Protecting Our Infrastructure: utilizing everything we have. Suguru Yamaguchi Advisor on Information Security, Cabinet Secretariat, Government of Japan

Large-scale Accident in Critical Infrastructure  Typical Examples –Mizuho Bank （ ) –FDP at Tokyo ATC ( )  Hard for Gov. to know what’s going on.→ first response is always in their hand.  Troubles/Accidents at Dependable infrastructure make huge impacts on our life.  Prevention  Response: minimize impact and involved areas  Learn from accidents: analysis and expertise （読売新聞：２００２年４月３日報道写真）

Analysis on Inter-dependency among Critical Infrastructure By JST RISTEX Mission Program II Area with Large impact 0 hr.1 hr.12 hr.24 hr. Simulation on spreading impact on social systems in the case of critical accidents on core system of large scale bank in Japan (simulation)

Internet = Critical Infrastructure  Internet is critical infrastructure –Various kinds of our activities are now on the Internet. Online banking / reservations / shopping and commerce / money transfer / …. –We can’t imagine our life without the Internet.  “Dependable” infrastructure –What and how we can make this? –Need research

Internet: Global and Ubiquitous Infrastructure for Communication Communication Technology Wireless Satellite ATM Optical Fiber Copper Cable WDM/SDH ISDN Internet Technology CATV Cable Modem Society TCP/IP

Internet for Everything  Always connected with global address  New services with various kind of devices

Targets and Schedule of CEIIS Targets and Schedule of CEIIS Critical InfrastructureCompaniesIndividuals ◎ Establish Ground-Design of Japanese Information Security Policy ◎ Implement Effective Measures and Policy To be reliable for private sectors as their counter-party To be reliable in global arena Implement balanced investment toward technologies Keep transparency Maintain function as highly reliable infrastructure Keep verifiable design of function and business continuity Promote coordination and mutual assistance Support security-culture as major stakeholders Reach consensus in management and circulation methods of privacy information The First proposal (Oct/04) The Second Proposal (Mar/05) The Third Proposal (July/05) (1)Implementation Structure of Overall Information Security Policy (2)Measures for Government itself

Recommendations #1 (as of Nov. 2004)  “Information Security Policy Committee” (tentative name) –Under IT Strategy Headquarter –By FY2006 –Set mid / long term strategy –Recommendations –Evaluations  “National Information Security Center” (tentative name) –Operational guidelines for government systems –Audit and inspections –Response for IT incidents on government systems –Repository of “expertise”

E-government in 2005 (JP) Comm. Biz Edu. Transport National Resource National Resource Broadcast The Internet Various kind of digital communication infrastructure

 E-gov portal site –One stop service –Single window service –“online”

Targets and Schedule of CEIIS Targets and Schedule of CEIIS Critical InfrastructureCompaniesIndividuals ◎ Establish Ground-Design of Japanese Information Security Policy ◎ Implement Effective Measures and Policy To be reliable for private sectors as their counter-party To be reliable in global arena Implement balanced investment toward technologies Keep transparency Maintain function as highly reliable infrastructure Keep verifiable design of function and business continuity Promote coordination and mutual assistance Support security-culture as major stakeholders Reach consensus in management and circulation methods of privacy information The First proposal (Oct/04) The Second Proposal (Mar/05) The Third Proposal (July/05)

Catalyst: each ministries Sectors and Roles Government Local Government Critical infrastructure Companies Individuals Government “Culture of Security” Top down approach from Gov., Bottom up from private sectors

Top down & bottom up  Top down approach from Government –Standards and guidelines for procurement / installation / operation and responses –Critical Infrastructure Protection (CIP) –Minimum requirements on systems / networks –regulations  Bottom up approach from Private Sectors –Expertise from real operational systems –“Know How” on profitability / cost-down / actual operation / customizing systems / ….

Cabinet Secretariat FSAMETIMLITMPHPT Ele.FinanceGasTrainCommAir Critical Infrastructure Local Gov. Information flow

More works required  Exercise on Large scale accident –Within an identical infrastructure –With other infrastructures –We don’t know the effect of “Inter-dependency” Research required.  Awareness program –Classic / Legacy approach on generic security management –Changes on its systems drastically More computers and networks in their systems –Sharing Best Practices

Services Monitoring Traffic and access Other ISP’s Ｘ ISP Blocking the traffic Define their handlings in contract IT section Not enough expertise Out sourcing Top Management Decisions on business operations Attacker Conducting intentional activities Need to work globally Attack Traffic Forging source address Mission difficult (not impossible) （１） Improving Technology and Operation （２） Gov/Private Sector collaboration （３） Re-designing Security functions （４） HQ role （５） Learn more from accidents （６） Preparation / Prevention

Sharing Best Practices Best Practice developed through competition: high quality expertise on technology, engineering, and operation Distributing Best Practice Work with Non-profit area Improving business environment Private Sectors Government

Improving Information Sharing Government Critical Infrastructure Companies ISAC model? Inter-sector communication Anonymity / Responsibility Among Ministries LEA

Summary  Collaboration and mutual understandings on what we are doing is quite important among Government / private sector relationship  Need to do more –Improving information sharing –Exercises & Awareness –Research, esp. on analysis on “inter-dependency” among CI  CEIIS (Committee of Essensial Issues on Information Security) –Recommendations #2 by the end of FY2004 (Mar. 2005)