Proposal on Incident Investigation and Information Sharing under the Telecommunications Business Act

Summary of the Proposal

In response to the recent large-scale communications outage experienced by KDDI, efforts to identify the root causes have begun. Regardless of this particular incident, in today's society—where telecommunications services have become part of the essential social infrastructure—it is important not merely to pursue the responsibility of individual telecommunications carriers, but also to strengthen mechanisms for investigation and information sharing aimed at identifying and resolving the underlying issues of such outages. This approach, which reflects the challenges raised by the Telecommunications Accident Review Committee, is considered to serve the public interest.

Recognizing that disruptions in telecommunications services can have far-reaching impacts beyond the services themselves, the Policy Research Institute strongly advocates for the establishment of a robust investigative framework. This should involve not only the Ministry of Internal Affairs and Communications, but also domestic and international stakeholders, including telecommunications carriers, network equipment vendors, and cloud service providers. These stakeholders, as part of a multi-stakeholder framework, should collaborate in investigating incidents, identifying causes, and sharing lessons learned and operational know-how. Such information should be treated as a form of "public good" essential to the operation of critical infrastructure, and efforts to share the findings of incident investigations with multi-stakeholders and society at large should be further promoted.

Proposal

In the early hours of Saturday, July 2, 2022, the telecommunications facilities operated by KDDI Corporation and Okinawa Cellular Telephone Company experienced a large-scale failure, resulting in a prolonged and widespread communications outage that primarily affected the subscribers of both companies. The impact of this incident extended beyond individual users of telecommunications services. Through the corporate clients of these companies, the disruption also affected users of various social services—ranging from banking transactions to services such as parking lot access.

Taking this incident as a starting point, this proposal examines the future approach to incident investigation and review under the Telecommunications Business Act.

As digital transformation (DX) advances, expectations for telecommunications infrastructure continue to rise (*1). At the same time, as digital technologies become more deeply embedded in everyday life, systems have grown larger and more complex. These complex systems tend to become "black boxes," making it increasingly difficult to understand or analyze their internal structures.

As a result, telecommunications carriers and network equipment vendors are now required to possess more advanced expertise and know-how than ever before. However, in practice, there are clear limitations to what can be achieved through isolated, individual efforts.

The Ministry of Internal Affairs and Communications has convened the Telecommunications Accident Review Committee since FY2015. Nevertheless, there has been little to no disclosure of information such as the results of risk assessments conducted through accident investigations, aside from the exclusion of confidential details. Furthermore, it has been reported that, “in some cases, telecommunications carriers involved in an accident are unable to obtain sufficient explanations or information from the entities that supplied the relevant equipment regarding the causes of the failure.” (*2)

It is possible that incidents with similar underlying causes have occurred among other telecommunications carriers in recent years; however, the opportunity to draw sufficient lessons from such cases has been lacking. To overcome this situation, it is essential to further develop mechanisms that enable the sharing of efforts to identify and resolve underlying issues.

To promote the sharing of such efforts, it is essential to establish procedures for requesting the disclosure of information from telecommunications carriers involved in incidents and other related parties in the telecommunications sector. Equally important is the design of incentives to ensure the effective implementation of these procedures (*3).

To this end, a regulatory framework should be considered that differs from the administrative sanctions prescribed under the Telecommunications Business Act. Rather than focusing solely on penalizing or sanctioning carriers, the system should explore options such as granting immunity in exchange for the proactive provision of information.

For comparison, the Japan Transport Safety Board, which handles aviation and railway accidents, has long maintained both institutional know-how and a well-established personnel structure for investigation, analysis, and statistical review. In contrast, the Department of Telecommunications Business within the Ministry of Internal Affairs and Communications currently has only a small number of staff responsible for analyzing telecommunications incidents. Therefore, in addition to incentive design, it is also imperative to strengthen the administrative structure necessary for implementing such mechanisms.

At the same time, alongside positive incentives, it is also important to consider disincentives to ensure effectiveness. While a disclosure system should be designed to prevent unjustified refusals to disclose information, in practice, securing appropriate information may be difficult without active cooperation. As such, the possibility of introducing penalties for non-disclosure could also be included as one of the policy options.

With respect to the Telecommunications Business Act, the increasing complexity of information and communications systems is evident due to various developments, including the proliferation of 5G, base station sharing, the implementation of networks on cloud infrastructure (so-called “cloud-native” networks), and the diversification of foundational technologies, including the use of commercial off-the-shelf products.

