Concept - Security Transparency Consortium

Purpose of activity

The systems and services we use in our daily lives are composed of a variety of hardware and software. All of them are supported by diverse supply chains. The risk that a breach of the security of the environment or products of the businesses that comprise the supply chain may result in a breach of the systems and services they support is referred to as “supply chain security risk”.

In Society 5.0, the hardware and software that make up systems and services will become more diverse and sophisticated, and the supply chains involved will also expand. As a result, these security risks will become increasingly serious. And in the sense that not only the businesses that provide systems and services, but also the businesses that support the supply chain will be required to respond to such risks, supply chain security risks can be said to be “an issue that society as a whole must address”.

Currently, there is a growing interest in visualizing the contents of products and systems (e.g., software configuration) and ensuring security transparency in order to respond to this risk. Specifically, efforts to “create” visualization data, such as standardizing the data format for software configuration lists (SBOM) and requiring business operators to create and provide such data, are gaining momentum.

On the other hand, unless the creation and provision of visualization data as well as its utilization are sufficiently secured, the cost burden associated with the creation and provision of visualization data will not be balanced, and the effectiveness of the efforts will diminish, possibly even becoming a dead letter. In other words, it is important to realize the effects and practical methods of “using” the visualization data that has been created, in order to reduce supply chain security risks and bring value to various security operations, in cooperation with the businesses that make up the supply chain. In addition, it is important to realize the effectiveness and practical methods from the “use” side to bring value to various security operations.

In this consortium, businesses that comprise the supply chain will work together to “co-create knowledge” on measures to improve security based on transparency ensured by “using” visualized data, based on the assumption that visualized data will permeate society. Furthermore, by inviting businesses that are not bound to a specific industry or sector to participate, the Consortium aims to discover and realize the value of transparency in a wider range of areas.

The main activities of the Consortium will include the identification of issues related to the use of visualization data, the study and demonstration of solutions, the co-creation of technical knowledge through the documentation of results, the formation of communities through the expansion of businesses participating in the Consortium, and the promotion of collaboration with other organizations that contribute to the objectives of the Consortium activities.

Aim of the Organization

The Security Transparency Consortium’s goal is to provide system transparency to system operators to enable the operation of highly complete security. One of the major challenges in security has been identified as internal opacity and black boxes. The increasing complexity of systems and the diversification of supply chains make it difficult to understand the inner workings of systems. Therefore, if transparency can be ensured, even if only in terms of security, it will be possible to take appropriate action. However, there is a limit to the efforts of individual companies to ensure transparency. It is necessary to define the data that should be visualized through the cooperation of businesses centered on the consortium, and securely share it with necessary user businesses and other parties.

The Consortium will promote (1) collaborative creation of technical knowledge related to visualized data (e.g., study of issues, study and demonstration of solutions to issues, documentation of results, etc.), (2) community formation (expansion of the number of businesses participating in this activity and strengthening of cooperation), and (3) external collaboration (promotion of cooperation with other organizations that contribute to the objectives of this activity), thereby contributing to more efficient security operations in Japan and abroad.

Activity Policy

Activities
・Collaborative creation of technical knowledge related to visualization data (examination of issues, examination and demonstration of solutions to issues, documentation of results, etc.).
・Community building (expansion of participants in this activity and strengthening of cooperation).
・External collaboration (promotion of collaboration with other organizations that contribute to the objectives of this activity).

Activity Guidelines
・Target businesses in various positions in the supply chain (product vendors, system integrators, service providers, security vendors, etc.) in order to explore applications in a variety of fields.
・In order to create a forum for activities based on mutual trust among businesses, new participants will be subject to consultation by the participating businesses.
・Without creating intellectual property, the scope of activities is the “cooperative area” of participating businesses.
・Activities will not be based on confidential information of participating businesses, and will only use information that each business can disclose.

Organizational Management Policy
・The General Meeting is the supreme organ and decides the management policy of the consortium.
・The Steering Committee is the executive body and decides important operational matters (membership/expulsion, establishment of working groups, etc.).
・The Working Groups will examine themes in line with the Consortium’s activity policy.