
Technology-Based Council for Promotion of Regulatory Reform (6th) Working Group of the Digital Ad Hoc Administrative Study Group

Overview

  • Date and time: Monday, September 11, 2023, from 10:00 a.m. to 12:00 p.m.
  • Location: Online
  • Agenda:
    1. Opening
    2. Agenda
      1. Change of Members
      2. Explanation from the Secretariat
        • Progress of "Technology-Based regulatory reform" and the Immediate Way Forward
      3. Explanation from Mr. Okada
        • Technology strategy innovation management in public services "Based on the experience of the first stage SIP"
      4. Explanation from the Cybersecurity Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry
        • On Ministry of Economy, Trade and Industry's Cybersecurity Policy
      5. Exchange of views
    3. Adjournment

Minutes, etc.

Date and time

Monday, September 11, 2023, from 10:00 a.m. to 12:00 p.m.

Location

Held online

Members present

Chairman

Hiroshi Esaki (Digital Agency Senior Expert, Architecture)

Member

  • Yusaku Okada (Professor, Department of Industrial Engineering and Management, Faculty of Science and Technology, Keio University)
  • Keiko Ogawa (Banking Capital Market Leader, Regtech Leader Partner Certified Public Accountant, EY Strategy & Consulting Co., Ltd.)
  • Tsukasa Ogino (Representative Director, Important Home Appliances Coordination Security Council)
  • Makoto Kato Hei (Designated Associate Professor, Graduate School of Information Science and Technology, University of Tokyo)
  • KAWAHARA Yoshihiro (Professor, Graduate School of Engineering, The University of Tokyo)
  • Yumi Kawabata (Journalist Strategic Innovation Specialist)
  • Taro Shimada (Representative Executive Officer, President and CEO, Toshiba Corporation)
  • Shinji Suzuki (Director, Fukushima Robot Test Field, Fukushima Innovation Coast Initiative Promotion Organization, Project Professor, The University of Tokyo Institute for Future Initiatives)
  • Takao Someya
  • Keisuke Toyoda (Project Professor, Institute of Industrial Science)
  • Takao Nakagaki (Professor, Faculty of Creative Science and Engineering, Faculty of Science and Engineering, Waseda University)
  • Ayumu Nagai (President and Representative Director of Astamuse Co.)
  • Masanori NEMOTO (Japan Business Federation Consultant)
  • Daiyu Nobori (Director, Information-Technology Promotion Agency, Japan Cyber Engineering Laboratory)
  • Kenji Hiramoto (Director of Information-Technology Promotion Agency, Japan digital infrastructure Center)

Overview

SUGA Director: It is time, so we will open the 6th Technology-Based Council for Promotion of Regulatory Reform. This time, all members are invited to participate online. We will have time to exchange opinions in the second half, but as before, we would like to ask for your opinions and questions at any time during the explanation using the Webex chat.

I would now like to ask Chairman Esaki to lead the proceedings. Thank you very much.

Chairman Esaki: Now, I would like to begin the proceedings. The proceedings of the sixth meeting are as you have just seen. First, the secretariat will report on the changes in the committee members. Next, the same secretariat will explain the progress of technology-based regulatory reform and how to proceed for the time being. Next, Mr. Okada will talk about technology strategy innovation management in public services "Based on the experience of the first phase of SIP." After that, the Cybersecurity Division of the Ministry of Economy, Trade and Industry Commerce and Information Policy Bureau will talk about the Ministry of Economy, Trade and Industry's measures for cybersecurity. Lastly, we will have time for you to freely speak, ask questions, and exchange opinions on all of today's agenda.

First of all, then, I would like to ask the Secretariat to report on the change in the membership of this Committee.

SUGA Director: Please refer to Document 1. From this time, Mr. Kenji Hiramoto, who has become the director of the Information-Technology Promotion Agency, Japan digital infrastructure Center, which was newly established this year, will be joining as a new member. Mr. Hiramoto, I look forward to working with you in the future. That's all for my report.

Chairman Esaki: Mr. Hiramoto is also working in Digital Agency, but we will be working together again. Thank you in advance. Regarding greetings, etc., I would like you to briefly introduce yourself when you speak in questions, etc.

Next, the secretariat requested a report on the progress of technology-based regulatory reform and the way forward for the time being.

SUGA Director: Next, as always, I would like to report on Exhibit 2, which is the progress we have made so far in considering a technology-based regulatory reform and how we should proceed going forward.

Please turn over one page, here is the summary of the committee, and the next page is the whole picture for your review. The next page is the agenda. We have had various discussions over the past five sessions. First, regarding the technical verification, I mentioned that public call will be conducted from the first to the third round. Both have been implemented, and I would like to report on them.

Second, we've had a lot of discussion about the vertical and horizontal axes of the technology map. We would like to proceed in this way for the time being, so we would like to consult with you on a definite plan this time.

The third one is a technical catalog. In particular, the biggest point this time is that we will receive a presentation from the Cybersecurity Section of the Ministry of Economy, Trade and Industry. We received an indication that we should add items related to cybersecurity in the catalog, so we would like to make a proposal for that. Based on the addition, we will also report how we will conduct the catalog public call as needed in the future.

Lastly, as we have started to operate the consortium, I would like to report on it and propose a date for the first event, RegTechDay.

First, I would like to talk about the technical verification project. As I reported before, the ministries and agencies responsible for regulations said that technical verification was necessary for 1043 provisions out of 10,000. By summarizing them, it became clear that they could be broadly divided into 14 verification types. In accordance with those 14 types, we were coordinating the procedures for the demonstration with the joint names of the ministries and agencies. Among the ministries and agencies in joint names, as I reported last time, representatives from local governments came to Oita prefecture to do it together. The number of applicable provisions is the number of provisions in Oita prefecture in parentheses next to the number of provisions of the national government. As a whole, there are quite a lot of types that are shared, and in the end, there are some that have to be done separately.

Regarding the five types in red, which were the first technical verification public call in the first phase, we have already completed the public call, which is responsible for the technical verification, and will start the demonstration from now. The second phase is shown in blue and the third phase is shown in yellow. In both cases, public call was carried out from June to August. We have already completed the public call and will start the demonstration from now.

The next page shows the types, an overview of the technical verification, the specific provisions of the laws and regulations subject to the verification, and a list of the specific technologies for the actual performance test. For each type, we first coordinated with the ministries and agencies responsible for the regulations on the detailed specifications that we wanted the functions to be confirmed, and made a public call. We are now at the stage where the public call of the operators who will lead the verification has been completed. From here on, we will have a dialogue with the operators and the ministries and agencies responsible for the regulations, establish the details of the specific method of proceeding, and gradually enter the actual verification. Although it is an extremely costly process, we are proceeding with each of the ministries and agencies very carefully one by one.

The first and second parts have been explained so far, so I will skip them. The third part is from page 11, and the last part is the summary. It was conducted in the summer when the public call period was from August 4 to 25. For example, in Type 2, regarding the regulations that require regular inspections of facilities that exist under the ground surface or in places where contact is impossible, using non-destructive inspection technology, you will be asked to verify whether the technology can be substituted. Type 4 is a part of the regulations that require visual confirmation of the presence or absence of defects and deterioration of equipment and devices inside and outside the facility, which can be substituted with sensors.

From the next page, we will challenge whether it is possible to use IoT and sensors as a technological substitute for regular inspections of the operating status of facilities, and whether it is possible to replace regular inspections based on collected samples with continuous inspections for type 10 environmental information such as air and water quality.

The next time I will be able to give you a detailed report, it will be at the stage where we have started this kind of verification, so please give me some time.

From the next page is about the technology map. It's on page 14, but first of all, it's on the vertical axis. The technology map that we are used to seeing originally, as written in the lower right, is arranged vertically with 7 types and representatives of the analog regulations we are talking about. We wrote down the common function for it, and we roughly mapped what kind of technology has the potential to replace what kind of function.

On the next page, as I explained last time, the structure of the regulations has a purpose, and in order to achieve that purpose, the structure is such that what kind of function will be satisfied by what kind of means. So that the structure can be represented on the map as it is, list the regulation purpose and the means to achieve the regulation.

The next page shows the basic structure of the regulations. Very interesting things have come to light. After having Mitsubishi Research Institute analyze all 10,000 provisions extracted through digital screening, we have come to know that all regulations have almost the same structure. First, the purpose of the regulation is at the top, and at the bottom, there are the subject of regulation and the subject who wants to ensure safety. Someone acquires information and data on this subject of regulation. Whether it is healthy, deteriorated, rusted, or cracked, someone acquires such information. Then, the acquired information is transmitted to someone. Next, these pink decision-makers come in and make a decision on whether the situation is bad or not. The decision result is transmitted to the next response body. Based on that decision, the received response body will deal with the situation, such as immediately starting repairs if repairs must be done quickly. Of course, the same body may play several roles. Basically, all regulations require a loop of acquiring data, making decisions, and responding accordingly.

Next page. Based on the basic structure of this regulation, the horizontal axis of the technology map should be organized into input, process, and output according to the IPO model. In other words, first, the data to be managed is acquired, securely transmitted to a remote location, and then judged as the next phase. According to that judgment, the final output, response, and response will be made. With this structure, I think that almost all regulations can be plotted well.

On the next page, we asked you to check all 10,000 articles and clauses for the description rate of each element. In short, we asked you to check what data is read by whom, how it is judged and communicated, and how much of each element can be read in the articles. Red and warm colors have high description rates, which means that something close to green is almost impossible to read in the articles. For example, there is a regulation that requires the manager to confirm the situation of a specific place by a qualified person, but how to respond to specific cases is probably confirmed in the contents of the test, so it cannot be read by looking at the articles of the regulation. As a result of the analysis, we found that some of the information on the subject of management and judgment on the left side of the table was mostly confirmable or analogic in the wording of the articles.

