Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020

Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020

2021/12/09

I. Introduction

  The global economy is shifting away from traditional economic models towards an emerging digital era as technology advancement and new applications are introduced. The rapidly changing digital age has led to a gradual transformation in the way digital technology is used in the industry, thereby driving the overall growth of the global digital economy. The digital economy is driven by "data," and how data is used, its purpose, risks and regulation are all inextricably intertwined with industrial development and application, as is the case for the communications industry.

  As such, while the free circulation of data has become central to international free trade and economic operations, it is not only conducive to the promotion of transnational business and economic and trade interactions, but also fraught with worry and concern over how to ensure the protection and security of personal data and privacy. As a result, the issue of how to adapt the data risk control mechanism and related complementary measures so that they can be applied to the industry and comply with regulatory requirements has become a global reality that must be actively addressed. As far as Taiwan is concerned, when considering how to cope with industry needs, there is a pressing need to strike a balance between personal data and international regulatory requirements, and to expedite the legitimate utilization of personal data protection and data value-added service in the sector in an effort to facilitate the development of the digital economy.

II. Recommendations on Data Governance and Innovative

  Application Planning. According to the aforementioned international data strategies and strategies for innovative data applications, the development of the data economy as a whole is driven by the formulation of overall superior policies, with a view to fully utilizing the potential value of data and building a vibrant ecosystem suited for innovative data applications. With the outbreak of COVID-19 this year, the application of data will be crucial in the post-pandemic era. It is also observed that data applications are gradually moving towards cross-boundary sharing and reuse, and empowerment of data subjects, and therefore, in light of the above observations and findings, we offer recommendations on data governance and innovative application planning. First, as for the establishment of a ministry and mechanism for data application and communication, since there is no single dedicated authority in Taiwan, and the formation of a ministry for science and technology development is now under intense discussion, data application may become an important function of the ministry, so we have to consider an authority for data application and communication. Further, there is currently no sandbox mechanism for data application in Taiwan. Reference should be made to the British data communication mechanism for providing legal advice and consultation sought on data application regulation.

  Second, with regard to the formulation of regulations and amendments to existing laws relating to data applications, the most noteworthy is the EU Data Governance Act 2021. Taiwan does not have a complete and appropriate legal framework for data application, except for the Freedom of Government Information Law, the Personal Data Protection Act (PDPA) and the relevant laws and regulations distributed in various fields, and the nation is currently seeking an adequacy decision from the EU, and therefore our PDPA needs to be amended accordingly, yet no progress has been made at this stage. Consequently, a comprehensive strategy should be developed by taking into account both the formulation of the basic data application regulations and the amendments to the current PDPA, in order to achieve long-term data governance and application and sharing.

  Lastly, in terms of the incorporation of the concept of data empowerment and the design of the mechanism, the international trend moves towards data empowerment to give data subjects more control over their data. The Financial Supervisory Commission (FSC) of Taiwan has also incorporated this idea in its open banking, so has the National Development Council’s (NDC) MyData program. As such, it is suggested that the government should provide guidelines or devise the relevant system, or even make reference to the Japanese data bank mechanism regarding the establishment of intermediaries to assist consumers in managing their data, which could be used as a reference for the design of the mechanism in the future.

III. Accountability for and Management of Data Use in Enterprises

  Among the countries studied regulation of Singapore and Taiwan are similar and have adopted the development of digital economy as their main economic strategy, but Singapore has been more proactive than Taiwan in the design of the legal system to facilitate the use of data. Therefore, with regard to the control of data use in businesses by the competent authorities, this Project, by looking at the amendment to the Singaporean PDPA, aims to reinforce the regulation of the accountability system and the operation of the existing series of guidelines. From the changes in Singapore's PDPA, it can be observed that the competent authorities can refer to the practices of enterprises in the use of data.

  First of all, the existing regulations in Taiwan tend to have more about compliance than accountability, with emphasis being placed on data security maintenance and compliance with the PDPA. For instance, Taiwan’s “Regulations Governing Security Measures of the Personal Information File for Non-government Entities Designated by National Communications Commission” focus on following the law on the use of personal data. Nonetheless, the so-called accountability means that the competent authorities must oversee the implementation of data protection measures and policies of enterprises, not just pro forma compliance with the letter of the law.

