In a 2019 survey by the Osaka Chamber of Commerce and Industry, 29% of companies said they would consider suspending their business dealings with suppliers that had suffered damage as a result of cyberattacks.
Toru Onodera of Canon Marketing Japan, which supports small and mid-sized companies in implementing cybersecurity measures, says the automotive and construction sectors have seen increases in companies suspending business relationships. Onodera says there have been many instances where deficiencies in post-incident investigation and response were viewed as problematic.
There are two reasons that major companies are nervous about the cybersecurity measures of their business partners.
One reason is the rapid increase in cyberattacks targeting supply chains. Several tens of thousands of companies are involved in the manufacture of automobiles and aircraft, where various information such as design plans is exchanged. An attack on a small or mid-sized company with weak security measures could lead to the leakage of confidential information. Suppliers to Toyota and Mitsubishi Heavy Industries have suffered cyberattacks.
The other reason is enhanced regulations. Since 2018, the U.S. Defense Department has required vendors to conform to NIST SP800-171 cybersecurity guidelines. Companies that cannot meet the approximately 100 requirements for encryption and incident response are left off the list of vendors. Japan’s Ministry of Defense will include similar requirements in its procurement standards in 2021.
Companies in the defense industry are required to ensure the safety of not only their own companies but their entire supply chains. Methods of exchanging data are strictly stipulated. A top official at an aircraft parts manufacturer said that “there has been an increase in face-to-face discussions in place of email” and that “websites that can be viewed from the [company] computers are strictly controlled.”
The situation is not limited to the defense industry. The U.S. government regulates the use of devices made by Huawei and other companies, which is causing telecommunication companies to rethink their supply chains.
The impact began to spread to the automotive industry this year. The World Forum for Harmonization of Vehicles (WP.29), an organization under the United Nations Economic Commission for Europe (ECE), adopted guidelines in June that require cybersecurity measures to be taken for automobiles. The guidelines will go into effect in January 2021. The European Union (EU) will require new cars sold after July 2022 to comply with the guidelines.
The focus is on the system of remotely updating vehicle control software over the Internet. If abused by hackers, this could lead to serious incidents. Automotive manufacturers are required to obtain international certification by implementing cybersecurity measures that involve their suppliers. If manufacturers fail to take adequate measures, they may not be able to sell automobiles in over 50 countries and regions worldwide.
The crackdown on suppliers has already begun. An Aichi automotive parts supplier received an unannounced security audit in October 2019 from an automobile manufacturer to which it supplies parts. An official of the parts supplier says the company “managed to pass,” but there were several companies whose business dealings with the manufacturer were suspended.
There is no time to waste in formulating a response to the regulations, but it’s a difficult situation. The Ministry of Economy, Trade and Industry and the Information-technology Promotion Agency (IPA) set up a “cybersecurity help squad” last year to survey the cybersecurity measures of small and mid-sized companies. METI and IPA invited 1064 companies to participate, and identified 128 incidents. There were many cases in which companies were unaware that their computers were infected with a virus and continued to use infected computers to contact their customers or to deliver their products.
In a 2019 IPA survey, 84.5% of companies with under 300 employees said they “lacked information technology (IT) personnel,” a 5.2 point increase compared to the previous year. Tsuyoshi Doi, head of the cyber risk department at MS&AD InterRisk Research and Consulting, notes that “many small and mid-sized companies may not be able to handle cybersecurity measures even if they implement the latest security systems.” (Abridged)