Kazuaki Omori, Ministry of Internal Affairs and Communications

Cybersecurity Policy and Projects by Ministry of Internal Affairs and Communications (MIC). November 2nd, 2016. Kazuaki OMORI, Director, ICT Security Office, Ministry of Internal Affairs and Communications. Copyright (c) 2016 Ministry of Internal Affairs and Communications (MIC). All Rights Reserved.

Transcript of Kazuaki Omori, Ministry of Internal Affairs and Communications

Page 1: Kazuaki Omori, Ministry of Internal Affairs and Communications

Cybersecurity Policy and Projects by Ministry of Internal Affairs and Communications (MIC)

November 2nd, 2016

Kazuaki OMORI

Director, ICT Security Office, Ministry of Internal Affairs and Communications

Page 2: Kazuaki Omori, Ministry of Internal Affairs and Communications

Overview of ICT usage in Japan (1)

According to Communications Usage Trend Survey 2015, 83% of the Japanese population uses the Internet.

Reference: MIC (2016), “Communications Usage Trend Survey 2015 (in Japanese)” <http://www.soumu.go.jp/johotsusintokei/statistics/data/160722_1.pdf>

Figure 1-1: Transitions in the number of Internet users and their percentage of the general population (individuals), end of 2000 through end of 2015

Page 3: Kazuaki Omori, Ministry of Internal Affairs and Communications

Overview of ICT usage in Japan (2)

Matters of concern with Internet usage and problems with ICT networks:

・ Households: personal information leakage (80.4%) and virus infections (77.9%)

・ Enterprises: virus infections (47.8%), difficulty of developing security measures (44.2%) and personnel shortages (44.0%)

Figure: Matters of concern with Internet usage at households (end of 2015). Categories: personal information will be disclosed or exposed externally without permission; computer virus infections; unsure how far security measures should be taken; trustworthiness of electronic payments; false billing and other types of internet fraud; receiving spam; trustworthiness of authentication technology; one’s own understanding of internet usage; violations of intellectual property rights; amount of illegal and harmful information; internet addiction; conflict with communication partners; others.

Figure: Problems with Internet and Internet LAN usage at enterprises (end of 2014 and end of 2015). Categories: concern about virus infections; difficult to develop security measures; operational and management personnel shortages; operational and management cost increases; low security awareness among employees; difficult to recover from failures, outages, etc.; difficult to quantify benefit; high communication charges; difficult to obtain benefits; low communication speeds; concern about trustworthiness of electronic payment; concern about protection of copyrights and intellectual property; concern about trustworthiness of authentication technology; others; no specific problems.

*Multiple answers accepted

Source: MIC’s White Paper Information and Communications in Japan (2016)

Page 4: Kazuaki Omori, Ministry of Internal Affairs and Communications

Increase in Cybersecurity Threats

Information and communications technology, including the Internet, is a source of Japan’s growth potential as well as a foundation of socioeconomic activities. In recent years, information security threats have become more and more malicious and sophisticated, and are causing serious damage.

Examples of damages caused by recent cyber attacks

Jun 2015: Malware infection of a terminal used by an employee of the Japan Pension Service raised concerns that information on pension members had been leaked. (Targeted attack)

Oct 2015: A phishing site was reported that imitated a Financial Services Agency warning website about the security of domestic internet banking. Information such as account numbers, passwords and two-factor authentication details could have been stolen through the phishing site. (Phishing)

Nov 2015: A cyberattack on the official website of TOCOG left the site out of service for about 12 hours. (DDoS attack)

June 2016: Malware infection of a terminal used by an employee of i.JTB raised the possibility that personal information, including passport numbers, had been leaked. (Targeted attack)

1. Malware: Abbreviation for Malicious software. Collective term for harmful software similar to computer viruses.

2. DDoS attack: DDoS stands for Distributed Denial of Service. An attack where a large volume of data is sent all at once to a specified address from a large number of terminals, rendering the server of the addressee inoperable.

3. Targeted attack: An attack launched at a targeted individual or organization aimed at stealing confidential information, etc.

4. “Watering hole” attack: An attack where the attacker lies in wait at a website frequently visited by the targeted organization. The malware infects only the targeted organization and steals its personal information, etc.

5. List-type attack: An attack where the attacker attempts to log in to online services using a list of IDs and passwords of other users obtained illegally.