Based on the above structure, the concept of the vertical axis is from page 19. In the previous technology map, seven keywords and seven types of analog regulations were placed on the vertical axis so that it would be easy for the ministries and agencies in charge of regulations to understand. In order to correct this and improve the coverage, according to the structure of the regulations mentioned earlier, it seems to be better to broadly classify the "management targets" with the highest rate of description as the main axis. What kind of data should be acquired for what kind of management targets are written in the provisions, what kind of judgment and response are expected, and so on. This is the pattern 1 of the vertical axis.

Regarding Pattern 2 on the vertical axis, there was an opinion that it would be easier for the ministries and agencies with regulatory jurisdiction to find their own place to look if it was linked to the keyword of the regulatory type as in the previous proposal. Therefore, we will continue to maintain the structure and use Pattern 2 on the vertical axis. For the time being, while maintaining Patterns 1 and 2, we received difficult points last time, and we are now in trouble at the secretariat, but we would like to consider various additional patterns.

From the next page, if you match the pattern of this vertical axis, it will be a map like this. It is assumed that you will see it on the Internet, and it is not supposed to be contained in one sheet of paper, so it is very difficult to see. When it is put out as a table, I would like to make it a little bigger so that everyone will be motivated to see it, but if you enlarge it, I think each part is made quite finely. If you plot the technical information we know at the moment on the vertical and horizontal axes we proposed, it will be a map like this.

Now, what should be behind each technology plotted on the technology map is the technology catalog. From page 23, we will talk about the catalog, and the first one is about cybersecurity.

As for the process of creating a technology catalog, we were going to make several rounds of public call on specific fields, asking for information on technologies that could be applied to these fields. We originally proposed that information to be published in the catalog be proposed by technology-holding organizations, and that Digital Agency would perform only a minimum check on the received products and services to see if they are already available on the market, and then immediately publish them in the catalog and put them on the table with a focus on speed. This time, as shown in blue on page 24, we would like to add a new process called "prior confirmation of public call results". We received many opinions that we should check from the perspective of whether the proposed products and services are sufficient to be recommended. Based on this, we have established a "Technology Catalog Operation Task Force" on the information on the provided products and services, and we would like to change it to a format in which the information is published in the catalog after the minimum confirmation of cybersecurity and supply chain risk management.

To be specific, it is the next page. The situation of cybersecurity and supply chain risk management will change from time to time, so rather than always doing it this way, we will flexibly change the operation while monitoring the situation both globally and domestically as needed. Originally, if something happens when the products and services listed in the catalog are adopted, it would be difficult for Digital Agency to take on the accountability. Therefore, we would like the person who procures them to carefully confirm it, and we plan to clearly state this in the rules. On the other hand, this catalog will be published on the Digital Agency website as a catalog linked to the technology map that Digital Agency will develop based on laws and regulations. Therefore, we would like to take the following additional measures to ensure minimum trust and enhance the information provided.

First, the "Technology Catalog Operation Task Force," which I mentioned earlier, will be established under this committee. Before the technology catalog is released, we would like you to confirm the information you have entered. The members will be determined with the approval of the chairperson, but they will not be disclosed.

Also, when we make a public call of the technology, we have prepared a lot of questions as items to be listed in the catalog, and we would like to ask you to add more questions to enhance the items related to cybersecurity and software supply chain risks. In particular, regarding the protection of personal data, we have received a suggestion that we should at least ask for information such as where the storage location is, whether encryption measures are taken, and where the jurisdiction is. Also, regarding software supply chain risk management, we would like to ask about the characteristics of the software and how security measures are taken based on those characteristics.

On the next page, the idea of the additional items is that if even one item is omitted, it will become a security hole, so I would like to conform to some kind of comprehensive guidelines that are accepted in the world as much as possible. Including security measures in Japan, definitions of important software and five security measures for its use issued by the National Institute of Standards and Technology in the United States, and 11 minimum standards recommended for software verification are generally accepted and referenced in the world. Based on that, we selected the minimum items while considering the ease of entry for applicants.

The next four pages contain a list of specific additions.

Next is the confirmation of the specific implementation status of software verification. We tried our best to make sure that you can check both of them with the checklist. The chairperson also pointed out that we should always confirm whether the Supply Chain Risk Management is fully covered, so we organized the list. At the stage of application, it has not yet been decided to use the technology, so we have decided not to ask anything that we do not need to ask that much. If you can comment on this, please do so.

As mentioned above, we have been working to enrich the security question items, so the second catalog public call has already been decided as a visit for viewing and inspection, and a list of questions has been prepared, but we have been waiting for the implementation for a while. It is 32 pages, but we are finally planning to implement this second catalog public call in September with the addition of the above security measures. After the public call, we will be able to publish the catalog after October. The questions in the catalog itself, except for the security part, have not changed from the last time.

We will continue to develop the catalog after the third meeting. We will also conduct technical verification, and if it is found that the technology can be substituted as a result, we will review the regulations after that. It will finally be possible to procure the technology from there, and it will take some time for the types that require technical verification, so we would like to first develop the catalog focusing on the parts that are said to be no longer necessary for technical verification and that can be used if they have the technology.

From that perspective, on the left side of page 33, there are provisions that require technical verification. There is a technical verification that Digital Agency compiles and implements, and a technical verification that each ministry and agency is supposed to conduct on their own. These two are the 1043 provisions that require technical verification. Other than that, on the right side, there are 10,000 provisions that do not require technical verification. We are thinking of developing a catalog for the majority of about 8600 provisions in advance.

For the third and subsequent catalog public call, which are listed from the next page, I have asked MRI to do the hard work of plotting all 10,000 provisions in accordance with the newly created vertical axis. By making use of the results, I would like to compile them for each type of public call. Preparations seem to proceed quickly, for example, with visual observation. It is a type of regulation that says we should confirm the status of construction, aging degradation, safety measures, etc. by visual observation and lookout. It is also a type of regulation that says we should fly drones, etc. to grasp the status of utilization and damage in large areas of outdoor environments. It is also a type of organizational management that says we should confirm operational management and operational status through field surveys, etc. I think these three will be included in the technical catalog public call in Part 3.

A little later, in the 4th and 5th meetings, we may start regulations other than visual observation. We will check construction and aging degradation by means other than visual observation. Then, the last category of catalogs is measurement and analysis, and the challenge is how to cover the objects to be controlled. Since measurement and analysis of various things are required by regulations, it is necessary to organize how to classify them and request information. We will postpone this for a while, but I would like to start the catalog public call sequentially. From page 35, we have positioned each of the catalog public call categories in the technology map list.

This is the last part. From page 40, we will talk about the start of the operation of the consortium, RegTechDay. We have talked about the RegTech Consortium several times. Through this map and catalog, the Digital Agency will not stay in the middle and connect information. Instead, we would like to build a relationship in which the stakeholders of maps and catalogs, such as technology-holding organizations, regulatory ministries and agencies, and organizations subject to regulations, can directly share necessary information at any time. Based on this idea, we would like to create a relaxed community. This is what we are proposing.

On pages 41 and 42, in this consortium, I would like to see networking of related parties, provision of information, opportunities for learning, and a place where people can learn about what cutting-edge technologies are being unlocked as needed.

On the next page, the RegTech Consortium has quietly started its operation, and more than 100 people have already registered before we hold any event. The consortium itself is a community, so we have set up a Slack to deepen various discussions. We have named the launch event of the consortium RegTechDay, and we would like to hold it online from 1 pm to 3 pm on Friday, October 27th this year. There are figures showing that the economic effect in review of analog regulations is 3.6 trillion yen, but in the first place, what kind of analog regulation is there, what kind of technology will be available in the future, or what kind of technical verification is being done now, etc. We hope that the event will be one where people can easily gather information and connect with the people concerned. If you could reserve this time for the committee members, we would be grateful to have various consultations from the secretariat in the future.

Page 45 is the activity schedule of the consortium. As I showed you last time, it has been updated with the schedule and so on. Starting with this RegTechDay, we would like to continue to plan study sessions, pitch contests, matching events, etc.

The schedule for the future is on the last page, page 46. It has been decided that the map will be released in the summer. In September, the end of the summer, we will launch the first version of the map with the vertical and horizontal axes finally decided. Also, as I mentioned earlier, following the first and second versions in public call, we would like to release the technology catalogs in public call one after another in the form I just described. Although the technical verification is in the phase of growing pains, the operators have finally been decided, and we will have them conduct the technical verification one after another. During this time, we would like to create a consortium community and liven it up.

This is the report from the secretariat.

Chairman Esaki: Thank you very much for your report. I think there are already a few questions that I would like to ask you. After receiving two more presentations, I would like to receive your opinions and questions at the end. I hope you can understand that the secretariat has been working with great difficulty.

Next, Mr. Okada will explain the "Technology Strategy Innovation Management in Public Services Based on the First SIP Experience."

Tamaki Okada: Thank you very much for your time today.

In the first phase of SIP, I worked as a sub-PD for the introduction of new civil engineering-related technologies, which you just mentioned, for about four years, especially in the area of exit management. In the first year, I was involved in another project, so in the last four years, I also supported the output of actually developed technologies.

Among them, the four matters that I wrote on the last page are the parts that I had great difficulty in exposing the completed technology. The secretariat side has spoken about it including the catalog, and I feel that what we had expected has improved considerably. I believe there are some overlaps, but I would like to talk about my concerns based on my experience during the previous SIP1. As it is a matter that I would like to talk about including my various experiences, I will summarize it on this slide.

