Forwarded From: "Prosser, Mike" <mike.prosser@L-3Security.com>

May 13, 1999 (TOKYO) -- Legislation to outlaw unauthorized access to computer networks will go into effect in Japan by the end of this year at the earliest, and the penalties will include fines or imprisonment.

The bill, sponsored jointly by the National Police Agency, the Ministry of Posts and Telecommunications, and the Ministry of International Trade and Industry (MITI), was submitted to the Diet after it was adopted at a Cabinet meeting on April 16. It is expected to pass the Diet by the end of June.

The government agencies concerned will make the ban on unauthorized access a new law, and not simply an amendment to the Criminal Law or the Telecommunications Business Law.

Under the terms of the legislation, unauthorized access is defined as "any unauthorized logging in to a computer network using another person's ID or password, or any attack on a security hole in an operating system or application."

The bill will ban such unauthorized access. The penalties will include imprisonment for up to one year or fines of up to 500,000 yen. (121.03 yen = US$1)

Also, the bill will outlaw "any acts to promote unauthorized access" such as provision or sales of a user ID and password to a third party. In such cases, penalties will be fines of up to 300,000 yen.

Even in the United States and Europe, where laws banning unauthorized access have already been enacted, few countries ban acts to promote unauthorized access.

The bill will protect "all networked computers, those which control access with a user authentication via a user ID or password as well as authentication results" from unauthorized access. Networks will include the Internet, public circuits and corporate dedicated lines.

The new bill will not require corporate system administrators to "preserve log on records of protected computers," which the NPA has sought.

Preservation of logs was excluded from the bill based on discussions among the three concerned parties. In November 1998, the NPA sought to require companies to preserve their log records, based on its view that "those to be protected by the bill and obliged parties are identical."

However, many companies said that such a requirement would impose a tremendous burden on them and that it wouldn't necessarily help prevent unauthorized access.

Nonetheless, companies will still be expected to make their best efforts to preserve log records to detect any unauthorized access at an early stage and minimize damages.

The bill will not have its intended effect unless companies take some measures to prevent unauthorized access. Therefore, the three parties decided to ask companies to make voluntary efforts to prevent unauthorized access.

Specifically, system administrators are expected to manage passwords thoroughly, and to implement a variety of preventive measures. Although it is not legally binding, most system administrators will likely implement such preventive measures on a voluntary basis.