
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.

Digital Extraordinary Administrative Advisory Committee Working Group Technology-Based regulatory reform Promotion Committee (6th)

Overview

  • Date and Time: Monday, September 11, 2023, from 10:00 to 12:00
  • Location: Online
  • Agenda:
    1. Opening
    2. Proceedings
      1. Change of Members
      2. Explanation from the Secretariat
        • Progress of "Technology-based regulatory reform" and how to proceed for the time being
      3. Explanation from Mr. Okada
        • Technology Strategy Innovation Management in Public Services
          "Based on the experience of the first stage SIP"
      4. Explanation from the cybersecurity Division, Commercial Information Policy Bureau, Ministry of Economy, Trade and Industry
        • METI's cybersecurity Policy
      5. Exchange of opinions
    3. Adjournment

Minutes, etc.

Date and Time

Monday, September 11, 2023, from 10:00 a.m. to 12:00 p.m.

Location

Held online

Members present

Chairman

Hiroshi Esaki, Digital Agency Senior Expert (Architecture)

Members

  • Yusaku Okada (Professor, Department of Management Engineering, Faculty of Science and Engineering, Keio University)
  • Keiko Ogawa (Certified Public Accountant, Banking Capital Markets Leader LegTech Leader Partner, EY Strategy and Consulting Co., Ltd.)
  • Tsukasa Ogino (Representative Director of the security Council for Important Consumer Products)
  • Hei Makoto Kato (Specially Appointed Associate Professor, Graduate School of Information Science and Engineering, The University of
  • KAWAHARA Yoshihiro (Professor, Graduate School of Engineering, The University of Tokyo)
  • Yumi Kawabata, Journalist Strategic Innovation Specialist
  • Taro Shimada (Representative Executive Officer, President and CEO, Toshiba Corporation)
  • Shinji Suzuki (Designated Professor, The University of Tokyo Institute for Future Initiatives, Director of Fukushima Robot testing Field, Fukushima Innovation Coast Initiative Promotion Organization)
  • Takao Someya (Professor, Graduate School of Engineering, The University of Tokyo)
  • Keisuke Toyoda (Specially Appointed Professor, Institute of Industrial Science)
  • Takao Nakagaki (Professor, Faculty of Creative Science and Engineering, School of Science and Engineering, Waseda University)
  • Ayumu Nagai (Representative Director and President of Astamuse Corporation)
  • Katsunori Nemoto (Counselor of the Japan Business Federation)
  • Daiyu Nobori (Director of the Cyber Technology Laboratory, Information-Technology Promotion Agency)
  • Kenji Hiramoto (Director General, Information-Technology Promotion Agency Digital infrastructure Center)

Overview

Counsellor Hitoshi Suga: time, we will open the sixth meeting of the Technology-based regulatory reform Promotion Committee. Members are invited to participate online this time as well. We have set up a time for exchanging opinions in the second half of the meeting, but as in the past, we will use Webex chat to listen to your opinions and questions as needed during the explanation.

Then, I would like to ask Chairman Esaki to proceed with the proceedings from now on. Thank you very much.

Chairman Esaki: I would like to begin the proceedings. The sixth session is based on the agenda you have just shown me. First, the Secretariat will report on the change in the members of the Committee. Next, the Secretariat will explain the progress of technology-based regulatory reform and how to proceed for the time being. Next, Mr. Okada will talk about Technology Strategic Innovation Management in Public Services "Based on the Experience of the First SIP." After that, the cybersecurity Division of the Commerce and Information Policy Bureau of the Ministry of Economy, Trade and Industry will talk about METI's cybersecurity measures. Finally, we will have a free exchange of opinions, questions, and opinions from all of you on all of today's agenda.

First of all, I would like to ask the Secretariat to report on the change in the membership of the Committee.

Counsellor Hitoshi Suga: From this time, Mr. Kenji Hiramoto, who has become the Director General of the Information-Technology Promotion Agency Digital infrastructure Center, which was newly established this year, will participate as a new member. Mr. Hiramoto, thank you for your continued support. That's all for my report.

Chairman Ezaki: , you are also working in Digital Agency, and I will be working with you again. Thank you. For your greetings, please introduce yourself briefly when you speak in the course of questions.

Next, we asked the secretariat to report on the progress of the technology-based regulatory reform and how to proceed for the time being.

Counsellor Hitoshi Suga: Next, I would like to introduce Handout 2. As usual, I would like to report on the progress of the examination of technology-based regulatory reform so far and how to proceed in the future.

I would like to ask you to turn one page, and here is the outline of the committee, and the next page is the whole picture for review. The next page is the agenda. We have had various discussions over the past five times. The first is about Technology validation, and I said that we would hold public appeals for the first to third rounds. All of them have been implemented, and I would like to report on them.

Second, you have been discussing the vertical and horizontal axes of Technology Map. We would like to proceed in this form for the time being, so we would like to consult the final plan this time.

The third is the technology catalog. In particular, the biggest one is the presentation by the cybersecurity Division of the Ministry of Economy, Trade and Industry this time. They pointed out that it would be better to add catalog items related to cybersecurity, so I would like to make that proposal. Based on that addition, I will also report on how we will invite applications for catalogs from time to time in the future.

Finally, since we have started operating the consortium, I would like to report on it and make a proposal including the schedule of the first event, RegTechDay.

First, I would like to talk about the Technology validation Project. As I reported until the last time, the government agency in charge of regulation said that Technology provision is necessary for 1043 validation out of 10,000. When we summarize them, it turns out that they can be divided into 14 ministries and agencies types. In accordance with the 14 types, we have been adjusting the procedure for joint verification under the joint signatures of each prefecture. Among the provision under the joint signatures, as I reported last time, we are doing it together with Oita prefecture as a representative from local government. The number of subject to verification is the number of provision in Oita prefecture in parentheses next to the number of provision in the country. In general, there are quite a few types in which people share a car, and in the end, there are some places where we have no choice but to do it alone.

As for the five types in red for which the guidelines for public offering were written at the beginning of the first stage of the Technology validation Public Offering, the public offering of the leaders of the Technology validation has already been completed, and we will start the demonstration. The second stage is shown in blue, and the third stage is shown in yellow. In both cases, public offering was conducted from June to August.

From the next page, we have an overview of the types, the technology validation, the specific law to be covered, and a list of specific technologies that will actually testing performances. For each type, we first coordinated with the ministries and agencies in charge of each regulation with detailed specifications that we wanted them to confirm their performances, and we invited public submissions for them. At present, we are at the stage where the public submission of business operators who will lead validation has been completed. From here, we will have business operators and ministries and agencies in charge of regulation talk with each other, and we will work out the details of how to proceed, and then we will move on to the actual validation one by one. It is an extremely costly process, but we are proceeding with each provision very carefully. We are proceeding with each ministries and agencies very carefully.

I have skipped the first and second series because I explained them until last time. The third series starts on page 11 and is summarized at the end. We held the competition in the summer, when the public offering period is from August 4 to 25. For example, Type 2 is for regulation, which requires periodic inspection of equipment below ground level or in inaccessible locations using non-destructive inspection technology, to see if technology substitution is possible. Type 4 is for validation, which requires visual inspection to check for defects and degradation of equipment and equipment inside and outside the facility, to see if substitution is possible with sensors. Type 4 is for regulation, which requires soil inspection to check for defects and degradation of equipment and equipment inside and outside the facility.

From the next page, we will ask you to take on the challenge of whether it is possible to substitute technology for periodic inspections of the operating status of equipment using IoT and sensors, and whether it is possible to replace periodic inspections based on collected samples with continuous inspections of environmental information such as air and water quality in Type 10.

The next time I can give you a detailed report is at the stage where we have started this kind of validation, so I would like to have some time.

From the next page, I would like to talk about Technology Map. It is on page 14, but first of all, on the vertical axis. As you can see in the lower right corner, Technology Map, which is originally familiar, is arranged vertically in seven types and the representatives of regulations on paper and in-person processes that we are talking about. We have written down the common functions and roughly mapped what technologies can be substituted for what functions.

On the next page, as I explained last time, the structure of regulation has a purpose of regulation, and in order to achieve that purpose, it has a structure of what functions will be satisfied by what means. So that the structure can be expressed on the map as it is, we will make a list of the purpose of regulation and the means to achieve that regulation.

The next page is the basic structure of regulation. It has become clear that it is very interesting. When MRI conducted a complete analysis of 10,000 provision extracted by digital consultation, it has become clear that all regulation have almost the same structure. First, the purpose of regulation is at the top, and at the bottom, there are the objects of regulation management, the objects that we want to ensure safety, and so on. Someone acquires information and data on these objects of management. Someone acquires information on whether they are in a healthy state, degraded, rusted, or cracked. And then, the acquired information is conveyed to someone. Next, these pink decision-makers come in and determine whether this state is a bad state. The results of this determination are conveyed to the next responder. The responder who has been conveyed responds to the situation by, for example, instantly starting repair if it is necessary to repair quickly based on the determination. The same responder may play several roles. Basically, it has become clear that all regulation are seeking to turn the loop of acquiring data, making decisions, and responding in this way.

On the next page. Based on the basic structure of regulation, it seems to be good to organize the horizontal axis of Technology Map into input, process, and output according to the IPO model. That is, first, the data to be managed is acquired, securely flowed to a remote location, and transmitted. Then, it is judged as the next phase. According to the judgment, the final output, action, and response are taken. With this structure, I think that almost all regulation can be plotted well.

On the next page, I asked you to check the description ratio of each factor on the text for 10,000 provision. In short, I asked you to check who takes what data, how it is judged and communicated, and how much each factor can be read on the text. Red and warm colors are high in description ratio, which means that something close to green can hardly be read on the text. For example, there is a regulation where the manager is asked to confirm the status of a specific location by a qualified person, but how to respond to what specific case is probably confirmed by the content of the test, so it is impossible to read it even if you look at the text of the regulation. As a result of the analysis, it was found that part of the information on the management target and judgment on the left side of the table could be confirmed or analogized on the text of the text.

