By Hiroyuki Arie, General Manager, Business Stream Systems at TÜV Rheinland Japan
On Nov. 28, I was working on this article about cybersecurity in Japan when shocking news spread quickly across the nation.
Major news media, including Kyodo News, simultaneously reported that the Ministry of Defense (MOD) had suffered a cyberattack. Ministry sources announced that a hacker had penetrated the Japan Ground Self-Defense Force’s computer system.
A Cyberattack against the Ministry of Defense
According to the news reports, the hacker appeared to have gained unauthorized access to computers at the National Defense Academy of Japan and the National Defense Medical College. The intruder then used these computers as a gateway to enter the JGSDF’s computer system through the Defense Information Infrastructure (DII), a high-speed large-capacity communication network connecting JGSDF bases and camps.
The extent of the damage and the details of the attack, such as the method used, what kind of information was targeted and whether any important information was stolen, are not yet clear. The Defense Ministry denied the reports that its military computer network had suffered a cyberattack.
Various conjectures appeared, such as: “the MOD’s computers did suffer a targeted attack,” “this attack may have involved a state actor,” and “it is highly likely that internal JGSDF information was accessed.” It is important to note that serious cyberattacks that can affect the security of nations occur routinely and that the attack methods are becoming increasingly more numerous and sophisticated every day.
The National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
Rapid improvements in information technology and its spread into many aspects of life have increased the risk of cybersecurity threats, making cybersecurity an urgent issue. To address this issue, the “Basic Act on Cybersecurity” was enacted in 2014.
Under this law, the “Cybersecurity Strategic Headquarters” and the “National Center of Incident Readiness and Strategy for Cybersecurity (NISC)” were established in January 2015 within the Cabinet and the Cabinet Secretariat, respectively, as the organizations responsible for setting Japan’s basic cybersecurity policy and the medium- and long-term measures to pursue.
The NISC consists of six groups. They include the “Basic Strategy Group,” in charge of annual and mid- and long-term planning for Japan’s cybersecurity policy as well as investigation and research into technical trends in cybersecurity; the “International Strategy Group,” which acts as a liaison office for international coordination; the “Governmental Organization General Measures Group,” responsible for the establishment, operation and auditing of information security standards for governmental organizations; and the “Information Management Group,” which collects the latest information, including on the occurrence of cyberattacks, monitors governmental organizations’ computer systems, and operates the Government Security Operation Coordination (GSOC) team.
The country’s “Cybersecurity Strategy” was announced in September 2015. According to the Strategy, the NISC has been carrying out a variety of activities, together with related private sector elements, to secure Japan’s cyberspace.
The Cybersecurity Strategy
The Cybersecurity Strategy decided upon by the Cabinet in September 2015 identifies cyberspace as indispensable infrastructure, necessary to our life and social organization, “an intangible frontier of infinite value.”
At the same time, given that all kinds of electronically controlled things are now connected to networks and deeply integrated with each other, it also emphasizes the need to understand the effects and threats of cyberattacks and to take the necessary protective steps.
For example, the Tokyo Olympic and Paralympic Games will be held in 2020. To make a success of such a huge international event, which attracts public attention all over the world, it is necessary to make absolutely sure that all possible cybersecurity measures are taken.
The Cybersecurity Strategy laid down the following three policy points as guidelines which the government (including relevant ministries and agencies) and the private sector should observe in the performance of their activities.
1) Improving the vitality of our socio-economic system and our pursuit of sustainable development
Holding that cybersecurity measures are not “costs,” but “investments” that increase corporate value and international competitiveness, the following three targets were established: “Creation of a secure IoT system and new IoT-related industries,” “Promotion of enterprise management that has a security mindset,” and “Improvement of the business environment for cybersecurity-related industries.”
2) Building a safe and secure society for the people
The following three measures were laid out with an eye to 2020, when the Tokyo Olympic and Paralympic Games will be held, and the years to come. The “Measures for protecting people and society” are intended to promote security measures taken by cybersecurity-related businesses, raise public awareness of cybersecurity and enhance measures against cybercrime. The “Measures for the protection of critical information infrastructure” cover the electricity grid, water and sewerage, gas supply and transportation. The “Measures for the protection of governmental bodies” are intended to enhance the ability of governmental bodies to defend themselves against cyberattacks.
3) Ensuring national security and the peace and stability of the international community
The following three actions were identified as crucial to achieving the above policy: “Ensuring national security” in cyberspace; “Building peace and stability within the international community” for promoting the establishment of international rules for cyberspace and building trust among the world’s many countries; and “Cooperating and collaborating with other nations” to attain this purpose.
As mentioned above, the Cybersecurity Strategy advocates many approaches at various levels, including the nation’s socio-economic system, the daily-life environment of the citizenry, and security at the level of nations and the global culture.