6. Ransomware: Malware that restricts access to a user’s system or files, for example by encrypting them. The user is then charged to remove the restriction or decrypt the files.

7. Adware: Software that earns revenue by showing advertisements, usually installed together with freeware. It automatically adds advertisements when a user uses a browser.

Figure: Increasingly sophisticated attack methods. The purposes of attacks are changing and the dangers are growing (timeline: 2000, 2005, 2010, 2015).

• Purpose of attacks: from crime for pleasure (exhibitionistic, showing off, harassing behavior, etc.) to white collar crime and organized crime (purpose is money; planned, pernicious)

• Infection routes: infection via a network; infection from randomly sent email; infection via websites; infection via email sent to specific targeted addresses; drive-by downloads

• Damages: increase in malware (1) infection, unauthorized access and DDoS attacks; unauthorized access damages; DDoS attack (2) damages; damages from targeted attacks (3), “watering hole” attacks (4), fraudulent cash transfers, and list attacks (5); ransomware (6); malicious adware (7)

• Conspicuous attacks: the attack is immediately detected, and measures can be put in place

• Inconspicuous attacks: time elapses before the attack is discovered, increasing and prolonging damages

Page 5: Kazuaki Omori, Ministry of Internal Affairs and Communications

Overview of Organization Chart with the New Cybersecurity Basic Act

Governmental bodies (Ministries)

Individuals Private Entities

• Critical Infrastructures

Other relevant Ministries

FSA (Financial Industry) MIC (Local Gov, Telecom) MHLW (Medical, Water) METI (Electricity, Gas, Chemistry, Credit Card, Petroleum) MLIT (Aviation, Railway, Logistics)

Others MEXT(Cybersecurity education) etc.

Cabinet Prime Minister

IT Strategic Headquarters

Cybersecurity Strategic Headquarters *Launched on Jan 9th 2015 by Basic Act

Director General Chief Cabinet Secretary

Vice Director General Minister in charge of CyberSecurity

Members Chair at National Public Safety Commission Minister of MIC Minister of MOFA Minister of METI Minister of MOD Olympics Minister Experts (Private entities including Universities)

Ministers participate

Close cooperation

5 Member Ministries of CSS HQ

Close cooperation

National Center of Incident Readiness and Strategy for Cybersecurity (NISC) *Renamed on Jan 9th 2015 by Basic Act

Secretariat

GSOC (Government Security Operation Coordination team )

Cooperation

National Security Council (NSC)

NPA (Cyber Crime)

MIC (Communication & Network policy)

MOFA (Diplomatic policy)

METI (Information policy)

MOD (National Security)

Critical Infrastructures

Cooperation

Page 6: Kazuaki Omori, Ministry of Internal Affairs and Communications

Overview of Cybersecurity Relevant Ministries

5 FSA (Finance), MIC (ICT, Local Government), MHLW (Medical care, Water), MLIT (Aviation, Railway, Logistics), METI (Power, Gas, Credit card, Petroleum, Chemical)

Other Ministries and agencies having jurisdiction over critical infrastructure

NISC National center of Incident readiness and Strategy for Cybersecurity

NICT (National Institute of Information and Communications Technology) ICT-ISAC Japan

Promoting cyber attack prevention and detection, and reducing virus infection, from the viewpoint of protecting the telecommunication network through collaboration with ISPs

MOD (Ministry of Defense)

◆ Strengthening international cooperation

◆ Strengthening capacity and preparations of the Self-Defense Forces in cyber space

◆ Cyber Defense Corps (approx. 100 members) was established

NPA (National Police Agency)

◆ Promoting crackdown on cyber crime, cyber attack, etc.