The reason why it originally started as infrastructure maintenance management is in the upper left of page 2. In fact, there are 700,000 bridges and 10,000 tunnels in the country. However, 85% of them are owned by local governments. This means that they are not so-called paid. In that case, the maintenance and management of them will be paid by so-called tax. It has been said for more than 10 years that the tax is no longer equivalent to the amount of stock. As seen in the Sasago Tunnel incident, it has been said that unless the maintenance and management of infrastructure is done properly, it will have an enormous impact on social safety. In reality, the number of bridges that cannot be maintained and managed is increasing, and some local governments are using a term such as triage. There are some bridges that have no choice but to close the road and stop using it if it really gets worse.

Based on this, the first phase SIP infrastructure started in 2010. In this SIP infrastructure, new technologies will be developed, as you mentioned here, focusing on so-called digital technologies to respond to these social issues. About 60 teams have been developing technologies.

However, even in the middle of the process, there was the accident in Genoa in 2018. In fact, even in the infrastructure of such towns, if traffic regulations cannot be imposed and maintenance and management cannot be promoted, the situation will become like this. As you can see, infrastructure accidents continue to occur in many countries around the world. In addition, some places are actually having a major impact on social life, so I think it is progressing as an extremely urgent issue.

On the other hand, when you think about that technology, on page 3, this is a graph of MOP, which you often see. The horizontal axis is TRL. Recently, the term BRL has come out, but it is about raising the so-called technical level. What is actually being conducted at universities and research institutes is centered on the left side, which is called basic research and applied research. In fact, in the case of current SIP, when research enters at the stage of public call, it usually selects excellent research in this area. When it comes to actual exit, it is necessary to target the practical application and commercialization on the far right, which is around TRL 7, 8 and 9.

However, in this area, particularly in the latter half of the second year of SIP, there was a need for the Secretariat to support the raising of TRL in this area. Since then, various efforts to support the so-called social implementation of SIP technology have been carried out at the center of the project team in the Secretariat. Recently, researchers at RIKEN and AIST have been told to make such practical application and commercialization their final goal. So, we have to go there. However, even if we just told each research team to go this far, they could not go there. This was also the case in verification test as mentioned earlier. The reality is that it does not work well even if we say this is a condition and leave it to each development team. In fact, the need to support the raising of TRL in this area has emerged on the Secretariat side. Since then, various efforts to support the so-called social implementation of SIP technology have been carried out at the center of the project team in the Secretariat.

In this context, the so-called output is often mentioned, but when I think about the business model shown on page 4, BtoB and BtoC are often mentioned. In any case, we often develop products in such a way that if we produce good products, they will sell, if we produce good products, people will buy them, and we can reduce costs. Earlier, I mentioned that in the case of infrastructure, there are many bridges and tunnels that are not charged. If the money that is actually used comes from taxes, it is different from so-called BtoB and BtoC.

At the very bottom, it is written as BtoG, and there are some problems that need to be solved in such a business model. To put it plainly, for example, local governments often say that they settle accounts for a single fiscal year. In that case, when considering mid- and long-term budgets such as maintenance and management, even if I understand in my mind that, for example, if I pay one million yen now, it will be cheaper for 10 years, the so-called person in charge cannot do it within my authority. In this way, the fact that it is difficult to accept the mid- and long-term idea has emerged as a very serious problem. A typical example is cost reduction, but people are very happy that the cost will be reduced this year. However, the idea of investing now to reduce future costs is difficult to open the wallet even if the logic is understood.

Another important point is the function requirements. In fact, it would be good if we could consider the ordering requirements. There are some places where it would be good if we could do this. However, if we do not actually set up the function requirements, "cheap and bad" will be chosen, which is a bad word. Therefore, in fact, if we do not think about ordering performance to some extent, good products will not be bought and cheap products will be bought. There have been many cases where the incentives and motivation of people who introduce new technologies have been damaged. For this reason, we call it BtoG. Rather than studying the so-called way of general local administration as it is, we have come to think that it is important to look at the way of introducing new technologies, including the way of local administration, and give ideas to the way of introducing them in various ways.

After that, when we actually introduced a new technology, we made a catalog of the contents created by the R&D researchers in the SIP area, but it seemed to have a very bad reputation. It was in the form of a so-called conference proceedings, and there were difficult terms that only experts could understand. For example, local government officials said they didn't know what was good, what they could do, or what was different from what they had done before.

So, as in the headline, we wrote down our sales points and products. By asking what we could do, we were able to recreate our approach from the reader's point of view. However, it is difficult to ask researchers to do all the work. We reassembled a team of people who are good at this, and reviewed the contents and contents of the catalog. In addition, we incorporated feedback from users and from the actual verification test.

For example, regarding the inspection of corrosion conditions, apart from what was originally proposed, there was a government that saw it. For example, there was a need from a local government that a utility pole had been corroded by dog urination in a park, and it worked well. In the actual demonstration, there will be various ways and possibilities to use it in various ways. While looking at these things, we also took the form of updating it by including various information on where it can be used.

Multicopters, so-called drones, also have various technologies and features. It is easy to show that this can be done by taking images with a camera without visual inspection in a drone. When it comes to actual bridges, for example, it is strong against wind and weak against wind, it is strong in the sea and strong in the mountains, and in various ways, drones actually have strengths and weaknesses. Unless we show these strengths and weaknesses and actually verify them with some combination of techniques, especially for large bridges, it is difficult to cover everything with a single drone. It has also become necessary to model something like a combination of new technologies.

There is also a device that can determine the state of corrosion and cavities in a tunnel by using a laser to see the overall state while a car is actually running in a tunnel. This was completed at a very early stage, but in fact, the big problem was that China actually built a similar one. Because it was run in China, it led to a decline in international competitiveness. Of course, this is better in terms of performance, but as I said earlier, if performance requirements and performance orders are not firmly established, if even a small grasshopper technology comes in, it will be defeated. In order to support new technology, if we do not firmly evaluate the performance of new technology and make it possible to order performance, people who make good products will be hard pressed.

In terms of laser strike sound, there is a device that analyzes the sound emitted by the laser, rather than capturing images. Currently, including the second and third stages of SIP, it is a technology that has achieved very good results. However, as I said earlier, it will not work well unless we show not only the demonstration of the technology but also where there is a market for using this technology, including in what state and where it can be used for actual use.

As a similar example, there is one that performs both hammering sound and image analysis at the same time in a tunnel. It was developed by attaching various measuring instruments to the guide frame. It is said that the one that can measure while driving in the middle of the road is troublesome because traffic restrictions are imposed. This system does not require traffic restrictions, so we initially promoted it as an extremely high-level new technology. However, when it comes to actually using this, the police say it is unprecedented. Even if it is said that it is okay without restrictions, it will be a problem if something happens, so they want restrictions in the end. In a sense, it has also reduced sales. It is good to conduct a verification test because it is difficult to use it without precedents. However, if the verification test is used as an experimental facility, they will be afraid to do it at the first stage in the actual field. It is not just used in the so-called experimental field. It is very important to find a cooperative local government that will use it in a proper place and build a track record there.

There is also a way to measure the actual state of land subsidence by using a laser from a satellite. By collecting information from a flying satellite and analyzing it, we were able to implement it from an early stage. However, one major problem was who the collected data belongs to, and in particular, if the land subsidence is revealed, it will cause social anxiety. In fact, the data based on the contract with this company has been progressed in such a way that the people of the infrastructure have not taken it firmly and revealed it. If the data is closed in this way, it cannot be used as training data for AI, for example. It is difficult to use the collected data for future learning.

As is the case with data collected by drones, when it comes to data for maintenance and management, some people still want to keep it closed. Unless we look at the scope of opening and closing of the acquired data, such as opening up a certain part of the data rather than opening up the data or a part of the data to be truly open, it is easy to close the data if it is too safe, and there is a psychology that does not want to open it. In fact, as a digital technology, we cannot deny that the effect will be halved. Therefore, it is important to consider the opening of data, including who will manage the data actually collected in such a place and who will firmly utilize it, as mentioned by the consortium earlier.

So, I introduced several technologies now. There was a trend to consider the exit of such technologies. For these technologies, among the stage gates, not only the evaluation of the actual technology, but also the evaluation of the exit as I just mentioned, the evaluation of TRL as I mentioned at the beginning, was also conducted. What was interesting when I actually did it is the upper right part of page 6. At first, I thought that the development technology and the exit strategy were not linked very much. We actually evaluated as a stage gate at the end of the third year, and this is a graph of the averages of the evaluations by about 30 people each. When you actually look at it, the development technology and the exit are very linked. As expected, as the level of TRL rises, the evaluation of the development technology actually rises. I don't know which comes first, but it turns out that raising the level of technology, the so-called international competitiveness, actually increased the international technological capability. As a researcher, I thought that I would lose interest at about TRL 5. However, it came out that by showing these things well, raising TRL will also cause breakthroughs as a researcher, which can be an incentive for researchers in more ways.

As for the technologies I mentioned earlier, local governments are the final source. When we thought about how to support the technologies created in local governments, we made a proposal to have local universities become the main players. In fact, when the people and universities in Kasumigaseki and the Kanto area left, there were some that were not appreciated in various ways. Local governments are also carefully considering cooperation with local universities. They should think about such cooperation, and the most important thing is to maintain and manage the technology rather than passing it on. Even if the technology is new at the time, it will inevitably deteriorate. Therefore, it is important to maintain and manage the technology and develop human resources to use the technology. In these two points, I think local universities are very important as the main players. We want the people at local universities to work hard as the main players even after the end of SIP, so we are promoting the introduction and recommendation of such new technologies in the local university network with the current Japan Society of Civil Engineers at the center.

Under such circumstances, as I said, local universities were originally connected with these local governments to develop human resources, pass on technologies, and maintain and manage infrastructure in various forms. In response to this, as shown on page 7, various technologies will be developed in the SIP infrastructure, but they will be disliked if they are brought as they are. In the old days, a liquor store became a Seven-Eleven, and each local university will be included in the team in the form of the SIP infrastructure. In such a network, local university people will host events to introduce their own technologies, technologies developed in the SIP, and technologies introduced by the Ministry of Land, Infrastructure, Transport and Tourism in various forms. This is what we thought and proceeded.

