The Japanese government will introduce new regulations for 14 critical infrastructure sectors to bolster cyber defenses, learning from the recent Colonial Pipeline hack that shut down a major energy artery in America's East Coast.
The sectors include telecommunications, electricity, finance, railroads, government services and health care, Nikkei has learned. The government will require operators of such key infrastructure to address national security concerns when procuring foreign-made equipment.
The potential for cyberattacks and information leaks has grown over the years as telecom carriers and public utilities increasingly rely on digital technologies to operate and monitor their facilities. Japan hopes to mitigate risks posed by compromised equipment and connections, especially amid growing concerns of data leaks from Chinese-made telecommunications equipment.
The government plans to amend the various laws governing each sector in one sweeping motion and add a clause requiring each sector to be conscious of national security risks.
Specifically, they will be required to look into issues stemming from the use of foreign equipment or services, including cloud data storage, as well as connections to servers located overseas.
The government will monitor companies for compliance and will suspend or cancel their license should any major issues arise. Detailed standards will likely be outlined in future government ordinances and guidelines.
Currently the government does not have a legal basis to assess national security risks when infrastructure operators upgrade their systems.
The increased ability to remotely monitor and control infrastructure-related facilities has opened the sector up to greater cyber risks, like illicit programs built into servers, routers and other telecommunications equipment. There are growing concerns over data leaks through Chinese-made equipment and services in particular, especially since the Chinese government requires companies operating in the country to comply with information requests.
The Japanese government agencies in 2018 agreed to stop procuring equipment that could pose economic security risks. It now wants private-sector companies to follow similar standards.
The push comes after a ransomware attack this month on the Colonial Pipeline, one of the largest in the U.S., forced the government to relax rules on fuel transport. The attack was claimed by hacker group DarkSide.
Cyberattacks on infrastructure can cause major disruptions to daily life, but there is also concern that hackers could cause disasters like airplane accidents and floods by targeting air control systems and dams, or attempt to remotely shut down nuclear power facilities.
Other countries are also imposing similar restrictions on tech-related procurement. The U.S. is requiring that companies seek prior approval to use Chinese-made technology equipment and services.
The U.K. has proposed legislation that would fine telecommunications companies up to a tenth of their revenue for not eliminating equipment made by China's Huawei Technologies from 5G networks. Sweden has told telecom providers to remove products by Huawei and compatriot ZTE from their networks by January 2025.
Nikkei