AVAR November 2004 in Tokyo, Japan Computer Secutiry Situation in Japan (Report from National Police Agency Japan) Takashi Garcia SATO Assistant Director, Superintendent, Cybercrime Division National Police Agency, Japan

Content 1. Trend in Internet Usage in Japan 2.Countermeasures by Police i.Organization ii.Investigation – Statistics iii.Cooperation with Industrial Circles iv.Improvement of Public Awareness v.International Cooperation 3.Legal System against Cybercrime i.Basic Laws ii.Recent Progress of Laws

1. Trends in Internet Usage in Japan Estimated millions (2003). Population of Japan: millions (2003) → 60.6% of Population is using internet in Japan.

2. Countermeasures by Police i. Organization 2. Countermeasures by Police i. Organization National Police Agency Coordinates/Advises Local Police  Cybercrime Division Provides Technical Assistance  High-Tech Crime Technology Division 47 Prefectural Police (Local Police) – Task Force against Cybercrime – Agents with High-tech – Information Security Advisors

47 Prefectural PoliceNPA -Task Force against Cybercrime -Hiring Agents with High-tech -Equipments for Cybercrime Investigation (ex. High Efficiency Computer) -Information Security Advisor High-Tech Crime Technology Division Technical Assistance Liaison & Coordination, Advice Cybercrime Division Technology Center Cyber Terrorism Technology Center (Cyber Force Center) Cyber Force -Investigate Cybercrime -Counter Cyber Terrorism -Cooperate with Industrial Circles -Raise Public Awareness about Information Security -Train Police Personnels -Keep the IT Society Safe and Secure Organization against Cybercrime

Established in April 2004 Approximately 20 personnel Duties – Coordinates/Advises Local Police about investigations – Raises public awareness about Information Security – Plays a role as contact point of international cooperation – Makes IT security policies and drafts of new or revised law Cybercrime Division, NPA Cybercrime Division, NPA

ii. Investgation - Statisticts Arrest Rate for Cybercrime

Analysis of Arrest Rate for Cybercrime

Example of Specific Cases (1) Unauthorized Computer Access – Criminal stole other persons’ ID and password, illegally accessed to the Internet auction site and put fake goods in the auction. 31 victims paid about 4 millions yen to his fake name banking account. (unauthorized computer access, fraud etc., 2004 February, Saitama, Yamagata, Ibaragi, Kyoto and Okayama) Crime against Computer / Data – Criminal deleted hospital’s data such as 500 patients’ name, address and disease name and obstructed business of the hospital because he received a caution in the hospital and got angry. (obstruction of business by destroying a computer etc March, Hyogo)

Example of Specific Cases (2) Internet Crime – Criminal found the message from junior high school girl in dating service site for mobile phone. He contacted the girl through the internet and promised to pay yen to her for child prostitution. (Violation of Child Pornography and Prostitution Law, 2004 February, Hiroshima) – Criminal put the message of sale of game software on the internet bbs. He sold copied CD-Rs of game software to 29 persons without permission of the copyright holder. (Violation of Copyright Law, 2004 March, Aomori ) – Criminal put the message such as “I will go to XXX post office for robber on next Sunday. Can you stop it?” on the internet bbs and threaten the post office. (Intimidation, 2004 May, Gunma)

Cases Consulted with Police People can consult with the police on cyber crimes and other network-related incidents. – 11,135 cases in 2000 – 17,277 cases in 2001 – 19,329 cases in 2002 – 41,754 cases in 2003 Breakdown of 41,754 in 2003 – 20,738 Fraud & Sharp Business – 5,999 Internet Auctions – 4,225 Illegal & Harmful Contents – 2,619 Defamation – 2,329 Spam s – 1,147 Unauthorized Computer Access and Virus – 4,697 Others

Examples of Cases consulted with Police Fraud & Sharp Business – Someone sent which says that he is a creditor and strongly demands the charge for accessing pay internet site. (In general those who receive those s have no access to this kind of pay internet site. But it becomes big profit if one out of hundred persons pays to him!) Internet Auctions – The winner of a bid for some goods in internet auction sent money to get the goods. But he/she received no goods and lost contact with the owner of the goods. (Sometimes the information of contact to the owner of goods is fake.)

iii. Cooperation with Industrial Circles Comprehensive Security Meeting (NPA) –composed with various experts about IT from private sector –discuss policy of cooperation between industrial circles and police Connection Conferences with ISP (each prefecture) –composed with ISP, police and prefecture –exchange information about cyber crime

iv. Improvement of Public Awareness (1) Home page of counter-cybercrime of the National Police Agency ( ) –Policies for information security –Contact information for Prefectural Police in case of cybercrime –Statistics of cybercrime etc.

iv. Improvement of Public Awareness (2) Home page (security portal site of the National Police Agency) ( ) –Prompt and accurate information in case of emergency –Internet Activities Monitored (every 15 minutes’ renewal ) –Technical Advices for Internet Users –News of Security Trends in the world