Based on the above structure, the vertical axis starts on page 19. In the past, Technology Map had seven keywords and seven types on the vertical axis, so that it was easy for the ministries and agencies in charge of the regulation to understand. When we try to revise this and increase the coverage, according to the structure of regulations on paper and in-person processes, it seems to be good to largely classify the "management targets" with the highest description ratio as the main axis. Pattern 1 on the vertical axis is to sort out in this order what kind of data should be obtained for what management targets in the text, and what kind of judgment and response are expected.

Regarding pattern 2 on the vertical axis, there was an opinion that it would be easier for you to find a place to see in regulation under the jurisdiction of regulation if you were tied to the keywords of the ministries and agencies type as in the previous plan. Therefore, we will continue to maintain that structure, so we have selected pattern 2 on the vertical axis. For the time being, while maintaining patterns 1 and 2, we are currently considering various additional patterns, as the Secretariat is currently struggling due to the difficult points you pointed out last time.

From the next page, if you match the pattern on the vertical axis, it will be a map like this. It is assumed that you can see it on the Internet, and it is not assumed that it can be contained in one sheet of paper, so it is very difficult to see. When you show it as a table, I would like to make it a little bit bigger so that people will want to see it, but if you expand it, I think each part is made quite finely. If you plot the technical information that you know at this point on the vertical axis and horizontal axis that I proposed, it will be a map like this.

Now, what should be behind each plotted technology in Technology Map is a technology catalog. From page 23, it's a catalog story, and the first one is a cybersecurity story.

Regarding the process of creating a technology catalog, we have decided to hold several public appeals for a limited number of fields, asking for information on technologies that could be applied to these fields. Our original proposal was that the information to be included in the catalog would be proposed by the technology holding organization, and that Digital Agency would only make a minimum check on whether the products and services that were proposed were already in a state where they could be recommended, and that they would be immediately listed in the catalog and displayed with an emphasis on speed. This time, as shown in blue on page 24, we would like to add a process called "prior confirmation of the results of the public market-oriented." Based on the fact that there were many opinions that the information should be checked from the viewpoint of whether the products and services proposed were sufficient for procurement, we would like to set up a place called the "Technology Catalog Operation Task Force" for the information on the products and services provided, and change it to a form in which the information will be listed as a catalog after a minimum check on the cybersecurity and Supply Chain Risk Management.

To be specific, please refer to the next page. The situation in cybersecurity and Supply Chain Risk Management is moving minute by minute, so rather than always doing it this way, we will flexibly change the operation while monitoring the situation globally and domestically as needed. Originally, it is difficult for Digital Agency to bear the accountability of the products and services listed in the catalog if something happens after they are adopted, so we would like people who are procurement to make sure of it, and we plan to make it clear in the terms of service. On the other hand, as a catalog to be developed by Digital Agency based on law, this catalog will be published on the Digital Agency website, so we should ensure a minimum level of trust and improve the information to be provided, so we would like to take the following additional measures.

First, under this committee, we will set up the "Technology Catalog Operation Task Force," which I mentioned earlier, and we would like you to confirm the input information you applied for before releasing the technology catalog. Its members will be determined with the approval of the chairman, but we would like to keep it private.

In addition, when soliciting technologies, we have a lot of questions as catalog items, and I would like to ask you to add more items to respond to cybersecurity and software supply chain risks. To be specific, we have received suggestions that we should at least ask about the protection of personal data, such as where it is stored, whether it is encrypted, and what jurisdiction it has. In addition, regarding software Supply Chain Risk Management, I would like to ask about the characteristics of software and how it is doing security measure based on its characteristics.

On the next page, as for the idea of additional items, if even one item is omitted, it will be a security hole, so I would like to follow some comprehensive guidelines as much as possible, which are widely accepted. The definitions of important software and the five security measures for their use issued by NIST, the National Institute of Standards and Technology, including security measures, and the 11 minimum standards recommended in the validation of software are widely accepted and referred to. Based on this, we selected the minimum items while taking into consideration the ease of input by applicants.

The next four pages contain a list of specific additional items.

Next, I would like to confirm the specific implementation status of software validation. I would like to make sure that all of them can be confirmed by the checklist. The chairman also pointed out that "We should always check whether Supply Chain Risk Management is covered overall." So, I organized the list. At the time of application, it has not yet been decided that the technology will be used, so I have decided not to ask that much. If you can give me a comment about this, please do so.

As mentioned above, since we have been working to enrich the security questions, the second public offering of the catalog has already been decided for on-site inspection and public inspection, and the list of questions has been prepared, but we have been waiting for the implementation for a while. On page 32, we would like to implement the second public offering of the catalog by the end of September with the addition of the above security measure items. After the public offering, we will be able to publish the catalog after October. The questions themselves in the catalog have not changed from the previous time except for the security part.

In the third and subsequent editions, we will continue to develop the catalog. We will also conduct a technology validation, and if it is found that technology substitution is possible, we will ask you to review the regulation after that. Since technology procurement will finally be possible from there, it will take a little time for the types that require technology validation, so we would like to develop the catalog focusing on the parts that do not need technology validation anymore and can be used if there is technology.

From that perspective, on page 33, the provision that require technical validation are written on the left side. There are technical validation that are implemented collectively by Digital Agency and technical validation that each ministries and agencies is required to perform independently. These two are the 1043 provision that require technical validation. Other than that, on the right side, we are thinking of developing catalogs in advance for about 8600 provision, the majority of the 10,000 provision that do not require technical validation.

For the third and subsequent catalog solicitations, which are described from the next page, we have asked MHI to plot all 10,000 provision along the newly created vertical axis. Based on the results, we would like to organize the public solicitation for each type. For example, in visual inspection, preparations are likely to proceed quickly. This is a type of regulation in which visual inspection and lookout tell us to check the status of construction, aging degradation, and safety measures. This is a type of drones in which regulation tell us to understand the status of wide-area use of outdoor environments and damage by flying. This is a type of organization management in which field surveys tell us to check the status of business management and business operations. I think these three will be included in the public solicitation for technical catalogs in the third round.

A little later, the fourth and fifth catalogs may be held in regulation other than visual inspection. They will check the status of construction and aging degradation by means other than visual inspection. And the last catalog type is measurement and analysis, and Issue is how to cover the objects to be managed. Since measurement and analysis of various things are required by regulation, it is necessary to organize how to classify them and request information. I would like to postpone this for a while, and start the catalog solicitation gradually. From page 35, I have positioned each catalog solicitation type on the Technology Map list.

Finally, from page 40 on, I would like to talk about the start of operation of the consortium, RegTechDay. The RegTech Consortium, as I have talked about several times, is not going to stay in the middle and connect information through this map and catalog, but I would like to create a gentle community from the idea of building a relationship in which the technology holding organizations, the ministries and agencies responsible for regulation, and the target organizations in regulation, who are stakeholders of the map and catalog, can directly share necessary information as needed.

As for pages 41 and 42, in this consortium, we would like to have a place where people can learn about networking, information provision, learning opportunities, and what kind of technology is being unlocked at the cutting edge.

On the next page, the RegTech Consortium has started operating quietly, and more than 100 people have already registered before any events have been launched. Since the consortium itself is a community, we have set up Slack, where we have prepared a venue for deepening various discussions. We would like to call the launch event of the consortium RegTechDay, and hold it online from 1 p.m. to 3 p.m. on Friday, October 27 this year. The economic effect of the review of regulations on paper and in-person processes is 3.6 trillion yen, but I would like to make it an event in which people can casually collect information on what regulations on paper and in-person processes is, what technologies will be available in the future, and what kind of technology validation is being conducted now, and connect with people concerned. If you could reserve this time, I would be grateful if the secretariat would be able to consult with you in various ways in the future.

Page 45 is the activity schedule of the consortium. As I showed you last time, it has been updated with the schedule. Starting with this RegTechDay, we would like to continue to plan study sessions, PitchCon testing, and matching events.

The last page, page 46, is the future schedule. It has been decided that the map will be released in the summer. It will be September, the end of the summer, but the vertical and horizontal axes have finally been decided as the first part of the map, so I would like to release it. In addition, as I mentioned earlier, following the first and second rounds of public offering, I would like to release the technology catalog in a series of public offering in the form I have just categorized. Technology validation is in a difficult phase, but business operators have finally been decided, so they will be engaged in technology validation one after another. In between, I would like to create a community with consortia and liven up the community.

That was the report from the office.

Chairman Esaki: Next, I would like to ask Mr. Okada to explain, "Based on the experience of the First SIP of Technology Strategy Innovation Management in Public Services."

OKADA Member: Thank you very much for your time today.

In the first phase of SIP, I was involved in infrastructure maintenance and management, as you have just mentioned, as a sub-PD in the introduction of new civil engineering-related technologies. In particular, I was involved in exit management for about four years. In the first year, I was involved in other areas, so for the last four years, I supported the output of the technologies that were actually development.

Among them, the four things I wrote on the last page are the parts where we had a lot of trouble, especially in showing the completed technology. Now, the secretariat side has talked about it, including the catalog, and I feel that what we thought has been greatly improved. I think there are some overlapping parts, but I would like to talk about what I was concerned about based on my experience during the previous SIP1 phase. I would like to talk about the things I would like to talk about, including my various experiences, so I will organize them at the end with this slide and talk about them collectively.

