce and Information Policy Bureau