  The second observation is that Singapore is quite proactive in addressing the need for data use in the development of its digital economy by making an exception to innovative uses regarding informed consent. The inclusion of data portability also represents a heightened control of the data subject. These amendments are all related to Singapore's policy of actively developing its smart nation initiative and signify a more proactive approach by the authorities in monitoring the use of data by businesses. Taiwan needs to be more open and precise in regulating the use of data for the development of its digital economy.

  Finally, there is increased flexibility in enforcement, as authorities can resolve disputes between subjects over data use more quickly through the introduction of mediation or other alternative dispute resolution (ADR) mechanisms. Meanwhile, the Personal Data Protection Commission (PDPC) has developed industry-specific consultation guidelines, recognizing that there may be specific issues for different industries. The PDPC noted that these guidelines are based on the partnerships, consultations and feedback associated with the relevant industries, and close collaboration with the industry's authorities of target businesses.

IV. Conclusion

  Despite the lack of a dedicated authority for personal data protection, Taiwan can first build a cross-industry coordination and communication platform, and then collaborate across ministries to primary integrate standards in personal data protection to facilitate the needs of industrial innovation in the digital economy.

※Research on the Introduction of Privacy Protection Management Mechanisms and Data Value-Added Services into Communications Enterprises in 2020,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=169&d=8762 (Date:2022/06/25)
Quote this paper
You may be interested
The legal challenges of ubiquitous healthcare

Whereas the burden of private nursing for the elderly is getting heavier, industrialized countries with an aging society are endeavoring to seek possibilities of reducing the unit healthcare cost, such as technology assistance, and even the introduction of the brand new care type or model, which is an emerging application field of increasing importance. The development of such kind of healthcare industry not only is suitable for aging societies but also coincides with the growing health management trend of modern people. Also, while the focus on acute diseases in the past has changed to chronic diseases which are common to most citizens, the measuring and monitoring of physiological indicators, such as blood pressure, pulse, blood sugar and uric acid have critical effects on condition control. However, it will mean huge financial and physical burdens to the elderly or suffering from chronic diseases if they need to travel to hospitals to measure these physiological indicators. At this moment, an economical, reliable and timely physiological information collection and transfer system will be technology with good potential. For this reason, the purpose of this study is to investigate the potential business opportunities by applying the emerging information technology (IT) to the healthcare industry and the derivative legal and regulatory issues, with a focus on the seamless healthcare industry. It is hoped that by assessing the opportunity and risk in terms of legal and strategic analysis, we can single out the potential imbalance of fitting seamless healthcare, an IT-enabled service (ITeS), in the conventional control framework, and thereby establish a legal environment more appropriate for the development of the seamless healthcare industry. Referring to the existing electronic healthcare classification, the industry is divided into the following four blocks: electronic content provider, electronic product provider, electronic linking service provider and electronic passport service provider. Also, by depicting the outlook of the industry, the mode of application and the potential and common or special legal problems of different products are clarified. Given that health information collected, stored and transferred by electronic means involves unprecedented risk in information privacy and security, and that the appropriate control of such risk will affect the consumer’s faith in and willingness to subscribe seamless healthcare services, this study analyzed the privacy framework of the USA, the EU and Taiwan. Results indicate that future privacy legislation in Taiwan should include the protection for non-computer-processed personal information, expand the scope and occupation of applications, reinforce control incentives, and optimize the privacy protection mechanism. Further, only when service providers have the correct and appropriate concept of privacy protection can the watch-and-wait attitude of consumers be eliminated. These can help to promote subsequent development of the industry in the future. Due to the booming international trade as a result of globalization, and the gradual opening of the domestic telecommunication and healthcare markets following Taiwan’s entry into the WTO, transnational distance healthcare will gradually become a reality. However, the determination of the qualifications of practitioners is the prerequisite of transnational healthcare services. Taiwan may also consider lowering the requirements for physicians to practice in other countries and thereby to enhance the export competitiveness of Taiwan’s healthcare industry by means of distance healthcare via endorsement or reciprocity. Lastly, whereas the risks distance healthcare involves are higher than conventional healthcare services, the sharing of burdens and disputes over applicable laws in case of damages are the gray areas for executive control or judicial practice intervention. For this reason, service providers are unwilling to enter the market because the risks are too unpredictable. Therefore, this study recommends that the insurance system for distance healthcare should be the focus of future studies in order to promote the development of the industry.