The reason why it originally started with infrastructure maintenance is in the upper left on page 2. In fact, there are, for example, 700,000 bridges and 10,000 tunnels in the country. However, 85% of them are owned by local government. That means they are not so-called charged. In that case, the maintenance and management of them will be paid for by so-called taxes. It has been said since more than 10 years ago that whether taxes are actually tax revenues commensurate with the amount of stock is no longer the case. As was the case with the Sasago Tunnel incident, it has been said that if infrastructure maintenance and management are not performed properly, social safety will be greatly affected. In fact, there are an increasing number of bridges that cannot be maintained and managed, and some local government are using a method called triage. Some bridges are closed to traffic when they get really bad, and the only way to stop using them is to close them.

Based on this, the first phase of the SIP infrastructure began in 2010. Within the SIP infrastructure, new technologies have been development, and as you mentioned here, we have responded to social issues centered on so-called digital technologies. About 60 teams have advanced their technologies through development.

However, even in the middle of this progress, there was the incident in Genoa in 2018. In fact, even in the infrastructure of such a town, if the maintenance and management is not advanced because the regulation is not available, the situation will be like this. In this way, infrastructure accidents continue to occur in various countries around the world. In addition, there are places where it actually has a significant impact on social life, so I think it is progressing as an extremely urgent Issue.

On the other hand, when we think about the technology, on page 3, this is a graph of MOP that often appears. The horizontal axis is TRL. Recently, the term BRL has been used, but we are raising the level of technology. What is actually conducted at universities and research institutes is mainly basic research and applied research on the left. In fact, in the case of SIP today, the research that is entered at the stage of public offering is usually selected from excellent research in this area. When it comes to the exit, practical application and commercialization on the far right side, which targets around 7, 8, and 9 of TRL, are necessary.

However, in this area, it was actually the case for universities as well as researchers at so-called RIKEN and AIST, but in the daily activities of researchers, it was almost impossible to think about it directly, especially about 10 years ago. Under such circumstances, recently, it has been said that such practical application and commercialization should be the final goal, so we have to go there. However, even if I just told each research team to go this far, it was impossible. This is also the case with demonstration experiments, which you mentioned earlier. Including that, regarding practical application and commercialization from such a research development, it is difficult to move smoothly even if I say that it is a condition to leave it to each development team. In fact, the need to support the raising of TRL in this area on the secretariat side became a major problem that emerged in the latter half of the second year of SIP. From around that time, various efforts to support the so-called social implementation of SIP technology were actually carried out at the center of the project team in the secretariat.

In this context, so-called output is often mentioned. When considering the business model shown on page 4, BtoB and BtoC are often mentioned. In any case, if you make a good product, it will sell, if you make a good product, people will buy it, and it will be fine if you reduce the cost more than before. In the case of infrastructure, I mentioned earlier that there are many bridges and tunnels that are not charged. If the source of the money to actually use them is taxes, it is different from so-called BtoB and BtoC.

It says BtoG at the bottom, but there are places where we have to solve problems in this business model. To put it bluntly, in local government, for example, we often have a single-year settlement of accounts. Then, when thinking about the budget over the medium to long term, such as maintenance and management, for example, if I pay one million yen now, it will be cheaper for 10 years. Even if I can understand it in my head, the person in charge will say that it is not possible under my authority. In this way, it is difficult to accept the medium to long term idea, which has emerged as a very big problem. Cost cutting is a typical example, but people are very happy about the fact that the cost will be reduced this year. However, the idea of investing now to reduce the cost in the future is difficult to open their wallets, even if they understand the logic.

Another important point is functional requirements. In fact, it is enough to consider ordering requirements. There will be places where it is good to be able to do this, but if we do not actually set up functional requirements, "cheap or bad" will be chosen, although it is a bad word. Therefore, in fact, if we do not consider ordering performance to a certain extent, people will not buy good things and will buy cheap things. In many cases, incentives and motivation of people who introduced new technology were impaired. For this reason, it is called BtoG, but rather than studying the general way of local administration as it is, it is important to look at the way of introduction of new technology, including the way of local administration, and to give ingenuity to the way of introduction in various ways.

After that, when we actually introduced the new technology, we made a catalog of the contents created by the researchers in development. However, it seems that this had a very bad reputation. It was like a proceedings of an academic society, and it was difficult to understand because there were difficult terms that only experts could understand. For example, local administration people said that they didn't know what was good, what could be done, or what was different from the past.

So, we wrote the products and sales points like a headline, and we said, "What can I do?" We actually reworked the method from the perspective of the reader. However, it is difficult to ask researchers to do all of this. We reorganized the team by people who are skilled in such things, and reviewed the content and content of the catalog. We also included the voices of users and voices actually obtained in the field, such as demonstration experiments.

For example, regarding the inspection of the state of corrosion, in addition to the first proposal, one administration that saw it had another need from local government, for example, there were places where utility poles were corroded due to dog urination in parks, and it was successful to use it. In fact, in the demonstration, there were various ways and possibilities of utilization. While seeing such things, we took the form of updating it by adding various things that could be used in any place.

Various technologies and characteristics will also come out in multicopters, so-called drones. It is easy to show that this can be done with drones by taking images with a camera without inspecting the visual inspection. When we actually talk about bridges, for example, it is strong and weak against wind, it is strong if it is in the sea, and it is strong if it is in the mountains. In various ways, so-called good and bad points will actually come out in drones. Without actual validation with a combination of techniques while firmly showing such advantages and disadvantages, it is difficult to cover all of them with one drone, especially for large bridges. It has become necessary to model a combination of new technologies.

There is also a device that can see the overall condition of the car while it is actually running in the tunnel by using a so-called laser. It can also grasp the corrosion state and cavity state in the tunnel. This was completed at a very early stage, but the big problem is that China actually built a similar car. It was forced to run in China, which led to a significant decline in international competitiveness. Of course, in terms of performance, this one is better, but as I said earlier, if performance requirements and performance orders are not made firmly, if a little bit of grasshopper technology comes in, it will be defeated. In order to support new technology, the performance of new technology must be evaluated firmly, and if it is not put into a flow where performance orders can be made, it will be difficult for those who make good products to pay the price.

There is also a device called laser striking sound that analyzes the sound emitted by the laser instead of taking a video. Currently, this technology, including SIP Phase 2 and Phase 3, is showing great results. However, as I said earlier, in order to actually use this technology, we need to show not only the state of the technology and where it can be used, but also where the market for using this technology is located. Otherwise, it will not work.

A similar example is a tunnel in which all the sounds and video analysis are combined. It was made into a development by attaching various measuring instruments to the guide frame. It is said that it is difficult to measure while driving in the middle of the road because of the traffic regulation. Since the system does not require a traffic regulation, we initially recommended that it be an extremely high-level new technology, but when it is actually used, the police say it is unprecedented. Even if it is said that it is okay without a regulation, it will be a problem if something happens, so we end up asking for a regulation, which in a sense has led to a decrease in sales. It is good to do a demonstration experiment because there are places that are difficult to use if there is no precedent, but if the demonstration experiment becomes an experimental facility, it will be the first place in the actual site that we will not be afraid to do it. It is also very important to find a cooperative local government that will not only be used at the so-called test site but also be used somewhere properly, and to make achievements there first.

There is also a method to actually measure the state of land subsidence using a laser from a satellite. By collecting information from a satellite in flight and analyzing it, implementation was able to do it at an early stage. However, one major problem was who the data belonged to, and in particular, if the land was sinking, it would cause social anxiety if it was disclosed. In fact, the data based on the contract with this company has been developed in such a way that the people in the infrastructure hold it firmly and do not disclose it. If the data is closed in this way, it cannot be used as learning data for, for example, AI. It is difficult to use the data including the data collected in this way for future learning.

As is the case with the data collected in drones, when it comes to data that must be maintained and managed, there are still people who want to close it. Unless we look at the scope of opening and closing of acquired data, such as opening up some part of the data to the open, rather than truly opening it completely, it is easy to close it if it is too safe, and the psychology of not wanting to open it works. In fact, it is undeniable that the effect of digital technology will be halved. Therefore, it is important to consider the opening of data, including who will manage the data actually collected in such places and who will make full use of it, as the consortium mentioned earlier.

So, I have just introduced some technologies. There was a tendency to think about the exits of such technologies. For these technologies, in the stage gate, not only the actual evaluation of technologies, but also the evaluation of exits as I just described, and the evaluation of TRL, which I talked about at the beginning, were performed. What was interesting when I actually tried it is the upper right part on page 6. At first, I thought that development technologies and exit strategies were not so linked. Actually, at the end of the third year as a stage gate, about 30 people evaluated each of them, and this is a graph that takes the mean value of them. When you actually look at it, development technologies and exits are very linked. As expected, when the level of TRL increases, the evaluation of development technologies actually increases. I don't know which one comes first, but it is like that, so I think that upgrading the level of technologies, so-called enhancing international competitiveness, actually enhanced international technological capabilities. It was thought that researchers would lose interest in TRL 5 or so. However, by showing these points clearly, by raising TRL, breakthroughs as researchers will also occur, which can be an incentive for researchers in various ways.

In addition, the final source of technology I mentioned earlier will be many in the local government. When thinking about how to support the technology created in the local government, we talked about having universities in the area become so-called main players. In fact, when people and universities in the Kasumigaseki and Kanto regions left, there were places that were not evaluated in various ways. In the local government, we are also closely monitoring cooperation with local universities. We need to think about cooperation with such places, and the most important thing is not so much the transmission of technology as the maintenance and management of technology. Even if the technology is new at that time, it will inevitably deteriorate. Therefore, so-called maintenance and management of the technology, and human resource development to use the technology are important. In these two points, I think that universities in the area are very important as main players. We want people from universities in the area to work hard as main players even after the SIP is finally over, so we are asking the university network in the area to promote the introduction and recommendation of such new technology centered on the current Japan Society of Civil Engineers.

