【0074】能動的サイバー防御法案とは？

The “Active Cyber Defense Bill” is a new initiative by the Japanese government aimed at preventing major cyberattacks and minimizing the damage they cause. This bill enables early detection of potential cyberattack signs, allowing for preemptive measures through the collection and analysis of information before an attack occurs.

Specifically, the bill establishes a new independent body called the “Cyber Communications Information Management Committee” to ensure proper acquisition and analysis of communication data. The committee will collaborate with related organizations, such as the National Police Agency and the Ministry of Defense, to strengthen measures against cyberattacks.

The introduction of active cyber defense is expected to enable early detection of attack signs and the tracking and elimination of attackers, minimizing potential damage.

The bill respects the constitutionally guaranteed “secrecy of communication” while ensuring proper handling of communication data. The “Cyber Communications Information Management Committee,” modeled after the Fair Trade Commission, will operate with a high degree of independence as an external bureau of the Cabinet Office. It will consist of five members, including a chairperson, who will be selected from legal and information communication experts and appointed by the Prime Minister with the consent of the Diet.

The bill includes the “Act to Prevent Damage from Illegal Acts against Critical Electronic Computers” and amendments to 15 existing laws, such as the Police Duties Execution Act. The government and the ruling party aim to approve the bill in early February and submit it to the regular Diet session. The committee will have the authority to demand disciplinary action from appointing authorities if staff members handling cyberattack responses deliberately or negligently leak communication data. Unauthorized provision of obtained communication data will result in up to four years of imprisonment or a fine of up to 2 million yen.

The government, with the prior approval of the committee, will monitor communication data between foreign entities and between foreign and domestic entities. The monitoring period is set at six months for foreign-to-foreign communications and three months for foreign-to-domestic communications. Law enforcement and the Self-Defense Forces will also need the committee’s prior approval to implement “infiltration and neutralization measures,” such as accessing and disabling the attacking server, although exceptions are made for emergencies. In cases of highly organized and planned attacks from abroad, the Prime Minister can order the Self-Defense Forces to execute “communication protection measures.”

To strengthen government-private sector collaboration, the Prime Minister will establish a council for information sharing. Infrastructure operators, such as those in the power industry, will be required to report cyberattacks to the government. Failure to report will result in fines of up to 300,000 yen.

However, it raises the question of whether this approach, which seems slow-paced, can effectively counter highly sophisticated cyberattacks from overseas.

The conclusion: “The government won’t protect you; you have to protect yourself.” It’s time to study more about cybersecurity.