U.S. cyberdefense company Exostar, which is funded by major defense contractors including Boeing, has started full-fledged operations in Japan. By teaming up with Fujitsu, Exostar has begun selling its services. Despite the growing risk of leakage of important information due to attacks against supply chains including business partners and outsourcing contractors, countermeasures by Japanese businesses have fallen behind. With Exostar operating in Japan, more stringent cyberdefense measures required by the U.S. Defense Department are apparently set to gain currency in Japan.
Besides Boeing, major American and British defense contractors such as Lockheed Martin and BAE Systems fund Exostar. Exostar’s strength is its cloud service, which can safely transmit highly confidential information such as product specifications. Many defense contractors use the service to deliver their products to the U.S. Defense Department, making the service the de facto industry standard.
The company started selling the cloud service to Japanese companies in September. In tandem with Fujitsu, Exostar interviews employees of companies that want to use the service and issues an ID after a background check determines they are trustworthy. Since Exostar allows only trusted users to connect with the cloud, the company can ensure the security of its cloud service. It is common in the military to use a security clearance system that limits which individuals may handle classified information; however, applying such a system in the civilian sector is uncommon in Japan.
Behind the introduction of the system in Japan is the intensifying competition between the U.S. and China over advanced technology. In 2018, the U.S., Japanese and other governments simultaneously denounced the China-influenced cyberespionage group “APT10.” According to PricewaterhouseCoopers (PwC) in the UK, APT10 repeatedly and unlawfully intruded into target companies, including Japanese firms, even after 2014 and stole highly confidential information.
This exposed the vulnerability of supply chains across borders. Tens of thousands of companies involved in car and airplane manufacturing exchange information such as specifications. When hackers target small- to medium-sized companies where defenses are weak, they can steal important information.
Leading Japanese companies have asked their business partners to tighten security measures. However, it is difficult to check the effectiveness of each company’s security measures. As a result, necessary security measures are not thoroughly implemented throughout supply chains. “American defense contractors are concerned that if a vulnerable Japanese company becomes a link in a supply chain, it may become a source of leaks,” said chief researcher Fumiaki Yamasaki of the Research Institute for Peace and Security, who is familiar with cybersecurity.
The Trump administration has also tightened security measures. The Defense Department required its business partners to comply by 2018 with cyberdefense guidelines “NIST SP800-171” set forth by the National Institute of Standards and Technology (NIST). Companies that fail to satisfy about 100 security conditions, including control of access to important information, security clearance for employees and information encryption, are excluded from the procurement list. The U.S. federal government including the Commerce Department and other agencies will apparently take the same measure.
“American rules are so influential that Japanese companies can’t ignore them,” said Fujitsu’s senior evangelist Taishu Ota. The Defense Ministry is considering making its procurement standards, which are slated for revision after fiscal 2020, on par with the Defense Department’s standards.
Under the circumstances, Fujitsu judged that there was a business opportunity. Exostar’s service is in conformity with SP800-171. Fujitsu will provide the framework for protecting important information, including a “two-factor authentication” system that prevents impersonation by criminals, and encryption of confidential files. Fujitsu will propose the introduction of the framework not only to the defense industry but also to utilities that operate important infrastructure such as electric power and gas, and to manufacturing companies that exchange design information with business partners.
Many companies view security measures for supply chains as a business opportunity. In August, NRI Secure Technologies (Chiyoda Ward, Tokyo) started providing a service that enables the centralized control of cybersecurity measures of group companies and business partners.
In partnership with a U.S. cybersecurity company, Tokio Marine & Nichido Fire Insurance Co., Ltd. began providing in July a service that points out risks that contracted companies and business partners face on the Internet. SOMPO Risk Management Inc. (Shinjuku Ward, Tokyo), which is affiliated with SOMPO Holdings, will provide a similar service.
Information-technology Promotion Agency, Japan (IPA), an extra-governmental organization of the Ministry of Economy, Trade and Industry, released a report titled “Ten Major Security Threats 2019” in January. According to the report, “Attacks exploiting supply chain vulnerability” ranked 4th for the first time. Strengthening cybersecurity measures involving business partners is becoming an urgent necessity for leading companies.