The threat of cyberattack is increasing. In addition to attempts to obtain classified information, recent cyberattacks have included a growing number of instances of state-sponsored hacking with the intention of disrupting other countries’ political activities and society. The Nikkei interviewed Toshio Nawa (45), a cyberdefense specialist at the Cyber Defense Institute, an affiliate of NEC Corporation. Nawa is a former Air Self-Defense Force (ASDF) member in charge of air defense system security. He joined the Cyber Defense Institute in 2009.
Question: It was reported that the communications networks of the Defense Ministry and the SDF were cyberattacked.
Nawa: Normally it is nearly impossible for outsiders to hack the SDF networks. The hacker reportedly hacked into the system via Science Information Network5, which connects universities across the country including the National Medical Defense College. It is unusual that the hacker was able to find that such a route exists. This proves that the hacker is very advanced. We have every reason to suspect the involvement of foreign government agencies.
Q: How has Japan prepared for cyberwarfare?
N: Cyberattacks used to be a futile cat-and-mouse chase between hackers and defenders. That phase ended in Japan around 2010, however. Japan’s current defense capabilities lag significantly behind those of hackers, and the gap is even growing wider. We need first to recognize this reality.
Major industrialized countries have intelligence agencies for national defense. The U.S. has the Central Intelligence Agency and the National Security Agency, and the UK has Military Intelligence Section 5, the government intelligence service, and Military Intelligence Section 6, a secret intelligence agency. Thanks to these intelligence agencies, these industrialized countries can continue playing a cat-and-mouse chase with hackers. As hackers become more sophisticated, these government intelligence agencies take countermeasures accordingly. However, Japan has no such intelligence agencies, which is why the country lags behind in terms of cyberdefense capabilities.
Q: There are more and more cyberattacks involving the state or the military.
N: Cases involving the state or the military began surfacing after the period from 2007 to 2008. This is because the U.S. began developing cyber weapons at that time for attacking enemies’ air defense systems. In 2010, a computer virus reportedly developed jointly by the U.S. and Israel was used to attack Iran’s nuclear facilities. In response to this attack, Russia and China started gathering hackers from all over the world to mount countermeasures.
With regard to China, there have been many cases in which Chinese manufacturing companies cyberattacked companies in advanced countries, attempting to steal classified information. Among major industrialized countries, Japan is the most vulnerable to cyberattacks. This is more so on account of the language similarity between China and Japan. There is no reason for China not to target Japan.
Q: How should Japan prepare for the Tokyo Olympics?
N: In Brazil, host of this year’s Rio de Janeiro Olympics, the number of cyberattacks tripled between 2014 and 2016. In addition to the Olympics, Brazil hosted many other international events, including the 2014 World Cup. This is why there was an increase in the number of crimes targeting foreign tourists’ financial information.
More than 20 million foreign tourists now visit Japan annually. According to documents compiled by the Cabinet’s National center of Incident readiness and Strategy for Cybersecurity (NISC), “There were no significant cyberattacks that disrupted the Rio de Janeiro Olympics.” But focusing only on the Olympics is insufficient. The government needs to take measures to protect foreigners visiting the nation.
Q: What will be needed for Japan to enhance its response capabilities to the level of other advanced countries?
N: In Japan, companies that lose personally identifiable information (PII) through cyberattacks are required to immediately announce the fact to prevent secondary damage. However, if the stolen information is intellectual property or trade secrets, companies don’t have to publicize the fact. If companies issue a gag order, the fact would be kept internal.
Some U.S. companies are trying to make it mandatory for companies, if cyberattacked, to report the attack even if the company did not lose PII. The Department of Homeland Security has a unit specialized in helping cyberattacked companies. Unless people are aware of what is going on in a timely manner, they falsely perceive that the given situation is safe, which will hinder the necessary response from being taken in a timely manner. Japan needs to develop a similar arrangement.
Q: We are entering the era of “IoT,” where various things are connected to the Internet. The makes a growing number of products vulnerable to cyberattack.
N: Information technology (IT) has been regarded as a means of reducing costs in Japan, so human resources related to IT are overconcentrated in IT sections or companies. As we enter the era of IoT, therefore, there are many engineers with insufficient security knowledge who work for consumer electrical appliance companies newly launched by entrepreneurs. There is concern that knowledge on security measures that has been accumulated in the IT field will not be effectively utilized.
We should also pay attention to the advancement of artificial intelligence (AI). Hackers overseas have begun using AI in cyberattacks. Once AI detects vulnerable points in networks, human beings will not be able to take countermeasures. Joint R&D between the government and the private sector in this field is an urgent need.