As information and communication technology (ICT) has extended into all areas of society, we have become ever more reliant upon it. The subtle ways in which it is changing the world, though both exciting and frightening, are not widely recognized or understood. This year, Japan will host the G-7 summit in the Ise-Shima region, and in four years the 2020 Tokyo Olympic and Paralympic Games. As these large-scale, global events have now become completely dependent on ICT, the threat landscape has also evolved. There is greater concern about a hybrid threat that would use computers as cyberweapons to carry out attacks on physical infrastructure. Data breaches worldwide are now so common that we hardly pay attention to the news. Even the recent theft of personal information records from the Japan Pension Service had little lasting impact. Yet the frequency and severity of such attacks is certain to increase. The ease and borderless nature of this threat ensures that no one is immune from such attacks, yet individuals and corporations are complacent about both the threats and the risks.
At the same time, Japan is investing heavily in the “Internet of things” (IoT) technologies, as the ability to automate and innovate various services will bring significant benefits to Japan’s aging society. Because many nations will face the same issues in years to come, Japan is ideally positioned to take a leadership role in this area. However, being truly successful in the IoT will require an ability to deliver those products and services reliably and securely over time — something that Japan cannot currently guarantee. To date, the race to add new features and functionality has only resulted in flawed security implementations that achieve little more than “keeping honest people honest.”
The rapid pace of technological change presents enormous challenges for governments around the world, as they face tight budget constraints and competing priorities. Political realities mean that by the time cyber-related legislation is passed it is usually out of date, and sometimes new regulations actually make things worse. Another concern is the ease with which businesses can relocate to a different country to avoid any increase in financial or operational burden.
Three key themes
I believe that a new mindset is vital if any economy (but particularly Japan’s) is to survive and thrive in the coming decade. Governments must recognize that ICT and cybersecurity are no longer separate issues, and must take innovative approaches to address both concurrently. Unfortunately, the technical aspects of cybersecurity make it complex and difficult even for professionals, much less policymakers, to grasp. However, the most critical elements needed to bolster cybersecurity are not technical, but strategic. I see at least three key strategic issues — changes in approach or perspective — that are essential to promote true cybersecurity.
First, we need to recognize the relative importance of preserving data integrity versus data confidentiality. While it is essential to confirm that users are who or what they claim to be, and try to prevent information leakage, assuring and maintaining the integrity of information is an even higher priority, much more so than most people appreciate. In many cases, not being able to rely on the accuracy of information (e.g., medical data) could be much more serious than having it revealed to others. Yet most security systems, policy and research overwhelmingly focus on preserving confidentiality rather than integrity. An apology may be enough if your blood type is disclosed, but no apology will suffice if your blood type data is changed just before you go into surgery. Breaching confidentiality is embarrassing; losing integrity can be deadly.
Second, there is the key concept of resilience. Security experts accept the premise that there is no such thing as perfect, 100 percent security. The most practical defense is to find the right balance between security protocols, total cost of implementation and ease of use, with a focus on ensuring system resilience, that is, minimizing losses rather than trying to anticipate and prevent every possible type of attack. Billions of years of evolutionary biology show that the fittest not only survive, but also prosper. Thus, cybersecurity should not be seen only as a means of self-defense, but also as an opportunity to build up one’s corporate, national or even individual resilience, to become stronger in an increasingly uncertain and challenging world. By getting this approach right, cybersecurity actually becomes a key differentiator and a competitive advantage rather than a cost center that often feels like a “tax.”
Most importantly, building resilience in one area often leads to unforeseen benefits in others. I have experienced many government-driven programs that have enhanced resilience in one area while proving even more valuable in dealing with completely different, unrelated exigencies for which they were never intended. Specifically, resilience is versatile: Once people develop resilient thinking, they realize it requires a comprehensive review of the area that supports and surrounds a system. The unintended consequence is that it results in the entire system becoming stronger. Similarly, I am confident that developing resilience in cybersecurity will be the catalyst to naturally strengthen other parts of Japan’s infrastructure and mindset, leading to improved outcomes from natural disasters, epidemics and other “freak” events, which seem to be increasingly common these days.
Third, now that ICT is inseparable from economic activity, we need to shift from a 20th-century mindset where cybersecurity is an afterthought to one where security is both fundamental and indispensable. Security must be designed as an integral part of all systems, with resulting benefits in terms of ease of use, functionality, resilience, productivity, efficiency, competitiveness, reduced total cost of ownership and positive return on investment. Both Japanese businesses and governments should seize this opportunity to become global leaders by addressing the challenges that lie ahead.
Global community, security
Because it transcends borders and old concepts of sovereignty, cybersecurity is by definition a multistakeholder issue, and addressing it requires global cooperation. In November, the Japanese government helped move the discussion forward by hosting an international cybersecurity event, the Cyber3 Conference Okinawa 2015, which was supported by the World Economic Forum (WEF). Over 400 global experts came together to propose solutions to cybersecurity issues involving businesses, governments and law enforcement agencies. The participants in this multistakeholder discussion agreed that the problems are far too complex to be addressed by any single organization or government. The only viable response, they concluded, is to create a global cooperative mechanism that facilitates meaningful communication and information exchange among stakeholders.
As one participant put it, the Internet is now a global commons where we must share information in order to protect ourselves and protect each other. This information should not be considered proprietary to any one organization, as similar threats are borne by all and a shared global resource is necessary for mutual defense. We need to work together, as a global community and work through our differences, in cybersecurity as in other areas, and understand these issues from multiple perspectives within an international context.
The Cyber3 conference laid the foundations for a fruitful exchange of ideas and proposals at the WEF annual meeting in Davos, Switzerland this week. The theme of Davos 2016 is “Mastering the Fourth Industrial Revolution” and will examine the changes being brought about by rapid systems innovation, ubiquitous mobile Internet access and the proliferation of sensors (IoT). Global leaders gathering in Davos will discuss these topics and seek ways to achieve meaningful progress, and the outcome of their meetings will help to shape policy discussions around the world.
In Japan, strong government leadership is necessary to develop a coordinated ICT and cybersecurity strategy without shackling the economy with overregulation. Japan has certainly lagged behind in this area, but it can no longer afford to do so. Instead of playing whack-a-mole with security problems, today’s challenges should be seen as an opportunity to innovate and turn cyber resilience into a competitive differentiator for the nation, a new arrow for the economy and a foundation for the revitalization of Japanese industry and the economy as a whole.
William H. Saito is an entrepreneur, venture capitalist, public policy consultant and educator, who has contributed to global information security policy over the past two decades. He currently serves as special advisor to the cabinet office for the government of Japan in charge of science and technology and information technology policy and is on the board of the World Economic Forum.