The First Digital Cybersecurity Working Group

Overview

• Date: February 3, 2026 (Tue) 14:00 to 16:00
• Venue: Ministry of Economy, Trade and Industry 17th Floor International Meeting Room ・ Online
• Agenda:
  1. Opening
  2. Agenda
     1. Holding and managing digital and cyber security working groups
     2. Explanation by the Secretariat
     3. Discussion
  3. Adjournment

Material

• Proceedings (PDF/89KB)
• Digital Cybersecurity Working Group Member List (PDF / 106 kb)
• Document 1: Digital Cybersecurity Working Group (PDF / 101 kb)
• Document 2: Digital Cybersecurity Working Group Operating Guidelines (PDF / 56 kb)
• Exhibit 3-1: Explanatory materials for the secretariat (PDF / 2,688 kb)
• Appendix 3-2: Reference materials for the secretariat (PDF / 14,015 kb)
• Exhibit 4: Material submitted by Mr. Yokoyama (PDF / 2,703 kb)
• Exhibit 5: Materials submitted by Mr. Murakami (PDF / 703 kb)
• Exhibit 6: Materials submitted by members of the Nakatani Committee * Not disclosed
• Appendix 7: Documents submitted by Mr. Iwasaki (PDF / 160 kb)
• Exhibit 8: Materials submitted by Mr. Ishihara (PDF / 1,163 kb)
• Appendix 9: Documents submitted by Mr. Iguchi (PDF / 309 kb)
• Proceedings (PDF/346KB)

Summary of the proceedings

The secretariat explained materials 1 to 3.
The following is an exchange of opinions with Committee members in "(3) Discussion" of the proceedings.

Comments from Committee Members

Vision for 2030 (short-term) and 2040 (medium-to-long-term), and policy direction toward realization

[About the whole]

• In 2040, when the Society 5.0 era arrives and we create a society in which no one is left behind, it is important to think about how much better a society can be created by humans using AI robots. It would be good if we could also discuss how security should be in such an era. The digital and cyber domains are closely related to the other 16 fields, so it is better to clarify the point of contact. In cybersecurity, it is important to write a roadmap for the 16 fields together, implement it in society, and make it a form that will please the people.
• In order to clarify responsibility and explain progress even if responsibility changes within the ministry, a schedule should be drawn up, and progress should be shown to the public using the schedule to gain trust.
• Policies are not supposed to work, and need to be designed to be effective, tracked, and agile to modify / withdraw.
• From the perspective of international competitiveness, based on our experience in dealing with the aging population and disasters, we will also consider expanding into ASEAN and other countries (strengthening services / applications).
• It is necessary to update AI policies based on international comparisons, identify "what is being done / what is lacking" even in the short term while looking ahead to 2040, and modify and invest in agile.
• Digital cybersecurity initiatives will lead to the enhancement of corporate values, and will also lead to the enhancement of competitiveness when shown to capital markets.

[Cloud and data infrastructure]