ICT Security Office

Information and Communications Division

Bureau of operational policy, responding cyber attack and cyber planning office

IPA (Information-technology Promotion Agency) JPCERT/CC (Japan Computer Emergency Response Team Coordination Center)

METI (Ministry of Economy, Trade and Industry)

◆ Promoting security measures of control systems such as electricity, gas and software/hardware

Cybersecurity Division

Promoting R&D for network defense of Self-Defense forces Technology Research Division

MOFA (Ministry of Foreign Affairs)

MIC Ministry of Internal Affairs & Communications

Page 7: Kazuaki Omori, Ministry of Internal Affairs and Communications

Overview of MIC’s Cybersecurity Measures

INDIVIDUALS

http://www.active.go.jp/

✓ Increased the number of participants

✓ Expanded critical infra. Sectors

✓ Add new scenario for exercise

INDIVIDUALS ACTIVE PROJECT

(Advanced Cyber Threats response InitiatiVE)

ORGANIZATIONS CYDER PROJECT

(CYber Defense Exercise with Recurrence)

Looking ahead to holding a safe and secure Tokyo Olympic and Paralympic Games in 2020, MIC promotes multiple cybersecurity projects.


○ Conducting the following projects from perspectives such as defense of network infrastructures and enhancement of ICT security for users.

Network Security on IoT Device

IoT Security Guideline was published in July

IoT SOCIETY


NETWORK INFRASTRUCTURES

R&D by NICT: R&D of the world’s most advanced cybersecurity technology using the large-scale observation networks “NICTER” and “DAEDALUS”

Page 8: Kazuaki Omori, Ministry of Internal Affairs and Communications

CYBER DEFENSE EXERCISE WITH RECURRENCE

CYDER


Page 9: Kazuaki Omori, Ministry of Internal Affairs and Communications

CYDER (CYber Defense Exercise with Recurrence) Project

System configuration: Large-scale virtual LAN environment (StarBED by NICT)

DNS

Mail Web

AP

DB

File Client Device

JGN(Japan Gigabit Network)-X by NICT

Tokyo Virtual hacker

Ishikawa Pref.

Enable participants to master a series of actions to minimize damages in case of a cyber attack

Practices to be carried out on virtual networks with 150 units of high-performance servers

Prepare up-to-date exercise scenarios based on the actual attack cases

Features

Activities in 2015 and 2016

Approximately 200 stakeholders from 80 organizations (government, critical infrastructures) took part in the exercises

From FY2016, NICT, a governmental research institute, became an operating body to further improve quality and stability of practices

In 2016, 1500 participants from 500 organizations including local governments will attend CYDER at 11 locations

Pseudo attack with malware on the virtual network

Page 10: Kazuaki Omori, Ministry of Internal Affairs and Communications

National 318 (CYBER) EKIDEN

Sponsored by the National Information Security Center (NISC) of the Cabinet Secretariat and the Ministry of Internal Affairs and Communications (MIC), the National 318 (Cyber) Ekiden (anti-cyber-attack training for government ministry and agency staff) was held on March 18th, 2016 as a cyber security month event to enhance the capability of government organizations to thwart cyber attacks.

Participants engaged in practical exercises in a series of procedures aimed at responding to incidents of specific and other targeted-attacks including the infection of terminals by malware, fraudulent external communications, and document theft. The environment and scenarios of the exercises were based on results of MIC’s previous CYDER (Cyber Defense Exercise with Recurrence) event.

Civil servants of 13 ministries including major ministries responsible for infrastructures participated in FY2015.

Overview

At the venue of the event Award ceremony

Cybersecurity Awareness Month National 318 EKIDEN FY2015

Scene during the exercises

Commemorative photo with recipients Poster NISC’s Website


Page 11: Kazuaki Omori, Ministry of Internal Affairs and Communications

Cyber Security Capacity Building for 2020 Tokyo Olympic and Paralympic Games

MIC will organize a cyber security capacity building program for the 2020 Tokyo Olympic and Paralympic Games. The objective of the program is to train operators who will be in charge of security protection during the Games. The training will take a red team-blue team style on a cyber range named “Cyber Colosseum” that simulates massive and complicated cyber attacks expected during the Games.

Summary

The program aims to enhance collaboration among interested parties for the Games.

Activities

■ The Cyber Range, “Cyber Colosseum”, will simulate Games-related systems such as official websites, administration systems and other connected information infrastructure systems.

■ Red team-blue team type exercises will be held for operators of the systems above during the Games, and the range will produce massive/complex cyber attacks for the exercises.

Figure: Red Team-Blue Team Exercise

Page 12: Kazuaki Omori, Ministry of Internal Affairs and Communications

ADVANCED CYBER THREATS RESPONSE INITIATIVE

ACTIVE

Page 13: Kazuaki Omori, Ministry of Internal Affairs and Communications

ACTIVE Project

“ACTIVE (Advanced Cyber Threats response InitiatiVE)” is a project that provides comprehensive countermeasures against malware through collaboration with ISPs, anti-virus vendors, and so on.

