Forwarded From: "Prosser, Mike" <mike.prosser@L-3Security.com>
May 13, 1999 (TOKYO) -- Legislation to outlaw unauthorized access to
computer networks will go into effect in Japan by the end of this year at
the earliest, and the penalties will include fines or imprisonment.
The bill, sponsored jointly by the National Police Agency, the Ministry
of Posts and Telecommunications, and the Ministry of International Trade
and Industry (MITI), was submitted to the Diet after it was adopted at a
Cabinet meeting on April 16. It is expected to pass the Diet by the end
of June.
The concerned government agencies will make the bill to ban
unauthorized access a new law, and not simply an amendment to the Criminal
Law or the Telecommunications Business Law. Under the terms of the
legislation, unauthorized access is defined as "any unauthorized logging
in to a computer network using another person's ID or password, or any
attack on a security hole in an operating system or application." The bill
will ban such unauthorized access. The penalties will include imprisonment
for up to one year or fines of up to 500,000 yen. (121.03 yen = US$1)
Also, the bill will outlaw "any acts to promote unauthorized access"
such as provision or sales of a user ID and password to a third party. In
such cases, penalties will be fines of up to 300,000 yen. Even in the
United States and Europe, where laws banning unauthorized access have
already been enacted, few countries ban acts to promote unauthorized
access.
The bill will protect "all networked computers, those which control
access with a user authentication via a user ID or password as well as
authentication results" from unauthorized access. Networks will include
the Internet, public circuits and corporate dedicated lines.
The new bill will not require corporate system administrators to
"preserve log on records of protected computers," which the NPA has
sought. Preservation of logs was excluded from the bill based on
discussions among the three concerned parties.
In November 1998, the NPA sought to require companies to preserve their
log records, based on its view that "those to be protected by the bill and
obliged parties are identical." However, many companies said that such a
requirement would impose a tremendous burden on them and that it wouldn't
necessarily help prevent unauthorized access.
Nonetheless, companies will still be expected to make their best
efforts to preserve log records to detect any unauthorized access at an
early stage and minimize damages. The bill will not have its intended
effect unless companies take some measures to prevent unauthorized access.
Therefore, the three parties decided to ask companies to implement
voluntary efforts to take some measures to prevent unauthorized access.
Specifically, system administrators are expected to manage passwords on a
thorough basis, and to implement a variety of preventive measures.
Although it is not legally binding, most system administrators will
likely implement such preventive measures on a voluntary basis.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
Received on Fri May 14 08:55:28 1999