The security facet of cyberspace along with a world filled with CPU-controlled household and everyday items can be examined from various angles. The concept of security also varies in accordance with different stages of national conditions and industrial development in different nations. As far as our nation is concerned, the definition of security industry is "an industry offering protection for human bodies, important infrastructure, information, financial system, as well as offering equipment to defend the security of national lands and the service"1 as initially defined by "Security Industry Program Office." Judging from the illustration of the definition, the security industry should be inter-disciplinary and integrative, which covers almost all walks of life and fields, such as high-tech industrial security management, traffic & transportation security management, fire control and prevention against natural calamities, disaster relief, information security management, security management in defense of national borders, and prevention of epidemics.
After the staged mission, "e-Taiwan program", was accomplished in 2007, our government hoped to construct a good surrounding by creating a comfortable life from a user’s point-of-view. This was hoped to be achieved by using "the development of a high-quality internet society" as a main source by using innovative services, internet convergence, perceptive environment, security, trust, and human machine linkage. At the Economic Development Vision for 2015: First-Stage Three-Year Sprint Program (2007~2009) formulated by the Executive Yuan, wireless broadband, CPU computer-controlled items all have become part of our every day lives, and healthcare, along with the green industry are listed as the next emerging industries; whereby the development of relevant critical technologies is hoped to be promoted to create higher industrial values and commercial opportunities. However, from a digitally-controlled-life viewpoint, the issue concerned by all walks of life is no longer confined to the convenience and security of personal life but gradually turns to protection of security of a critical infrastructure (CI) run by using information technology. For instance, finance management, stock market, communication network, harbors and airports, high speed rail, R&D of important technology, science parks, water purification facilities, water supply facilities, power, and energy facilities. 2Because security involves resources related with people's most fundamental living needs and is the most elementary economic activity of the society, it is regarded as an important core objective to promote the modern social security system. Therefore, critical infrastructure protection requires more dependence on information and communication technology to maintain the stability of finance and communication, as well as the security of facilities related with supply and economy of all sorts of livelihoods in order to ensure regular operation.
With the influence of information and communication technology on the application of critical infrastructure on the increase, the society has increasingly deepened its dependence on the security of our cyber world. The concept and connotation of information security also keep extending with it toward the aforementioned critical infrastructure protection planning, making critical information infrastructure protection (CIIP) and critical infrastructure protection (CIP) more inseparable in concept3 , and becomes an important goal of policy implementation to achieve the vision of a digital lifestyle which is secure for every nation. In recent years, considerable resources have been invested to complete an environment whereby a legal system of “smart lifestyle” is developed. However, what has been done for infrastructure protection continues to appear as not being comprehensive enough. This includes vague definitions, scattered regulations and policies, different protection measures taken by different authorities in charge, obvious differences in relevant risk management measures and in the magnitude of management planning of information security and so on. These problems all influence the formation of national policies and are the obstacles to the promotion of relevant industrial development. In view of this, the 2008/2009 International CIIP Handbook will be used as the cornerstone of research in this project. After the discussion on how critical infrastructure protection is done in America, Germany and Japan, the contents of norms of regulations and policies regarding critical infrastructure protection in our nation will be explored to make an in-depth analysis on the advantages and disadvantages of relevant norms. It is hoped to find out what is missing or omitted in the regulations and policies of our nation and to make relevant amendments. Suggestions will also be proposed so that the construction of a safe environment whereby the digital age of our nation can be expanded to assist the “smart lifestyle” to be developed further.
1.See http://tsii.org.tw/modules/tinyd0/index.php?id=14 (last visited May 24, 2009)
2.For "2008 International Conference on Homeland Security and Application of Technology in Taiwan ~ Critical Infrastructure Protection~", please visit http://www.tier.org.tw/cooperation/20081210.asp (last visit date: 05/17/2009).
3.For critical infrastructure protection, every nation has not only proceeded planning for physical facilities but put even more emphasis on protection jobs of critical information & communication infrastructure maintained via the information & communication technology. In the usage of relevant technical terms, the term "critical infrastructure" has also gradually been used to include the term "critical information & communication infrastructure". Elgin M. Brunner, Manuel Suter, Andreas Wenger, Victor Mauer, Myriam Dunn Cavelty, International CIIP Handbook 2008/2009, Center for Security Studies, ETH Zurich, 2008. 09, p. 37.
Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020 2021/12/09 I. Introduction The global economy is shifting away from traditional economic models towards an emerging digital era as technology advancement and new applications are introduced. The rapidly changing digital age has led to a gradual transformation in the way digital technology is used in the industry, thereby driving the overall growth of the global digital economy. The digital economy is driven by "data," and how data is used, its purpose, risks and regulation are all inextricably intertwined with industrial development and application, as is the case for the communications industry. As such, while the free circulation of data has become central to international free trade and economic operations, it is not only conducive to the promotion of transnational business and economic and trade interactions, but also fraught with worry and concern over how to ensure the protection and security of personal data and privacy. As a result, the issue of how to adapt the data risk control mechanism and related complementary measures so that they can be applied to the industry and comply with regulatory requirements has become a global reality that must be actively addressed. As far as Taiwan is concerned, when considering how to cope with industry needs, there is a pressing need to strike a balance between personal data and international regulatory requirements, and to expedite the legitimate utilization of personal data protection and data value-added service in the sector in an effort to facilitate the development of the digital economy. II. Recommendations on Data Governance and Innovative Application Planning. According to the aforementioned international data strategies and strategies for innovative data applications, the development of the data economy as a whole is driven by the formulation of overall superior policies, with a view to fully utilizing the potential value of data and building a vibrant ecosystem suited for innovative data applications. With the outbreak of COVID-19 this year, the application of data will be crucial in the post-pandemic era. It is also observed that data applications are gradually moving towards cross-boundary sharing and reuse, and empowerment of data subjects, and therefore, in light of the above observations and findings, we offer recommendations on data governance and innovative application planning. First, as for the establishment of a ministry and mechanism for data application and communication, since there is no single dedicated authority in Taiwan, and the formation of a ministry for science and technology development is now under intense discussion, data application may become an important function of the ministry, so we have to consider an authority for data application and communication. Further, there is currently no sandbox mechanism for data application in Taiwan. Reference should be made to the British data communication mechanism for providing legal advice and consultation sought on data application regulation. Second, with regard to the formulation of regulations and amendments to existing laws relating to data applications, the most noteworthy is the EU Data Governance Act 2021. Taiwan does not have a complete and appropriate legal framework for data application, except for the Freedom of Government Information Law, the Personal Data Protection Act (PDPA) and the relevant laws and regulations distributed in various fields, and the nation is currently seeking an adequacy decision from the EU, and therefore our PDPA needs to be amended accordingly, yet no progress has been made at this stage. Consequently, a comprehensive strategy should be developed by taking into account both the formulation of the basic data application regulations and the amendments to the current PDPA, in order to achieve long-term data governance and application and sharing. Lastly, in terms of the incorporation of the concept of data empowerment and the design of the mechanism, the international trend moves towards data empowerment to give data subjects more control over their data. The Financial Supervisory Commission (FSC) of Taiwan has also incorporated this idea in its open banking, so has the National Development Council’s (NDC) MyData program. As such, it is suggested that the government should provide guidelines or devise the relevant system, or even make reference to the Japanese data bank mechanism regarding the establishment of intermediaries to assist consumers in managing their data, which could be used as a reference for the design of the mechanism in the future. III. Accountability for and Management of Data Use in Enterprises Among the countries studied regulation of Singapore and Taiwan are similar and have adopted the development of digital economy as their main economic strategy, but Singapore has been more proactive than Taiwan in the design of the legal system to facilitate the use of data. Therefore, with regard to the control of data use in businesses by the competent authorities, this Project, by looking at the amendment to the Singaporean PDPA, aims to reinforce the regulation of the accountability system and the operation of the existing series of guidelines. From the changes in Singapore's PDPA, it can be observed that the competent authorities can refer to the practices of enterprises in the use of data. First of all, the existing regulations in Taiwan tend to have more about compliance than accountability, with emphasis being placed on data security maintenance and compliance with the PDPA. For instance, Taiwan’s “Regulations Governing Security Measures of the Personal Information File for Non-government Entities Designated by National Communications Commission” focus on following the law on the use of personal data. Nonetheless, the so-called accountability means that the competent authorities must oversee the implementation of data protection measures and policies of enterprises, not just pro forma compliance with the letter of the law. The second observation is that Singapore is quite proactive in addressing the need for data use in the development of its digital economy by making an exception to innovative uses regarding informed consent. The inclusion of data portability also represents a heightened control of the data subject. These amendments are all related to Singapore's policy of actively developing its smart nation initiative and signify a more proactive approach by the authorities in monitoring the use of data by businesses. Taiwan needs to be more open and precise in regulating the use of data for the development of its digital economy. Finally, there is increased flexibility in enforcement, as authorities can resolve disputes between subjects over data use more quickly through the introduction of mediation or other alternative dispute resolution (ADR) mechanisms. Meanwhile, the Personal Data Protection Commission (PDPC) has developed industry-specific consultation guidelines, recognizing that there may be specific issues for different industries. The PDPC noted that these guidelines are based on the partnerships, consultations and feedback associated with the relevant industries, and close collaboration with the industry's authorities of target businesses. IV. Conclusion Despite the lack of a dedicated authority for personal data protection, Taiwan can first build a cross-industry coordination and communication platform, and then collaborate across ministries to primary integrate standards in personal data protection to facilitate the needs of industrial innovation in the digital economy.