• The vision is that by 2030, digital transformation will be the norm, as security will be ensured and AI will be a prerequisite. In 2040, collaboration and sharing will be established in Japan and overseas, including universities, on the premise of cloud native. Standardized cloud native infrastructure will be implemented in medical care, and the environment will contribute to research and drug discovery.
• It is important to realize the ideal state in 2040 ahead of schedule. The national government, local governments, educational research institutes, and the private sector will work together to promote infrastructure development and implementation. We propose infrastructure development for advanced security cloud infrastructure with an eye toward the quantum age and integrated communication and security design for function even during disasters.
• What we should aim for in 2030 is not "concept and demonstration," but to create a situation where AI / data utilization is established in the field including medical care and the public sector. In 2040, we should aim for a situation where "AI is function as a social infrastructure across fields on the premise of data and trust" rather than "DX closed by field."
• It is important not only to talk about data infrastructure, but also to create the motivation to provide data. In other words, the creation of use cases is also important. And the balance between data infrastructure and use cases is important, and these issues are prominent in medical digital transformation and public sector. Only when data organization, governance and security are integrated, efficiency and sophistication can be realized through AI. In particular, when data is refined, it is a prerequisite that humans handle data while understanding the meaning. In conventional data, the meaning is fixed at the time of occurrence, but for unstructured data such as words and images, the layer that handles the meaning is extremely important. Therefore, it is necessary to consider a data infrastructure with a layer for semantic processing.
• As the core of building a digital ecosystem, it is important to develop an industrial dataspace. The high-quality data accumulated by the Japanese manufacturing and service industries are important resources for future AI development and utilization, and it is an urgent task to build a mechanism that enables highly reliable data-linkage across companies, industries, and countries. The Japan Business Federation (Keidanren) is conducting a study under Public-Private Partnership, and it is important to visualize the benefits of data-linkage through use cases based on actual needs in order to encourage the participation of many companies, especially small and medium-sized enterprises. In addition, it is essential to ensure trust, including security, and the government is required to develop a systematic trust-service system and guidelines that are easy for the private sector to use. In addition, it is important to develop an environment for interoperability with overseas dataspaces such as those in Europe and strengthen intergovernmental dialogue to promote international data-linkage.
  Proposed the development of trust service systems and guidelines, and intergovernmental dialogue for interoperability with foreign data spaces.
• The bottleneck on the corporate side of AI utilization is undeveloped AI. It is important to openly develop a domestic "data-ready AI infrastructure" that Japanese companies can use. In this case, in addition to the elements of making data-ready (structuring, semantics, quality assurance, governance / security, and continuous improvement), it is also important to create a "data-ready enablement" layer that serves as a mechanism for business growth using AI. It is also important to promote AI integration within companies as well as between companies.
• In order to promote the use of AI, the development of guidelines for understanding "how far to go" is the key to the spread of AI.
• In the short term, is Japanese DX going well? As with intra-company and My Number systems, only the current processes are being improved, and the entire work process is not being reviewed. It is important to conduct DX after reviewing it. It is important to review the work process when introducing AI and physical robots.
• The issue of the industrial data space is making little progress. It is important not only to hold competitive data but also to link data as collaborative data. To that end, Keidanren has introduced good examples that show the merits of data linkage and has emphasized the need for a trust infrastructure. I would like to ask for your support.
• Based on research findings that "data storage," "public data infrastructure," and "cross-industry digital collaboration" are effective as industrial policies, they should be at the center of the discussion.
• In order to realize people-centered well-being, we expect the construction of a digital platform infrastructure for society as a whole and the "enhancement and strengthening of domestic clouds." The government needs a one-stop / once-only finish.
• In cybersecurity in particular, dependence on overseas platforms is directly linked to security concerns, and it is important to consider how to circulate data collection, analyses, protection, and utilization as an ecosystem. At the same time, it is essential to invest in the development of domestic LLM technology, which is the foundation for AI utilization.

[About cybersecurity]