In addition, as shown on page 8, we have provided business support for projects that have attracted the interest of consulting companies and local industries.

In a place called Beta-Fumihashi in Tottori prefecture, we used various drones and cameras, and conducted a verification test to evaluate combined techniques. What was the best thing about this verification test? When something was not easily used in the field, once it was found that it had been used in the field, the so-called social recognition for these products increased. I think it was very good for the SIP side that they found a place to use it in this way. Also, by actually using it in the field, we moved toward a state where several technologies could be used in other infrastructure more and more.

As I said, on the last page, it is very important to make data open. If we are not careful about how open it is, people who already have infrastructure and facilities will feel very uneasy. In fact, they think it is only for the facilities. Therefore, it is necessary to consider the opening of data in this area in the future. I think it is important to look at these issues, including local governments.

You mentioned verification earlier, but beyond that, certification will be important. As I just mentioned, it will be difficult to use the technology as a first launch unless someone certifies it. It will not be a complete certification, but the extent to which it certifies that it is safe will be one of the important points in proving the technology.

In the same sense, especially with the introduction of AI and automation, it is true that there will continue to be very delicate issues such as who will take responsibility when something happens, and whether it is the user or the manufacturer. I believe that such legal development and literacy education will become necessary.

In addition, technology maintenance and human resource development will be very important for the continuity of technology in the future. Under such circumstances, I think that looking at how to revitalize the entire region in the form of support for regional universities and regional industry-academia collaboration will lead to the expansion of technology.

Today, I talked about providing information including what I experienced in the first phase of SIP. It was quick and short, but that's all. Thank you very much.

Chairman Ezaki: Thank you very much. Thank you very much for showing your experiences in the architecture field and at the SIP in a very clear, unambiguous, and compact manner. Regarding the progress of the secretariat this time, from that point of view, as you said at the beginning, I think there are still some areas that have been left out from your experience. I would appreciate your suggestions and opinions in the Q&A session in the second half. Thank you very much.

This is the third and the last explanation for today. Mr. Tsukamoto from the Cybersecurity Section, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry will explain the Ministry of Economy, Trade and Industry's cybersecurity policy.

Tsukamoto, Deputy Manager: Thank you very much for your time today. I am Tsukamoto, Deputy Manager of the Cybersecurity Division, Ministry of Economy, Trade and Industry. Today, I would like to explain the cybersecurity policy being implemented in the Ministry of Economy, Trade and Industry, especially the guidelines and such things. As it was mentioned in the material released by the secretariat of the Digital Ad Hoc Administrative Research Committee, there are some parts about cybersecurity that could be used for cooperation or reference. I would like to explain mainly about those parts.

Today's table of contents is like this. First, I would like to introduce trends in other countries, and then second, I would like to introduce what efforts Ministry of Economy, Trade and Industry is making, particularly in the areas of creating guidelines and creating systems. Specifically, I would like to introduce IoT security, software security, control system IoT security, and data handling security.

First of all, as a trend of other countries, it is the United States. The United States has just announced its cyber strategy in March 2023. In a part related to today's theme, the third pillar, 3.2, is IoT, and 3.3, is software. The United States is developing a security labeling program for IoT, which I will introduce later. As for the software part of 3.3, it is expected that the United States will increase its responsibility to vendors in the future. In this strategy, it is written that the United States must start to hold companies responsible for failing to take reasonable precautions to protect their software. As a measure to ensure this, it is stipulated that laws will be formulated to establish liability for software products and services. In the United States, I think regulations on software vendors will be developed more and more in the direction of holding them responsible. This is the labeling scheme for IoT that I mentioned earlier.

This is what the FCC announced in August this year. It is expected to start as a voluntary labeling system, and we are now in the process of public comment on its contents and ideas. It is until September 25th. As you can see in the blue part above, we are aiming to start the operation in the second half of 2024.

This is a presidential decree issued in 2021, going back a little bit in time. This has a considerable influence in the U.S. One of the themes is the improvement of software supply chain security. This is written, and various efforts are being made in the U.S. in 2021, 2022, and now. This is a timeline, and it is a reference for what happened.

On the next page, a memorandum of understanding is signed that requires departments and agencies to implement critical software, and OMB requires NIST and CISA to ensure that critical software is updated.

NIST is creating various guidelines. One of them is a framework for developing secure software called SSDF. It mainly consists of four pillars: organization preparation, software protection, secure software development, and vulnerability response. It describes the methods and specific examples. These guidelines have been issued, and OMB, an administrative agency, incorporated them and concluded a memorandum of understanding on the use of SSDF. The content is to require software vendors to obtain a self-certification to prove the conformance of SSDF implementations before using the software. In other words, for software procured by government agencies, we would like vendors to submit their self-certification on whether they are compliant with SSDF. It is like making the guidelines partially regulated. The memorandum has been updated, although this is a procedural aspect.

Next is the EU. The EU is also moving in various ways, and I think it is moving so that the degree of regulation is stronger than in the U.S. Regarding the third point below, which is "in addition to", I think the EU Cyber Resilience Act (CRA) is a considerably important movement.

The law will come into effect in the latter half of 2025. To be specific, all products with digital elements will be subject to the law. There are some exceptions, such as medical devices, but basically all digital products will be subject to the law. It states that self-declaration of conformity or third party certification will be required for compliance with security requirements when creating SBOM and providing updated programs for these digital products, depending on the importance of the product. The maximum penalty is 15 million euros or up to 2.5% of sales. In addition to certification, there will be reporting requirements and various regulations, but if you violate them, you will be subject to very expensive penalties. This law is currently under discussion and will be applied in the latter half of 2025 at the earliest.

This is a reference to the types of digital products I mentioned earlier. I also listed the UK. Regarding the third point, which begins with "Also," this is also a consideration of a law that requires mandatory security measures for IoT products. This is a reference as it lists what is being done, including other countries and states.

In this way, other countries are strengthening regulations on IoT and software security. Ministry of Economy, Trade and Industry is also in the process of creating various guidelines that I will introduce. The guidelines are not legally binding, so I think it is important to see how much we can work to secure them and whether we can promote regulations. I think that reflecting them in digital initiatives, as mentioned in today's discussion, will be one leverage for advancing IoT software security.

Now, I would like to continue by introducing Ministry of Economy, Trade and Industry's initiatives. Ministry of Economy, Trade and Industry's cybersecurity policy is to have industry as a whole take measures to deal with cybersecurity, to help ensure rapid recovery in the event of an emergency, and to engage in a variety of other activities, such as human resource development. Earlier, there were developments in other countries, and today I would like to introduce what kind of systems we are trying to create in response to these developments.

The Industrial Cybersecurity Study Group has been studying the issue in a broad sense, and working groups have been divided to discuss specific issues. This is the review system for the Ministry of Economy, Trade and Industry's cybersecurity policy.

Under the working group, it is divided into various sub-working groups and task forces. In WG1, we first discussed the basis of our idea, which is called the Cyber-Physical Security Framework (CPSF). In a word, when the world is factored, it is divided into three layers: physical space layer, cyber space layer, and the layer between physical space and cyber space layer. The components located in these layers can be decomposed into six components: system, person, object, data, procedure, and system. If these components are reliable as the root of trust and if they are coordinated while maintaining reliability, the security of the world can be maintained. We advocate such values and concepts. These are too many concepts, so we are creating frameworks and guidelines that break them down. This is a reference that we are creating various guidelines.

Next, specific issues related to IoT security. First of all, as background, the number of IoT devices is currently 35.8 billion in 2023, but it is expected to increase steadily and reach almost 40 billion by 2024. According to a survey by Ministry of Internal Affairs and Communications, one third of the observed unauthorized communications are targeting IoT devices. In addition, according to a survey in Japan, 25% of companies have experienced temporary suspension of IoT devices and OT systems due to security incidents and accidents, so IoT seems to be one of the security risks for many companies.

We are doing various things, but first of all, we are considering an IoT conformity assessment system. As I mentioned earlier, the US has started a labeling program. I omitted the explanation, but Germany, Finland, Singapore, and others are also developing IoT labeling schemes. We thought it would be necessary to create such a labeling scheme in Japan, so we set up a study group last November and compiled an interim report on creating a voluntary labeling scheme for IoT products, and we are still considering it.

Ministry of Internal Affairs and Communications partially regulates the Internet of Things in its technical standards, but the equipment is limited and the minimum necessary regulations are written there. This review covers a wider range of Internet of Things, including consumer Internet of Things. In addition, since there are risk levels depending on the IoT, we are considering creating a labeling system according to the risk.

As for a scheme, we are thinking of cooperating with IPA. As we will introduce later, IPA currently has a JISEC certification system that conducts CC certification, but we are thinking of expanding it to cover a wide range of IoT devices, not just CC certification. We have IoT product vendors, and we would like them to evaluate the IoT they make, or for low-risk products, we would like to create a scheme that allows self-evaluation. By doing so, we will define some security requirements, so we are considering a scheme in which we check whether they meet them, and if they meet them, we apply to IPA, and IPA will affix the label.

CC certification and JISEC certification will be further developed from JISEC certification in a narrow sense, and we are considering creating a system that can label according to several risk levels such as ☆1, ☆2, ☆3, and ☆4. ☆1 has minimum standards to deal with low-level risks. The higher the ☆, the broader the threat and the more serious the threat. We would like to consider such a system, and in cooperation with other countries such as the United States and the EU, which I mentioned earlier, we would like to build a system that can be mutually certified. If such a system is established, I think it could be considered to include it in the security check, which was just introduced by the Secretariat of Digitalization.

Subsequently, although similar to the SSDF, we are also formulating guidelines aimed at improving security during the development of IoT devices, etc.