Challenges and Opportunities from Digital Convergence

Preface With the blooming of IT technologies, the term of “digital convergence” represents the whole atmosphere at this moment. “Digital convergence”—means that after telecommunication and broadcasting systems are following the IP based framework, contents and services, those were easy to define, turn to be confused. Relying on the uniform platform, operators are able to provide services to different systems. Services containing VoIP, IPTV or the latest terms of “Multi-screen Ecosystem” and “Connected TV” are all involved in the “digital convergence” notion. Today, no matter the service of “check in” or “watching TV programs on Smartphone,” any figures about multiple services on different devices are presenting the “digital convergence” effect. On the consumer side, “digital convergence” brings a fascinating imagination of life. Time and space are no more limitations to people for getting information. Consumers select services only depending on the quality of each service. However, the fascinating imagination of customers becomes a pressure to the relative industries. In the past, because of distinctive transmission technique, services of television, internet and information were regarded as in different industries. Effective competitors only appeared in the same industry. However, today “digital convergence” effect results in crossing-industries competition and customer immigration. To accommodating and pursue the new trend, only unique ideas and novel services can help incumbents to survive. “Digital convergence” brings not only a challenge but also an opportunity. Today, user-friendly application services are cumulatively created and accommodated in the mature broadband network. For examples, high quality entertainment services occur after communication and multimedia broadcasting techniques are improved, “Near Field Communication” technology rising causes new types of cash flow services. Otherwise, Cloud Computing technique enables people easily to access tele-healthcare services and Telematics services. Certainly, digital convenience accelerating industries transformation and value-added services is now taking place around us. According to ITU reports, every 10% increase of broadband infrastructure extension might cause 0.255 to 1.38% GDP growth rate. High penetration of broadband infrastructure might lead a significant influence on economy growth. Take South Korean experiences as an example, by owing a complete broadband infrastructure, on-line game industry and national digital content industry in this country are individually possessing $8.3 billion and $ 3.4 billion output value. By sensing the potential possibilities, governments in different countries propose their own national industry policies, including American government proposed “National Broadband Plan”, the “Digital Britain White Paper” formulated by United Kingdom, “Hikari no Michi”(光の道, which means fiber superhighway) in Japan and the “Ultra-Broadband Convergence Network Plan (UBcN plan)” in South Korea, moreover, the “Tri-networks Integration Plan” in China. And Taiwan does not absent in this moment. In order to stand firmly in this trend, we also formulate “Digital Convergence Development Program 2010-2015 (DCDP 2010-2012)” in 2010. Below, we are going to make a briefly and neat description of “DCDP 2010-2012”. 1.INTRODUCTION For assisting national relative industries to smoothly transform and enhancing Taiwan’s international competitiveness, Executive Yuan admitted the “Digital Convergence Development Program 2010-2015 (DCDP 2012-2015)” in 2010. In this program, there were six main goals containing: (1) complement the broadband superhighway infrastructure; (2) initiate the convergence of telecommunication services; (3) accelerate the process of Television digitization; (4) develop emerging internet video services; (5) improve communication industries; and (6) establish an integrity regulation framework, as well as twenty-one improving tactics and seventy-eight measures for crossing- administrations cooperation and negotiation to be declared. Otherwise, Executive Yuan also established DCTF to be responsible for coordinating every effort from every administration and facilitate digital convergence tasks. Latter, we will make further descriptions for the six main goals, we just mentioned above: A.Complement the broadband superhighway infrastructure According to the Global Information Technology Report 2010-2011, proposed by World Economic Forum (WEF), Taiwan on the Network Readiness Index (NRI) item was been ranked at 6th place and at 5th place on another item of highest FTTH/FTTB penetration. However, though our coverage of broadband network was high, the total bandwidth was still insufficient to contain all the new creating services. To resolving the shortage of bandwidth, including Ministry of the Interior (MOI), Ministry of Economic Affairs (MOEA), Ministry of Transportation and Communications (MOTC) and National Communications Commission (NCC) were convened to extend the national fiber