Mabito YOSHIDA Director, IT Security Office

1. Information Security Policies in the Telecommunications Field Mabito YOSHIDA Director, IT Security Office Ministry of Internal Affairs and Communications (MIC） JAPAN November 25th 2004

2. Overview of Policies for Construction Safe and Secure Network Infrastructures Transition of security measures ■From ones by individual companies/organizations to ones by collaboration among wide-range of interested parties ■From ones at a terminal level to ones at the a network level 1.Strengthening of network-side security measures 2. R&D ofthe security technologies Construction of safe and securenetwork infrastructures 3．Strengthening of user-side security measures 5. Legislation 4.HumanResources

3. Member ① Security measures on network-sideTelecom-ISAC Japan ISAC: Information Sharing and Analysis Center ■Objectives of Telecom-ISAC Japan Collect and analyze information on incidents that occur in the service infrastructures of telecommunications industry, and share the results within the industry. ■Role of Telecom-ISAC Japan (1) Exchange of reports and information concerning system vulnerabilities (2) Provision of countermeasures and best practices (3) Provision of information on threats and damages caused by cyber attacks and computer crimes, etc. ■Scheme of ISAC National Incident Response Team Telecom-ISAC Japan NIRT Management of collected information • Portal sites • Security information • Related links • What’s new • Event information • Glossary Function of information collection (1) Provision of vulnerability information (2) Delivery of urgent information Management of incident information (3) Provision of telecom-related information Mail, FAX etc. General users • For members • Vulnerability info. • telecom-related information • Technical info. Database of Vulnerability information (4) Operation of portal sites Domestic-related information sites (JPCERT, IPA..) (5 )Operation of test laboratories Management of countermeasure information Delivery of urgent information (6)Holding technology Forum Mail, FAX etc. Foreign related information sites (CERT, ISAC..) Members Established: July 2002 Members: 9 Leading ISPs (NTT Com., KDDI, Japan Telecom, Powered Com, NEC, IIJ, Nifty, Yahoo, Matsushita), etc.

4. ①Security measures on network-side Support measures To ensure Internet security, the implementation of appropriate security measures by telecommunications carriers is important. • ○ Guideline • Basic and comprehensive guidelines regarding all safety and security measures in telecommunications networks • ○ Taxation • Preferentialtax treatment in case where telecommunications carriers obtain facilities which contribute to improved reliability of telecommunications systems • ○ Security Mark • Security mark is given by Internet Access Service Safe and Security Mark Promotion Group(*1) to ISPs which meet certain standards for security measures and user support • (*1) composed of the Telecom Service Association and the Japan Internet Providers Association etc.

5. ② R&D on security technologiesOutline of Measures for Security Technology R&D （1） Enhancement of capabilities to analyze influence of viruses on network （2） Strengthening R&D on technologies for ensuring security of telecommunications infrastructures ・Wide-area monitoring system technologies and high precision trace back technology （3）Establishment of bases for security technology ・Establishment of the Information Security Center at the National Institute of Information and Communications Technology (NICT) Wide-area monitoring system Infiltration detection probe Virus detection probe Archive of System logs Portal site for information provision Firewall probe ISP network Log analysis system Wide area monitoring system Center Monitoring probe Monitoring probe

6. ② R&D on security technologiesApproach of the National Institute of Information and Communications Technology (NICT) Establishment of the Information Security Center (April 2004) • R&D themes • Wide-area monitoring technologies • Technologies for enhancing security measures • Vulnerability evaluation technologies • Cryptographic technologies, etc. Carrying out R&D and preparing facilities Large-scale R&D facilities Nurturing practical researchers for a short period by cooperation of actual working site Realizing advanced counter-measures based on latest R&D results and facilities On-site security measures ・Telecom-ISAC Japan ・JNSA ・SPREAD　　　・CRYPTEC, etc. Human resources Development A base of collaboration among industry-academia-government sectors and high-level human resources Development

7. ③ Security measures on user-side (1) Recommending 3 principles to minimize user risk (2) Arousing awareness of user-side security • Enhancement of security education • Campaigns forsecurityawareness (2) Implementing personal firewall (3) Applying latest security patches (1) Installing virus check software Latest virus detection data The update is ready Viruses Icon and message to notify of the software update From MPHPT “Information Security Sites for the General Public”

8. ④ Human resources • Nurturing security administrators (administration engineers) is indispensable for ensuring information security. • At present, there is a serious shortage of security administrator in Japan. • Approximate shortage of 120,000 people • (from the Telecommunications Software Forum Report (Dec. 2003)) • ○Human resources development through certification systems • Since 2001, a subject on Information Security has been added to the national examination for “Chief Telecommunications Engineer's licenses for Transmission, Switching technology and Line technology”. • Since 2001, “Network Information Security Manager (NISM)” programhas been founded by7 associations (including the Telecommunications Carrier Association), as a private security certification. • ○Support program for human resources development • Have implemented the program subsidizing organizations which promote human resources development in telecommunications field since 2001. • ○Building bases for human resources development • Be implementing a support program for establishment of the Human Resources Development Center for Telecommunications Security in 2004.

9. ⑤Legislation In order to ensure information security, it is important to legislate to prohibit actions that threaten the safety of the network and penalize those who contravene the laws. • ○ Law Concerning Prohibition of Acts of Illegal Access (enforced February 2000) • In addition to specifying the prohibition and penalizing of acts of illegal access, specifies that a duty be placed on access administrators to strive to implement protective measures and aids in the administration of this. • ○ Law Concerning Digital Signatures and Authentication Bodies (enforced April 2001) • In addition to giving the same legal significance to digital signatures as to handwritten signatures and seals, introduce an optional qualification system for authentication bodies. • ○ Establishment of Domestic Legislation for the Ratification of the European Council Cyber-crimes Treaty • Implement the necessary legislation for the early conclusion of the cyber-crimes treaty.

10. medium-term target Elimination of DDoS attacks ISP Eliminate undesirable communications through packet filtering and virus checks Virus checks Elimination of illegal access Elimination of viruses and worms Development of network foundational technologies for enabling everyone to use security-guaranteed communications Packet with a spoofed sender address Elimination of spoofing ○ Realization of network environment to make users use the network without awareness on security measures • Ordinary users have their limits to take all countermeasures on the user side.