|

INTERNET SECURITY

New SDF unit shores up thinly protected cyberborders

by Mizuho Aoki

Staff Writer

Japan has embarked on an effort to improve cybersecurity as an ever-increasing number of sophisticated computer viruses threaten to endanger national security.

On March 26, the Self-Defense Forces activated a cyberspace defense unit, the “saiba boeitai,” tasked with monitoring and responding to attacks on the Defense Ministry’s networks. That same month, the government held its first large-scale cybersecurity drill to counter simulated attacks on the ministries and 10 industry associations, including banks and distribution firms.

Observers say Japan has made progress in defending its cyberspace in recent years but still lags far behind major players like the United States, China, Russia, Israel and South Korea, which acted much earlier than Tokyo.

As Japan gears up for the 2020 Olympics, the government is being urged to move faster to patch up Japan’s security holes and protect critical social infrastructure, classified data and military computer systems.

Here are some questions and answers on cybersecurity in Japan.

What is a cyberattack and how many have targeted Japan?

There is no established definition, according to the Defense Ministry, but the term is generally used to describe intrusions into computer systems resulting in the theft, destruction or alteration of data or the disruption of the machines themselves.

According to cybercrime experts, most of the computer viruses created in the early ’80s were aimed at showing off hackers’ skills. Many of them posed no serious threat to the targeted computers, they say.

As more of the world started taking to the Internet, however, criminals became more malicious and started going after people’s private information. They also started extending distributed denial of service (DDoS) attacks to crash corporate and government computer servers to paralyze websites with torrents of online traffic.

In September 2011, the websites of the ministry and the National Police Agency were hit by DDoS attacks, as was Mitsubishi Heavy Industries Ltd., Japan’s biggest defense contractor. MHI said its 83 computers and servers were infected with virus, sparking concern that it lost classified information.

In July 2012, the Finance Ministry also disclosed the possibility that it was hit by a data leak after finding 123 of its computers infected with a virus that allows unauthorized access.

Cybersecurity hazards are even endangering the nation’s nuclear reactors. In January, a computer in the central control room of the experimental Monju fast-breeder reactor in Fukui Prefecture was found infected with a virus. The Japan Atomic Energy Agency, which manages the prototype reactor, said the images on the monitor, including the computer’s file and folder names, were leaked but that no critical information on the plant was compromised.

The JAEA later said the computer was infected via a fake upload website for GOM Player, a free video player developed by a South Korean software company.

In Japan, 1.08 million illegal attempts to access government computer systems were detected in 2012, up 64 percent from 2010, according to the Cabinet Office. Experts say the real figure is much bigger because many attacks go by unnoticed.

Another problem, however, is that the attacks are usually carried out via computer hosts overseas, making the culprits extremely hard to track down, experts said.

Which organ is responsible for Japan’s cybersecurity?

The main player is the National Information Security Center, which was set up under the Cabinet Office in April 2005 to monitor, analyze and support the defense of state organizations.

The NISC is mostly composed of officials borrowed from ministries and the National Police Agency, which experts say makes it difficult to come up with effective countermeasures because the officials return to their ministries in two or three years.

The NISC also lacks the authority to investigate other ministries, even when they are attacked.

In light of these issues, under the cybersecurity strategy adopted in June 2013 the government plans to strengthen NISC’s authority and manpower by around fiscal 2015.

It also plans to establish a system that allows information related to cyberattacks to be shared across state organizations and with operators of crucial infrastructure.

The strategy also sets goals for doubling Japan’s information security market and for increasing the number of potential cybersecurity partners 30 percent by 2020.

Can the new SDF unit launch counterattacks?

Not under the SDF law.

The law states that armed forces can only be mobilized by the prime minister when there is an “armed” attack against Japan, which does not include cyberattacks.

Even if cyberattacks are eventually considered armed attacks in the future, given Japan’s “defense-only defense” posture under the war-renouncing Constitution, it will be difficult to authorize counterattacks in cyberspace.

Article 9 of the Constitution bans the use of armed force to settle international disputes, but “force” in cyberspace has yet to be officially defined. It is also difficult to verify whether an attacker is a civilian or military hacker, a terrorist group or a country, experts said.

Mobilization of the SDF will thus be highly unlikely during a cyberattack on Japan.

Nevertheless, the midterm outline for developing Japan’s defensive capabilities, adopted by the Cabinet in December, stipulates that the government will “examine a policy option for obtaining a capability to obstruct an enemy’s cyberspace use.”

The cyberspace defense unit under the SDF’s Joint Staff Office is charged with monitoring the networks of the Defense Ministry and SDF, and with analyzing computer viruses. It has a staff of about 90.

The ministry plans to dispatch SDF personnel to the U.S. to improve Japan’s ability to counter cyberattacks.

Can the state organizations defend their cyberspace if it bolsters the current system?

Hiroshi Ito, an associate senior executive director at cybersecurity firm Lac Co. and former head of the Ground Self-Defense Force’s security unit, said that when it comes to defending cyberspace, there will always be a weak point that hackers can penetrate.

But that does not mean monitoring cyberspace is meaningless, he said.

“Just like an armed attack, cyberattacks leave signs as well. If we spot that sign and prepare for it, (hackers) may change their minds,” Ito said.

Does Japan have enough people to deal with cybersecurity?

No, according to observers and government officials.

According to the NISC, there are some 265,000 information security engineers in Japan, which is about 80,000 less than needed. Among the working engineers, about 60 percent don’t have enough skills to counter a new computer virus, NISC said.

Under Japan’s new cybersecurity strategy, the government is aiming to halve that shortage by 2020.

The Weekly FYI appears Tuesdays. Readers are encouraged to send ideas, questions and opinions to hodobu@japantimes.co.jp