22 September 2020

As cyberattacks rise globally, Japan's digital security found lacking

BY OSAMU TSUKIMORI

Japan’s push for digitalization amid the COVID-19 pandemic brings with it an increased risk of cyberattacks.

Ahead of the Tokyo Games next year, new Prime Minister Yoshihide Suga is spearheading efforts to set up a government entity dubbed the Digital Agency as early as next year.

The move comes as a slew of thefts involving bank accounts linked to NTT Docomo’s cashless payments service have been uncovered in recent weeks — highlighting the vulnerabilities of e-commerce — and amid a rise in cyberattacks on critical infrastructure around the world.

Against that background, The Japan Times asked one of the leading experts in the field of cyberdefense, Toshio Nawa, senior director of Tokyo-based security services and incident response provider of the Cyber Defense Institute, about the challenges that the country faces in its pursuit of digitalization and why a national body like the Digital Agency is essential.

After serving in a number of senior roles in charge of secure message coding and transmission in the Air Self-Defense Force, Nawa helped launch a security alert service at the Japan Computer Emergency Response Team Coordination Center before joining the Cyber Defense Institute.

In which area is Japan lacking in cyberdefense?

Japan is lagging significantly compared with other countries when it comes to correctly assessing cyberthreats at any given moment. The government’s situational awareness on threats that are unfolding now or about to happen in the future is so low that the decision-making on the necessary budget, human resources and overall institutional design is not in sync with reality.

Other countries have through the law set up various agencies, such as the National Cyber Security Centre in the United Kingdom, the Australian Signals Directorate, the National Cybersecurity Agency of France, and the U.S. Cybersecurity & Infrastructure Security Agency. But Japan lacks such laws. Many people may point to the Cabinet Secretariat’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), but it has only five missions, all of which are aimed at improving the cybersecurity of government agencies. Protecting its own citizens is not listed in NISC’s mission, unlike those agencies in other countries. What Japan lacks is the will to address cybersecurity.

Olympics organizers and various companies have been stepping up cybersecurity measures ahead of the opening ceremony next July, which could be a prime target for cyberattackers, but have they taken enough countermeasures?

They have thoroughly analyzed the cyberattacks that were launched during the Olympic Games in 2014, 2016 and 2018 and taken necessary countermeasures. But there will have been a three-year gap by 2021 and we would expect to see cyberattacks that are beyond our imagination, so I would say we are ill prepared for that. Some countries can clearly measure cyberthreats with 20/10 or 15/10 vision, while for Japan, everything looks blurry with only 20/200 vision or worse.

The combined team of Shanghai Jiao Tong University and Tencent in August won the annual capture the flag competition of DEF CON, the world’s biggest hacking conference, with a commanding lead and it became the top news in China, but it was hardly reported elsewhere. They became instant heroes there and created a spawn of followers who want to learn hacking skills.

Amid signs of an unprecedented interest in hacking in China and Russia, some people have started releasing hacking tools online, which could explain the reason for a surge in Emotet Trojan malware attacks in Japan and abroad to steal critical information from Sept. 1.

Is there a possibility that critical infrastructure such as power plants and factories could be hit by cyberattacks during the Olympics?

Previously the chances for such scenarios were considered low, but the government is pushing companies to take advantage of the digital transformation through a local fifth-generation, or 5G, ultrahigh-speed communications network and the Internet of Things (IoT) to raise productivity. That means we’re getting rid of legacy systems and creating the very system that would be a godsend for cyberattackers, so they would for sure be attacked.

So are a broad range of industries under threat from cyberattacks?

Yes they are, but fortunately the majority of small and midsize companies have not taken advantage of information technology yet. Currently the No.1 threat for companies is a distributed denial-of-service attack. The countermeasure for that is to reduce the number of infected devices that would work as a launching pad for the attacks, but setting up an effective countermeasure would be difficult without the cooperation of all the stakeholders in other countries.

We need to be reminded that taking advantage of IT is like we’re heading directly with no protection into the office of an organized crime group at a time when cyberthreats are on the rise.

The recent NTT Docomo e-money thefts have made the headlines, but the companies that make those apps do not know the threats or the tools that the hackers exploit. These incidents will increase from now on as a way of making money.

Which countries are seeing cyber threats with 20/10 vision?

By far Israel is No.1, followed by the United States, which is engaged in a lot of covert reconnaissance operations just like those uncovered by Edward Snowden. Next is Russia and China. Those countries are trying to raise their situational awareness capability to the extreme and are streamlining related laws.

How can Japan learn more about cyberattacks?

The U.S. Department of Defense Cyber Crime Center (DC3), for example, has a program to assess and analyze the threats and has a cybertraining program. The DC3, the European Union Agency for Cybersecurity, the U.K.’s Centre for the Protection of National Infrastructure and other countries such as Sweden, Italy and France have their own institutions in charge and distribute cybertraining programs for free.

In Japan, on the other hand, the organizations in charge of cybersecurity are divided into small groups at the Cabinet Secretariat, the Ministry of Economy, Trade and Industry, the Ministry of Internal Affairs and Communications and the National Police Agency, and even when combined, they are still missing key pieces of information on cyberattacks.

To deepen cyberthreat intelligence, what would be important is to conduct reconnaissance operations on cyberattackers who have the state-of-the-art skills. The most straightforward solution would be to have as team members ethical hackers who know how to access malicious hacking groups. When you observe directly what the cybercriminal groups are up to by spying on their communities, you can tell instantly whether you can face up to them.

Other countries are doing that, and it would be inconceivable to think that they would be willing to share such information with Japan even partially, so we need to set up such a team ourselves.

Security experts are calling for the improvement of transparency in intragovernment communication to raise awareness in the fight against cyberattacks. How do you assess transparency in Japan?

Japan’s transparency has become even worse than before. There’s no unified national institution to improve transparency, and various government agencies have set up an ever-rising number of information-sharing communities in an apparent sign of ministerial sectionalism. Information on cybersecurity is being shared somewhere in those small communities but nobody has a clear overall picture, and resources and people are dispersed. Other countries have laws in place to set up a public organization to protect their citizens and industries, but Japan has no such laws.

So does Japan need to have the Digital Agency to address cybersecurity? What would you say the necessary budget would be?

I think it’s essential for the government to have that. If the Digital Agency were to act as an accelerator and promote the use of cyberspace, we would also need something like the Security Agency to serve as a brake and make cyberspace safe. Setting up such an organization would probably cost around ¥1 trillion a year, which is similar to other countries, and that will allow for the first time for Japan to be able to assess the current cyberthreats with 20/10 vision, to understand the cybercriminals’ activities and predict their ongoing works in the future.

Given cyberattacks can harm a company’s reputation significantly, are tabletop exercises (TTX) to prepare for potential cyber threats becoming more of a necessity for them?

Yes. There are still only a limited number of Japanese companies that conduct TTX, but some companies hold the exercise at least once or twice a year. When the companies were attacked, the management would have to make instant decisions. In Japan, some companies take two months of downtime to fix cyberattacks, for example, but if that happened in other countries, it would have a tremendous impact on their quarterly earnings, so the presidents would be axed easily.

Any last message you want to bring up?

Amid the COVID-19 pandemic, countries are struggling to force people to change their behavior on public hygiene, but behavior modification on cyberspace will be even more difficult to attain. Unless the countries take on cyberhygiene with the same or more intensive efforts than they have in tackling the coronavirus outbreak, we should expect to see a surge in serious cyberattacks in the future.

No comments: