Introduction

In light of the escalating cyber threats in Japan during 2023, the Japanese National Police Agency (“JNPA”) has underscored the persistent prevalence of ransomware attacks, with a noteworthy increase in incidents involving a new form of ransomware known as “No-ware ransom”[1]. This variant involves the theft of data from victim companies without encryption of the stolen information, thereby causing substantial harm. Additionally, the Information-Technology Promotion Agency publicly reported its “10 Major Security Threats 2024”[2]. In that publication’s ranking of threats to enterprises, attacks exploiting vulnerabilities embedded in the supply chain are ranked as the second-highest threat, while damage caused by ransomware attacks is ranked first.

Given the concerning trend in cyberattacks, the Japanese national government, together with pertinent government agencies, has proactively established a system (the “System”) under the Economic Security Promotion Act (“ESPA”) to ensure provision of essential infrastructure services (“EIS”) and enhance the supply chain risk management, including ensuring cybersecurity in EIS. This System is aimed at fortifying EIS resilience against cyber threats and ensuring a comprehensive response to emerging challenges.

The subsequent sections provide a comprehensive outline of the System, especially focusing on the supply chain risk management implemented to safeguard EIS.

II. Outline of the System for Ensuring Provision of Essential Infrastructure Services Under the Economic Security Promotion Act

The System is established pursuant to the ESPA, which was enacted in 2022 in response to escalating cybersecurity threats in Japan. Operational from May 2024, the System aims to mitigate risks such as the embedding of malware during equipment installation or software updates and the exposure of vulnerable information by third parties outside Japan. Starting in 2023, competent authorities have created and updated guidelines in preparation for the effective implementation of the System from May 2024[3].

(i) Outline of the System for Ensuring Provision of EIS

    • Purpose: The primary objective of the System is to prevent critical facilities of the EIS (“CF”) from being exploited from outside Japan as a means of disrupting stable provision of EIS. Competent authorities conduct a prior screening process and issue recommendations or orders concerning the installation or entrustment of maintenance, etc. (as defined below), of the CF.
    • Scope of EIS: EIS encompasses services in electricity, gas, oil, water, railways, truck transport, international maritime cargo, aviation, airports, telecommunications, broadcasting, postal services, financial services, and credit cards. Designated as EIS are services that are either (i) crucial for national livelihoods or economic activities, the lack of which may lead to widespread or large-scale social turmoil, or (ii) essential for citizen survival with limited substitution possibilities. Competent authorities in the respective EIS fields designate the specific services falling under this purview. Please be informed that, in response to a ransomware attack on the Nagoya United Terminal system operated in Nagoya port facilities in July 2023, as a result of which certain port-facility operations were suspended for more than two days, the Japanese government decided in January 2024 to amend the relevant regulations in order to add “port transport” to EIS.
    • Scope of the CF: Equipment or programs that may be exploited for interference with the stable provision of EIS, such as through cyber-attacks or physical interception measures, are designated as CF. Competent authorities in the respective EIS fields identify and designate such CF[4].
    • Scope of EIS Operators: EIS operators are designated based on the unique circumstances of each EIS, considering factors such as the scale of operation or substitutability. Competent authorities in the respective EIS fields identify and designate EIS operators[5].
    • Duty of EIS Operators: Upon the installation of CF for business use or the commencement of entrustment of maintenance, etc., of CF to other business operators, EIS operators are generally required to submit a notification plan in advance and undergo a screening process conducted by the competent authorities. This measure ensures a proactive approach to cybersecurity, aligning with the overarching goals of ESPA.
    • Definition of “maintenance, etc.”: Any maintenance, management, or operation that is critical for maintaining the functions of CF or for the stable provision of EIS involving the CF, and that is likely to be used as a means of sabotage.

The outlined System under ESPA establishes a comprehensive framework to fortify the cybersecurity posture of CF, safeguarding against external threats and disruptions to EIS.

(ii) Outline of the Prior Screening Process in the System for Ensuring Provision of Essential Infrastructure Services Under the Economic Security Promotion Act

Please see below a brief outline of the prior screening process mentioned above:

Prior Notification Plan:

  • Installation:
    • The Prior Notification Plan must include a summary of the critical facilities, including content, timing of installation, suppliers, components, etc.; and
    • Measures which will be implemented for managing risks related to the installation.
  • Entrustment of Maintenance, etc.:
    • The Prior Notification Plan must set forth a summary of the critical facilities, including content, timing of entrustment, contractors, subcontractors, etc.; and
    • Measures which will be implemented for managing risks related to the entrustment of maintenance, etc.

Measures for Risk Management:

  • The EIS operator is required to report the measures taken to prevent interference with CF in both types of notifications.
  • Specific examples of measures are outlined in the System’s guidance.

Examples of Detailed Measures for Risk Management:

Among other things, detailed measures for supply chain risk management against cyber threats include the following:

  • For Installation:
    • Implementation of necessary controls to prevent unauthorized changes to the CF and their components during manufacturing by suppliers. A contract should stipulate the EIS operator’s right to verify these controls.
    • Adoption of a system to detect signs of unauthorized interference with the CF and their components, so that the provision of EIS can be maintained.
  • For Entrustment of Maintenance, etc.:
    • Implementation of necessary controls to prevent unauthorized changes to the CF by the entrusted party (including the re-entrusted party). A contract should allow the EIS operator to verify such controls.
    • In the case of re-entrustment, a contract should stipulate the provision of information for cybersecurity checks and approval by the EIS operator.

Flexibility in Implementation:

  • The Japanese government acknowledges that measures should be determined based on the nature and degree of risk associated with the business.
  • EIS operators are not obliged to implement all listed measures; they can choose substantially equivalent measures and select relevant items accordingly.
  • The focus is on achieving the intended cybersecurity goals, allowing flexibility in implementation based on individual circumstances.

Screening Period:

  • The relevant competent authority will review the content of the prior notification.
  • As a general rule, the screening period is within 30 days from the receipt of the plan by the competent authority. This period may be extended to 4 months at most, depending on the degree of scrutiny the plan requires.

Recommendations/Orders:

Following review, the competent authority will take one of the following actions:

  • High Risk Determination:
    • If the relevant authority determines that the CF poses a high risk of its being misused to disrupt the stable provision of EIS, a recommendation will be made for necessary measures to prevent actions disruptive to the EIS operator. If the relevant authority determines that there is not a high risk of such misuse, no recommendation will be issued.
  • EIS Operator’s Response:
    • The EIS operator is required to respond to the relevant authority within 10 days from the receipt of the recommendation, indicating whether or not it will accept the proposed measures.
  • Orders in the Absence of Response or Rejection:
    • If there is no response from the EIS operator within the specified period, or if the EIS operator explicitly notifies the relevant authority that it does not accept the recommendation (unless there are legitimate grounds for such refusal), the competent authority may proceed to issue orders for the implementation of the recommended measures.

This outlined process ensures that EIS operators actively engage in risk management and cybersecurity measures, fostering a collaborative effort with competent authorities to protect the CF from external threats.

In addition, this structured process may have an effect on the suppliers and vendors of EIS operators, since there is a possibility that they would not be able to carry out transactions with EIS operators due to a recommendation by the relevant authorities. Therefore, under the System, while EIS operators are generally required to ensure supply chain risk management against cyber threats and to make an appropriate prior notification to the competent authorities, the suppliers and vendors of the EIS operators are effectively obligated to cooperate with EIS operators in order to complete the screening process in a timely manner. The System therefore also has an indirect impact on both domestic and foreign vendors and suppliers of EIS operators.



Author: Yasushi Kudo


Footnotes

[1] https://www.npa.go.jp/publications/statistics/cybersecurity/data/R05_kami_cyber_jousei.pdf

[2] https://www.ipa.go.jp/security/10threats/10threats2024.html

[3] For example, the Cabinet Office of the Japanese government publicly discloses its guideline on the following website:

https://www.cao.go.jp/keizai_anzen_hosho/doc/infra_kaisetsu.pdf

[4] For example, the Japanese Financial Services Agency has publicly disclosed its guidance relating to the CF on the following website:

https://www.fsa.go.jp/news/r5/economicsecurity/infra_kaisetsu_financesector.pdf

[5] For example, the Japanese Financial Services Agency has publicly disclosed the designation of the EIS operators in financial services on the following website:

https://www.fsa.go.jp/news/r5/economicsecurity/tokuteishakaikiban.pdf

More from Nagashima Ohno & Tsunematsu