Last year, we conducted various verification tests, including penetration test, on 155 IoT devices from 74 companies in each verification test. As a result, 4,789 vulnerabilities were detected in 155 products, and I once again felt the need to take measures against vulnerabilities. Since 80% of the vulnerabilities were primitive vulnerabilities, such as outdated software versions, I thought that most of the vulnerabilities could be eliminated by taking appropriate measures at the time of development.

Therefore, as a guide for implementing security measures at the time of development, we have created an easy-to-understand guide for SMEs with a focus on SMEs, especially since SMEs lack knowledge and human resources. I will omit the details, but it describes building a system, creating a security policy, carefully considering security from the design stage, and developing and designing with the assumption that security verification will be performed at the time of release. Looking at these, if there is anything that needs to be done, I think it would be an idea to include it in the checklist I mentioned earlier. In short, I think it will be a reference for companies that deliver software to see how security-conscious they are in their development.

Next is the IoT-SSF, the IoT security and safety framework. The IoT labeling system, conformity assessment system, and development guidelines that I explained earlier also ensure security when shipping IoT, but even in the space where IoT is actually used, no matter how much labeling is applied or checked at the time of development, new vulnerabilities will emerge and attackers will target them, so risks will naturally arise during use. It is a framework that takes a broader view of how to manage risks during use.

I will explain the details later, but the first axis for looking at the risk of IoT devices is the degree of difficulty of recovery. In other words, there is a risk that people will be injured by IoT, so it is called recoverability. If someone dies, they cannot recover, so the degree of difficulty of recovery is mapped to a higher position. If it is a minor injury, it will be cured, so the risk is low. That is placed on the horizontal axis. The second is the degree of economic impact. Assuming that IoT is installed in a factory line, if it stops, it will stop for a day and could cause damage of hundreds of millions of yen. The vertical axis is an indicator of how much economic impact it had. On this vertical axis and horizontal axis, the risk of devices can be mapped, albeit qualitatively. This is my first proposal.

This is three dimensional, and I think there are four perspectives from the first to the fourth for managing each mapped risk. The first is consideration at the time of design, and as you go from there to the fourth, there will be more perspectives for sharing risks in society. The fourth is the need to buy something like IoT insurance. It is a framework that shows that risks can be shared from various perspectives.

Various use cases have been created and introduced. To give a simple series of introduction, assuming a case where AGV in a distribution warehouse performs automatic picking, this framework states that stakeholders should be organized, so AGV stakeholders are manufacturers, system integrators, and distribution operators. It is a framework that shows that there are such stakeholders, what risks exist for them, and where those risks occur in terms of the system base, and that these are shared among stakeholders. It shows the concept of what measures should be taken to reduce such risks. It is a framework in which each stakeholder is asked to take measures voluntarily.

One possible explanation in the secretariat's materials is that if the IoT-SSF is included in the security checklist for a self-declaration of conformity, it may be considered whether the applicant is voluntarily managing risk reduction measures by sharing them with stakeholders.

Next is software security, which is being discussed by the Ministry of Economy, Trade and Industry Council and the Software Task Force under the review system mentioned earlier. First, we are compiling a collection of examples of open source software management.

The main focus is on SBOM. You mentioned earlier that SBOM will be mandatory in the EU, but SBOM is a software bill of materials. There are many OSSs in the world, and according to some people, 95% of applications are built from open source. Open source also has Tier1, Tier2, Tier3, and Tier4 components, and I think applications are built by combining components. There is a problem that it is often not managed, and vulnerabilities are not managed. Even if an attack is made based on vulnerabilities, it may lead to a delay in identifying the cause. Therefore, SBOM is a method of managing the breakdown of software components, such as who created them, what version they are, and what vulnerabilities they have. This is a method of vulnerability management that is attracting increasing attention in both Europe and the United States.

Ministry of Economy, Trade and Industry wants to promote this as well, and last year, we conducted demonstrations in cooperation with the automobile industry, the medical device industry, and the software industry. Since the tiers are wide, we have conducted demonstrations on how to divide them and efficiently manage vulnerabilities. Based on these demonstrations, we formulated the "Guide on the Introduction of SBOM for Software Management" in July this year. For the utilization of SBOM, this guide describes the concepts and procedures for operation, such as how to build the system, how to create the SBOM, and how to share the SBOM with related parties, and it has been published.

This year, we have been conducting verification tests, and SBOM is a tool for managing vulnerabilities. Of course, various vulnerabilities emerge day by day, and more and more of them are registered in NVD and JVN. When these databases and SBOM software automatically work together, vulnerabilities raised in JVN are automatically reflected in SBOM, and software developers and Tier1 and Tier2 parties can all understand and manage vulnerabilities. We are also conducting verification tests to link such vulnerabilities.

We had a checklist about software management earlier, and depending on how strict it is, I think one of the considerations will be how much SBOM has been considered.

For your reference, SBOM is being discussed not only by one country or one area such as the US and the EU, but also in multilateral frameworks such as the Quad. One of the documents in the summit declaration in May this year is cybersecurity, and one of them is the Joint Principles on Software Security, which is similar to what is written in the SSDF, especially the SBOM. The significance of these measures, the significance of managing vulnerabilities, and the significance of using SBOM are being discussed in multilateral frameworks such as the Quad.

Next is OT security. We have a factory SWG, which is chaired by Professor Ezaki. We established it in January last year and published the guidelines in November last year after repeated discussions. It is difficult to show just how good it is because of the wide variety of factories, but these guidelines present the values of building a system by understanding the size of the factory, the equipment and systems that make up the factory, and the number and ability of the personnel that make up the factory, and of planning what measures must be taken to protect the values that the factory wants to achieve, and they also present the process by which this can be done.

This was also released in November last year, and it is now being used by many people. There are a wide variety of factories, and I think that countermeasures may differ depending on the industry, so I would like to set up a mechanism to promote countermeasures in each industry.

The third layer TFs are related to data security. The Layer 3 TFs introduced earlier are frameworks that qualitatively sort out what kind of stakeholders there are when data is exchanged, how each holds the data, and what kind of risks there are.

This is called the Data Management Framework. For example, in the case of POS data for retailers, sales data is first registered at the cash register and the daily sales are aggregated on the computers in the physical store. It is further aggregated to become data for each area. The flow of such data and the state of each piece of data, which are called attributes, are first organized. The term "place" may violate laws such as the Act on the Protection of Personal Information. For example, if data is transferred without being concealed as personal information, it may violate the Act on the Protection of Personal Information. Alternatively, if there is a vulnerability in the process of transferring data, it may be compromised on the network and lead to the leakage of personal information or data. There are such security risks. We have created a framework that qualitatively represents the state of data, where there are risks, and how they are managed. I think it is useful to understand the risks of handling such data, as the secretariat of the digital system has just introduced the handling of data.

In this way, we are building guidelines and frameworks that will allow us to cooperate with the part that the Secretariat of the Provisional Digital Administration Investigation Committee is trying to advance, and I hope it will be one of the materials for consideration. It was very quick, but thank you for your attention.

Chairman Ezaki: A very diverse range of discussions are under way, and since specific guidelines and labeling are also being discussed, I believe that we must proceed in a manner that is consistent with the considerations in Digital Agency. I also believe that there were many points that are very relevant to the experience that Member Okada just explained.

Chairman Ezaki: I have finished the explanations I have prepared for today, so now it is time for the exchange of opinions, which is the main subject of today's discussion. If there are any opinions or questions from the members regarding today's discussion, the way of proceeding with future discussions at the committee, requests for future presentation opportunities, etc., please let me know.

Shimada:

Chairman Ezaki: In particular, regarding the issue of transparency, I understand that you are concerned about the possibility that not disclosing the information will turn it into a haunted hall. I would like to hear the response from the secretariat first.

SUGA Director: On page 25 of Document 2, member Shimada agreed to establish a TF and strengthen the checks to some extent, but on the other hand, he expressed concern that it would be a problem to keep the members private, that is, there would be more things that are not in the catalog for unknown reasons. On that point, if possible, we should start with non-disclosure, share the data on the percentage of failures with everyone here, and if the method is not good, I think we can do it in an agile way by checking if the percentage is appropriate, if it has been dropped too much, or if it has been squeezed too much.

The reason for the non-disclosure is that it is not desirable to put any pressure on the faculty members. Since the human resource pool of those who can serve as members is very small, the system itself will not be sustainable if they decline. Therefore, I would like to propose that the secretariat start with a heavy responsibility. What do you think?

Another point, regarding the commitment of the ministries and agencies responsible for regulations at the time of the technical verification, I believe that by conducting the technical verification this time, the ministries and agencies responsible for regulations are already deeply committed compared to ordinary procurement cases. In the specifications, we have written in quite detail what specific function and performances we want to confirm. Among them, I think there are some parts that have not been translated into language until now. As pointed out by Mr. Okada, if we do not carefully check the performances, cheap and low-quality technologies will come in, and honest people will end up making fools of themselves, but there are aspects where language has been considerably developed. On the other hand, the difficulty is that even if the regulations themselves are fixed by the ministries and agencies responsible for regulations, it is not necessarily the ministries and agencies responsible for regulations that procure the technologies. In the case of procurement by subordinate organizations under the jurisdiction of the ministries and agencies responsible for regulations themselves, we would like to request them to connect to procurement by all means. On the other hand, if the regulations are opened and companies that are in compliance with the regulations actually start procurement, I think we can ask the ministries and agencies responsible for regulations to send a signal that they do not mind the adoption of the technology, and to communicate that they will take many steps forward. I think we can ask them to do as much as possible to follow up on when the technology was actually adopted as a result of the technical verification. If there is good wisdom, I would like to receive advice.

Shimada: In that sense, I think there is also fairness in procurement, so I think the certification system is the key.

Chairman Ezaki: In terms of transparency, it is a major policy to provide processes and data. Regarding the non-disclosure of people who check it, I was explained that it could be a hybrid form.