The Organization Framework, the Notification System and the Legal Norms of Critical Infrastructure Protection in the U.S.1. Organization Framework In the organization framework of critical infrastructure protection, there are mainly the public departments and the PPP organizations. The functions and task description of relevant organizations are as follows. (1) Department of Homeland Security After the September 11 attacks in America, the Homeland Security Act was passed in November 2002, and based on this act, 23 federal organizations, plans and offices were integrated to establish the Department of Homeland Security (DHS) to take responsibility for homeland security in America. The tasks include: (1) to analyze intelligence data collected from various departments such as the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) so that any threats to security can be discovered in time, (2) to protect and defend critical infrastructure, (3) to coordinate and lead America to prevent and respond to the attacks from nuclear weapons, biochemical weapons and other and (4) to coordinate the tasks of the federal government, including emergency and rescue. For the task regarding critical infrastructure and critical information infrastructure protection, the main units in charge are the Office of Infrastructure Protection (OIP) and the Office of Cybersecurity and Communications (CS&C) subordinate to National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS), to reduce the risk in both physical and cyber security to maintain national security1 (2) Congress Relevant units and committees are established both in the Senate and the House of Representatives to be responsible for protection and making policies pertinent to important critical infrastructure and critical information infrastructure. (3) Computer Crime and Intellectual Property Section In 1991, the Department of Justice (DOS) established the Computer Crime and Intellectual Property Section (CCIPS), a section of the Criminal Division, to be responsible for all crime combating computer and intellectual property. Computer crime is referred to cases which include electronic penetrations, data thefts, and cyber attacks to the important critical infrastructure. CCIPS also prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts. (4) Other Relevant PPP Organizations 2The Information Sharing and Analysis Center (ISAC) is responsible for the information security message sharing among the industries of each critical infrastructure to ensure the liaison and cooperation among industries. Finally, for the issue on critical information infrastructure, especially cyber crimes, both the National Cyber Security Alliance (NCSA) and the Cross Sector Cyber Security Working Group (CSCSWG) are designated to serve as crucial roles in governmental and non-governmental internet security prevention to be responsible for techniques and education. 2. Notification System (1)Computer Emergency Response Team Coordination Center The Computer Emergency Response Team Coordination Center (CERT/CC) run by Carnegie Mellon University is the oldest and most important early-warning organization for information security in the USA. With its experts studying internet vulnerabilities and risk assessment released regularly, it reminds people of the possible dangers which exist in the information age and the need to improve internet security. (2)US Computer Emergency Readiness Team The US Computer Emergency Readiness Team (US-CERT) was established in 2003. It is responsible for protecting the infrastructure of the internet in America and for coordinating and providing response support and defense against national cyber attacks. It interacts with federal agencies, industry, the research community, state government, and others to disseminate reasoned and actionable cyber security information to the public. (3)Federal Bureau of Investigation The Federal Bureau of Investigation (FBI), the first early warning center of critical infrastructure at the national level, is responsible for providing the information pertinent to legal execution presently and also taking responsibility for the investigation of cyber crime. (4)Information Sharing and Analysis Centers Currently, industry in America, including finance, telecommunications, energy, traffic, water resources, together established individual Information Sharing and Analysis Centers (ISACs) based on the policy made in PDD-63. The ISAC of the financial system established in October 1999 being the first established center. These ISACs further work together to form an ISAC Council to integrate the information from each of them and improve their interaction and information sharing. 