The Cybersecurity Strategic Headquarters was established under the Cabinet in November 2014 to promote cybersecurity policies effectively and comprehensively. It is headed by the Chief Cabinet Secretary, with the Minister in charge of Cybersecurity as deputy, and is composed of the Chairman of the National Public Safety Commission, other relevant Ministers, and knowledgeable experts from academia and the business sector.
The National center of Incident readiness and Strategy for Cybersecurity (NISC) was established in 2015, building on the former National Information Security Center (also abbreviated NISC), which had been active since 2005. It serves as the secretariat of the abovementioned Cybersecurity Strategic Headquarters and works in collaboration with the public and private sectors on a variety of activities to create a "free, fair and secure cyberspace". NISC plays a leading role as a focal point in coordinating intra-government collaboration and promoting partnerships between industry, academia, and the public and private sectors.
NISC coordinates cybersecurity policy by formulating
- Cybersecurity Strategy
- Cybersecurity Policy for Critical Infrastructure Protection
- Common Standard on Information Security Measures of Government Entities
- Cybersecurity Human Resource Development Plan
- Cybersecurity Research and Development Strategy etc.
NISC acts as the governmental CERT. NISC and JPCERT/CC, the CERT covering private entities, work together as the national CERT.
NISC consists of the following seven groups. The main activities are as follows.
- Strategy and Policy Planning Group
  - Formulation of medium-to-long-term plans on cybersecurity policy, and research and analysis of cybersecurity technology trends, etc.
- International Strategy Group
  - Promotion of international cooperation on cybersecurity policy.
- Comprehensive Measures for Government Agencies Group
  - Formulation and operation of unified standards for promoting information security measures of government agencies, which serve as the basis for audits.
- Integration and Coordination of Cybersecurity Information Group
  - Collection of the latest information on cyberattacks and operation of the Government Security Operation Coordination team (GSOC).
- Critical Infrastructure Protection Group
  - Creation of public-private partnerships in cybersecurity measures based on the Cybersecurity Policy for Critical Infrastructure Protection.
- Incident Investigation and Analysis Group
  - Analysis of targeted e-mails and malware, and investigation of other cyberattack cases.
- Tokyo 2020 Group
  - Promotion of cybersecurity measures for the Tokyo Olympic and Paralympic Games in 2020.
The current Cybersecurity Strategy, issued in July 2018, is the second one under the Basic Act on Cybersecurity. Looking ahead to 2020, the year of the Tokyo Olympics and Paralympics, the Cybersecurity Strategy sets out the basic position on cybersecurity policy, its objectives, and its implementation for 3 years (2018-2020), domestically and internationally. An overview of the Cybersecurity Strategy is shown below.
Cybersecurity Strategy (Booklet) download
The Basic Act on Cybersecurity
The Basic Act on Cybersecurity has been implemented since 2015 to promote the cybersecurity policy by
- setting basic principles of cybersecurity policy
- clarifying the responsibilities of the government, private entities, and citizens
- stipulating the framework for cybersecurity policy, such as the formulation of the cybersecurity strategy and the establishment of the Cybersecurity Strategic Headquarters.
NISC has set the Common Standards on Information Security Measures of Government Entities as the baseline standard to raise the level of information security for all governmental agencies and related agencies. Based on the standard, NISC oversees the status of its implementation across agencies through audits.
NISC operates a real-time, government-wide monitoring team called the Government Security Operation Coordination team (GSOC). GSOC not only monitors malicious communications incoming to or outgoing from government-owned systems but also works as an information sharing framework among governmental entities. GSOC provides alerts and advice to governmental entities when suspicious signals or malware are detected.
Since 2005, the ‘Cybersecurity Policy for Critical Infrastructure Protection’ has been set as a common action plan shared by the government, which bears responsibility for the protection of critical infrastructure, and by critical infrastructure operators, which independently carry out relevant protective measures. The 4th edition was published in 2017.
This document identifies 14 sectors as critical infrastructure and expects stakeholders to undertake the five measures below.
- Development and penetration of safety principles
- Enhancement of information sharing system
- Reinforcement of incident response capacity
- Risk management and preparation of incident readiness
- Building up the basis of critical infrastructure protection
- The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) (Revised on January 2020)
  - Full Text
- Guideline for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure (5th Edition) (Revised on May 2019)
- Risk Assessment Guide Based on the Concept of Mission Assurance in Critical Infrastructure (1st Edition) (Revised on May 2019)
The ASEAN-Japan Cybersecurity Policy Meeting was established in 2009 with the aim of promoting and strengthening cybersecurity cooperation and collaboration between ASEAN Member States and Japan. The areas of collaboration include cyber exercises, awareness raising, capacity building and so on. Part of the outcome of the activity is shown below.
Enhancement of Information Sharing
To enhance information sharing among relevant stakeholders in the public and private sectors, the Cybersecurity Council was newly established in April 2019 through the amendment of the Basic Act on Cybersecurity. The Council is composed of national government bodies, critical infrastructure operators, security vendors, and other related organizations. The amended Act imposes an obligation of confidentiality on the members of the Council and others in order to encourage willingness to share information.
General Framework for Secure IoT Systems
In 2016, NISC set the ‘General Framework for Secure IoT Systems’, which clarifies the fundamental and essential security requirements for secure IoT systems.
- General Framework for Secure IoT Systems
Previous versions of key documents, such as the Cybersecurity Strategy, are available at the link below.