Interesting People mailing list archives

Japan: IT Security, JCSEC criteria


From: David Farber <farber () central cis upenn edu>
Date: Sat, 9 Oct 1993 06:59:53 -0400

Date:  Thu, 16 Sep 1993 19:54:42 +0200
From: Klaus Brunnstein <brunnstein () rz informatik uni-hamburg d400 de>
Subject:  Japan: IT Security, JCSEC criteria


It is not well recognized in the current discussions in North America and
Europe aimed at harmonizing their different criteria (FC, ITSEC) that Japanese
organisations are undertaking major efforts to assess and improve the state of
IT and Communications security also in their country. In order to guarantee
their IT industries' opportunities in international markets, they are also
looking for a minimum harmonized set of criteria (JCSEC) as a basis of
universally applicable product evaluation and certification.


Among others, the Information-technology Promoting Agency (IPA) and the Japan
Electronic Industry Development Association (JEIDA) have started their
respective work with major analyses of the state of security in Japan, North
America, Europe and Australia. IPA, a MITI-funded organisation with interests
in anti-virus measures, sponsored a study which received some attention in
1992. Its basic statement was that the number of hacker-like attacks on
systems doubled in recent times while virus infections diminished
significantly. It is interesting that IPA's recent statistics show that viral
events in Japan sharply increased in 1993: from 1990's total of 14 events over
1991's total of 57 events and 1992's 252 events, the partial figures for 1993
(Jan-July) are 366. While findings on the Mac (less than 10 reports) and the 19
viruses that have so far appeared on the (IBM-incompatible) Japanese PCs (15
reports in 1993) are constant, the very fast growth on IBM-compatible PCs is
based on 42 different viruses, with 166 Yankee Doodle, 103 Cascade 1701/1704,
24 Anti-Telefonica, 20 Stoned III or Michelangelo and 14 Form reports in 1993.
Though IPA's request for reporting virus events is now known in many
enterprises, these figures do NOT indicate the exact number of infections but
only show the relative development: growth.


As its basis for future work, JEIDA published a "Summary Report on the
Worldwide Survey for Information Systems Security in Nine Nations", conducted
by Coopers & Lybrand, in March 1993. The survey, which is based on 1,059
questionnaires filled in by enterprises in Japan (39%), Australia (21%), North
America (15%) and Europe (13%), analyses the state of security consciousness
(chapter 1), experience with incidents (ch. 2: e.g. malfunction of
hardware >75%, introduction of viruses >30%, theft of equipment about 10%,
disclosure of passwords 10%, etc.), and IS security measures taken (a rather
detailed analysis, ch. 3). An analysis of the cost of IS security measures
(ch. 4) and IS risk analysis (ch. 5), motivating factors (ch. 6) and
development priorities (ch. 7) concludes this study (17 pages). For detailed
analysis, it would be helpful to complement the high-quality colour print with a
volume containing more details of the raw data, but this "JEIDA Study" is
worthwhile reading for worldwide comparison.


JEIDA published another study in August 1992, "Japanese Computer Security
Evaluation Criteria: Functional Requirements (Draft V1.0)", which has not been
recognised so far in the Western discussion (similar to Russia's development,
published in December 1992, though in Russian). JEIDA's study (in English),
developed after MITI guidelines, describes (ch. 1: Introduction) functionality
requirements, with the scope of the "Target of Evaluation" (TOE) and target
models, and gives detailed "Functional Requirements" (ch. 2), including minimum
requirements for Identification and Authentication (2.1), Access Control
(2.2), Accountability (2.3), Auditing (2.4), Object Reuse (2.5), Integrity
(2.6), Reliability of Service (2.7) and Data Exchange (2.8). Though the
structure conforms with ITSEC concerning the 8 basic function categories,
JCSEC evidently follows the US' Minimal System Function Requirements philosophy
which is also basic to the work of ECMA (European Computer Manufacturers
Association) and ISO/IEC JTC1 SC 27. The report (26 pages) ends with a graph
describing the different security criteria in the USA, Europe, Japan and ISO,
followed by a glossary with informal definitions of essential terms.


Though the Assurance part of JCSEC has not been published so far (due
end-of-1993), it seems as if ITSEC's Assurance levels may play the role of
related "Minimum Assurance Requirements" (rather than the complex Assurance
descriptions in US' Federal Criteria).


JEIDA officials motivated their work on JCSEC generally with their vendors'
experience when attempting to sell Japanese IT systems in Australia.
Following regulations for Australian government installations, which seem also
to be applied by major Aussie enterprises, Japanese installations had to
undergo a security evaluation process which was partly difficult as most
documents were not available in English. When forced to prepare for
evaluation and certification of their products in non-Japanese countries, MITI
and Japanese vendors evidently concluded that a set of internationally
harmonized criteria with minimum requirements would serve their interests
best. Moreover, Japanese vendors seem to favour self-evaluation of security
functions, as opposed to evaluation by independent institutions as
practiced or prepared in the USA and Europe. As some of these ideas are shared
also by IT vendors outside Japan (see ECMA's approach), the Japanese
involvement may add fresh wind to the international ITSEC discussion which is
presently dominated by the USA/Canada and Europe (including their preoccupations
:-)


Klaus Brunnstein (Univ-Hamburg, September 16, 1993)


PS: JEIDA's address is: Japan Electronic Industry Development Association,
JEIDA, Kikai-Shinko-Bldg., 3-5-8 Shiba-Koen, Minato-ku, Tokyo 105 JAPAN.