In an era where even telecommunications infrastructure is increasingly being migrated to public cloud platforms worldwide, it is essential not only for telecommunications carriers but also for a wide range of multi-stakeholders—including domestic and international equipment vendors, cloud service providers, and, in some cases, businesses that offer other services via telecommunications networks—to disclose relevant information and share analysis results.

The Telecommunications Business Act requires telecommunications carriers—entities that provide telecommunications services using telecommunications facilities—to properly maintain those facilities. Accordingly, when an incident occurs, the relevant telecommunications carrier is obligated to bear a certain level of responsibility.

However, given that telecommunications services now serve not only as stand-alone services but also as foundational infrastructure for a wide range of other services—in a “B to B to X” structure that impacts not only direct customers but also a broader range of end users—it is no longer appropriate to leave the responsibility for responding to incidents solely to telecommunications carriers.

As previously discussed, it is necessary to seek the cooperation of a broader group of multi-stakeholders. At the same time, sharing the outcomes of investigations with these stakeholders—excluding information that constitutes serious trade secrets or classified data—serves the public interest.

The Ministry of Internal Affairs and Communications, which oversees the Telecommunications Business Act, also addressed these issues in the “Fifth Report of the IP Network Facilities Committee, Information and Communications Technology Subcommittee, Information and Communications Council,” published in September 2021. The report presents recommendations to strengthen functions such as the OODA loop and risk assessment in response to significant risks.

These recommendations include quantitative and qualitative revisions to the reporting system, consideration of third-party verification and the design of appropriate institutions to fulfill that role, and the promotion of multi-stakeholder efforts through the publication of investigation and risk assessment results and through effective risk communication (*4).

In general, social infrastructure relies on the shared use of specific facilities by an unspecified and large number of users. Accordingly, rather than pursuing a zero-risk (infallible) system at unlimited cost, it is more reasonable to assume that incidents are inevitable and to focus on achieving recovery as quickly as possible.

In the context of digital technologies, where systems tend to become increasingly complex, the key to enhancing risk assessment among stakeholders and minimizing damage lies in identifying the causes of incidents and sharing that information. Such practices contribute directly to the resilience and robustness of infrastructure.

Since telecommunications services provided by telecommunications carriers form the foundation for other forms of social infrastructure and services, discussions concerning the Telecommunications Business Act should not be confined to the legal framework alone. It is vital that these discussions be approached with the recognition that they concern the broader development of foundational systems for society as a whole.

Building upon the above considerations and this shared understanding, it is hoped that the Ministry of Internal Affairs and Communications will take the recent incident as an opportunity to treat the identification of root causes and the sharing of lessons learned and technical know-how as a form of “public good.” In doing so, the Ministry should not limit itself to working with telecommunications carriers alone, but should also collaborate with other relevant stakeholders and external experts.

Such efforts should include not only direct responses—such as collecting incident information, analyzing causes, and formulating recurrence prevention measures—but also the treatment of insights gathered from a broad range of multi-stakeholders as assets for society as a whole. Additionally, we hope the Ministry will pursue the exploration of international systems and case studies, and secure the cooperation of diverse domestic and international actors, thereby promoting realistic measures to strengthen telecommunications infrastructure as essential social infrastructure.

(*1) The revised Telecommunications Business Act, passed during the 2022 ordinary session of the Diet and promulgated on June 17, includes an explanation in its summary materials stating that “for broadband services, the number of subscriptions has been increasing year by year, and in addition to ‘development,’ the importance of ‘maintenance’ is also growing.” Based on this recognition, certain broadband services have been designated as basic telecommunications services (universal services) under Article 7, Item 2 of the amended Act.

(*2) See the description regarding the current status and challenges of the Telecommunications Accident Review Committee in the “Fifth Report of the IP Network Facilities Committee, Information and Communications Technology Subcommittee, Information and Communications Council” (September 2021), pp. 57–59.

https://www.soumu.go.jp/main_content/000770320.pdf

(*3) In Japan, examples of institutional development include the establishment of independent third-party bodies such as the Japan Transport Safety Board under the Ministry of Land, Infrastructure, Transport and Tourism. Other examples related to the regulation of critical infrastructure include the Consumer Safety Investigation Commission and the Electricity Safety Subcommittee of the Ministry of Economy, Trade and Industry.

(*4) For discussions related to the accident investigation system, see especially pages 56 to 65 of the document referenced in footnote 2.

 Contact Information

For general inquiries regarding this proposal, please contact:

Atsumi & Sakai

Policy Research Institute

Email: public-inst.contact@aplaw.jp

(Published on August 1, 2022)