coverage and facilitate the installation upgrade. Regarding wireless broadband construction, administrations including MOEA, MOTC and NCC were under obligation to energetically detect the latest developments of wireless telecommunication technologies as well as proposed guidelines from other countries, concerning about the allocation of spectrum, telephone numbers and IP address resources. Through crossing-administrations cooperation and coordination, in December 2011, the total of national subscribers applying fiber network service had achieved 3.31 million houses, besides, there were 24.58% houses in Taiwan possessed 100Mbps broadband network services. Totally, there were 7.88 million wireless broadband accounts being applied. B.Initiate the convergence of telecommunication services Smartphone booming brought an emerging mobile entertainment life style, furthermore, it also accelerated the rising of mobile value-added application services. To this trend, administrations containing MOEA, Financial Supervisory Commission (FSC) and NCC all devoted to establishing a constructive environment, with providing assists and building up a complete regulation framework. For examples, up to the end of 2011, national telecommunication operators had signed a memorandum with EasyCard Corporation to develop a mobile cash flow platform, which allows cash flowing through the Internet, for giving people a more convenient experience. C.Accelerate the process of Television digitization Within various emerging application services, “Television digitization” might be the most important one in people’s life. “Television digitization” service brought not only a higher quality experience of watching programs, but also created extra demands of relative application services. Furthermore, increasing demands also bought an improvement to the industry and simultaneously accelerating the development of digital content industry. Nationwide terrestrial TV signal switching program, a fully signal switching from analog to digital, has accomplished in July 2012. In order to achieve 90% coverage rate of digital signal transmission, accommodations containing Council of Indigenous People (CIP) and NCC were not only devoted to establishing a Digitization Improvement Station, but also attempt to integrate all signals from original terrestrial TV stations into one satellite to transmit. To accomplish this signal switching program, government had cultivated for many years and try to increase people’s acceptance level of high definition (HD) TV service. Before receiving this success, NCC had spent a long time devoting itself to integrating containing every effort from many administrations and associations, such as the local governments, national industry associations and operators of household application, moreover, as well as Public Enterprises, including Taiwan Power Company, Chunghwa Post Corporation and Taiwan Water Corporation to popularizing this program. Nevertheless, about the digitization program of cable TV, up to 2010, though there were already 60% of houses in Taiwan possessing cable TV service, only 5.55% of cable TV houses switched into digital. As a result, we found that no incentive measures might be the crucial reason. To reverse the impasse, our strategy was to amend the current laws, through adjusting the regulation framework we could facilitate the market into effective competition. In addition, to accelerate the cable TV digitization process, government also regarded the Olympic relaying in England as a turning point to create the demands of HD TV service. After getting the franchise, people are able to watch Olympic Games through any platforms, including terrestrial TV, cable TV and even IPTV. As the demands arising, it would also encourage operators to produce more HD programs afterward. D.Develop emerging internet video services Digital convergence effect also caused the emerging internet video services booming. In order to encourage the crossing-platforms video services and achieve 50% user rate in 2015, there were three guidelines been proposed. The first one was emerging video service regulation reforming, the second one was facilitating integration between emerging accessing approaches and distribution channels, and the third one, developing a rational regulation on contents management. In synchromesh with terrestrial TV signal switching program, emerging internet video services were also assigned to provide HD Olympic Games programs. In that period, the subscribers of Chunghwa Telecom’s MOD (Multimedia on Demand) service were able to watch the Olympic Games relaying on 14 free HD channels and 1 free 3D channel, which is provided by ELETA TV. Moreover, they could also receive the programs on demand through internet or Smartphone. Afterward, from the collected data, we found that even though the rate of new subscribers only had a few rise, an obviously rose presented on the turning on rate. Depended on those data, we believe that people had already been more familiar with IPTV and HD programs. Besides, this relaying program totally attracted 