Against this backdrop, as I said, universities in area were connected to local government in various ways to train human resources, pass down technologies, and maintain and manage infrastructure. On the other hand, as shown on page 7, various technologies are available in the SIP infrastructure, but if you take them with you, they will not like you. In the past, it was as if a liquor store had become a seven eleven, and each area University had a team in the form of the SIP infrastructure. In such a network, the people of area University had various events hosted by area University to introduce their technologies, technologies introduced by SIP, and technologies introduced by the Ministry of Land, Infrastructure, Transport and Tourism.

In addition, as shown on page 8, we proceeded with business support for those that were of interest to us by consulting companies and local industries.

We went to a place called Betaashibashi in Tottori prefecture, where various drones were used, cameras were used, and evaluation was made by combining techniques. The best thing about this demonstration experiment is that if you use it once at a site where it is difficult to use it at the site, the so-called social awareness of these products will increase. I think it was very good for SIP to find a place where they would use it in this way. In addition, by actually using it at the site, some technologies moved toward a state where they could be used at other infrastructure sites as well. I think it was very good for SIP to find a place where they would use it at the site where it is difficult to use it.

As I mentioned above, on the last page, it is very important to open data. If we are not careful about how much we open it, people who have the original infrastructure and facilities will feel very uneasy. In fact, people who think it is the facilities are very strong. Therefore, it will be necessary to consider the opening of data in this area in the future. I think it is important to look at these, including the area government.

You mentioned validation earlier, but beyond that, certification will be important. If someone does not give a certification, it will be difficult to use it for the first time, as I said. It will not be a complete certification, but to what extent you give a certification that it is okay will be one of the important points to be able to prove the technology.

In the same sense, especially with the introduction of AI and automation, it is true that there will continue to be very subtle questions about who will be responsible if something happens, whether it will be the user or the manufacturer. I think it will be necessary to develop laws and establish literacy education.
In addition, technology maintenance and human resource development will be very important for the continuity of technology in the future. Under such circumstances, I believe that it will lead to the expansion of technology to see the revitalization of the entire area in the form of support for industry-academia cooperation at universities in area and area.

Today, I talked about providing information, including what I experienced during the first phase of SIP. It was a quick trip and some of it was short, but that's all. Thank you very much.

Chairman Ezaki: Thank you very much for showing your experience in architecture and SIP very clearly, clearly, and compactly. The progress of the Secretariat this time is also as you said at the beginning from such a perspective, and I think it is because of your experience that there are still some parts that are missing. In the second half of the Q & A session, I would like to receive various suggestions and opinions. Thank you very much.

So, this is my third and final explanation for today. I would like to ask Mr. Tsukamoto of the cybersecurity Division of the Commercial Information Policy Bureau of the Ministry of Economy, Trade and Industry to explain about the cybersecurity policy of the Ministry of Economy, Trade and Industry.

Assistant Director Tsukamoto: I would like to thank you for your time today. My name is Tsukamoto, and I am an Assistant Director of the cybersecurity Division of the Ministry of Economy, Trade and Industry. Today, I would like to explain mainly the cybersecurity policy being implemented by the Ministry of Economy, Trade and Industry, particularly the guidelines. I believe there are some parts of the Digital Extraordinary Administrative Advisory Committee Secretariat's presentation materials on cybersecurity that can be used for cooperation or reference. I would like to explain mainly such parts.

Today's table of contents is like this. First, I would like to introduce trends in foreign countries. Second, I would like to introduce what kind of efforts the Ministry of Economy, Trade and Industry is making, particularly in the creation of guidelines and systems. Specifically, I would like to introduce security of IoT, security of software, security of control IoT, and security of data handling.

First of all, as a trend of foreign countries, the United States announced its cyber strategy in March 2023. In the part related to today's theme, the third pillar 3.2 is IoT and 3.3 is software. In terms of IoT, the United States is currently developing the security Labeling Program. I will introduce it later. In the software part of 3.3, the United States is expected to considerably increase its responsibility to vendors in the future. Even in this strategy, it is written that the United States must start taking some responsibility for business operators who have not taken reasonable precautions to protect software. As a measure to ensure this, it is clearly stated that the United States will develop a law to establish responsibility for software products and services. I believe that the United States will regulate software vendors, in other words, take responsibility. This is the labeling scheme for IoT that I mentioned a little earlier.

This is what the FCC announced in August this year. It is expected to start as a voluntary labeling system, and public comments are currently being made on its content and concept. It is until September 25. As you can see in the fourth point in the blue above, we are aiming to start operation in the second half of 2024.

This is a presidential decree issued in 2021, which goes back a little bit in time. It has considerable influence in the U.S. One of the themes is the security improvement of the software supply chain. It is written, and various efforts are being made in the U.S. in 2021, 2022, and the present. This is a timeline, and it is a reference for what happened.

On the next page, OMB has a memorandum of understanding with each ministry that requires them to make an implementation for critical software. OMB also requires NIST and CISA to update critical software.

NIST has created various guidelines. One of them is called SSDF, which is a framework for secure software development. It consists of four main pillars: organization preparation, software protection, safe software development, and response to vulnerabilities. It describes the method and specific examples. This guideline has been issued, and OMB in public authorities has taken it in and signed a memorandum on the utilization of SSDF. The content is to require software vendors to obtain self-certification to certify the conformity of SSDF implementation before using software. In short, for software to be procured by government agencies, it is requested that vendors issue self-certification to certify whether or not they conform to SSDF. It is like a partial version of the guideline. The memorandum has been updated on the procedural side.

Next is the EU. The EU is also moving in various ways, and I think it is moving as if it has a stronger degree of regulation than the US. In addition to the third point below, I believe that the EU Cyber Resilience Act (CRA) is a very important move.

Regarding the enforcement of the law in the latter half of 2025, first of all, all products with digital elements are subject to the law. Although there are some exceptions such as medical care equipment, basically all digital products are subject to the law. It says that for digital products, self-declaration of conformity or third party certification will be required depending on the importance of the product, such as compliance with regulation requirements when creating an SBOM or providing an update program. There are penalties, and the maximum is 15 million euros or 2.5% of sales. In addition to certification, reporting obligations and various regulation will be required, but if you violate them, there will be quite high penalties. This law is under discussion now, and will be applied as early as the latter half of 2025.

This is a reference for the type of digital products I mentioned earlier. The rest is the United Kingdom. The third point, which starts with "Also," is also under consideration for a law requiring security measure to mandate IoT products. This is a list of what is being done in other countries and states, so it is for reference.

In this way, foreign countries are strengthening security on IoT and software regulation. METI is also preparing various guidelines to be introduced in the future. Since the guidelines are not legally binding, I think it is important how we can make efforts so that they can be firmly secured and how we can promote regulation. I believe that reflecting them in the Digi-Rin-like initiatives that are mentioned in today's discussion will be one leverage that will advance IoT software security.

Then, I would like to continue to introduce the efforts of METI. METI's cybersecurity policy is to ask the entire industry to take measures against cybersecurity, to help people recover quickly if something happens, to train human resources, and so on. There have been moves by other countries earlier, and I would like to introduce today what kind of systems METI is trying to create in response to such moves.

Within the Industry and cybersecurity Study Group, we are conducting a broad study, and are divided into working groups to advance specific studies. This is the study system of the cybersecurity policy of the Ministry of Economy, Trade and Industry.

Under the working group, it is divided into various sub-working groups and task forces. In WG1, we first discussed the foundation of our way of thinking, which is called the Cyber-Physical security measure Framework (CPSF). In a word, when the world is factorized, it is divided into three layers: the layer of real space, cyberspace, and the layer between real space and cyberspace. The components located in these layers can be decomposed into six components: social, human, thing, data, procedure, and system. If these components are reliable as the root of Trust and are connected with reliability, security in the world is maintained. We advocate such values and concepts. These are too conceptual, so we are creating a framework and guidelines that are a breakdown of them. This is a reference that we are creating various guidelines.

Next, I would like to talk about specific IoT security. First of all, as a background, the number of IoT devices is currently 35.8 billion in 2023, but it is expected to increase steadily to almost 40 billion in 2024. According to a survey by Ministry of Internal Affairs and Communications, one third of the unauthorized communications we observe are aimed at IoT devices. In addition, in Japan, a survey said that 25% of companies have experienced a temporary suspension of IoT devices and OT systems due to the security incident and accidents, and IoT is considered to be one of the security risks for many companies.

We are doing various things, but first of all, I would like to introduce a study on an IoT conformity assessment system. As I introduced earlier, the United States has started a labeling program. Although I omitted an explanation, Germany, Finland, Singapore, and other countries are also considering an IoT labeling scheme. Since it will be necessary to create such a labeling scheme in Japan, we launched a study group in November last year, compiled an interim report on the creation of an optional labeling scheme for IoT products, and are still considering the development.

Ministry of Internal Affairs and Communications is partially conducting IoT regulation in terms of technical standards, but the equipment is limited there, and the minimum necessary regulation is written. This study covers a wider range of IoT, including consumer IoT. In addition, since there are risk levels depending on IoT, we are considering creating a labeling system according to risk.

As a scheme, we are thinking of cooperating with IPA. As I will introduce later, IPA has a JISEC certification system that is currently performing CC certification, but we are wondering if it can be expanded to cover a wide range of IoT devices in addition to CC certification. There are IoT product vendors, and we want to make it a scheme that allows them to receive some kind of evaluation for the IoT they create, or self-evaluation for low-risk products. Based on this, we will determine some security requirements, so we are thinking of a scheme in which we check whether they are compliant with them, and if they are compliant, we apply to IPA and IPA labels them.

