The Journal The Authority on Global Business in Japan

On December 9, Prime Minister Shinzo Abe saw his website fall victim to hackers. A message on Twitter from a user called _RektFaggot_ read “Whaling IS NOT Cultural Right! Your website is #TangoDown!” A screenshot attached to the tweet showed that connections to the website were timing out worldwide.

Attacks such as this are increasing in number. The latest affront came after another painful year online for Japanese business and government.
Anonymous, a loose online collective, had hacked around 100 websites in Japan between September and the end of last year to protest whaling, according to police.

That, however, is the tip of the iceberg. Japan’s pension system was hit by a virus that had been opened by an employee in May. About 1.25 million pension records were leaked in that incident. Two airports had their websites taken down, including Narita International Airport, in October.

In recent years, hacks at organizations such as Benesse, Waseda University, Sony, and Japan Airlines have proved humiliating for companies and institutions, and have put consumer data at risk.

Part of the problem is that the sheer volume of attacks today is overwhelming for the unprepared. “In 2014, there were more than 25 billion cyberattacks in Japan, compared with 310 million in 2005,” says John Kirch, regional director for North Asia at security company Darktrace.

Kirch argues that companies and the government face huge issues because attacks often come from “insiders.”

“Everyone and every network interaction should be considered [with a degree of suspicion],” Kirch says.

Modern cybersecurity thus faces problems on multiple levels. Threats can come from anywhere; the increasing number of connected devices augments risk; and the number of attacks is rising. Japan needs to work on legislation, train workers, and look to the latest technology to ensure security.

Staff wanted
A primary concern for Japan is the lack of people trained to do the work needed to secure networks.

According to a government estimate, the nation would need 350,000 fully trained staff to assure secure networks. There are 265,000 people working in cybersecurity today, and 160,000 of them need additional training.

“In the short-term, Japan needs to depend on and trust its partners to help with this shortage,” says Ed Adams, CEO of Security Innovation, a Massachusetts-based company.

“[We] had so many high profile Japanese customers that we realized Japanese organizations were starting to take cybersecurity seriously,” says Maureen Robinson, Security Innovation’s marketing director. “And, given the Japanese culture—[when they are committed they do it right]—we decided that investment [in the country] made sense.”

Having worked with companies such as Sony Corporation, Rakuten, Inc., Bank of Tokyo-Mitsubishi UFJ, Renesas Electronics Corporation, and Honda Motor Co., Ltd., Security Innovation in 2014 made 44 of its courses available in Japanese. Since then, its presence in the country has increased.

“Our main activity in Japan is selling our online secure software engineering training product,” says Adams. “We do this via a partnership with NRI Secure [part of the Nomura family of companies.]”

Security Innovation is also involved in providing cybersecurity to the Japanese government. With the Olympic and Paralympic Games coming up in 2020, Japan is likely to face increasing attacks from hackers looking for the glory of a high-profile hit during a prestigious event.

Additionally, many of the plans for making Tokyo into a smarter city will also increase the areas in which there are potential vulnerabilities.

“Tokyo plans to deploy RoboTaxis for the 2020 Games; these cars need to be secure and accurate in terms of delivering passengers to the desired destination,” Adams says.

Other organizations in the private sector are also looking to Japan. “The U.S. Department of Commerce is organizing a Cybersecurity Business Development Mission to Japan, [South] Korea, and Taiwan that will visit Japan on May 16 and 17, with about 20 companies participating,” says Erick Kish, a commercial attaché at the U.S. Embassy in Tokyo.

Screenshot from a Twitter page in December targeting Prime Minister Shinzo Abe’s website.

Screenshot from a Twitter page in December targeting Prime Minister Shinzo Abe’s website.


From the top
Beyond working with private companies, Japan is also moving on legislation to ensure the government can better manage security threats.

Last year, the nation unveiled a new cybersecurity strategy. The paper, updated after the pension records were lost in a hack, increases the government’s power to monitor for threats and tackle them if necessary. The Government Security Operation Coordination team now oversees cybersecurity for all government bodies.

Recommendations in the paper, which was approved by the cabinet, include developing a strategy for sharing and communicating relevant information more clearly.

In the event of an attack, “the Government will extensively share obtained information on the occurred incident, including attackers’ methods, with the governmental bodies, critical information infrastructure operators, and other relevant parties, to prevent the damage from becoming more serious,” according to the paper.

Admiral Dennis C. Blair, who served as director of US National Intelligence from 2009 to 2010, believes Japan’s cybercrime strategy will take time to become effective. “Both the strategy and the organizations are new, and will require strong implementation and dynamic adjustment, since [technology] is evolving rapidly.”

Modern solutions
Training can help address these issues. For Security Innovation, changing some preconceived cultural notions in Japan would help tackle cybersecurity problems.

“The premise of almost every Japanese national is that all people in Japan are good. Hence, there is no need for security,” Adams says.

Robinson adds that the changes brought about by the Internet require changing the cybersecurity culture of the country.

“There are no ‘borders,’ so the concept of protecting yourself via isolation and strict border and immigration laws doesn’t really apply anymore. Japan is less likely to be attacked with planes and guns than with cybersecurity volleys,” she says.

Technological advances over the past few years also mean that businesses and other organizations today have more options for protecting themselves than ever before. Darktrace, for example, does not protect companies in a conventional manner.

“As the world becomes more connected, the potential for data and network breach is causing companies to realize that they have maybe already been hacked,” Kirch says. “For instance, when Japan Airlines was hacked, the hacker had been traveling around the company’s network for about a month before the attack was discovered.”

To solve this problem, Darktrace uses a method it calls “Enterprise Immune System.” Instead of looking for known issues, its system learns the routines of devices, users, and networks, while looking out for anomalies.

“We use advanced filtering, categorization, and mathematics to connect the dots and take different types of activity that may be a small trace of possible wrong behavior and look for other incidents. Then you can make a judgment call on whether there is a trendline, and if this is a growing threat. If it is, you can identify the device in question, which may have malware, or the perpetrator.”

For years, a game of cat and mouse has been playing out between hackers and cybersecurity companies. New technologies, however, are giving organizations an increasing amount of firepower to tackle threats.

Kirch believes this may be a tipping point in favor of businesses. “A lot of people have the mindset . . . ‘I’ve been lucky so far, so I am probably going to be lucky next year, too.’ I think it is time for organizations to be able to find a way to analyze what’s going on . . . to understand the normal behavior of every network, device, and person.”

Blair says that, however, will take time.

“I believe that over time companies will learn what measures they must take to manage the risk of cybercrime, and that cooperation among cybersecurity companies, law enforcement organizations, and the companies victimized by cyberattacks will increase. When these two positive trends reach a critical point, cybercrime can be first contained, and then reduced. However I believe we are at least a decade from that point.”

Richard Smart has been living and writing in Japan since 2002.
In 2014, there were more than 25 billion cyberattacks in Japan, compared with 310 million in 2005