TOKYO -- Japan will call on operators of critical infrastructure, such as water and electricity, to be cautious about procuring telecommunications equipment that carries the risk of containing malicious software, Nikkei has learned.
The warning will appear in Japan's revised cybersecurity guidelines due out this spring, in what would be the first such mention of the threats that telecommunications equipment poses.
In raising the issue of such equipment being used to obtain information or to risk shutting down infrastructure, Japan follows in the footsteps of the U.S., which has explicitly talked about the threat of products from Huawei Technologies and other Chinese companies.
The guidelines cover 14 areas of infrastructure, including electricity grids, water supply and financial institutions. The revisions, originally set to be made after the 2020 Tokyo Olympics, have been moved ahead to this spring due to an increased potential for damage from digital attacks.
The revised policy will note concerns that communications equipment with the capacity to steal information or stop key functions could be fitted during development or manufacturing. If it made its way into infrastructure, such equipment could cause electrical blackouts or compromise air travel safety, to name just two potential serious problems.
The warning affects future procurement efforts by infrastructure companies, but does not apply retroactively, as inspections and spending on a massive scale would be needed to review all the equipment already installed. There are also concerns that drawing attention to particular pieces of equipment or infrastructure as a security risk could attract cyberattacks.
In August, the U.S. banned the use of products from Huawei or compatriot ZTE by American government institutions and companies they do business with, in its National Defense Authorization Act for fiscal 2019.
Japan's ministries and agencies agreed in December to factor in national security risks when procuring nine types of communications equipment, including communication lines and devices, starting in April. The move was meant to prevent others from stealing information by accessing such devices via "backdoors," for example.
Tokyo's revised infrastructure policy will call on the private sector to do likewise, aiming to protect infrastructure critical for everyday life. An expert panel will meet around the end of March to discuss the revisions, with a cybersecurity strategic headquarters chaired by Chief Cabinet Secretary Yoshihide Suga to make a decision as soon as the spring.