Member Hiramoto: I will participate from this time. Nice to meet you. I am at the digital infrastructure Center, and Director Saito Architecture has been participating so far, but I decided to participate in order to get closer to the technology.

When I saw the materials this time, I thought it was wonderful that the map was very complete and the technologies were listed.

As a matter of fact, we at IPA have experience in creating a technology catalog called the Technology Reference Model and an OSS catalog in the form of OSSiPedia, so I will talk about it from there. The technology catalog has momentum at the start, but if we don't do it while receiving feedback, the technology will spread and it will be difficult to maintain, so I thought it was important to think about the operation cycle properly.

At that time, there were two points that I felt. Looking at these technologies, I sometimes wonder what kind of companies are the companies that release products. If you can jump to a site where you can see corporate information such as gBizINFO from a corporate number, or if there are many similar technologies, you may be pointed out that there is a problem of fairness if the information displayed on the top is always the same. Therefore, I think it is necessary to create multiple types of sorting methods.

Also, as I mentioned earlier about feedback, I think we need a system to receive suggestions and feedback from general technology companies and engineers and make corrections, although the secretariat may add them to the technology map.

Chairman Ezaki: You spoke about your very valuable experience and suggested that we should be mindful of continuing to operate the system.

Member: Looking at today's materials, I think they have been enriched. I have one comment on security. For details, there is a PDF I created while listening to the explanation, so I will explain it with it.
*Described in the "Comments from Members via Chat, etc." at the end

On page 25, there was an item on the protection of personal information and security as information to be input. There was a talk about the jurisdiction of the court. I have a comment on this. Security is not just about safety in cyberspace. From the perspective of Japanese administrative organizations, Japanese companies, citizens who entrust their data to them, and customers, there must be some kind of security guarantee under substantive law. Otherwise, I think it will end up being just an abstract concept.

The part further on page 25 is wonderful, and I think there are three reasons why I have to enter it. I understand that the three reasons are to grasp the risk of default, such as defects of the vendor company, leakage, and inability to retrieve data due to service suspension, to always think about how the Japanese can take legal action when it happens, and to intercept the problem by realizing a situation where the vendor stores the data of Japanese people with great care so that they do not have to compensate by making the vendor liable for compensation when it happens.

If so, as stated in (2), I think that important data is not limited to personal data. If you write "personal data" limitedly, it will cause misunderstanding. If you write "all handled business data, including personal data, are subject to protection," it would be better because it would not mean that data other than personal data are not so important.

What I wrote in (3) is that the country where the jurisdiction is located is certainly important, but what is often overlooked is the applicable governing law. I think jurisdiction and governing law are completely different concepts. Even if it is written that the Japanese court has jurisdiction, there are cases where it is written that ○ ○ country ○ ○ state law will be applied. This will cause unexpected disadvantages to users, so I think governing law should be written together with jurisdiction.

As for (4), it often happens that when foreign vendors' products are sold to Japanese people, they don't know whether they are sold by the head office or by a Japanese subsidiary. For example, if you try to use the wonderful cloud service of brand G, users don't know whether it is "GLLC," a corporation in Ward A of Tokyo, "G Cloud Japan," a corporation in Ward B of Tokyo, or "GLLC" in Delaware in the United States, and they may start using it because they think it is safe. If you are a foreign company with an important brand, you can use G's service with peace of mind, thinking that it is safe because they guarantee it and that they will compensate you, including the personal assets of your directors. But foreign vendors are often so clever that in the case of multiple, simultaneous leaks of large-scale data in Japan, they isolate the risk so that you don't have to pay for the damages caused by their negligence even if everyone comes to them at the same time, and they devise ways so that you don't have to pay compensation more than the liability assets of a small Japanese company. In such cases, it is Japanese people who suffer great damage, so when Japanese government agencies and private companies want to contract for services listed in catalogs, I think it is necessary to oblige them to clearly state who the counterparty is, not the brand name, but "○ ○ Co., Ltd." or "○ ○ LLC in the United States."

As for (5), no matter how much it is written clearly that OO is a Japanese company, if OO has nothing to do with the assets of the foreign head office and OO does not have much assets to pay compensation, it is meaningless because there is nothing that can be obtained in Japanese courts no matter how much it is tried in Japanese courts, and the user is forced to give up. However, even if the user is forced to give up, it is okay to enter a means such as cyber insurance in advance. However, in that case, the user company and the user office need to know how much insurance they will take and whether there is any risk of taking out insurance in the first place. For that purpose, it is okay for the foreign vendor listed in the article to self-report the amount of credit collateral they have in Japan, or if it is confidential, it is okay if they do not have to enter it. If the entry is voluntary and confidential, they will be cautious enough to sign a contract and enter the cyber insurance, so I think it is worthwhile to have an entry field.

Finally, if a large-scale failure occurs at the same time, the user will demand compensation, but if you look closely at the terms and conditions, it is written in fine print that it will not compensate for any special damages up to the last year. However, it is practically difficult for the person in charge at the government office or private company to read it. The scope of compensation will be an extremely important factor when reading the technical catalog and deciding what to do. It is difficult to read the terms and conditions, so I would like you to simplify this for management judgment and add a self-reported value of the upper limit in about 1 to 2 lines, even if it is as simple as the column to enter international jurisdiction. I think it is good for the business operator to claim that their service is safe, and it is also good for Japanese users to be able to grasp the safety fee. I have sent a comment, although it is a scribble.

Chairman Ezaki: Thank you very much. Basically, we need to provide complementary information, but we have to be aware that if we are too aggressive, the overhead of compliance will increase. Have you received a response from the secretariat?

SUGA Director: I think you are right. After considering whether it should be a mandatory item or a voluntary item, I would like to respond to both of them. I will consult with you again about that. I would be very grateful if you could address the point that it is difficult to claim compensation from overseas companies in the event of any damage, and find room for this catalog to contribute to the problem that it is practically difficult to read all the terms and conditions.

Member Someya: I would like to make one comment and ask one question.

First, as a comment to the secretariat, as you mentioned in the first question, it is about the fact that the members of the technical catalog operation TF are not open to the public. Usually, decisions on these kinds of things are made by the entire committee, rather than by individual risk, so I thought that it is not necessarily necessary for them to be closed to the public. Also, when it comes to being closed to the public, everyone gets caught up in it, and they wonder why, and they worry about transparency when making important decisions. On the other hand, if the timing and content of the members' disclosure are properly managed, I felt that it could be operated appropriately without going to the trouble to make it private here.

Second, regarding the presentation by Mr. Okada, I was impressed that you have continued your activities at SIP in close contact with the field. Regarding the item of local universities, which was mentioned at the end of the presentation, I sympathize with you from the bottom of my heart that supporting local industry-academia collaboration is extremely important for solutions. It was a good talk, but I think there are some that are actually not easy, so I would like to ask about challenges and solutions to them, or if you have any requests toward the government, as Digital Agency is also present today.

Chairman Ezaki: to start the first half of the session simply from the Secretariat, and Mr. Katsuya Okada to start the second half

SUGA Director: Certainly, we also think that it is a fairly in-depth suggestion to keep the members "private," and we thought that we had to come up with some way to protect the members. We thought that it is also important to secure the integrity of those involved in decision-making by flexibly judging the timing of publication, including making it after important decision-making, and in any case, ensuring that those involved in important decision-making are not in a black box forever. Therefore, we would like to review this policy based on your proposal.

Tamaki Okada: area, I think that the most important thing is how to find people who are likely to do it, although it may be useless if I say it. However, in my experience, basically retired emeritus professors do quite well. In other words, active professors are still mainly working in research, etc., so it is difficult to get them to do this kind of thing on an extra level. On the other hand, when they say that they will do it for young doctoral students, etc. because they are still healthy after retirement, they do it hard.

If we support various ways of obtaining the national government's budget, such as by going to get the budget for regional revitalization in Ministry of Internal Affairs and Communications and Cabinet Office with local people, I think we will be able to get it included. Not by getting money for digital technology development, but by combining regional revitalization, we can get other budgets well. It is not only universities that actually go to get it, but there are budgets that are easy to get through industry-academia cooperation, so I personally thought that it would be good if someone could guide them well.

In the case of civil engineering, it is done by the Japan Society of Civil Engineers, but it is necessary to support such consortiums, and if you can set up an environment that is not only direct but also indirect, I think it will work well, and I feel that there were surprisingly many people who wanted to do it as long as they had that.

Chairman Ezaki: I understood that it is exactly to show success stories such as the Technology Map and to use senior human resources in it. Regarding the first question, is it correct to understand that "consider" does not mean "do not do" as a government official, but it is a response to think about a specific method in the direction of disclosure?

SUGA Director: I would like to respond in that way.

Member Suzuki: My name is Suzuki from the University of Tokyo, but I am participating here in my position as the head of the Fukushima Robot Test Field.

When I attended the last meeting and the one before that, I asked Mr. Okada, as he said earlier, that there are different levels of technology depending on the level. Therefore, I asked him that it would be a good idea to introduce products with low technical readiness but potential in the form of a catalog instead of cataloging only completed products, and I thought it would be a good idea to create items to help viewers recognize the level of technical readiness.

After listening to today's talk, I think that there is a discussion of risk-based and performance-based approaches at the root. Some people say that there are things that do not require verification, and I think it is because the risk is low, but we have created risk management guidelines for flying drones at the Fukushima Robot Test Field. Globally, there is a risk assessment guideline called SORA, which was created by the ICAO Working Group, a specialized agency of the United Nations, and there are places that have reformulated it to suit Japanese environments. Self-declaration is fine for low-risk items, but if the risk is medium or higher, a third party evaluation is required, and without it, it lacks objectivity to determine whether it is really safe.

