
Japan plans to fortify its cybersecurity [by Yoko Nitta, Visiting Lecturer, National Defense Academy]

Japan’s dilemma against cyber attacks

Japan regards the transmission of information, as well as active discussion throughout cyberspace, as fundamental to a liberal and democratic society. This digital space has become the frontier for economic growth, leading to new business models and technological innovation.
However, malicious acts are widespread in this sphere. For example, sensitive information, as well as industries and organizations, have recently been exploited one after the next. Even service providers for civilians have had their businesses threatened. This shows that security threats have been growing in Japan.

Given the current situation, Japan’s basic cybersecurity law was put into place in November 2014. [1] The law clearly communicates the responsibility of the people concerned and has illustrated a legal cybersecurity concept. The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in January 2015 as a control tower over government dealings with cybersecurity policies; the NISC holds the authority to recommend strategy initiatives to administrative bodies. Recent cyber attack cases, such as the massive leakage of personal information by the Japan Pension Service [2], which is under the jurisdiction of the Ministry of Health, Labour and Welfare, as well as the computer security breach of the Petroleum Association of Japan [3], show that Japanese organizations leave their security environment vulnerable without taking corrective measures.
The aims of the new strategy are, firstly, to create “a free, fair and safe cyber space”; secondly, to contribute to “enhancing a dynamic economic society and sustainable development”; thirdly, to “achieve a society in which citizens can live safely and peacefully”; and finally, to establish “peace and stability in the international society as well as in our national security.”

Recent cybersecurity environment in Japan

According to the Information-technology Promotion Agency (IPA) [4] and JPCERT, Japanese industries have been exploited via online attacks most notably this past June. [5]
All possible measures taken to avoid cyber attacks have still not been enough due to new vulnerabilities and the ever-changing security environment. The IPA reminds industries as well as governmental bodies to conduct periodic inspections of operation and maintenance control.

Tokyo struggles to deal with massive data breaches

This May, the Japan Pension Service (JPS) raised concerns following its massive leakage of the personal information of up to 125 million people. [6] During the press conference, its CEO clearly had no idea about the company’s IT security and cyber threats, even though there are lots of cyber attack cases making headlines in major newspapers. This shows just how little attention institutions pay to IT security and how low their awareness of online vulnerabilities is. Public institutions and industries are targets for hackers since they are responsible for personal information. JPS has since been dealing with questions from victims whose personal information, such as their names, dates of birth and addresses, was stolen. Since JPS does not recognize the extent of the data leaked, answers are confused and unclear.
JPS recognized this April that several departments did not abide by official rules, such as setting up passwords for saved files, yet employees left saved files unprotected. If they had begun setting up password protection prior to May 8th, when their computers were infected with a virus, this disaster, a massive leakage of clients’ personal information, would have been avoided.

Why is Japan being targeted for cyber espionage?

Several hacker groups known as APTs [7], with origins in China (which regard the Japanese economy as advantageous because of Japanese innovative technology and precision goods), have targeted the Japanese government and defense organizations for cyber espionage. Chinese hacker groups view Japanese corporations as an agglomeration of intellectual property and competitive intelligence. The US-Japan alliance, regional conflicts and developing defense policies are all reasons for the increasing attacks on foreign intelligence.

Japan’s vulnerabilities against cyber attacks

According to the National Institute of Information and Communications Technology (NICT) [8], the number of cyber attacks against Japan has doubled, with one occurring every 30 seconds. NISC says that only half of Japanese industries have IT security policies in place and that 60% of existing information security engineers lack the skills needed to deal with cyber threats.
Firstly, the reality is that Japan is uninformed on crisis management and has put off dealing with cyber issues since it is not familiar with them.
Secondly, not only major companies but small and medium-sized enterprises need to face the reality: the scale of an attack does not matter for hackers but the connections and intellectual property do.

Japan’s efforts

Japan has set up efforts with the Tokyo 2020 Olympic Games and Paralympics in mind and intends to fortify cybersecurity given the pressures from constant cyber attacks. [9] The Japanese government has just announced that it will launch new national qualifications called ‘information security management’ in 2016 [10], aiming for new research and development to detect computer abuse immediately, designing a cybersecurity strategy, as well as outlining guidelines to prevent information leakage.
This license requires the following skills: advanced IT knowledge and the ability to make an information security strategy, capabilities to cope with cyber attacks, knowledge of outsourcing and compliance, and basic knowledge of related laws and guidelines. According to the IPA, Japan needs at least 350,000 more IT security engineers.
Initiatives by the Japanese government, such as creating new employment opportunities, are needed to achieve this objective.

Japan’s challenge and further implications 

There are two kinds of institutions in this world: those that have already been cyber attacked, and those that have not yet recognized they have been attacked. Sometimes organizations only notice after six months that their data has been breached.
This sounds lamentable and organizations must not be complacent. Although we should be offline some of the time, if organizations do not want any trouble, they must continue to use cyberspace, remain connected, and protect their sphere.

Also, the government and industries alone cannot ensure their security. Systems that rely on “good” hackers, so-called white hackers, have been growing in popularity. Individuals should make the effort to update virus-free software. Efforts such as these are crucial. However, only patriotic persons should play a role as a white hacker since unpatriotic persons can be dangerous. We must remember that human beings, not only computers, can and should deal with cyber espionage. Rome wasn’t built in a day.

 

References

[1] http://japan.kantei.go.jp/97_abe/actions/201502/10article4.html
[2] http://www.nenkin.go.jp/n/www/english/
[3] http://www.paj.gr.jp/english/
[4] https://www.ipa.go.jp/index-e.html
[5] http://blog.jpcert.or.jp/trends/
[6] http://www.bloomberg.com/news/articles/2015-06-01/over-1-million-japan-pension-records-leaked-in-cyber-attack
[7] https://blog.kaspersky.com/apt/
[8] http://www.nict.go.jp/en/
[9] kantei.go.jp/97_abe/actions/201505/25article1.html
[10] http://www.fanshawec.ca/programs-courses/full-time-programs/ism1/20156/courses