National Police Agency ・ Analysis of Criminal Cases and Consultations ・ Making Policies to Raise Public Awareness on IT Security Information Security Advisor Liaison & Coordination Companies Entities Concerned Citizen Public Relations, Education, Consultation, Advice Connection Conferences with ISP Assistance Based on Unauthorized Computer Access Law Public Relations Education Consultation Liaison & Coordination Exchange of ideas Prefectural Police (Local Police) iv. Improvement of Public Awareness (3) Cooperation

v. International Cooperation G8 Lyon/Rome Group –“High-Tech Crime Sub Group” –Daily Cooperation through the “24-Hour Contacts for International High-Tech Crime” ICPO –Daily Cooperation among each state’s police through the ICPO –“Asia-South Pacific Working Party on IT Crime” APEC Council of Europe

3. Legal System against Cybercrime i. Basic Laws Unauthorized Computer Access Law (legislated in 1999) Penal Code Law for Punishing Acts Related to Child Prostitution and Child Pornography (legislated in 1999) Other domestic criminal laws (e.g. drug, firearms, copyright protection and so on)

Prohibition of unauthorized computer access and penal provisions (Article 3 and 8) Prohibition of facilitation of unauthorized computer access and penal provisions (Article 4 and 9) Prohibition of unauthorized computer access Less than 1 year in prison or a fine less than 500,000 yen Fine less than 300,000 yen Protective measures by access administrators (Article 5) ○ Secure maintenance of ID codes ○ Upgrading the access control function Assistance by Prefectural Public Safety Commissions (Article 6) ○ Emergency response to attacking incidents Sharing information with National Public Safety Commission, Minister of Economy,Trade and Industry and Minister of Public Management, Home Affairs,Posts and Telecommunications (Article 7) ○ Publication of the status of unauthorized computer access ○ Publication of the research and development of security technology ○ Public relation and education Protective measures Sound growth of advanced information-communication society Prevention of high-tech crime/ maintenance of the order of electrical communication Unauthorized Computer Access Law

Penal Code – provisions relating to Cybercrime Illegal production and use of an electromagnetic record (Art.161bis) - less than 10 years in prison or fine less than one million yen Illegal production and use of an electromagnetic record on payment card (Art. 163bis) - less than 10 years in prison or fine less than one million yen Interference with business transaction by computer system (Art. 234bis) - less than 5 years in prison or fine less than one million yen Computer Fraud (Art. 246bis) - less than 10 years in prison Destruction of official or private electromagnetic record (Art ) - less than 7 years in prison

Law against Child Prostitution and Child Pornography Prohibition of child prostitution and invitation of child prostitution (Art.4 - 6) - less than 7 years in prison and/or fine less than 10 million yen Prohibition of production and distribution of child pornography (Art.7) - less than 5 years in prison and/or fine less than 5 million yen Prohibition of dealing (selling and buying) of children under the purpose of child prostitution or child pornography (Art.8) – 1-10 years or more than 2 years in prison Children under 18 years old are protected by this law.

ii. Recent Progress of Laws Recent problems about Information Security Computer Virus (e.g. MS Blaster) Websites often used by criminals (e.g. internet auction site, date servicing site) P2P tool (file exchange software) (e.g. Winny or WinMX) Leakage of digital personal information from big companies Anonymous environment (e.g. internet café, wireless LAN, …)

Recent Progress on Legal System Submission of revision of Penal Code, Criminal Procedural Law and so on, to Diet, to join the Convention of Cybercrime Secondhand Dealers Law (come into effect from September 2003) Law on Control of Dating Service on the Internet (come into effect from September 2003)

Convention on Cybercrime (1) Substantive Criminal Law – Illegal Access – Illegal Interception – Data Interference – System Interference – Misuse of Devices (Computer Viruses) – Forgery and Fraud – Child Pornography – Infringements of Copyright

Procedural Law –Expedited Preservation of Stored Computer Data –Production Order –Search and Seizure of Stored Computer Data –Real-Time Collection of Computer Data International Co-operation –Extradition –Mutual Assistance Convention on Cybercrime (2)

Revision of Penal Code, Criminal Procedural Law and so on Penal Code – Production and Distribution of Computer Virus Criminal Procedural Law – Seizure of Digital Evidence from Remote Computer – Request of Cooperation (to those who receive seizure) – Request of Preservation (from police) (maximum 90 days) Unauthorized Computer Access Law – expansion of criminal jurisdiction to outside Japan

Secondhand Dealers Law Target: – Secondhand Dealers using the technology of information and telecommunication (mainly internet auction dealers) Content: – Dealers have to submit documents to local Public Safety Commission (local Police) when they want to start internet auction which may deal with secondhand goods. – Dealers have to report to Police when the goods on the internet auction have possibility of stolen goods. – Police can issue stop order when the goods on the internet auction have big possibility of stolen goods.

Law on Control of Dating Service on the Internet Target: – Dating Service Providers, Users of Dating Service Content: – Prohibition of invitation to make sexual intercourse or invitation to do pay dating service with children (under 18 years old), using dating service on the internet (to children or from children) – Dating Service Providers must take measures to prevent children from using dating service on the internet, in view of the damages of children by crimes resulting from dating service on the internet.

Thank you very much !!! Takashi Garcia SATO Assistant Director, Superintendent, Cybercrime Division National Police Agency, Japan