Regarding CC certification and JISEC certification, we would like to further develop JISEC certification in the narrow sense and create a system in which labels can be attached according to several risk levels such as ☆ 1, ☆ 2, ☆ 3, and ☆ 4. ☆ 1 is to respond to low-level risks, so we have set minimum standards. The higher the ☆, the broader the threat, and the more severe the threat. We would like to consider such a system, and we would like to build a system in a way that we can obtain mutual certification in cooperation with foreign countries such as the United States and the EU, which I introduced earlier. If such a system is established, I think it may be possible to have it included in the security check introduced by the Digi-in Secretariat earlier.

Next, although it is similar to the SSDF, we have also formulated guidelines aimed at improving the security of IoT devices and other equipment upon development.

Last fiscal year, we conducted various testing activities, such as penetration validation, for IoT devices from 74 companies and 155 products in demonstration experiments. As a result, 4,789 vulnerabilities were detected for 155 products, and we once again felt the need to take measures against vulnerabilities. Since 80% of the vulnerabilities were primitive vulnerabilities, such as outdated software versions, we thought that most of the vulnerabilities could be eliminated by taking thorough measures in the event of a development.

Therefore, as a guide for conducting security measure at the time of development, particularly SMEs lack knowledge and human resources, we have created a guide that is easy for SMEs to understand, focusing on SMEs. I will omit the details, but it describes how to build a system, create a security policy, carefully consider design from the stage, and conduct development and design with the assumption that security validation will be conducted at the time of release. Looking at these, if there is anything necessary, I think it is an idea to include it in the checklist I mentioned earlier. In short, I think it will be a reference for companies that deliver software to see how much security is being considered by development.

Next is the IoT-SSF and the IoT security Safety Framework. The IoT labeling system, the conformity assessment system, and the development guidelines that I explained earlier guarantee the security of IoT when it is shipped. However, even in a space where IoT is actually used, no matter how much labeling is applied or how much checking is performed at the time of development, new vulnerabilities will appear and attackers will be targeted, so the risk will naturally occur during use. The framework is based on a broader perspective of how to manage the risk during use.

I will explain the details later, but as an axis for viewing the risks of IoT devices, the first is the degree of difficulty in recovery. In other words, there is a risk of injury to people due to IoT, so it is called resilience. If a person dies, he or she cannot recover, so the degree of difficulty in recovery is mapped to a high level. If it is a minor injury, he or she can recover, so the risk is low. That is placed on the horizontal axis. The second is the degree of economic impact. Assuming that IoT is installed on a factory line, if it stops, it may stop for a day and cause hundreds of millions of yen in damage. An index of how much economic impact has been made is placed on the vertical axis. On the vertical and horizontal axes, we propose that the risks of devices can be mapped qualitatively.

This is three dimensional, but I think there are four perspectives in the concept of managing each mapped risk. The first is consideration at the time of design, and from there to the fourth, there are more perspectives of sharing risks in society. The fourth is the need to enroll in something like IoT insurance. This is a framework that shows that sharing risks from various perspectives can be considered.

Various use cases are made and introduced. To give a brief introduction to a series of cases, assuming that AGVs in a distribution warehouse automatically pick up AGVs, the framework also states that stakeholders should be organized. Therefore, AGV stakeholders include manufacturers, system integrators, and distribution operators. This framework shows that there are stakeholders, what risks there are for them, where those risks occur on a system basis, and that they should be shared among stakeholders. It shows the concept of what measures should be taken to reduce the risks. It is a framework in which each stakeholder is asked to voluntarily take measures.

One possible reason for the Secretariat's explanatory materials is that if the security checklist includes the IoT-SSF, such as self-compliance notification, the applicant may be able to voluntarily manage risk mitigation measures in a shared manner with stakeholders. I think that is how it is considered.

Next is Software security. As discussed in the Council of the Ministry of Economy, Trade and Industry and the Software TF in the review system earlier, we are creating a case study on the management of OSS (open source software).

First, we focus on SBOM. You just mentioned that SBOM will be mandatory in the EU, but SBOM is a software bill of materials. There is a lot of OSS in the world, but according to some people, 95% of applications are configured from open source. Open source also has Tier1, Tier2, Tier3, and Tier4, and I think that one application is created by combining components. There is an issue where it is not managed and vulnerabilities are not managed, and even if an attack is made based on vulnerabilities, it may lead to a delay in identifying the cause. Therefore, SBOM is a method to manage the breakdown of who made the components that make up software, how many versions there are, and what vulnerabilities there are. This is a method of vulnerability management that is highly expected in both Europe and the United States.

The Ministry of Economy, Trade and Industry would like to promote this, and last year, we conducted a demonstration in cooperation with the automobile industry, the medical care equipment industry, and the software industry. Since the Tier is wide, we have conducted a demonstration on how to share and efficiently manage vulnerabilities. Based on these demonstrations, in July this year, we formulated the "Guidance on Introduction of SBOM for Software Management." It is a guidance that describes the concept and procedures related to the operation of SBOM, such as how to build a system, how to create an SBOM, and how to share SBOM with related parties, and it is disclosed.

We are conducting a demonstration this year, and SBOM is a tool for how to manage vulnerabilities. Naturally, various vulnerabilities emerge every day, and they are increasingly registered in NVD and JVN. When these databases and SBOM software are automatically linked, vulnerabilities raised in JVN are automatically reflected in SBOM, and software development operators and Tier1 and Tier2 parties can uniformly identify and manage vulnerabilities. We are also conducting a demonstration to link such vulnerabilities.
There was a checklist for software management earlier, and it depends on how strict it is, but I think one of the considerations is how much SBOM is taken into account.

As a reference, SBOM is discussed not only in one country or area such as the U.S. and the EU, but also in multilateral frameworks such as the Quad. One of the documents in the Summit Declaration held in May this year is cybersecurity, and one of them is the Joint Principles on Software security. In that document, what was written in the SSDF, especially SBOM, is also written. The significance of these measures, the significance of vulnerability management, and the significance of using SBOM are discussed in multilateral frameworks such as the Quad.

Next is OT security. We have a plant SWG, which Professor Ezaki chairs, and we established it in January last year. After repeated discussions, we announced the guidelines in November last year. There are a wide variety of plants, and it is difficult to say that this is all that needs to be done. However, these guidelines present the values that we should build a system by understanding the size of the plant, the equipment and systems that make up the plant, and the number and ability of the personnel that make up the plant, and propose what measures should be taken to protect the value that the plant wants to achieve. They also present the process to make it possible.

This was also made public last November, and is now being used by many people. There are a wide variety of factories, and I think that measures will differ depending on the industry, so I would like to take steps to promote measures for each industry.

The last one is related to data security. The third layer TF, which I introduced earlier, is a framework that qualitatively summarizes what kind of stakeholders there are when data is exchanged, how each person holds the data, and what kind of risks there are to it.

It is called a data management framework. For example, in the case of POS data for retail stores, sales data is first registered at the cash register, and when the daily sales are totaled, they are collected on the PCs in the physical stores. Then, they are further collected and become data for each area. The flow of such data, the state of each data, which is called attributes, is first organized. It is written as "place", but it may conflict with laws such as the Personal Data Protection Act. For example, it may be a violation of the Personal Data Protection Act if data is transferred without being concealed as personal data. Or, if there are vulnerabilities in the process of transferring data, it may be broken into on the network and lead to personal data leakage or data leakage. There are also such security risks. We are also creating a framework that qualitatively shows what state the data is in, where the risks are, and how they are managed. Understanding the risks related to the handling of such data is also a useful part, since the Digi-in Secretariat has just introduced the handling of data.

In this way, we are building guidelines and frameworks that will allow us to cooperate with the parts that the Digital Extraordinary Administrative Advisory Committee Secretariat is working on, and I hope that this will be one of the materials for consideration. Thank you very much for your attention.

Chairman Ezaki: earlier.

Chairman Ezaki: I have finished the explanation that I prepared today, so the rest of the meeting will be a time for exchanging opinions, which is the main theme of today. I would like to ask any opinions, questions, etc., from the members regarding today's discussion, how to proceed with the discussion at the Committee in the future, and requests for opportunities for future presentations.

SHIMADA Member:

Chairman Ezaki: In particular, regarding transparency, you pointed out that if we do not disclose it, we will become a fawning shrine. I think you are worried, but I would like the secretariat to respond first.

Counsellor Hitoshi Suga: Handout 2, Mr. Shimada agreed to establish a TF and strengthen checks to some extent, but on the other hand, he expressed concern that keeping the members private would be a problem, that is, there would be an increase in items that are not listed in the catalog for reasons that are not well understood. In that regard, if possible, I think we can take an agile approach by first starting it private, sharing with you the data on how much it will drop, and seeing if the percentage is at an appropriate level, or if it is dropped too much or squeezed too much, and if the approach is bad, we can immediately correct it.

The reason for the non-disclosure is that it is not desirable to put some pressure on the members. The talent pool of the members is very small, and if the members decline, the system itself will not be sustainable. Therefore, you proposed that the Secretariat should start with a heavy responsibility. What do you think?

Another point is regarding the point you pointed out about the commitment of the ministries and agencies responsible for regulation at the time of the technology validation, I believe that by conducting the technology validation this time, the ministries and agencies responsible for regulation have already made a deep commitment compared to ordinary procurement cases. In the specifications, what specific functions and performances we want to confirm are written in considerable detail. I believe that there are parts that have not been verbalized until now. As pointed out by Mr. Okada, if we do not carefully examine the performances, cheap and bad technologies will come in, and honest people will be stupid, but there is also the aspect that verbalization has advanced considerably. On the other hand, the difficulty is that even if the ministries and agencies responsible for regulation correct the technology, it is not always the ministries and agencies responsible for regulation that procure the technology. If a subordinate organization under the jurisdiction of the ministries and agencies responsible for regulation itself goes to procurement, we will firmly request that it be connected to procurement. On the other hand, if the opening of regulation is going to cause companies on the compliance side of regulation to actually move to procurement, the ministries and agencies responsible for regulation will send a signal that the technology can be adopted by all means, and that there are many ways to take a step forward. I think that is what we can ask to the maximum extent. I would like to elaborate measures while following up on when the technology was actually adopted as a result of the technology validation. If you have any good wisdom, I would like to hear your advice.

