Newsletter

Recent Legal Developments in Japan for Fortifying Essential Infrastructure Services’ Resilience Against Cyber Threats

NO&T Japan Legal Update

Author(s)
工藤靖
Publisher
Nagashima Ohno & Tsunematsu (长岛・大野・常松律师事务所)
Book title or periodical
NO&T Japan Legal Update No.44 (March 2024)
Language
English

Please note that this newsletter is intended to provide information and does not constitute legal advice. It reflects only information available as of its date of issue (date of preparation) and does not cover later developments. In particular, a flash report may differ from the current interpretation or practice.

I. Introduction

In light of the escalating cyber threats in Japan during 2023, the Japanese National Police Agency (“JNPA”) has underscored the persistent prevalence of ransomware attacks, with a noteworthy increase in incidents involving a new form of ransomware known as “No-ware ransom”※1. This variant involves the theft of data from victim companies without encryption of the stolen information, and it nonetheless causes substantial harm. Additionally, the Information-Technology Promotion Agency publicly released its “10 Major Security Threats 2024”※2. In that report, in the category of threats to enterprises, attacks exploiting vulnerabilities embedded in the supply chain are ranked as the second-highest threat, while damage caused by ransomware attacks is ranked first.

Given this concerning trend in cyberattacks, the Japanese national government, together with the pertinent government agencies, has proactively established a system (the “System”) under the Economic Security Promotion Act (“ESPA”) to ensure the provision of essential infrastructure services (“EIS”) and to enhance supply chain risk management, including ensuring cybersecurity in EIS. The System is aimed at fortifying EIS resilience against cyber threats and ensuring a comprehensive response to emerging challenges.

The subsequent sections provide a comprehensive outline of the System, especially focusing on the supply chain risk management implemented to safeguard EIS.

II. Outline of the System for Ensuring Provision of Essential Infrastructure Services Under the Economic Security Promotion Act

The System is established pursuant to the ESPA, which was enacted in 2022 in response to escalating cybersecurity threats in Japan. Operational from May 2024, the System aims to mitigate risks such as the embedding of malware during equipment installation or software updates and the disclosure of vulnerability information by third parties outside Japan. Starting in 2023, competent authorities have created and updated guidelines in preparation for the effective implementation of the System beginning in May 2024※3.

(i) Outline of the System for Ensuring Provision of EIS

  • Purpose: The primary objective of the System is to prevent critical facilities of the EIS (“CF”) from being exploited from outside Japan as a means of disrupting stable provision of EIS. Competent authorities conduct a prior screening process and issue recommendations or orders concerning the installation or entrustment of maintenance, etc. (as defined below), of the CF.
  • Scope of EIS: EIS encompasses services in electricity, gas, oil, water, railways, truck transport, international maritime cargo, aviation, airports, telecommunications, broadcasting, postal services, financial services, and credit cards. Designated as EIS are services that are either (i) crucial for national livelihoods or economic activities and whose absence may lead to widespread or large-scale social turmoil or (ii) essential for citizen survival with limited substitution possibilities. Competent authorities in the respective EIS fields designate the specific services falling under this purview. Please note that, in response to a ransomware attack in July 2023 on the Nagoya United Terminal system operated at the Nagoya port facilities, as a result of which certain port-facility operations were suspended for more than two days, the Japanese government decided in January 2024 to amend the relevant regulations in order to add “port transport” to EIS.
  • Scope of the CF: Equipment or programs that may be exploited for interference with the stable provision of EIS, such as through cyber-attacks or physical interception measures, are designated as CF. Competent authorities in the respective EIS fields identify and designate such CF※4.
  • Scope of EIS Operators: EIS operators are designated based on the unique circumstances of each EIS, considering factors such as the scale of operation or substitutability. Competent authorities in the respective EIS fields identify and designate EIS operators※5.
  • Duty of EIS Operators: Upon the installation of CF for business use or the commencement of entrustment of maintenance, etc., of CF to other business operators, EIS operators are generally required to submit a notification plan in advance and undergo a screening process conducted by the competent authorities. This measure ensures a proactive approach to cybersecurity, aligning with the overarching goals of ESPA.
  • Definition of “maintenance, etc.”: Any maintenance, management, or operation that is critical for maintaining the functions of CF or for the stable provision of EIS that depends on CF, and that is likely to be used as a means of sabotage.

The outlined System under ESPA establishes a comprehensive framework to fortify the cybersecurity posture of CF, safeguarding against external threats and disruptions to EIS.