3. Legal Norms In reference to the laws and regulations of critical infrastructure protection, America has aimed at critical infrastructure protection and computer crime to formulate the following regulations. (1) Federal Advisory Committee Act of 1972 According to the Federal Advisory Committee Act (FACA), the advisory committee can be established in every federal agency to provide the public, along with received open advice, with relevant objectives, and to prevent the public from being inappropriately influenced by the policies made by the government. However, to keep the private institutions which run the critical infrastructures from worrying the inappropriate leak of the sensitive information provided and consulted by them, Critical Infrastructure Partnership Advisory Council was established so that the Secretary of Homeland Security has the right to disregard the regulations of FACA and establish an independent advisory committee. (2) Computer Fraud and Abuse Act of 19863 The Computer Fraud and Abuse Act (CFAA) was enacted and implemented in 1986. It mainly regulates computer fraud and abuse. The Act states that it is against the law for anyone to access a protected computer without authorization. However, it also recognizes the fact that accessing a computer system of electronic and magnetic records does not mean a violation of the law. According to the CFAA, what is needed is one of the following requirements to be the wrongful conduct regulated in the Act: (1) whoever intentionally accesses a computer to obtain specific information inside the government or whoever has influenced the transmission function of the computer system; (2) whoever intentionally accesses a computer to obtain a protected database (including the information contained in a financial record of a financial institution or of a card issuer, or the information contained in a file of a consumer reporting agency on a consumer, or the information from any department of agency of the United States, or the conduct involving an interstate transaction); (3) whoever intentionally accesses any nonpublic computer of a department or agency of the United States, and causes damage. In addition, the Act also prohibits conduct such as transmitting malicious software, and defrauding traffic in any password or similar information. For any person who suffers damage or loss by reason of a violation of the law, he/she may maintain a civil action to obtain compensatory damages and injunctive relief or other equitable relief. However, the Computer Abuse Amendment Act (1994) expands the above Act, planning to include the conduct of transmitting viruses and malicious program into the norms whose regulatory measures were adopted by the USA Patriot Act enacted in October 20014 (3) Homeland Security Act of 20025 The Homeland Security Act provides the legal basis for the establishment of the Department of Homeland Security and integrates relevant federal agencies into it. The Act also puts information analysis and measures of critical infrastructure protection into the norm. And, the norm in which private institutions are encouraged to voluntarily share with DHS the information security message of important critical infrastructure is regulated in the Critical Infrastructure Information Act: Procedures for Handling Critical Infrastructure Information. According to the Act, the DHS should have the obligation to keep the information provided by private institutions confidential, and this information is exempted from disclosure by the Freedom of Information Act. (4) Freedom of Information Act Many critical infrastructures in America are regulated by governmental laws, yet they are run by private institutions. Therefore, they should obey the law and provide the government with the operation report and the sensitive information related with critical infrastructure. However, knowing that people can file a request at will to review relevant data from the government agencies based on the Freedom of Information Act (FOIA), then the security of national critical infrastructure may be exposed to the danger of being attacked. Therefore, the critical infrastructure, especially the information regarding the safety system, early warning, and interdependent units, are all exempted by the Freedom of Information Act. (5) Terrorism Risk Insurance Act of 20026 After the 911 Incident, Congress in America passed the Terrorism Risk Insurance Act to establish the mechanism to underwrite terrorism risk insurance, in which insurance companies are required to provide terrorism attack risk insurance and the federal government will also cover part of loss for severe attacks. 1.http://www.dhs.gov/xabout/structure/editorial_0794. shtm (last accessed at 21. 07. 2009). 2.http://www.thei3p.org/ (last accessed at 21. 07. 2009). 3.http://www.panix.com/~eck/computer-fraud-act. html (last accessed at 21. 07. 2009). 4.Mark G. Milone, Hacktivism:Securing the National Infrastructure, 58 Bus. Law, 389-390, 2002. 5.http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf (last accessed at 21. 07. 2009). 6.http://www.ustreas.gov/offices/domestic-finance/financial-institution/terrorism-insurance/pdf/hr3210.pdf (last accessed at 21. 07. 2009).