SHIMADA Member: In that sense, I think there is also fairness in procurement, so I think the certification system is the key.

Chairman Ezaki: Regarding transparency, the main policy is to output processes and data. Regarding the confidentiality of the person who checks, it was explained that it may be a hybrid form.

Hiramoto Member: I will be participating from this time. Thank you very much. I am at the Digital infrastructure Center, and Director Saito of the Architecture Center has been participating until now, but I have decided to participate because I want to focus more on technology.

When I saw the materials this time, I thought it was wonderful that the map was very rich and the technology was listed.

Actually, we at IPA have experience in creating a technology catalog called Technology Reference Model and an OSS catalog in the form of OSSiPedia, so I will talk about it from there. The technology catalog has momentum at the start, but if it is not done while receiving feedback, the technology will spread and it will be difficult to maintain it, so I thought it was important to think about the operation cycle properly.

There are two points I felt at that time. When I look at such technology, I sometimes wonder what kind of company is the company that produces the product. I think it is necessary to devise ways to create multiple types of sorting because it is possible to jump to a site where you can view corporate information such as gBizINFO from the corporate number, or because there are many similar technologies, and it is sometimes pointed out that there is a problem of fairness if the top one is always the same.

Also, as I talked about feedback earlier, I think the secretariat may add it to Technology Map, but I thought it would be necessary to have a system in which we receive suggestions and feedback from general technology companies and engineers and correct it.

Chairman Ezaki: I received a very valuable experience and a suggestion that we must pay attention to continuing the operation.

Member: Looking at today's materials, I thought they have been improved. There is one comment about security. For details, there is a PDF I made while listening to the explanation, so I will explain it with it.
*Described in [Comments from Members in Chat, etc.] at the end

On page 25, you talked about the jurisdiction of the court in the section on the protection of personal data and security as the information to be entered. I have a comment on this. Security is not just saying that it is safe in cyberspace. From the perspectives of Japanese administrative organization, Japanese companies, the people who entrust their data there, and customers, it is necessary to have some kind of security guarantee under substantive law. Otherwise, I think it will end up as a mere abstract concept.

The previous part on page 25 is wonderful, and I think there are three purposes why I let you enter it. I understand that the three purposes are to understand the risk of default, such as the inability to retrieve data due to defects, leaks, or service outages of vendor companies, to always think about how Japanese people can respond legally when it occurs, and to intercept the problem by realizing a situation in which vendors pay great attention and store Japanese people's data so that they do not have to pay compensation by obliging vendors to pay compensation when it occurs.

In that case, as described in (2), I think that important data is not limited to personal data. If you write "individual" in a limited way, it will be misunderstood. Therefore, I think it is better to write "all business data including personal data shall be protected," because it does not mean that data other than personal data is not so important.

What is written in (3) is that the country where jurisdiction is located is certainly important, but in addition to that, what is often overlooked is the applicable governing law. I think jurisdiction and governing law are completely different concepts. Even if it is written that the Japanese court has jurisdiction, there are cases where it is written that the laws of ○ ○ country and ○ ○ state are applied. This will cause unexpected disadvantages to users, so I think the governing law should be written along with jurisdiction.

Regarding (4), as is often the case, when selling products made by foreign vendors to Japanese people, there are times when it is not clear whether the head office is selling them or whether a Japanese subsidiary is selling them. For example, when trying to use a great cloud service with the brand G, users do not know well whether it is a corporation in Ward A of Tokyo Prefecture called "GLLC," a corporation in Ward B of Tokyo Prefecture called "G. Cloud Japan," or "GLLC" in Delaware, USA, and I think they start using it because it is safe with the brand G. When there is an important brand in a foreign company, they use the service of G with peace of mind that it will be safe because they guarantee it and that they will compensate for damage including the personal property of the director. However, they are very smart.

Regarding (5), even if it is clearly stated that it is a Japanese company, if the company has nothing to do with the property of the head office in a foreign country and there is not much property to be used for compensation at the company, it does not mean that there is nothing to be obtained even if it is tried in a Japanese court, and the user is forced to accept it. However, even if the user is forced to accept it, it is sufficient to enter a means such as cyber insurance in advance. However, in that case, the user company and the user public office need to know how much amount of insurance to insure and whether or not there is a risk of taking out insurance in the first place. Therefore, if the amount of money that the listed foreign vendor has credit collateral of this amount can be self-reported, or if it is confidential, it can be said that it is not necessary to enter it, and if the entry is voluntary and confidential, the contract will be made with sufficient caution, and the cyber insurance will be entered, so I think that there is value in having an entry field.

Finally, when large-scale failures occur at the same time, users ask for compensation, but if you look closely at the terms and conditions, it says in fine print that the maximum amount is for the last year, and that no special damage will be compensated. However, it is virtually difficult for public office and private sector company representatives to read it. The scope of compensation is an extremely important factor when reading the technical catalog and deciding what to do. It is difficult to read the terms and conditions, so I would like you to simplify this for management decision-making and add that the maximum amount should be entered in one or two lines as the self-reported value of the operator, which is as simple as the column for international jurisdiction. I thought it would be good for the operator to say that their service is safe, and it would be good for Japanese users to be able to grasp the security fee. I sent you the comments in scrawl.

Chairman Ezaki: . Basically, we have to provide complimentary service information, but we have to be aware that if we are too strong, the compliance overhead will increase. Do you have any response from the secretariat?

Counsellor Hitoshi Suga:

Someya Member: I would like to make one comment and one question.

First of all, as you said in your first question, I would like to comment to the Secretariat about the fact that the members of the Technology Catalog Operation TF are not disclosed. Usually, decisions such as this are shared responsibility by the entire committee rather than individual risk, so I thought it is not necessarily necessary to be disclosed. In addition, if it is disclosed to the public, everyone will be caught, and I wonder why, I am worried about whether transparency is okay when making important decisions. On the other hand, if the timing and content of disclosure by the members are appropriately managed, I felt that it would be possible to operate it appropriately without taking the trouble to disclose it here.

Another thing is, regarding the presentation by Mr. Okada, I was impressed by the fact that he has continued his activities at the SIP by staying close to the field. In the last item he mentioned, "Universities in area," I sincerely sympathize with the fact that supporting industry-academia cooperation in area is very important for solving the problem. It was a good story, but I think there are actually places that are not easy, so I would like to ask you about Issue and solutions for them, or Digital Agency is also attending today, so if you have any requests for the administration, I would like to ask you.

Chairman Ezaki: for the second half.

Counsellor Hitoshi Suga: Certainly, we also thought that keeping the members "closed to the public" was a quite in-depth proposal, but we also thought that we had to take some measures to protect the members. We thought that it is important to ensure the integrity of those involved in decision-making by flexibly judging the timing of disclosure, including after important decisions are made, and in any case, ensuring that those involved in important decisions are not black boxes forever. Therefore, we would like to review this policy based on your proposal.

OKADA Member: , I think the most important thing is how to find people who are likely to do it. However, in my experience, basically emeritus professors who have reached the retirement age do quite a lot. In other words, active teachers are still mainly working in research and so on, so it is quite difficult to have them do this kind of thing with extra money. On the other hand, even if they have reached the retirement age, everyone is still healthy, so if such people ask young doctoral students to do it, they will do their best.

If we support how to get the national budget in various ways, such as going to get the budget for Ministry of Internal Affairs and Communications and area Creation of the Cabinet Office with people in area, I think it will come out in the form of going to get it, including that. By combining area Creation and others, rather than how to get money for digital technology development, we can get other budgets well. Even if it is not only universities that actually go to get it, there are budgets that are easy to get through industry-academia cooperation, so I personally thought that it would be good if someone could guide them well.

In the case of civil engineering, it is done by the Japan Society of Civil Engineers. It is necessary to support such a consortium, and I think that if we can set up an environment that is not just direct but indirect, it will work. I feel that there were surprisingly many people who wanted to do it if they had that.

Chairman Ezaki: I understand that it is to show successful cases like Technology Map and use senior human resources in it. Regarding the first question, is it correct to understand that "to consider" does not mean "not to do" like an official, but that the answer is to think about the method specifically in the direction of disclosure?

Counsellor Hitoshi Suga: I would like to respond in that way.

SUZUKI Member: , and I am participating here in my position as General Manager of Fukushima Robot testing Field.

When I participated in the last time or the time before the last time, as Mr. Okada said earlier, even if you say technology, there are stages depending on the level. So, I asked if it would be good to introduce the low but possible technical readiness level in the form of a catalog, without cataloging only the completed products. At that time, I thought it would be good to create an item so that the viewer can recognize what the technical readiness level is.

Listening to today's story, I think the story of risk-based and performance-based is at the root. There is a story that some things do not need a validation, and I think it is because the risk is low. We have created a drones guideline for flying a risk management at the Fukushima Robot testing Field. There is a Sora risk assessment guideline created by the WG of the International Civil Aviation Organization, a specialized agency of the United Nations. There is a place where it has been re-created to suit Japanese environments. If the risk is low, self-declaration is fine, but if the risk is medium or higher, a third party evaluation is required, and it is not objective to determine whether it is really OK without it.

Therefore, I would like you to consider how to make the third party evaluation function when it is used for high-risk inspections in the future. Since it is performance-based, the new technology presented here does not require itself, and since it is one example, I think that we must consider how to combine and use it among various methods that can be used. Self-declaration is fine for low-risk things, but if the risk is high, third party validation may be necessary to determine whether or not it is really OK. There was a talk earlier from Mr. Okada about creating such a validation organization, but I thought that it is necessary to consider how to build third party certification at a stage when such things have not yet matured in Japan.