95 individual advertising and the total revenue from advertising was NT$ 80 million dollars. E.Improve communication industries Producing prolific contents is the key element for attracting customers and stabilizing the development of digital convergence industry. To facilitate the contents producing, DCDP proposed three elements to be improved: fund, talent and marketing. And the tasks of these three elements were including investment facilitation, marketing skill reinforce, personal training as well as culture protection, consumer’s right protection, technique standardization and transnational cooperation. To assist in industries transformation, MOEA focused on promoting the APP design and upgrades. Recently, measures provided by MOEA, such as transformation counseling, R&D subsidies, drive-by VC investment, personal training and even the R&D loan had already taken effect. In addition, to create a virtuous investment circles in contents industry, government also considered to release more subsidies to encouraged those superior producers and movie makers. F.Establishing an integrity regulation framework Digital convergence effect accelerated the competition in the market, including communication or relative contents industries were enter a transformation era. In this period, it was essential to have a practical and integrity regulation framework. Recently, NCC hastened to undertake the amendments of three Acts, containing Radio and Television Act, Cable Radio and Television Act and Satellite Broadcasting Act. Actually, the expectation of this undertaking was to adopt the adjustment of digital convergence in 2014. In addition, Fair Trade Commission (FTC) and Intellectual Property Office (IPO) would also continue to observe the digital convergence influences in 4C (telecommunication, cable television, computer network and e-commerce) and contents (copyright) industries. 2.Second Edition of DCDP and Primly Policies Indicators Advance Since DCDP was launched, it has caused a tremendous response. Nevertheless, rapidly advanced ICT technologies inspire people’s expectations. Recently, it has already overtaken the anticipations of used DCDP. Therefore, to formulate a prescient version, Executive Yuan adopted the second edition of DCDP 2010-2015 in May 2012. In the second edition, an item of “producing prolific TV programs” is added to be the seventh main subjects, in addition, there are five extra items added in the improving tactics part; moreover, the number of measures increased to 107 items. Digital convergence indicators are also reformulated. First, 100Mbps wired broadcasting service should achieve 100% in 2013, and the second, accomplishing 100% digitization of cable TV in 2014. To achieve these indicators, relative administrations decide to accelerate the network infrastructure complementing process and cable TV digitization process. Simultaneously, they also consider extending their regulatory scale from emerging internet video services to the connected TV industries, and enhancing superior programs producing by policy making. In point of accelerating network infrastructure complementing process, a complete broadband network is a foundation of digital convergence industry. However, a “complete” network indicates not only the non-discriminatory access to the hardware, but also mention about having reasonable prices to access broadband services. By considering of Telecommunication operators and cable TV operators are both provides of broadband services, the digitization issue of cable TV industry is also concerned in the DCDP. As a primary enemy to Telecommunication operators in the convergence market, cable TV operators’ competitiveness does not come from the their large share on the cable TV market, but from their possession of wide spread cable network. Otherwise, various new creating contents and application are also encouraged in the DCDP. With “Smart TV,” “HDTV” and “Connected TV” booming, “TV” has transformed from a passive receiving media to an information transport. Although, those emerging broadcasting techniques might threaten the traditional television industry, they bring positive influences to the media industry. By considering a well-run development must building on a integrity and friendly regulation framework. DCTF, an office established by Exclusive Yuan, will also take its responsible to assist NCC on the digital convergence regulatory issues. 3.Conclusion Digital convergence effect to us is a turbulence but also a moment. Today, this effect, which originally comes from the techniques convergence, has detonated in different nations and various places; crossing-industries competition turns to be more and more common around the world. To accommodate our nation to this trend, the primary strategy proposed by government is to integrate administrations’ effort. Through policies making, including DCDP upgrading and validly relative regulation frameworks amending, every relative industry is able to restore enough energy and seize the moment, further, naturally turns to be a domain of market competition.