(ii) Outline of the Prior Screening Process in the System for Ensuring Provision of Essential Infrastructure Services Under the Economic Security Promotion Act

Please see below a brief outline of the prior screening process mentioned above:

  • Prior Notification Plan:

    • Installation:

      • The Prior Notification Plan must include a summary of critical facilities, including content, timing of installation, suppliers, components, etc.; and
      • Measures which will be implemented for managing risks related to installation.
    • Entrustment of Maintenance, etc.:

      • The Prior Notification Plan must set forth a summary of critical facilities, including content, timing of entrustment, contractors, subcontractors, etc.; and
      • Measures which will be implemented for managing risks related to the entrustment of maintenance, etc.
  • Measures for Risk Management:

    • The EIS operator is required to report the measures taken to prevent interference with CF in both types of notifications.
    • Specific examples of measures are outlined in the System’s guidance.
  • Examples of Detailed Measures for Risk Management:
    Among other things, detailed measures for the supply chain risk management against cyber threats include the following:

    • For Installation:

      • Implementing necessary controls to prevent unauthorized changes to the CF and their components during manufacturing by suppliers. A contract should stipulate the EIS operator’s right to verify these controls.
      • Adoption of a system to identify signs of unauthorized disruption of the CF and their components, as a result of which the provision of EIS can be maintained.
    • For Entrustment of Maintenance, etc.:

      • Implementation of necessary controls to prevent unauthorized changes to the CF by the entrusted party (including the re-entrusted party). A contract should allow the EIS operator to verify such controls.
      • In the case of re-entrustment, a contract should stipulate the provision of information for cybersecurity checks and approval by the EIS operator.
  • Flexibility in Implementation:

    • The Japanese government acknowledges that measures should be determined based on the nature and degree of risk associated with the business.
    • EIS operators are not obliged to implement all listed measures; they can choose substantially equivalent measures and select relevant items accordingly.
    • The focus is on achieving the intended cybersecurity goals, allowing flexibility in implementation based on individual circumstances.
  • Screening Period:

    • The relevant competent authority will review the content of the prior notification.
    • As a general rule, the screening period is within 30 days from the receipt of the plan by the competent authority. This period may be extended to at most 4 months, depending on the degree of scrutiny the plan requires.
  • Recommendations/Orders:
    Following review, the competent authority will take one of the following actions:

    • High Risk Determination:

      • If the relevant authority determines that the CF poses a high risk of being misused to disrupt the stable provision of EIS, it will issue a recommendation of the measures necessary to prevent such disruptive actions against the EIS operator. If the relevant authority determines that there is no high risk of such misuse, no recommendation will be issued.
    • EIS Operator’s Response:

      • The EIS operator is required to respond to the relevant authority within 10 days from the receipt of the recommendation, indicating whether or not it will accept the proposed measures.
    • Orders in the Absence of Response or Rejection:

      • If there is no response from the EIS operator within the specified period, or if the EIS operator explicitly notifies the relevant authority that it does not accept the recommendation (unless there are legitimate grounds for such refusal), the competent authority may proceed to issue orders for the implementation of the recommended measures.

This outlined process ensures that EIS operators actively engage in risk management and cybersecurity measures, fostering a collaborative effort with competent authorities to protect the CF from external threats.

In addition, this structured process may affect the suppliers and vendors of EIS operators, since a recommendation by the relevant authorities could prevent them from carrying out transactions with EIS operators. Therefore, under the System, while EIS operators are generally required to ensure supply chain risk management against cyber threats and to make an appropriate prior notification to the competent authorities, the suppliers and vendors of EIS operators are effectively obligated to cooperate with EIS operators in order to complete the screening process in a timely manner. The System therefore also has an indirect impact on both domestic and foreign vendors and suppliers of EIS operators.

Endnotes

*3
For example, the Cabinet Office of the Japanese government publicly discloses its guideline on the following website:
https://www.cao.go.jp/keizai_anzen_hosho/doc/infra_kaisetsu.pdf

*4
For example, the Japanese Financial Services Agency has publicly disclosed its guidance relating to the CF on the following website:
https://www.fsa.go.jp/news/r5/economicsecurity/infra_kaisetsu_financesector.pdf

*5
For example, the Japanese Financial Services Agency has publicly disclosed the designation of EIS operators in financial services on the following website:
https://www.fsa.go.jp/news/r5/economicsecurity/tokuteishakaikiban.pdf

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