Open Government Data in TaiwanIn the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)(行政院研究發展考核委員會) to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau(IDB), Ministry of Economic Affairs (MOEA) (經濟部工業局)to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”(行政院及所屬各級機關政府資料開放作業原則)and the “Essential Requirements for Administrate Open Government Data Datasets” (政府資料開放資料集管理要項)in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps:"open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) (經濟部工業局)also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)(內政部), Ministry of Foreign Affairs (MOFA)(外交部), Ministry of Economic Affairs (MOEA)(經濟部), Council for Economic Planning and Development (CEPD)(行政院經濟建設發展委員會), Hakka Affairs Council (HAC)(客家委員會), Water Resources Agency, Ministry of Economic Affairs (WRA) (經濟部水利署), and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. Act upon the National Information and Communication Initiative (NICI)(行政院國家資訊通信發展推動小組)in the consultation of the open government data policy, Taipei Computer Association (TCA)(台北市電腦同業工會)organized the “Open Data Alliance” (ODA)(Open Data聯盟)as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.
The approaches to promote critical infrastructure protection in JapanThe approaches to promote critical infrastructure protection in Japan are illustrated below: 1. Coverage of Critical Information Infrastructure In the "Action Plan on Information Security Measures for Critical Infrastructure" promulgated by the Information Security Policy Council (ISPC) in 2005, critical infrastructure is defined as: Critical infrastructure which offers the highly irreplaceable service in a commercial way is necessary for people's normal lives and economic activities, and if the service is discontinued or the supply is deficient or not available, it will seriously influence people's lives and economic activities. Based on the definition of the action plan, the critical infrastructure contains: telecommunication systems, administration services of the government, finance, civil aviation, railway, logistics, power, gas, water, and medical services 2. Promoted Relevant Policies of The Past The issues regarding the CIIP are gradually being developed with the norm of information social security policy in Japan. Adopting the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society of 1998 proposed by the Japanese government in 1998 as a basis. The Japanese government keeps presenting polices of improvement for the relevant issues in order to acquire the stable development of telematics and telecommunications. Several years later, the Ministry of Economy, Trade, and Industry (METI) announced the Comprehensive Strategy on Information Security in 2003. The formulation of the strategy not only emphasizes the possible telematics-related risks and protection against threats that may be encountered in the information society, but it also enhances the level of information security to the level of national security and presents a comprehensive information security improvement program. Furthermore, the submission of the strategy has identified government’s responsibility in the development of information security Therefore, a division which is solely responsible for information security was established in the Cabinet Secretariat and is devoted to the development of it. In 2005, the Ministry of Economy, Trade, and Industry (METI) amended the Comprehensive Strategy on Information Security and announced the First National Strategy on Information Security based on the creation of a policy of a long-term information security task in Japan which is also the foundation for the policy of guidelines and action security concerning critical information infrastructure. This is in addition to being the most important basis for the policy of information security development. The strategy is different from the Comprehensive Strategy on Information Security in connotation. In the range of information security protection, it not only maintains information security from the perspective of the government; for instance, to divide the rights and duties on information security protection practices between the central government and the local government, and to strengthen the capacity of the government to solve emergencies such as cyber attacks, but it also tries to employ the public-private partnership on the CIIP issue to construct an extensive information security protection and to develop a Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR): one similar to the ISAC of America, to strengthen the information sharing and analysis of information security of all industry involved. According to the strategy, the METI established the Information Security Policy Council (ISPC) and the National Information Security Center (NISC) under the subordination of the Cabinet Secretariat in order to reach a goal of dependable society of information security.1 Finally, the information security policies more directly related with the CIIP are the Action Plan on Information Security Measures for Critical Infrastructure and the Standards for Information Security Measures for the Central Government Computer Systems, both of which regulate CI-related threats, information security standards, public-private partnership information sharing system, and the levels of information security standards between different governments and critical infrastructures, respectively. 3. Oraganization Framework Generally speaking, the Cabinet Secretariat is the main division of the CIIP and the information security for the Japanese government, while the ISPC and the NISC established under the Cabinet Secretariat in 2005 are the core organizations for the development of the CIIP policy. In addition, the National Policy Agency (NPA) and the Ministry of Internal Affairs and Communications (MIC) also played an important role in assisting the Cabinet Secretariat with critical infrastructure protection. The part of public-private partnership is covered by the CEPTOAR which takes the responsibility for information sharing and analysis of information security between the government and private organizations. 