Norms of Critical Infrastructure Protection in Japan

The approaches to promote critical infrastructure protection in Japan The approaches to promote critical infrastructure protection in Japan are illustrated below: 1. Coverage of Critical Information Infrastructure In the "Action Plan on Information Security Measures for Critical Infrastructure" promulgated by the Information Security Policy Council (ISPC) in 2005, critical infrastructure is defined as: Critical infrastructure which offers the highly irreplaceable service in a commercial way is necessary for people's normal lives and economic activities, and if the service is discontinued or the supply is deficient or not available, it will seriously influence people's lives and economic activities. Based on the definition of the action plan, the critical infrastructure contains: telecommunication systems, administration services of the government, finance, civil aviation, railway, logistics, power, gas, water, and medical services 2. Promoted Relevant Policies of The Past The issues regarding the CIIP are gradually being developed with the norm of information social security policy in Japan. Adopting the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society of 1998 proposed by the Japanese government in 1998 as a basis. The Japanese government keeps presenting polices of improvement for the relevant issues in order to acquire the stable development of telematics and telecommunications. Several years later, the Ministry of Economy, Trade, and Industry (METI) announced the Comprehensive Strategy on Information Security in 2003. The formulation of the strategy not only emphasizes the possible telematics-related risks and protection against threats that may be encountered in the information society, but it also enhances the level of information security to the level of national security and presents a comprehensive information security improvement program. Furthermore, the submission of the strategy has identified government’s responsibility in the development of information security Therefore, a division which is solely responsible for information security was established in the Cabinet Secretariat and is devoted to the development of it. In 2005, the Ministry of Economy, Trade, and Industry (METI) amended the Comprehensive Strategy on Information Security and announced the First National Strategy on Information Security based on the creation of a policy of a long-term information security task in Japan which is also the foundation for the policy of guidelines and action security concerning critical information infrastructure. This is in addition to being the most important basis for the policy of information security development. The strategy is different from the Comprehensive Strategy on Information Security in connotation. In the range of information security protection, it not only maintains information security from the perspective of the government; for instance, to divide the rights and duties on information security protection practices between the central government and the local government, and to strengthen the capacity of the government to solve emergencies such as cyber attacks, but it also tries to employ the public-private partnership on the CIIP issue to construct an extensive information security protection and to develop a Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR): one similar to the ISAC of America, to strengthen the information sharing and analysis of information security of all industry involved. According to the strategy, the METI established the Information Security Policy Council (ISPC) and the National Information Security Center (NISC) under the subordination of the Cabinet Secretariat in order to reach a goal of dependable society of information security.1 Finally, the information security policies more directly related with the CIIP are the Action Plan on Information Security Measures for Critical Infrastructure and the Standards for Information Security Measures for the Central Government Computer Systems, both of which regulate CI-related threats, information security standards, public-private partnership information sharing system, and the levels of information security standards between different governments and critical infrastructures, respectively. 3. Oraganization Framework Generally speaking, the Cabinet Secretariat is the main division of the CIIP and the information security for the Japanese government, while the ISPC and the NISC established under the Cabinet Secretariat in 2005 are the core organizations for the development of the CIIP policy. In addition, the National Policy Agency (NPA) and the Ministry of Internal Affairs and Communications (MIC) also played an important role in assisting the Cabinet Secretariat with critical infrastructure protection. The part of public-private partnership is covered by the CEPTOAR which takes the responsibility for information sharing and analysis of information security between the government and private organizations. 