When it comes to protecting the socio-economic system, particular stress was placed on measures against cybersecurity threats that grow as the use of Internet of Things (IoT) equipment spreads. We have already experienced many problems caused by large-scale botnets built by exploiting vulnerabilities in web cameras and routers.
These botnets can be used for large-scale distributed denial-of-service (DDoS) attacks. This kind of cybercrime can only be addressed by enhancing cybersecurity for everyone, everywhere.
Now that virtually all electronic devices are about to be connected to networks, “cybersecurity by design” is urgently needed. We need to emphasize the principle of considering cybersecurity from products’ planning and design stages, and establish guidelines and standards for IoT equipment so that it can be sold and used safely, without exposing anyone to cybercrime threats.
Businesses must continue their efforts to address cybersecurity issues. In addition, it is important for management to develop the awareness that a company’s measures to protect its products, services and organizational operation through its provisions for cybersecurity are not costs, but investments. They increase the added value of the company’s products and services as well as its competitiveness.
This is why the government is now establishing mechanisms whereby corporations that actively address cybersecurity issues are appropriately recognized and receive financial incentives. In addition, the government is offering programs to promote the development of personnel with the skills to contribute to industrial cybersecurity.
The government has identified cybersecurity-related business as a growth industry. It is planning to encourage the development of cybersecurity-related corporations that can do business both in Japan and abroad. It wants to see venture capital directed to these businesses, an increase in large-scale and concentrated investments in this field (taking advantage of the Sovereign Wealth Fund (SWF)), and the promotion of the safe use of cloud services by small and medium-sized businesses.
Applying international standards to the issue of information security
With a big event for the nation coming in 2020, it is anticipated that government and private sector efforts to address cybersecurity issues will be accelerating. Businesses must clearly identify and understand what kinds of approaches toward information security their stakeholders, suppliers and employees expect them to take and what the purposes of these approaches are. Then they must make strenuous efforts to attain those ends.
The ISO/IEC 27001 international standard for information security management systems (ISMS) has been adopted by many corporations around the world to help attain corporate information security. We believe that ISO/IEC 27001 may be applicable to the broader issue of cybersecurity as well.
Implementing an ISMS lets an organization set the policy and objectives of its information security management system, identify information security risks within the organization through risk assessment, plan measures to treat those risks, and implement the planned measures.
An ISMS’s performance is reviewed periodically through internal audits and management reviews to ensure continual improvement of the organization’s information security measures.
The 2013 version of ISO/IEC 27001 (JIS Q 27001:2014) states in clause 6.1.1 that the organization shall determine the risks and “opportunities” that need to be addressed in order to “ensure that the ISMS can achieve its intended outcome(s)”; “prevent, or reduce, undesired effects”; and “achieve continual improvement.”
In the past, it was thought that ISMSs chiefly addressed risk assessment and risk treatment. The current standard, however, also requires opportunities to be addressed, since information security is also crucial to safe business operation, the provision of reliable products and services, and continued satisfactory relationships with stakeholders.
This idea comports with the afore-mentioned Cybersecurity Strategy of the Japanese Government that “addressing cybersecurity is an investment.” It is believed that businesses will be able to operate ISMSs more effectively as they come to recognize more deeply the central importance of this idea.
Once an ISMS is in place, it can be certified: a third-party certification body audits it regularly and certifies that it is being operated according to the relevant standard. The certification system thus lets businesses evaluate and check their management system regularly and makes it possible for them to show outsiders, including stakeholders and customers, that the organization’s ISMS is being operated efficiently and effectively.
Risk management and the use of cloud services
It is anticipated that small and medium-sized enterprises will be using cloud services more frequently and energetically in the future.
In August this year, JIPDEC started to offer an “ISMS cloud security certification service” based on ISO/IEC 27017, a code of practice for information security controls for cloud services.
ISO/IEC 27017 is an international standard that is an add-on to ISO/IEC 27001 and specifies a code of practice for information security controls that apply to the provision and use of cloud services.
This standard provides useful guidance on information security management for addressing the risks that arise when businesses use cloud services to handle their business information and processes.
In addition, businesses that have acquired “ISMS cloud security certification” under this international standard will be able to publicize the fact that the cloud services they provide or use are operated under an ISMS-based information security management system.
Cyberattacks and security risks are already everyday events and businesses are required to recognize that reality when carrying out their operations. As shown in the “Cybersecurity Strategy,” they are facts that must be addressed by both the government and the private sector, acting together.
In the process of developing a cybersecurity-related industry, we should take advantage of the variety of “opportunities” created for improving the quality of products and services, as regards cybersecurity, and for strengthening our corporate competitiveness.