Therefore, in the future, when third party evaluation is used for high-risk inspections, I would like to see consideration of how to make function. Since it is performance-based, the new technology presented here does not require itself, but it is an example, so while there are various methods possible, I think we must consider how to use them in combination. Self-declaration is fine for low-risk items, but if it is high-risk, third party verification will be necessary to determine whether it is really okay. Member Okada mentioned earlier about creating such a verification mechanism, but I thought that it is also necessary to consider how to build third party certification at a stage when such a mechanism has not yet matured in Japan.

Chairman Ezaki: Once again, Mr. Suzuki pointed out that there are labeling and certification levels depending on the essential level.

SUGA Director: The members are in Test Field Type 3 in Fukushima, and they will be taking care of the verification itself. In addition, I am truly grateful that we, the secretariat, have set up opportunities to attend and explain at various places you are planning.

Regarding TRL, it has already been added to the catalog based on what you pointed out, but if it is included as it is, many people may not be able to write it. At the moment, we are focusing on ease of understanding and dividing it into three stages: research stage, demonstration stage, and sales stage. If there is any indication as to whether it is too comprehensive, I would like to hear it.

Another topic that has been discussed is certification and endorsement, which starts not only with verification but also labeling. Listening to the presentation from cybersecurity Division, Ministry of Economy, Trade and Industry, I thought that since we are a rice cake maker, how can we ride on the new systems that can be created without doing everything on our own in Digital Agency and digital ad hoc meetings? I think there is also an aspect that we will contribute to the enforcement of the systems themselves. If function with certification and endorsement can be created in the future, we would like to be the first to ride on it. I believe this is an ongoing discussion, but I will closely follow it.

Member Suzuki: Regarding the level of TRL mentioned earlier, I think everyone will recognize it if it is initially written in broad items such as under research, under development, and commercialized, so thank you for including it.

Regarding certification, as you explained, I believe that Digital Agency will not go that far, but rather that industry organizations dealing with certification will play a central role in advancing it together with academia, so I hope that Digital Agency will continue to send a message that encourages such moves. Thank you for your support.

Chairman Ezaki: I understood that when you think about scalability, you should be aware that it is not a form that you do only here.

Member Nakagaki: was very helpful. Excuse me for asking a specific question, but it is a data-ownership issue. It is always a problem with the Smart Security Promotion Committee, but the miss rate and the mistake rate, especially the miss rate is often fatal, so if you try to loosen the detection, there will be more mistakes. In order to improve the quality of the data, the equipment developer would like to have high-quality machine learning training data after release. However, in the case of the customer who installed it, permission is required, and there are many cases where it is not disclosed under various restrictions. Are there any good examples of how to deal with it?

Tamaki Okada: I don't know if this will be an example, but in the case of the regional universities I mentioned earlier, there were several places in the area where civil engineering teachers were building human resource development centers in a form of connecting with the outside, such as infrastructure centers. We will collect data from local governments at such places and close them there. For those that actually want to use it, let's go there and connect a comprehensive partnership with the university so that it can be used. By having the places that use the technology also join us, I think we can create a local network and make it open in that network. For example, among the local governments that used it, we could take all the data, including the city data, so that it can be used in the prefecture and if you go there, you can use it.

At first, in terms of local governments, the idea was that the prefectural government could not use the city's database. If we leave it to local governments as it is, to put it simply, it would be no good because there is no connection, or because the prefecture and the city are on bad terms, or because there is talk of old bid-rigging, we would not want to team up with them, and so on. So, when I said earlier that we would store it within the local university, people around us would feel safe, including the fact that we could provide some security, so we would create a place to collect such data in a center within the local university. And if that center did not use all of it, and if we could form a console with it so that the companies in it could also use it, I think we could form a Minister in charge of Administrative Reform Okada including external relations. In fact, there are some places where that has worked well. In that sense, I think one way is to make good use of the center of the local university.

Member Nakagaki: I think this answer is related to the answer to the next question, but there is a reluctance of those who want to be the frontrunner. As we showed in the previous questionnaire, if we have a track record, we will try it, but on the other hand, when a new technology is in the implementation stage for the first time, no one will take a risk at the development stage to provide a voluntary field test. You asked me if there is a good way to overcome this, but does it mean that it is possible if universities are involved?

Tamaki Okada: Sometimes there are people who are university researchers in local governments, and if you follow them with a very local network, you can see that they are key people there. Or if there is a special assistant to the mayor who is a technical official like a vice mayor of a city, you can see that they are doing this. Or if you look at technology in that way, or look at local networks, you can see that there are several in local governments. Also, if you catch a section chief who often comes to events, he may say he wants to do it. So, instead of just holding remote web conferences as I said earlier, if you hold a real meeting, there will be people who want to listen to you, and if you talk to them, they will want to do it. On the other hand, the more digital, the more real the meetings and events are, and the more you can catch people who are interested in them, I think this is the hand of local governments.

Member Nakagaki: It was very helpful.

Chairman Ezaki: It was a knowledge about making good use of where we have neutrality.

Member Kawabata: Since I don't have time to tell you everything you've commented on the chat, I'll tell you what's important.
*Refer to "Comments from members in chat, etc." at the end.

In Exhibit 2, I was able to understand the analysis and analysis of the conventional legal development, and I understood the order of the legal development well. On the other hand, I think that the digitalization system will be an add-on in the future, and at the same time as analyzing the conventional legal development, I thought that it was necessary to think about what the digitalization system should be like. For example, the conventional legal development required a prompt response to problems, but with the digitalization system, I think we can obtain data for preventive maintenance and mitigation. I think the conventional legal development is to inspect broken parts and define the purpose and method of the inspection, but for example, since sensors and other equipment are advanced, sensors and measurement data can be shared, and in some cases, measurement data can be fed back to the platform, so I thought that it would be good to add a form that can be promoted in the future legal development.

Therefore, in addition to conventional legal analysis, in the future, due to the declining birthrate, the number of workers will decrease, and it will cost money and data to inspect broken parts. For example, at construction sites, the introduction of BIM not only simplifies the design method, but also makes it possible to use design data for preventive maintenance and inspection in the future. If such laws can be established, I think the introduction of BIM will proceed.

This leads to the next document, Reference 3. In infrastructure monitoring, it is important not only to monitor what has been built and what has been broken, but also to install sensors. In particular, in civil engineering work, when the budget is tight, there is no mechanism to actively introduce new sensors at the time of budget allocation. However, if there is a legal framework that can promote preventive maintenance technology, I think we can promote such things.

I believe that these are related to Materials 2 and 3.

As pointed out by other members, regulations and procurement are very difficult. In the case of private companies, even if they take the trouble to participate in the PoC stage at the stage of technology establishment, while it costs a lot of people and money, the cost of procurement will fall even if it is approved, so it is often the case that a different company will join. It is natural that bidding depends on the budget, but private companies may be reluctant to participate up to the PoC stage. I thought it would be good to create a mechanism to balance that.

I'm sorry I don't have an idea for the last part, but I would appreciate it if you could reflect the points made in documents 2 and 3.

Chairman Ezaki: Since the time has come, I would like you to firmly include what you wrote in the chat from members Kawabata and Ogino in the minutes.

SUGA Director: Were the members all right?

Ogawa: If there is no time, I will list it in the chat.

Chairman Ezaki: We will receive them via chat, email, etc. and include them in the proceedings without fail.

Ogawa: Certainly.
*Described in the "Comments from Members via Chat, etc." at the end

Chairman Ezaki: Do you have a quick reaction from the Director on these three issues?

SUGA Director: Since these are all valuable points, I will consider my response and consult with you about the revised proposal.

Chairman Ezaki: 's time, but that is all about today's agenda.

Chairman Ezaki: Finally, I would like to ask for an explanation from the Secretariat regarding the next meeting of the Committee.

SUGA Director: I will let you know the schedule of the next committee meeting later. The handling of the minutes and materials will be the same as before. Thank you very much again today.

Chairman Ezaki: Thank you very much for your very constructive and substantive comments.

"I will consider it" does not mean that the officials will "not do it," but I believe that the opinions received will be reflected, so I ask for your continued support. Thank you very much for today.

[Comments from members via chat, etc.]
Member:
This is a comment on the secretariat document "The 6th Technology-Based Council for Promotion of Regulatory Reform" Technology-Based regulatory reform "Progress and Current Approach".

Regarding "(ii) Add items related to cybersecurity and software supply chain risks to the input items" (the purpose is clearly stated as "to support appropriate risk judgment, etc. of technology catalog users") among the input items of "Additional response to cybersecurity and Supply Chain Risk Management" on page 25.

In the first place, I think that the word "security" has a strong meaning of "guarantee (of safety)." It is essential for risk management to understand the guarantee for safety, not just to say safety.

(1) The purpose of this measure is to prevent security risks that may cause default (defects, data leakage, inability to retrieve data due to service suspension, etc.) of products and service suppliers.

(a) identifying its risks;
(b) To be aware of the scope of legal action that the user organization could take in the event of actual problems;
(c) Reduce the probability of problems occurring by creating a situation in which enterprises are willing to voluntarily supply products and services with due care by ensuring that the obligation to compensate for damage in the event of irreparable harm is fully met.

I think that it is in the point of realizing.

(2) If so, first of all, there is no rationality that the security infringement that can occur due to the responsibility of the business operator is limited only to the "protection of personal data", and rather, I think that the limited description of "personal data" is misleading and disadvantageous. Therefore, I think that it should be "protection of all handling business data (including personal data)".

(3) Next, in addition to "country of jurisdiction," I think "applicable governing law" should also be added to the input items. "Jurisdiction" and "governing law" are completely different concepts, and I think both are equally important. (There are cases in which the terms and conditions say that the governing law is a foreign law, even if you feel comfortable that the Japanese court has jurisdiction. In this case, the Japanese court has to apply the foreign law to the trial even if the victim user is Japanese, and it will result in extremely disadvantageous results for Japanese users. That risk needs to be understood by the user in advance.)

(4) For all vendor's products and services, I think it is necessary to make it mandatory to indicate the "official name of the legal entity and the country where the legal entity is established" so that Japanese users can clearly identify the "legal entity" that is the counterparty to the contract. The reason is explained below.

In the case of foreign vendors, the head office is located in a foreign country, but there are cases where they sell directly, or there are branches, subsidiaries, or agents in Japan, and there are various patterns. In this case, there is a problem that it is not clear who the provider of the product / service (debtor) is in the contract with the user (creditor) before introduction. (For example, only "Company G" is written, and the user does not know well whether it is "G Limited Liability Company (a corporation in Ward A, Tokyo)", "G Cloud Japan Limited Liability Company (a corporation in Ward B, Tokyo)", or "G LLC (a corporation under the laws of Delaware, USA)", and they apply and start using it with ambiguity, thinking that "G" is safe because of its high brand power.)

In other words, in the case of overseas companies, even if Japanese users are mistaken in thinking that they are dealing with "a globally reliable American XX company with a large amount of RC (several rich foreigners are on the board, and ultimately, in addition to the company, they should be able to pursue the personal assets of those directors)," in fact, they may not be dealing with "a Japanese affiliate of XX company with only a small amount of RC and only a few directors with insufficient financial resources."

Furthermore, overseas companies are very clever, and if a large number of Japanese users' data is accidentally leaked at the same time as a large-scale data leak, even if compensation claims are filed simultaneously, compensation is limited to the assets of the small Japanese company, and there are many cases in which the head office is protected by legal devices (risk isolation) that do not affect the head office. As a Japanese user, even if you think you have collateral, it is often the case that it was actually unsecured. It is necessary to protect users from such misunderstandings. Of course, if a "corporation in name only" is the front, there are cases in which responsibility can be pursued for signboard lending, etc., but that is a very limited case, and the burden of proof is on the user, and the hurdles are very high, and I think users are at a considerable disadvantage.

Today, the confidentiality and availability of data are extremely important assets. Users entrust their valuable data and data processing (important assets), which are the rights of their own organizations and citizens, to business operators, and have them assume the "obligation" of security in exchange for payment.

When entrusting important assets to others, I think it is normal to carefully examine the credit capacity of the other party to the contract and the existence of collateral. This is essential for risk management. It is exactly the same as when lending money to others.

In this way, especially for overseas companies with multiple subsidiaries, etc., it is essential for each user to be able to clearly identify "who on earth will be the debtor under the contract with the Japanese user" in their own investigation of credit capacity and collateral.

(5) In relation to (4) above, in order to achieve (c) above, I think it should be required that the extent and type of collateral assets held in Japan by the counterparty corporation be entered and described in the self-declaration.

When a large number of Japanese users are using a service through the Japanese branch of a foreign vendor at the same time, if there is a fault such as vulnerability in the service and all the data is leaked, all of them will claim compensation from the company.

If a Japanese government agency or private organization has a large amount of data on its citizens or customers, and a foreign vendor leaks that data, the Japanese organization will be sued by the citizens or customers for state compensation or civil damages, which must be paid. However, no matter how much Japan has jurisdiction, if Japan does not have much property, the subsidiary company of the vendor cannot pay damages. As a result, compensation cannot be obtained from the foreign vendor that caused the incident (even if they win the case, if they do not have any money, they cannot receive any compensation), and most of the amount will be lost.

In such a case, it is necessary for the user to subscribe to cyber insurance, etc. in advance. However, in order for the user to properly grasp whether insurance is necessary or not and the amount to be insured, it is necessary to grasp the amount of collateral property in Japan of the overseas vendor that the user uses.

In order to manage such risks, I think it is necessary to have them enter the outline and status of collateral liability property in the self-declaration. I think it is also good to allow it to be "private" without requiring the entry. In this case, the user can recognize that "the credit is a private company, so let's be cautious enough to sign a contract and join the cyber insurance," so I think it is still valuable.

(6) Finally, I think that the outline of the upper limit of the amount of damages on the business side in the terms and conditions of the contract for the product / service related to the damage in the event that the user data, etc. are leaked, damaged, or cannot be taken out due to the negligence of the business side should be clearly stated, even if it is only one or two lines.

Most users believe that they will be adequately compensated. However, if you read the terms and conditions carefully, they will say, "We will not compensate for any special damages, up to the amount of your last payment in a year." Users sign up for the contract without reading the detailed terms and conditions, and when a problem actually occurs, they will have no choice but to accept it. On the user side, it is possible to take measures such as subscribing to cyber insurance as described above, and using data distribution, encryption, and multi-cloud. However, in order to make management decisions on how much or how little to manage the risk, it is necessary to be able to concisely know whether there is an upper limit to compensation or not, as described above.

It is practically difficult for users to read the terms and conditions in detail, and there is also a risk of interpretation, so I think it should be filled in with a summary of the method of determining the upper limit of liability (about one or two lines) as a self-reported value of the business operator on the side of posting in the catalog.

Member Ogino:
There is some overlap between matters related to cybersecurity and matters related to software in the supply chain. The secretariat materials this time have separate sections. I think it is necessary to organize them in order for those who apply and those who post them to describe them appropriately. (Pages 26 to 31) Also, I think we should recheck the materials to confirm the completeness (Page 32).

Member Kawabata:
Regarding Material 2: Regarding the analysis of the existing legal system, I think it is wonderful that the content is well understood. On the other hand, I think it is better to reflect the advantages of digitalization. I think it is necessary to have a framework to promote preventive maintenance as well as to respond quickly when there is a problem. Also, the acceleration of sharing and F/B to the platform are also advantages of digitalization, so I think it would be good to include that point.

Regarding Exhibit 3: Especially for infrastructure monitors, I think there is no time to lose at the moment. I think it is necessary to create a legal system that can promote preventive maintenance technology. Regarding regulations and procurement, I think the degree of freedom in procurement may be changed for the technology establishment stage up to the PoC stage and for the subsequent mass production stage. It takes a certain amount of cost to develop and approve the technology in the early stages, but when it comes to the dissemination stage, the bidding budget will be the first consideration, so the private sector may be reluctant.

Ogawa:
As I did not have an opportunity to speak today, I will finish here as instructed by the Chairman. I would appreciate it if you would disseminate it to everyone and publish it.

I would like to make three comments today.

First, the need for dynamic monitoring of "minimum checks". We also regard "minimum checks" as a major step. On the other hand, technology evolves day by day, so it is easy to assume that it will be upgraded and updated after it has been evaluated once. In this case, there is a natural possibility that the supply chain will be affected. In addition, changes such as a change in the owner or acquisition of the company that provides the technology may also affect the risk. We believe that we should also introduce a dynamic evaluation and monitoring mechanism, including change management, for these changes in risk.

Next, as Mr. Okada mentioned earlier, in the purchasing process of each local government and regulatory agency, I think it is necessary to have a training program to gain enough knowledge to understand the necessary and sufficient performance requirements. If there is not enough knowledge about performance requirements, it will be decided only in terms of price. This is common even in the private sector, and as a result, it may not lead to an appropriate final purchase decision, or it may backtrack after purchase, resulting in a large cost overrun. I think it is also necessary to have a training program to improve legal, performance, technical literacy, and knowledge to ensure the maintenance of the level of performance requirements on the side of each local government and regulatory agency.

Finally, I think it is necessary to consider the appropriate return process to the private sector for this regulatory technology, so-called RegTech and TrustedData, so that this initiative will contribute more to reducing costs for society as a whole.

We have been conducting research on RegTech since 2015. The UK authorities were very alarmed by the emergence of the competitive area of FinTech in the US Silicon Valley and the fact that a large amount of capital began to flow to the US. Therefore, we focused on RegTech. We classify the degree of development of RegTech in stages, and the first level is the automation of regulatory reports, etc. by RPAs, etc. and the visualization analysis of compliance risks, and the second level is cognitive technology, risk evaluation by AI, and decision support, for example, technology such as cognitive technology to temporarily classify suspects in anti-money laundering.

At that time, several private-sector companies discussed the creation of a KYC (Know Your Customer) platform, for example. However, they faced many difficult issues due to their different interests, such as who would be responsible if they made a mistake and who would bear the cost of development and maintenance. As a result, they learned about the limitations of the private sector alone, and their expectations of the government grew.

I feel that the country's commitment this time is very valuable from this point of view as well. I have high hopes that the technology discussed here will greatly contribute to lowering social costs when used as a compliance measure for private companies. I also think that the TrustedData generated this time will contribute to creating new businesses and creating start-ups by being appropriately opened.

Regarding the newly launched RegTech Consortium, I expect that it will not only collect information for the technology map, but also discuss more specifically how to give back to the private sector.

Member Toyota:
I have run out of time at today's meeting, and it is a little off the subject that has become more specific this time, so I did not dare to say anything, but let me add one point.

In the past, we have had to make internal adjustments with various companies and local governments in Japan. There have been few successful examples of strategic inclusion of international standardization, especially wide-area cooperation with Europe and the United States.

Before starting individual internal coordination, I think that we should thoroughly research overseas movements from a more macroscopic point of view, and allocate a budget to activities that are coordinated with them or strategically go ahead of them. It is difficult for private companies to provide a perspective that prevents domestic standardization in Japan from becoming a local expert in global standards. Even if it is impossible to cover everything, I feel that there should be cases where the government takes the lead in identifying strategic areas, conducting surveys, and allocating a cooperative budget.

You also talked about SIP today. In addition to the fact that social implementation of SIP is difficult, I think there is a potential problem that international standards cannot be obtained even if implementation progresses, so I thought we should raise the issue at this point.

This is just a supplementary opinion, but I would appreciate it if you could add it to the minutes. Thank you for your continued support.