4. Notification System For critical infrastructure protection, Japan has set up a warning and notification system in addition to the emphasis on fundamental information security protection. With the concept of public-private partnership, various messages related with information security are analyzed and shared in order to prevent information security incidents from occurring. The network of notification system in Japan mainly consists of several organizations as listed below. (1) National Incident Response Team The National Incident Response Team (NIRT) which is the information security office under the Cabinet Secretariat in the organization framework belongs to the Computer Emergency Response Team (CERT)2 and is first in line in the government to handle internet emergencies. According to the Action Plan for Ensuring e-Government's IT Security, the NIRT which consists of 17 experts from the government and the private organizations is responsible to (1) accurately understand and analyze emergencies, (2) develop technical strategies to solve and rehabilitate emergencies to prevent incidents from reoccurrence, (3) provide other governmental organizations the assistance to solve the information security issue, (4) collect and analyze information or intelligence so that effective solutions and strategies may be provided when an incident happens, (5) provide the governmental organization with professional knowledge and information, and (6) enhance and improve all knowledge pertinent to information security. (2) Computer Emergency Response Team Coordination Center The Japan Computer Emergency Response Team Coordination Center (JPCERT/cc) is the first Computer Security Incident Response Team (CSIRT) established in Japan. It consists of internet service suppliers, security products/service suppliers, governmental agencies, and associations of industry & commerce. The JPCERT/CC is also a member of the Asia Pacific Computer Emergency Response Team (APCERT) and a member of the Forum of Incident Response and Security Teams (FIRST). It coordinates and integrates prevention measures pertinent to information security and is consistent with other CSIRTs. (3) Telecom Information Sharing and Analysis Center In Japan, besides the mechanism responsible to notify the government, which functions as a bridge for communication between it and all those outside of it, the mechanism of information sharing and notification is also established among industries to provide each with a channel for information exchange and consultation. In 2001, Japan established the Telecom Information Sharing and Analysis Center Japan (Telecom-ISAC Japan). In addition to real-time inspection for computer intrusion incidents and conducting information collection and analysis, the Telecom-ISAC Japan proposes to e-government many suggestions related with the Transact-SQL issue as well. The reasons for launching the Telecom-ISAC are to instantaneously detect a computer intrusion incident, and to instantaneously gather and analyze its information, and then exchange this with other telecom carriers and offer them relevant countermeasures for precaution; so that in can reach the goal of ensuring telecom security since it is an important infrastructure concerning social economy. (4) Cyber Force The reasons for launching the Cyber Force are to maintain the security to use the internet by regularly "patrolling" it, searching for evidence of internet crime, and to notify the critical infrastructure operators about any unusual internet use so as to prevent the occurrence of cyber terror attacks. The Cyber Force also assists operators to solve and diminish the damage and influences when an incident occurs. (5) Portal Site of National Police Agency The National Police Agency owns the portal site "@police". It exists to prevent large-scale cyber emergencies and to provide gathered information concerning information security to government. In addition to providing the techniques related with the safe use of computer networks, @police is also dedicated to educating internet users about the concept of information security and to increase security awareness. (6) Ministry of Economy, Trade and Industry Since 1990, the Ministry of Economy, Trade and Industry (METI) has cooperated with the JPCERT/CC and the Information Technology Promotion Agency (IPA) to provide reports on virus, intrusion, and the damage caused by them, to remind the public to pay attention. 5. Legal Norms The laws regarding critical infrastructure protection in Japan are illustrated as follows: (1) Unauthorized Computer Access Law of 1999 The Unauthorized Computer Access Law includes various conducts such as cyber intrusion, and data thefts, into the norms of criminal punishment to deter cyber crimes from spreading in order to ensure the safety of the critical information infrastructure. (2) Act on Electronic Signatures and Certification Business of 2000 With the formulation of the Act on Electronic Signatures and Certification Business, the smooth promotion of the electronic signature system is ensured and the circulation and process of electronic communication can be fostered further. (3) Basic Law on Formation of an Advanced Information and Telecommunication Network Society of 2001 Through the formulation of the Basic Law on Formation of an Advanced Information and Telecommunication Network Society, the legal basis to execute an information technology policy is enhanced, and the direction and job content for the government to execute this policy is explicitly stated. 1.http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf(last accessed date: 2009/07/20). 2.http://www.nisc.go.jp/en/sisaku/h1310action.html(last accessed date: 2009/07/20).