ACTIVE is intended to warn Internet users in order to prevent malware infection and to remove malware, and it encourages users to take autonomous protection measures against malware infection.

These initiatives aim to decrease the number of malware infections in Japan and to create the world's highest information security environment.

Reference : ACTIVE Website <http://www.active.go.jp/en/>

Page 14: Kazuaki Omori, Ministry of Internal Affairs and Communications

ACTIVE Project

Aiming at preventing malware infections and damage, ACTIVE alerts Internet users who have not recognized malware infections and, in case of malware infection, blocks communications between malware-infected terminals and C&C servers.

(i) Approach for preventing malware infection

(1) Gathering information on malicious websites: listing and updating information on malicious websites and providing it to ISPs

(2) Alerting users when they are accessing malicious websites (“Alert! This website is malicious. Would you really like to access? Yes / No”)

(3) Alerting administrators of malicious websites

(ii) Approach for preventing malware damage

(1) Updating and providing information on C&C servers (*) to ISPs

(2) Blocking communications between malware-infected terminals and C&C servers

(3) Alerting users of malware-infected terminals

(*) Servers which command and control malware-infected terminals

Diagram labels: ISP; users of malware-infected terminals; C&C servers

Page 15: Kazuaki Omori, Ministry of Internal Affairs and Communications

Alerting Internet Banking Users’ Attention to Malware (VAWTRAK) Infection

Due to the increase in fraudulent cash transfers through internet banking, the National Police Agency has implemented tactics to eradicate malware (VAWTRAK) aimed mainly at internet banking in Japan.

Cooperating in these tactics, the Ministry of Internal Affairs and Communications liaised with Telecom-ISAC Japan to provide alerts to users infected with this malware through the Advanced Cyber Threats Response Initiative (ACTIVE), a national initiative based on public and private collaboration.

(1)Capture of information from infected PC

Infected terminal

Malware (VAWTRAK)

Metropolitan Police Department

Telecom-ISAC Japan

Ministry of Internal Affairs and Communications

cooperation

ISP business participating in ACTIVE

Information on infected terminals is provided to each ISP

(2) Provision of information about infected terminals

Attacker

Urges users of infected terminals to eliminate the said malware

Alert!

(3)

(4)

Fraudulent payments

Attack

* Approximately 82,000 terminals affected worldwide Of these, about 44,000 were in Japan

Provides information about infected terminals to participating ISP operators making use of ACTIVE, and ISP operators provide alerts to terminal users

Page 16: Kazuaki Omori, Ministry of Internal Affairs and Communications

Using ACTIVE for International Malware Extermination Strategy

“Game Over Zeus,” malware for making fraudulent cash transfers via internet banking, has spread throughout the world. In Japan alone, it was found that approximately 200,000 terminals were infected by this malware. In light of these developments, an offensive led by the Federal Investigation Bureau (FBI) of the United States and Europol, the EU law enforcement agency, was launched in June 2014 to eradicate GOZ.

Using ACTIVE to alert domestic users infected with GOZ.

US CERT

Japan United States

FBI GOZ

Infected terminals (Japan)

JPCERT

ISP

Alerts to users

IP address information of infected terminals

Captures information from infected terminals


Page 17: Kazuaki Omori, Ministry of Internal Affairs and Communications

Establishment of ICT-ISAC

ICT-ISAC

(Formerly) Telecom-ISAC

ISPs

ICT Vendors

System Integrators

DDoS Attacks

Website Defacement

bots

Targeted Attacks

Vulnerability information on IoT systems

Each CEPTOAR

JPCERT/CC

FS-ISAC

・・・

Security Vendors

“Telecom-ISAC (Information Sharing and Analysis Center)” was launched in 2002 to collect and analyze cyber attack incident data among telecommunication and ISP industries.

In order to expand information sharing across industries such as broadcasting and ICT, Telecom-ISAC was reorganized as “ICT-ISAC Japan” in March, 2016.