• In 2030, progress was made from individual response to common response and overall optimization. In 2040, it is important that the environment for common response and overall optimization is in place.
• He proposed the establishment of guidelines for companies to show the minimum level of measures and a framework for the public and private sectors to realize "what should be done". It should earn trust by creating a schedule and showing the achievement status to the public every six months.
• Manpower alone is limited against vulnerabilities unique to AI and advanced attacks using AI. "AI for AI" - Security measures based on AI are essential.
• While it is important for the government to show "how far it should go" as a guidepost, it is also important for the certification to be a checklist so that it does not interfere with personalization.
• As ransomware increases, it is necessary to present a level at which "companies will do at least this much". It is ideal for startups and large companies to cooperate and the public and private sectors to set and promote goals. The ideal security in the ambient / ubiquitous society in 2040 should also be discussed.
• The low self-sufficiency ratio in cybersecurity is the result of a downward spiral. The use of foreign products results in data leakage, the lack of real data prevents the development of domestic technology, and products that analyze and utilize Japanese data are developed overseas, making the country even more dependent on foreign products. It would be nice to have a target value for the self-sufficiency ratio in cybersecurity.
• In order to improve the self-sufficiency ratio in cybersecurity, it is necessary not only to talk about the sovereign, but also to harmonize standards with like-minded countries and to exclude those for which concerns are recognized from government procurement and support programs. cybersecurity should promote it through all-out efforts by the public and private sectors.
• There is a tendency to think that we can prevent cybersecurity by using the most advanced technology of like-minded countries, but the more famous a country is, the more it is being studied as a target of reverse engineering, and there is a risk that it will be easily broken. It is effective to additionally utilize domestic technology as a second line of defense. It is important to create environments in which Japanese companies can utilize their own intelligence that covers the characteristics of each industry based on the knowledge of CYCROSS and other projects promoted by the NICT. The government has major roles to play.
• If the definition of "what to protect from what" is ambiguous, what should be protected cannot be protected. It is also important to define the required security level from the design and operation stages and to evaluate it based on international standards (ISO / IEC 15408, etc.).
• Instead of a follow-up response after the service is provided, "what to protect / threats / required levels" should be defined from the planning and design stage, and an evaluation based on international standards, etc. should be incorporated.
• The security of the entire supply chain is a major issue. Wouldn't it be effective to establish a system to certify security readiness through vulnerability diagnosis and simple checks of business partners (small and medium-sized enterprises, etc.)?
• In light of recent cyberattacks cases, it is important to examine whether BCPs, including backups by other companies, have been established on an industry-wide basis, especially for critical infrastructures that support people's lives.
• Necessary preparations and administrative work should be simplified so that small and medium-sized enterprises will not be left behind when strengthening the cybersecurity by making it stricter, stricter and stronger.
• As for cybersecurity, I hope that the evaluation systems being studied in Ministry of Economy, Trade and Industry will evolve in the future to meet the needs of the AI era.

[Issues by field (public sector, medical digital transformation, autonomous driving, etc. in semi-public sector)]

• Universities are a place to build and demonstrate medical DX in addition to public DX. Medical care assumes the AI of medical data infrastructure such as electronic medical records. It is necessary to rebuild a secure and cloud-native design.
• The one-stop government should refer to overseas examples and promote the expansion of use cases (e.g. automatic linkage between cars and insurance).
• The government should involve the public by proposing reforms that people will find "more convenient" (for example, making death procedures and address changes a one-stop).
• The government's challenge is to improve the convenience of residents. It is necessary to realize connected one-stop / once only, safe and secure operation of My Number Card, and increase added values.
• For social implementation of autonomous driving, combination with regulatory reform (ensuring predictability) is important. Verification of policy effects and agile adjustment and withdrawal are also proposed. For autonomous driving, it is questionable whether demonstration leads to social implementation. In light of the modular AI advancing in the world, there is room for realistic introduction such as public ride-sharing and subsidies for level 2 introduction.
• The utilization of medical and health big data has been delayed. Medical data such as electronic medical records, health checkup data, and health insurance claims are dispersed, and it is a difficult issue that requires understanding of the public regarding technologies such as data engineering, restrictions on the scope of use, and the handling of personal information. However, data utilization should be promoted with a sense of speed in order to reduce social costs.
• A new legal system that handles the primary and secondary use of medical data in an integrated manner should be developed, and the government should work together to promote medical DX.

[Development of digital human resources]

• Human resource development for infrastructure development and implementation is urgently needed. In order for society as a whole to become more literate in AI, digital, and security, it is important to develop integrated literacy and recurrent education from elementary, middle, and high school.
• An analysis of skill assessments for 100,000 people shows that behavior change is unlikely to occur simply by acquiring skills. It is necessary to update to "organizational structural reforms" and "AI human capital-based management" appropriate for the AI era.
• After Vision for a Digital Garden City Nation's goal of developing 2.3 million digital human resources by fiscal 2026, it is necessary to think about organizational structural reforms. Reform of not only training but also "containers that create value by mastering them" (organizational structure, evaluation system, and promotion of challenges) is necessary as the second step. We also propose an update to AI human capital management.
• DX human resources should clarify the "image of human resources suitable for strategies and business models" and visualize the securing and development of basic skills + company-specific skills. It is also important to appoint external human resources and improve the workplace environment (job type, etc.).
• The public and private sectors should jointly promote the development of security human resources. Could the attractiveness of qualifications (information processing safety assurance support personnel) be improved and rebranded, and university courses / departments be reviewed?
• There are not enough people at ventures such as data engineering and security personnel. It is necessary to be able to hire people with competitiveness compared to foreign companies. In addition, it is important to create an environment that enhances the mobility of human resources such as personnel exchanges between large companies and ventures.
• In local governments, the gap is widening due to the shortage of CiOS and the "one person information system" problem, etc. Appropriate investment and construction of core competencies are necessary in the AI era.
• Proposed to clarify DX human resources linked to strategies, appoint external human resources, and improve working environment (diversity, job type, etc.).