Chairman Ezaki: .

Counsellor Hitoshi Suga: Suzuki will be taking care of testing itself, which is validation Field Type 3 in Fukushima. In addition, we are really grateful that we, the secretariat, have been able to attend and explain various opportunities that you are planning.

As for TRL, I have already added it to the catalog based on what you pointed out, but I think many people may not be able to write it if they put it in as it is, so at this point, we are focusing on ease of understanding, and it is divided into three stages: research stage, demonstration stage, and sales stage. If you have any comments on whether it is too summarized, I would like to ask you.

There is another discussion. It is not only about validation, but also about certification and certification starting from labeling. I heard a presentation from the Cybersecurity Division of the Ministry of Economy, Trade and Industry, but since rice cake is a rice cake maker, everything is Digital Agency, digital consultation, and without self-reliance, how we can ride on the new system, and by doing so, we can contribute to the enforcement of the system itself. So, if certified and certified functions will be created in the future, we would like to consider riding on it first. I think it is an ongoing discussion, but I would like to follow it closely.

SUZUKI Member: Regarding the level of TRL that I mentioned earlier, I think everyone would recognize it if it was written as a rough item such as "under research," "in development," or "commercialized," so thank you for including it.

Regarding certification, as I explained, it is not that Digital Agency will go that far, but that industry groups dealing with it will play a central role and promote it together with academia. Therefore, I would like Digital Agency to continue to send a message that induces such a move. Thank you.

Chairman Ezaki: I understand that when we think about scalability, we should be aware that it is not a matter of doing it alone.

Nakagaki Member: 's lecture was very helpful. I am sorry for asking a separate question, but I am Issue of data ownership. It is always a problem even in the Smart Security Promotion Committee, but the miss rate and the miss rate, in particular, are often fatal, so if you try to relax the detection, the number of false positives will increase. In order to improve the quality of data, I think device development users want high-quality machine learning training data after release. However, in the case of customers who have installed it, permission is required, and there are many cases where it is not disclosed under various restrictions. Do you have any good examples of how to respond to that?

OKADA Member: I don't know if it will be an example, but in the case of area University earlier, there were actually several places in area, such as the Infrastructure Center, where civil engineering teachers were creating human resource development centers in a way that connected them with the outside. We collected data from local government at such places, and closed them there. For example, we could create a local network by having those who use technology enter it, such as connecting a comprehensive cooperation with the university. I think it would be possible to open it in the network. For example, in local government, where it was used, it was possible to collect all of it, including data from the city, so that it could be used within the prefecture, or it could be used once you get there.

At first, if we talk about local government, it is said that the prefecture cannot use the city's database. If we leave it to local government, to put it simply, it is no good because there is no connection, it is no good because the prefecture and the city are not on good terms, or there is talk of collusion in the past, so we don't want to work with them. So, if we say we want to store it in a university in area, as I mentioned earlier, people around us can feel safe, including the possibility of securing a certain amount of collateral. So, we will create a center in the university in area to collect such data. If the center does not use all of it, and if the companies in the center can use it by combining with the center, I think we will be able to set up a Minister in charge of Administrative Reform Okada including external parties. In fact, some of them have been successful. In that sense, I think one way is to make good use of the center in the university in area.

Nakagaki Member: I think the answer you just gave is related to the answer to the next question, but there is a reluctance of the front-runner, and as I showed in the questionnaire last time, if there is a track record somewhere, we will try to do it, but on the other hand, when a new technology is at the implementation stage for the first time, there is no one who takes a risk at the development stage and offers voluntary field tests. Do you think there is a good way to overcome this, but is it possible if the university is involved?

OKADA Member: In fact, in local government, there are people who seem to have come as university researchers, so if you follow them through a very local network, you can see that they are working as key people. Or, if there is a special assistant to the mayor who is a technical official as if he were the vice mayor of some city, if you try using him, you can see that he is doing this. Or, if you try to look at technology in that way, or if you try to look at it through a local network, you can see that there are some people in local government who are unexpectedly doing this. In addition, if you catch a section chief who actively comes to events, he or she may say that he or she wants to do it. So, instead of doing only remote web conferences as I mentioned earlier, if you actually have a real conference, there is a person who comes to you saying that he or she wants to talk to you, and if you talk to that person, it will be like he or she wants to do it. On the other hand, I think that the more digital it is, the more realistic the meeting or event is, and the more interested people are caught there, in terms of local administration.

Nakagaki Member: It was helpful.

Chairman Ezaki: neutrality.

Kawabata Member: chat, so I will tell you the important things.
*Refer to [Comments from Members in Chat, etc.] at the end

I was convinced because I understood the analysis and analysis of the conventional legal development in Material 2. I understood the order of the legal development well. On the other hand, I think that the ease of digitalization will be an add-on in the future, but at the same time as the analysis that the conventional legal development was like this, I thought that it is necessary to be what the digitalization should be like. For example, rapid response to problems was required in the conventional legal development, but in digitalization, I think that preventive maintenance and mitigation data can be obtained. I think that the conventional legal development was to define the purpose and method of inspection to inspect broken parts. For example, sensors have been developed, so sensor and measurement data can be shared, and in some cases, feedback from the measurement data to the platform can be made, so I thought that it would be good to add a form that can promote it when the legal development is made in the future.

Therefore, in addition to conventional legal analysis, in the future, the number of workers will decrease due to the low birth rate, and it will cost money and data to inspect broken parts. For example, at a building site, the introduction of BIM will not only simplify the method of design, but also make it possible to use design data for preventive maintenance and inspection in the future, so I think that the introduction of BIM will advance if such legal development can be made.

As it leads to Material 3 below, infrastructure monitoring is not only about monitoring where things have been done and broken, but also about installing sensors. Especially in civil engineering work, when budgets are tight, there is no mechanism to actively introduce new sensors when setting budgets. However, I think that if the law is developed to promote preventive maintenance technology, such a thing can be promoted.

I believe that Materials 2 and 3 are related to each other.

In addition, as other members have pointed out repeatedly, there are very difficult parts between regulation and procurement. In the case of private sector operators, even if they participate in the PoC at the stage of technology establishment, which requires both people and cost, the cost of procurement is low even if it is approved, so it is common for different operators to join. It is natural that bidding is based on budget, but it may be difficult for private sector operators to participate until the PoC stage, so I thought it would be good to create a mechanism to balance them.

I'm sorry that I don't have an idea for the last part, but I would be happy if you could reflect the points made in Materials 2 and 3.

Chairman Ezaki: , so I would like to ask Members Kawabata and Ogino to write down what they wrote in the chat and put it firmly in the minutes.

Counsellor Hitoshi Suga: Ogawa all right?

Ogawa member: time, I will list it in the chat.

Chairman Ezaki: , we will respond by having people chat or e-mail us and making sure that they are included in the minutes.

Ogawa member: I understand.
*Described in [Comments from Members in Chat, etc.] at the end

Chairman Ezaki: , can you give us a brief response on these three matters?

Counsellor Hitoshi Suga: These are all valuable points, so we will discuss the revised proposal again in consideration of our response.

Chairman Ezaki: time, but this is all for today's agenda.

Chairman Ezaki: Finally, I would like to ask the Secretariat for an explanation on the next Committee, etc.

Counsellor Hitoshi Suga: We will inform you of the schedule and other matters at the next Committee meeting later. The handling of minutes and materials is the same as before. Thank you very much for your continued support.

Chairman Ezaki: Thank you very much for your very constructive and essential opinions.

I think that "I will consider it" does not mean "I will not do it" of the official, but it will reflect the opinions received, so please continue to support us. Thank you very much for your support today.

[Comments from Members via Chat, etc.]
Member:
This is a comment on the secretariat material "Progress of the 6th Technology-based regulatory reform Promotion Committee' Technology-based regulatory reform' and how to proceed in the near future".

Regarding "(ii) Add items corresponding to cybersecurity and software supply chain risks to the items to be entered" (the purpose is clearly stated as "to support appropriate risk judgments, etc. by technology catalog users") among the items to be entered in "Additional Responses to cybersecurity and Supply Chain Risk Management" on page 25.

In the first place, I think the word "security" (security) has a strong meaning of "security (of safety)." It is essential for risk management to understand the security for safety, not just saying safety.

(1) The purpose of this measure is to reduce the security risk of product and service suppliers defaulting on their obligations (defects, data breaches, inability to retrieve data due to service outages, etc.).

(a) Identify the risk;
(b) To understand the scope of legal action that the user organization may take in the event of an actual problem.
(c) By ensuring that the obligation to compensate for damage in the event of irreparable damage is fully met, a situation is realized in which a business operator voluntarily wishes to supply products and services with due care, thereby reducing the probability of problems occurring.

I think it is in the point of realizing.

(2) In that case, first of all, it is unreasonable that the infringement under security that may occur due to the responsibility of the business operator is limited only to the "protection of personal data." Rather, it is misleading and disadvantageous to describe it as "personal data" in a limited way. Therefore, I think it should be "protection of all business data (including personal data)."

(3) Next, in addition to "the country where the jurisdiction is located," I think "the applicable governing law" should be added to the input item. "Jurisdiction" and "governing law" are completely different concepts, and I think both are equally important. (There are cases where the terms and conditions, etc., say that the governing law is a foreign law even if you are relieved that the Japanese court has jurisdiction. In this case, the Japanese court must apply the foreign law to the case even if the victim user is Japanese, which will be extremely disadvantageous to the Japanese user. The risk must be understood by the user in advance.)

(4) We believe that it is necessary to make it mandatory for Japanese users to write the "official name of the corporation and the country in which the corporation was established" so that the "corporation name" of the counterparty to the contract can be clearly identified for all vendor products and services. The reasons for this are explained below.