The Coverage and Policies of Critical Infrastructure Protection in U.S.

Regarding the issue of critical infrastructure protection, the emphasis in the past was put on strategic facilities related to the national economy and social security merely based on the concept of national defense and security1. However, since 911 tragedy in New York, terrorist attacks in Madrid in 2004 and several other martial impacts in London in 2005, critical infrastructure protection has become an important issue in the security policy for every nation. With the broad definition, not only confined to national strategies against immediate dangers or to execution of criminal prevention procedure, the concept of "critical infrastructure" should also include facilities that are able to invalidate or incapacitate the progress of information & communication technology. In other words, it is elevated to strengthen measures of security prevention instead. Accordingly, countries around the world have gradually cultivated a notion that critical infrastructure protection is different from prevention against natural calamities and from disaster relief, and includes critical information infrastructure (CII) maintained so that should be implemented by means of information & communication technology into the norm. In what follows, the International CIIP Handbook 2008/2009 is used as a research basis. The Subjects, including the coverage of CIIP, relevant policies promoted in America, are explored in order to provide our nation with some references to strengthen the security development of digital age. 1. Coverage of Important Critical Information Infrastructures Critical infrastructure is mainly defined in "Uniting and Strengthening our country by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, as known as Patriot Act of the U.S., in section 1016(e)2 . The term ‘critical infrastructure’ refers to "systems and assets, whether physical or virtual, so vital to our country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." In December 2003, the Department of Homeland Security (DHS) promulgated Homeland Security Presidential Directive 7 (HSPD-7)3 to identify 17 Critical Infrastructures and key resources (CI/KR) ,and bleuprinted the responsibility as well as the role for each of CI/KR in the protection task. In this directive, DHS also emphasized that the coverage of CI/KR would depend on the real situations to add or delete sectors to ensure the comprehensiveness of critical infrastructure. In March 2008, DHS added Critical Manufacturing which becomes the 18th critical infrastructure correspondent with 17 other critical infrastructures. The critical infrastructures identified by DHS are: information technology, communications, chemical, commercial facilities, dams, nuclear reactors, materials and waste, government facilities, transportation systems, emergency services, postal and shipping, agriculture and food, healthcare and public health, water, energy (including natural gas, petroleum, and electricity), banking and finance, national monuments and icons, defense industrial Base, and critical manufacturing. 2. Relevant Policies Previously Promoted With Critical Infrastructure Working Group (CIWG) as a basis, the President's Commission on Critical Infrastructure Protection (PCCIP) directly subordinate to the President was established in 1996. It consists of relevant governmental organizations and representatives from private sectors. It is responsible for promoting and drawing up national policies indicating an important critical infrastructure, including natural disasters, negligence and lapses caused by humans, hacker invasion, industrial espionage, criminal organizations, terror campaign, and information & communication war and so on. Although PCCIP no longer exists and its functions were also redefined by HDSP-7, the success of improving cooperation and communication between public and private sectors was viewed as a significant step in the subsequent issues on information security of critical infrastructure of public and private sectors in America. In May 1998, Bill Clinton, the former President of the U.S., amended PCCIP and announced Presidential Decision Directive 62, 63 (PDD-62, PDD-63). Based on these directives, relevant teams were established within the federal government to develop and push the critical infrastructure plans to protect the operations of the government, assist communications between the government and the private sectors, and further develop the plans to secure national critical infrastructure. In addition, concrete policies and plans regarding information security of critical infrastructure would contain the Defence of America's Cyberspace -- National Plan for Information Systems Protection given by President Clinton in January, 2000 based on the issue of critical infrastructure security on the Internet which strengthens the sharing mechanism of internet information security messages between the government and private organizations. After 911, President Bush issued Executive Order 13228 (EO 13228) and Executive Order 13231 to set up organizations to deal with matters regarding critical infrastructure protection. According to EO 13228, the Office of Homeland Security and the Homeland Security Council were established. The duty of the former is mainly assist the U.S. President to integrate all kinds of enforcements related to the protection of the nation and critical infrastructure so as to avoid terrorist attacks, while the latter provides the President with advice on protection of homeland security and assists to solve relevant problems. According to EO 13228, the President's Critical Infrastructure Protection Board directly subordinate to the President was established to be responsible for offering advice on polices regarding information security protection of critical infrastructure and on cooperation plans. In addition, National Infrastructure Advisory Council (NIAC), which consists of owners and managers of national critical infrastructure, was also set up to help promote the cooperation between public and private sectors. Ever since the aforementioned executive order, critical infrastructure protection has been more concrete and specific in definition; for instance, to define critical infrastructure and its coverage through HSPD-7, the National Strategy for Homeland Security issued in 2002, the polices regarding the National Strategy to Secure Cyberspace and the National Strategy for Physical Protection of Critical Infrastructure and Key Assets addressed by the White House in 2003; all of this are based on the National Strategy for Homeland Security. Moreover, the density of critical infrastructure protection which contains virtual internet information security was enhanced for the protection of physical equipment and the protection from destruction caused by humans. Finally, judging from the National Infrastructure Protection Plan (NIPP), Sector-Specific Plans (SPP) supplementing NIPP and offering a detailed list of risk management framework, along with National Strategy for Information-Sharing, the public-private partnership (PPP) and the establishment of information sharing mechanism are highly estimated to ensure that the network of information security protection of critical infrastructure can be delicately interwoven together because plenty of important critical infrastructures in the U.S. still depend on the maintenance and operation of private sectors. 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands:A Quick-scan”. In:Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf (last accessed at 20. 07. 2009) 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands:A Quick-scan”. In:Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf (last accessed at 20. 07. 2009) 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 3.Introduction of Consumer Protection in Taiwan , Republic of China , Consumer Protection Commission (CPC), Executive Yuan.http://www.fas.org/irp/offdocs/nspd/hspd-7.html ( Last visit 2008/6/27 )

TOP