4. Notification System For critical infrastructure protection, Japan has set up a warning and notification system in addition to the emphasis on fundamental information security protection. With the concept of public-private partnership, various messages related with information security are analyzed and shared in order to prevent information security incidents from occurring. The network of notification system in Japan mainly consists of several organizations as listed below. (1) National Incident Response Team The National Incident Response Team (NIRT) which is the information security office under the Cabinet Secretariat in the organization framework belongs to the Computer Emergency Response Team (CERT)2 and is first in line in the government to handle internet emergencies. According to the Action Plan for Ensuring e-Government's IT Security, the NIRT which consists of 17 experts from the government and the private organizations is responsible to (1) accurately understand and analyze emergencies, (2) develop technical strategies to solve and rehabilitate emergencies to prevent incidents from reoccurrence, (3) provide other governmental organizations the assistance to solve the information security issue, (4) collect and analyze information or intelligence so that effective solutions and strategies may be provided when an incident happens, (5) provide the governmental organization with professional knowledge and information, and (6) enhance and improve all knowledge pertinent to information security. The Japan Computer Emergency Response Team Coordination Center (JPCERT/cc) is the first Computer Security Incident Response Team (CSIRT) established in Japan. It consists of internet service suppliers, security products/service suppliers, governmental agencies, and associations of industry & commerce. The JPCERT/CC is also a member of the Asia Pacific Computer Emergency Response Team (APCERT) and a member of the Forum of Incident Response and Security Teams (FIRST). It coordinates and integrates prevention measures pertinent to information security and is consistent with other CSIRTs. (3) Telecom Information Sharing and Analysis Center In Japan, besides the mechanism responsible to notify the government, which functions as a bridge for communication between it and all those outside of it, the mechanism of information sharing and notification is also established among industries to provide each with a channel for information exchange and consultation. In 2001, Japan established the Telecom Information Sharing and Analysis Center Japan (Telecom-ISAC Japan). In addition to real-time inspection for computer intrusion incidents and conducting information collection and analysis, the Telecom-ISAC Japan proposes to e-government many suggestions related with the Transact-SQL issue as well. The reasons for launching the Telecom-ISAC are to instantaneously detect a computer intrusion incident, and to instantaneously gather and analyze its information, and then exchange this with other telecom carriers and offer them relevant countermeasures for precaution; so that in can reach the goal of ensuring telecom security since it is an important infrastructure concerning social economy. (4) Cyber Force The reasons for launching the Cyber Force are to maintain the security to use the internet by regularly "patrolling" it, searching for evidence of internet crime, and to notify the critical infrastructure operators about any unusual internet use so as to prevent the occurrence of cyber terror attacks. The Cyber Force also assists operators to solve and diminish the damage and influences when an incident occurs. (5) Portal Site of National Police Agency The National Police Agency owns the portal site "@police". It exists to prevent large-scale cyber emergencies and to provide gathered information concerning information security to government. In addition to providing the techniques related with the safe use of computer networks, @police is also dedicated to educating internet users about the concept of information security and to increase security awareness. (6) Ministry of Economy, Trade and Industry Since 1990, the Ministry of Economy, Trade and Industry (METI) has cooperated with the JPCERT/CC and the Information Technology Promotion Agency (IPA) to provide reports on virus, intrusion, and the damage caused by them, to remind the public to pay attention. 5. Legal Norms The laws regarding critical infrastructure protection in Japan are illustrated as follows: (1) Unauthorized Computer Access Law of 1999 The Unauthorized Computer Access Law includes various conducts such as cyber intrusion, and data thefts, into the norms of criminal punishment to deter cyber crimes from spreading in order to ensure the safety of the critical information infrastructure. (2) Act on Electronic Signatures and Certification Business of 2000 With the formulation of the Act on Electronic Signatures and Certification Business, the smooth promotion of the electronic signature system is ensured and the circulation and process of electronic communication can be fostered further. (3) Basic Law on Formation of an Advanced Information and Telecommunication Network Society of 2001 Through the formulation of the Basic Law on Formation of an Advanced Information and Telecommunication Network Society, the legal basis to execute an information technology policy is enhanced, and the direction and job content for the government to execute this policy is explicitly stated. 1.http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf(last accessed date: 2009/07/20). 2.http://www.nisc.go.jp/en/sisaku/h1310action.html(last accessed date: 2009/07/20).