Broadcasters

Foreign Partners

NCC/Com-ISAC (US)

IT-ISAC (US)

eco (Germany)

・・・

Domestic Partners


Page 18: Kazuaki Omori, Ministry of Internal Affairs and Communications

ICT-ISAC Japan’s Activities

1) Working Group (WG) activities to share and analyze (discuss) the ICT industry’s cybersecurity issues

2) Holding workshops, cyber-attack exercises, seminars, etc.

3) Collaboration and cooperation with security institutions in Japan and overseas through partnerships (Ministry of Internal Affairs and Communications (MIC), National center of Incident readiness and Strategy for Cybersecurity (NISC), CEPTOAR Council, JPCERT/CC, IPA et al.)

4) Work for MIC’s (governmental) projects against cyber attacks *) ACTIVE has been running since Nov. 2013, PRACTICE since Apr. 2011

5) Others (propagation and advancement of security technologies, and contribution to educational activities)

Diagram labels: MIC R&D of Cyber-Attack Prediction and Rapid Response Technology Through International Partnership, etc.; NISC CEPTOAR Council

Reference: ICT-ISAC (2016), “Cyber Attack Defense Exercise-WG(CAE-WG)”

Page 19: Kazuaki Omori, Ministry of Internal Affairs and Communications

IOT SECURITY PROJECT

IoT Society


Page 20: Kazuaki Omori, Ministry of Internal Affairs and Communications

What is the percentage of observed cyber attacks to IoT?

Figure: Cyber attacks observed by NICTER in 2015. 1/4 of observed cyber attacks to IoT. Chart categories: to IoT devices (web cameras, routers, etc.); to PCs; to remote logins; to websites; to DNS servers; others.

Page 21: Kazuaki Omori, Ministry of Internal Affairs and Communications

IoT Acceleration Consortium

The IoT Acceleration Consortium is a private-led IoT body, active since October 2015, that promotes IoT/BD/AI. It gives recommendations for the development and utilization of technologies along with the solution of policy issues.

IoT Security WG

Consideration of network connection guidelines for IoT equipment

Advanced model business promotion WG

(IoT propulsion lab)

Development, demonstration, and standardization of network and other IoT-related technologies

Technical development WG (Smart IoT Acceleration Forum)

Creation of advanced model business and environmental improvements, including regulatory reform

General Assembly Steering Committee

Chair Vice Chair

Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry, and relevant agencies

Cooperation Cooperation

Jun Murai, Dean and Professor of the Faculty of Environment and Information Studies

Hiroo Unoura President and Chief Executive Officer, Nippon Telegraph and Telephone Corporation

Hiroaki Nakanishi Hitachi, Ltd., Chairman & CEO

Chair

Vice Chair

Data distribution promotion WG

Development, demonstration, and standardization of network and other IoT-related technologies.

Steering Committee members (Chairman + 14 members) Chair, Jun Murai, Dean and Professor of the Faculty of Environment and Information Studies


Page 22: Kazuaki Omori, Ministry of Internal Affairs and Communications

IoT Security Guideline in Japan and the Objective

IoT Acceleration Consortium, Ministry of Internal Affairs and Communications, and Ministry of Economy, Trade and Industry published the IoT Security Guideline on 5th July 2016. The Guideline has the following objectives.

The objective of the Guideline is to show the basic security protections required for IoT based on the “Security by Design” principle and to lead IoT stakeholders to take proactive actions in their industries with consideration of the specific nature of IoT. It also aims to create an environment where users can utilize IoT devices, systems, and services securely.

The objective of the Guideline is not to clarify all the legal responsibilities of the stakeholders when they are involved in a cyber security incident, but to promote their awareness of the necessity of IoT security protections and to lead them to share necessary information among the stakeholders. The Guideline expects the stakeholders to consider appropriate security protections based on what they must protect and the risks they face, rather than requiring the stakeholders to take a single standardized security protection.

Page 23: Kazuaki Omori, Ministry of Internal Affairs and Communications

Overview of IoT Security Guideline

This guideline specifies rules for providers of IoT devices, systems and services on each step of their required operations (policies, analysis, design, implementation, connection, operation and maintenance).

