
Japan’s cybersecurity upgrade — too little, too late?

Special To The Japan Times

The Internet facilitates rapid data-sharing and increased communication between individuals, firms and government entities. This generates significant risks but, for most of the 2000s, Japan did not take commensurate countermeasures. The complacent attitude toward information technology security has persisted in Japan too long due to a combination of ignorance, wishful thinking and the belief that cybersecurity is only a cost, rather than a prudent investment.

It doesn’t get any more embarrassing than the discovery that the Wi-Fi network at the lodging for reporters covering the G-7 Ise-Shima summit was tampered with and can infect users’ computers with a virus that has been traced back to Russia. Government officials maintain, however, that strict cyber-terrorism measures have been implemented at the summit venues to prevent any such problems. Well, that’s their story and they’re sticking to it.

The theft of data from police departments in recent years has exposed thousands of people’s personal information and many years of investigation data. These breaches highlight that authorities can’t even safeguard their own information, raising questions about their ability to enforce cybersecurity and spreading awareness of the threat. There have also been breaches affecting politicians, the Diet’s servers and various ministries and agencies, not to mention the theft of data from major firms such as Benesse Corp. and websites such as Ashley Madison, a social networking service for adulterers.

Despite so many instances of hacking worldwide, authorities in Japan have not responded effectively. In May 2015 the Japan Pension Service was targeted, exposing the personal data of more than 1.2 million people. This came after the Diet passed legislation in 2014 designed to beef up cybersecurity, granting a sweeping mandate to the Cabinet’s National Center of Incident Readiness and Strategy for Cybersecurity. It is supposed to strengthen international cooperation on cybersecurity and also overcome the notorious stovepipe mentality of Japan’s agencies and ministries by coordinating and unifying their efforts — not an easy task in the turf-conscious world of the bureaucracy.

These various attacks demonstrate Japan’s cyber-vulnerabilities at all levels: from private citizens to the military and corporations to the government.

Online attacks cost relatively little, are fast, and are difficult to detect or to pin on the responsible party. Moreover, they can be devastating — such as the attack on Iran’s nuclear power plants and enrichment facilities by the malicious Stuxnet worm.

The covert GhostNet cyberattack, discovered in 2009 and thought to have originated in mainland China, took control of more than 1,000 computers belonging to diplomats, military attaches, politicians and their assistants, as well as journalists. In addition to stealing data, it allowed for covert surveillance using the microphones and video cameras in targets’ computers.

Past attacks highlight Japan’s cybersecurity weaknesses. Back in 2005, the computers of approximately 400,000 to 500,000 broadband users were infected with bots, which can inflict crippling distributed denial of service (DDoS) attacks. Japan could be subject to unimaginable chaos if transportation systems like railways or air traffic control were attacked. Cyberterrorism against nuclear plants, dams and other important infrastructure represents a potential nightmare.

In 2007, classified data on the Aegis weapons system, including targeting information, was exposed on a peer-to-peer network when a Maritime Self-Defense Force officer shared pornography files in which the classified information was buried. Subsequently, in 2011, Chinese hackers gained access to Mitsubishi Heavy Industries Ltd., Japan’s largest defense contractor, compromising classified submarine, missile, fighter jet and nuclear power plant data.

In 2014, the Japan Business Federation, better known as Keidanren, created a task force involving 30 major companies encompassing the transport, finance, computer technology and communications sectors. In 2015 this group made recommendations calling on the government to do more in terms of sharing information about threats, training human resources and supporting technology development. Keidanren has also taken on the task of raising awareness in the business community that cybersecurity is an essential management task requiring significant investments to reduce associated risks.

NTT is spearheading efforts to promote cybersecurity standards and information sharing across Asia, drawing on its experience in the United States and participation in Federal Communications Commission advisory groups. NTT sees this as a way to promote the resilience of cybersecurity internationally, but also as a major business opportunity — it generates about 85 percent of revenues in Japan and sees better growth prospects in Asia. In June 2015, NTT convened the Cross-Sector Cybersecurity Forum, involving a few dozen firms, to promote info-sharing and personnel development, which perhaps generated increased interest in cybersecurity.

On March 1, IT security company Trend Micro issued a report on cyberattacks and the so-called deep Web, noting that malicious Chinese hackers are less likely than their European or North American counterparts to rely on the deep Web, possibly because of the obstacles created by Beijing’s “Great Firewall” and stricter enforcement of cybercrime in Europe and North America that requires more elaborate methods of subterfuge.

Regarding Japan, the report finds that “The Japanese underground veers away from tradition (creating and distributing malware) and instead caters to those on the lookout for the taboo.” This refers to child porn, supposedly banned in 2014.

Reportedly, China is a trendsetter in terms of cybercrime innovation, with a range of powerful hacking tools and even some unusual offerings, such as a service to protect paying customers from having their sensitive leaked data appear in search engines. China’s hacking tools are reportedly easily available worldwide, and apparently this encourages cybercrime.

“It is not a locked vault accessible only to the tech-savviest of hackers but rather a glass tank, open and visible to both cybercriminals and law enforcement,” according to the Trend Micro report.

The cyber-arena is another facet of the U.S.-Japan alliance. In 2015, Tokyo and Washington agreed to promote the principles and standards of the Cybersecurity Framework created by the U.S. National Institute of Standards and Technology. The aim is to share best practices and organize, train and equip government entities and corporations to thwart cyberattacks. This reflects a desire to establish a code of conduct, but this is unlikely to prove useful since bad guys don’t follow the rules.

Hirotaka Osawa, a computer sciences professor at Tsukuba National University, is skeptical that Japan’s recent initiatives will prove effective. He says that the Japanese government is still vulnerable to cyberattacks and suggests that bureaucrats without relevant training are one of the impediments to improving cybersecurity. Although a raft of announcements and alerts indicates that much is being done, he remains unconvinced. For example, the Information-technology Promotion Agency (IPA) is on the job, carrying the following reassurance on its website: “Cyberattacks on the government and companies, or cybercrimes such as theft of company information and illegal transferring of personal deposits at banks are reported in the newspaper almost every day. It’s an urgent issue to protect IT society from increasingly advanced and sophisticated cyberattacks and cybercrimes for embarking new era” (sic).

Well, at least they follow the news.

The IPA even has a password-awareness slogan — “I want to protect you more strongly” — and a related image shows a couple embracing with a dialogue balloon saying “I will find a password that suit me (heart icon)” and the response: “OK.”

That should do the trick.

“The trouble with cybersecurity is that you’re only as secure as your weakest link,” says Velisarios Kattoulas, CEO of risk management consultancy Poseidon. “Japan is an archipelago of weak links, and the likelihood is that you couldn’t even assess the amount of data that has been stolen. Even Japan’s biggest companies have a long way to go, and until they get there you should assume that any data you share with them is fundamentally not secured.”

Jeff Kingston is the director of Asian Studies, Temple University Japan. The Beasley School of Law at Temple University’s Japan Campus will be holding its “International Cybersecurity Conference” on May 25. For more information about how to attend, visit www.tuj.ac.jp/law/events/2016/0525.html.