Main comments from the secretariat and observers

Director, Tanabe, Digital Agency

• The plan is to provide an easy-to-understand experience by promoting the expansion of services on the basis of Mynaportal, etc., and providing and expanding information on birth procedures, etc. on the portal. The plan is to proceed with the examination of automatic operation with the related departments.

Moriya Ministry of Economy, Trade and Industry, Director of Information Economics Division

• As for corporate DX, the plan is to further advance this initiative and consider what kind of initiatives are required, including human resource development, because the company is aware of the situation in industry regarding organizations and AI utilization among the DX-brand measures.
• It plans to work with the AI and AI Working Group based on the significance of data infrastructure.

Takeo Ministry of Economy, Trade and Industry, Manager of cybersecurity Section

• In AI transformation, security is two sides of the same coin. In the field of security, it is necessary to respond to the new era, such as the use of AI.
• Regarding the presentation of minimum security measures and security measures in the supply chain, the government is promoting the establishment of a system to present and evaluate the minimum security measures that enterprises in the supply chain should implement. Through this system, we would like to strengthen security measures in the entire supply chain, including small and medium-sized enterprises.
• Regarding the improvement of self-sufficiency in the security field, Ministry of Economy, Trade and Industry announced industrial promotion strategies for the cybersecurity field in March of last year. By working to achieve this, we would like to improve self-sufficiency in the security field and build an ecosystem.
• Regarding human resource development, it is important to improve the attractiveness of IT safety support personnel. In addition to promoting matching between qualified personnel and SMEs, we will also implement human resource development for young people and industry. We would like to strengthen human resource development while collaborating with each ministry and Public-Private Partnership.
• It is important to consider security from the development stage, as secure by design is being called for internationally. Our ministry is also promoting initiatives such as a certification system for IoT products. We would like to continue to promote various initiatives under the risk-based approach.

Observer

• Based on the Cyber Strategy (approved by the Cabinet at the end of last year), it plans to incorporate issues such as ecosystems centered on human resources and domestic products, small and medium-sized enterprises / supply chains into concrete measures, and also refers to strengthening intelligence function.
• A sense of speed is necessary for medical DX to contribute to quality improvement, efficiency improvement, and future secondary use. The goal is to introduce electronic medical records to almost all medical institutions by 2030. The policy is to promote reforms by showing migration procedures based on cloud-native assumptions, elimination of non-introduction at clinics, and heavy customization at large hospitals.
• Based on the evaluation of the 2.3 million digital human resource development target (2022 to 2026), the next promotion method will be considered.

Minister Digital Agency

• Preparation of Semiconductor-Ready AI is extremely important and should be discussed in the working group on AI and semiconductors.
• As there are opportunities to consider a cross-sectoral cybersecurity, I would like to consider cybersecurity's collaboration with the other 16 fields.
• When all 17 areas are discussed, we would like to sort out the areas in which Digital Agency and National Cybersecurity Office (NCO) will be involved.
• The perspective of strengthening and nurturing domestic cybersecurity is important, and we would like to proceed with studies on AI and cloud computing as well.
• It is important for Japan, which already knows the challenges of the aging society, to promote the DX of the aging society in the sense that it can lead to the acquisition of huge markets such as those in ASEAN.
• Regarding the cybersecurity of SMEs, is it possible to hire people collectively, such as by selecting one CIO or CAIO for each industry or business type?
• It is important for academia, such as universities, to take on the role of developing digital human resources while reconsidering the allocation of human resources under the declining birthrate.