Phase: Policies
Guideline: Establish basic policies based on the nature of IoT
Main points:
• Commit to IoT security by management teams
• Prepare for internal fraud or human error

Phase: Analysis
Guideline: Recognize security risks of IoT
Main points:
• Identify what should be protected
• Assume risks resulting from connections

Phase: Design
Guideline: Consider a design to protect what should be protected
Main points:
• Consider a design that does not cause any trouble to connected counterparts
• Evaluate and verify a design to ensure safety and security

Phase: Implementation and connection
Guideline: Consider protections on the network side
Main points:
• Connect IoT devices to the network properly based on the function and purpose
• Keep initial settings in mind

Phase: Operation and maintenance
Guideline: Maintain a safe and secure state and transmit and share information
Main points:
• Maintain a safe and secure state after shipping and releasing
• Grasp all IoT risks after shipping and releasing, and advise all stakeholders of what is to be observed
• Recognize each stakeholder's roles in IoT systems and services
• Evaluate vulnerable devices and give appropriate cautions

Rules for General Public
• Refrain from purchasing and using devices or services for which call centers or support services are not available
• Pay attention to initial settings
• Turn off the power of devices if they are no longer in use
• Delete all data when disposing of devices

Page 24: Kazuaki Omori, Ministry of Internal Affairs and Communications

PROMOTIONS AND SO ON

Others

Please visit <http://www.nisc.go.jp/active/kihon/cyber-security-senryaku_2015.html>


Page 25: Kazuaki Omori, Ministry of Internal Affairs and Communications

Promoting Utilization of Safe Cipher

◇ CRYPTREC Overview

■ Members

• Composed of experts on cryptography technology.

■ Activities

• Publishing the “CRYPTREC Ciphers List”*

• Monitoring and evaluating the safety of encryption technology.

• The Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI) jointly implemented a Cryptography Research and Evaluation Committee (CRYPTREC) project for purposes of ensuring safety and reliability of e-government etc.

• CRYPTREC reformed “the e-Government Recommended Ciphers List (released on February 20, 2003)” as “the list of ciphers that should be referred to in the procurement for the e-Government system (CRYPTREC Ciphers List)” on March 1, 2013.

◇ Development of CRYPTREC Ciphers List

• With consideration of the sophistication of encryption and attack techniques as well as the development of new cryptography, the list was revised in 2013 for the first time in ten years.

• The revision was made from various viewpoints, including ease of procurement, promotion of domestic encryption codes and the safety point of view.

* “CRYPTREC Ciphers List” consists of “e-Government Recommended Ciphers List”, “Candidate Recommended Ciphers List” and “Monitored Ciphers List”.

* The following rule is specified for the algorithms of encryption and electronic signatures at each government ministry and agency: Those specified in “e-Government Recommended Ciphers List” shall be used if they are available.

CRYPTREC Ciphers List

Recommendations on how to use are published.

List guide Deleted from the List.

Recommended Ciphers List

• Technology that has been safety-evaluated

Operational monitoring cipher list

• Technology that allows only temporary use for the maintenance of compatibility.

e-Government Recommended Ciphers List

• Technology that has been safety-evaluated

• Technology with utilized results confirmed in the market (commercialized technology)

At any time

Losing safety assurance

With track records on commercialization and utilization

Utilized by each ministry

Those not commercialized

At any time

Losing safety assurance

Page 26: Kazuaki Omori, Ministry of Internal Affairs and Communications

Educational Campaign of Safe Use of Wireless LAN (Wi-Fi)

Implementing an educational campaign on the safe use of Wi-Fi, to promote wireless LAN offload from the mobile phone networks from the perspective of the effective utilization of radio waves.

Specifically, creating an educational manual on the safe use of Wi-Fi and publishing it on MIC’s website (information security website for the public) while holding seminars targeting general users, local governments, and others.

http://www.soumu.go.jp/main_sosiki/joho_tsusin/security/wi-fi.html

Educational Manual on the Safe Use of Wi-Fi

The text explains countermeasures against risks and information security countermeasures with regard to the use of Wi-Fi.

Check the Service Set Identifier (SSID) of the access point to confirm that the user is properly connected to the intended access point.

Make sure that the access point is compatible with the appropriate encryption method.

Check whether the website is SSL (*) protected when the user’s important personal information, including the user’s ID, password, and credit card number, is involved.

(*) Secure Socket Layer (SSL): A mechanism for transmitting and receiving encrypted data over the Internet.

New Guideline

Page 27: Kazuaki Omori, Ministry of Internal Affairs and Communications

Thank you for your attention.