In the case of foreign vendors, the head office is in a foreign country, but there are also cases where it sells directly. There are also cases where there are branch offices, subsidiaries, and agencies in Japan. In this case, there is a problem that it is not clear who the supplier (debtor) of the product or service is in the contract with the user (creditor) before the introduction. (For example, it is only written as "Company G," and the user does not know well whether it is "G LLC (a corporation in A Ward, Tokyo)," "G. Cloud Japan LLC (a corporation in B Ward, Tokyo)," or "G LLC (a corporation under the laws of the State of Delaware in the United States)," and the "G" brand is strong, so it will be safe, so the user applies for it and starts using it.)

In other words, in the case of overseas companies, even if Japanese users mistakenly believe that they are dealing with a "U.S. ○ ○ company with a large amount of liability and property (multiple foreign rich people are serving as directors, and ultimately, in addition to the company, the personal property of those directors should be pursued)," in fact, they may not be dealing with a "Japanese affiliate ○ ○ company with only a small amount of liability and property, but only a director with insufficient funds."

In addition, foreign companies are very smart. For example, in the case that a large-scale data leakage occurred due to negligence in the same period for the data of many Japanese users, even if compensation claims are made at the same time, they are often protected by legal measures (risk isolation) that only compensate within the scope of the property of a small Japanese company and do not affect the head office. As a Japanese user, even if you think you have a security, it is often the case that it was actually unsecured. It is necessary to protect users from such a misunderstanding. Of course, if a "nominal corporation" is the front desk, there are cases in which liability can be pursued by lending a signboard, but this is a very limited case, and the burden of proof lies with the user. The hurdles are very high, and the user is at a considerable disadvantage.

In modern times, data confidentiality and availability are extremely important assets. Users entrust their own organization and citizens with valuable data and data processing (important assets), and in exchange for the price, they ask the business operator to bear the "debt" of security.

I think it is normal to carefully examine the credit resources of the counterparty to the contract and the presence or absence of collateral when entrusting important assets to others. This is essential for risk management. It is exactly the same as lending money to others.

In this way, particularly for overseas companies with a large number of subsidiaries, etc., it is essential to be able to clearly determine "who will be the debtor under the contract with the Japanese user" in order to independently investigate the credit resources and collateral of each user.

(5) In relation to (4), in order to realize (c) above, we believe that it should be required that the corporation to be the business partners enters and describes in the self-assessment how much and what kind of collateral assets it has in Japan.

If a large number of Japanese users are simultaneously using a service via a Japanese subsidiary of a foreign vendor, and all of the data has been leaked due to a flaw in the service, such as a vulnerability, all of them will claim compensation from the company.

If a Japanese public authority or private sector organization has a large amount of data on citizens or customers, and if it is leaked due to a foreign vendor, the Japanese organization is required by the citizens or customers to pay state compensation or civil damages, which must be paid. However, even if Japan has jurisdiction, if the vendor does not have much property in Japan, the subsidiary company of the vendor cannot pay damages. Therefore, compensation cannot be obtained from the foreign vendor that caused the leakage (even if the case is won in court, if there is no money, it cannot be received), and the user ends up crying over spilt milk for most of the amount.

In such a case, the user needs to enroll in cyber insurance in advance. However, in order for the user to appropriately understand the necessity / unnecessity of insurance and the amount to be insured, it is necessary to understand the amount of collateral property in Japan of the foreign vendor used by the user.

In order to manage such risks, I think it is necessary to have users enter the outline and status of their Japanese collateralized liability assets by self-reporting. This does not require entry, and it is also good to allow it to be "private." In this case, as a user, it is possible to recognize that "Since the credit is a private company, we should make a contract with sufficient caution and enter into a cyber insurance," so I think it is still worth it.

(6) Finally, I think that the outline of the upper limit of the amount of damage compensation by the business operator in the terms and conditions of the product / service contract, which is related to the damage in the case that the user data, etc. is leaked, damaged, or cannot be taken out due to the negligence of the business operator, should be clearly stated in about 1 or 2 lines.

Most users trust that they will be fully compensated, but if you actually read the terms and conditions carefully, it says, "The maximum amount is one year's worth of the last fee payment. We will not compensate you for any special damage." Users sign contracts without reading the detailed terms and conditions, and when problems actually occur, they fall asleep. On the user side, it is possible to take measures such as subscribing to cyber insurance, data distribution, encryption, and the use of multi-cloud, but in order to make management decisions on how much risk should be managed, it is necessary to know briefly whether or not there is an upper limit on the amount of compensation, as described above, or the content thereof.

It is practically difficult for the user to read the terms and conditions in detail, and there is also an interpretation risk. Therefore, I think that the outline of the method for determining the upper limit of liability (about one or two lines) should be entered as the self-reported value of the business operator who is listed in the catalog.

Ogino Member:
There is an overlap between matters related to cybersecurity and matters related to the software supply chain. Regarding the secretariat materials this time, each item is issued independently. I think it is necessary to organize them so that those who apply and those who publish can appropriately describe them. (pages 26 to 31) In addition, I think we should reconfirm the materials to confirm the completeness (page 32).

Kawabata Member:
Regarding Material 2: Regarding the analysis of conventional legal development, I think it is wonderful because the content is well understood. On the other hand, I think it is better to reflect the merits of digitalization. I think it is necessary to have a framework that promotes preventive maintenance as well as quick response to problems. In addition, acceleration of sharing and F/B to the platform are also the merits of digitalization, so I think it would be good to include those points.

Regarding material 3: Infrastructure monitors, in particular, already think that there is no time to wait. I think that it is necessary to develop laws that can promote preventive maintenance technology. Regarding regulation and procurement, I think that it is possible to change the degree of freedom of procurement until the PoC, which is the stage of technology establishment, and after that, mass production. This is because there is a reasonable cost for initial technology development and approval, but in the diffusion stage, the bidding budget is the key, and private business may be reluctant.

Ogawa Member:
Since I did not have an opportunity to speak today, I will write this down at the end as directed by the Chairman. I would appreciate if you could expand on this and publish it.

I would like to make three comments today.

First, regarding the necessity of dynamic monitoring of "minimum checks," we also evaluate it as a big step. On the other hand, since technology is evolving rapidly, it is easily assumed that it will be upgraded and updated after being evaluated once. In this case, it may naturally affect the supply chain. In addition, changes such as a change in the owner of a company providing technology or acquisition may also affect the risk. We believe that a dynamic evaluation and monitoring mechanism, including change management, should also be introduced for such changes in risk.

Next, as Mr. Okada said earlier, in the purchasing process of each local government and the government agency in charge of the regulation, I think it is necessary to have a program to foster sufficient knowledge to understand the necessary and sufficient performance requirements. If there is not enough knowledge about the performance requirements, the decision will be made only on the price side. This is common in the private sector, and as a result, it may not be connected to the final decision of appropriate purchase, and it may be a cause of retrogression after purchase, and as a result, the cost may be greatly exceeded. I think it is also necessary to have a training program to improve legal, performance, technical literacy, and knowledge to ensure the maintenance of the performance requirement level on the side of each local government and the government agency in charge of the regulation.

Finally, regarding the technologies for regulation, so-called RegTech and TrustedData, I think it is necessary to consider the appropriate return process to private sector. As a result, I believe that this initiative will contribute to the reduction of costs in society as a whole.

We have been conducting research on RegTech since 2015. The UK authorities were very alarmed by the emergence of the competitive areas of FinTech in the US Silicon Valley and the fact that a large amount of capital began to flow to the US. Therefore, we focused on RegTech. We classify the degree of RegTech creation in stages. The first level is automation of regulation reports, etc., by RPA, etc., and visualization analysis of compliance risks. The next level is cognitive technology, risk assessment by AI, and assistance in judgment, for example, temporary classification of suspected persons in anti-money laundering by cognitive technology.

The highest level of development of RegTech, which is not competitive areas, is the formation of a consortium to share regulation compatible technologies and data. At that time, for example, the construction of a KYC (Know Your Customer) platform was considered by several companies in the private sector. However, they face many difficult development issues in different interests, such as who will be responsible in the event of a mistake and who will bear the cost of maintaining Issue. As a result, they learned the limits of the private sector alone, and expectations for the country grew.

I feel that the country's commitment this time is very valuable in this regard. I have high expectations that the technology mentioned here will contribute to greatly reducing social costs if it is used as a compliance response by private sector companies. In addition, I believe that the TrustedData generated this time will contribute to creating new businesses and creating start-ups if it is properly opened.

Regarding the newly launched RegTech Consortium, we expect that it will not only collect information for Technology Map, but also discuss more specifically how to return money to private sector.

Toyota Member:
I did not dare to speak at today's meeting because I ran out of time and it is a bit off from the more specific main topic this time, but I would like to add one point.

Until now, these moves have been exhausted by internal coordination with various Japanese companies and local government, and it seems that there are few successful cases in which international standardization, particularly wide-area cooperation with Europe and the United States, has been strategically incorporated.

Prior to the start of individual internal adjustments, I think that we should thoroughly research overseas movements from a more macroscopic perspective, and should also firmly budget for activities to cooperate with them or strategically take the lead. It is difficult for private sector companies to provide a perspective that prevents Japanese domestic standardization from becoming a local knowledge in global standards. Even if it is impossible to cover all of them, I feel that it is good for the government to take the lead in extracting strategic areas, conducting surveys, and compiling a coordinated budget.

Today, you talked about SIP, but I think that there is a potential problem that international standards cannot be obtained even if implementation advances, one more than the fact that social implementation is difficult, so I thought that we should raise the issue at this point.

This is just a supplementary opinion, but I would appreciate it if you could add it to the minutes. Thank you for your continued support.
End