Japan’s CyberSecurity Upgrade — Too Little, Too Late?

f:id:josephshack:20161221091758j:plain

The Internet facilitates rapid data-sharing and increased communication between individuals, firms and government entities. This generates significant risks but, for most of the 2000s, Japan did not take commensurate countermeasures. The complacent attitude toward information technology security has persisted in Japan too long due to a combination of ignorance, wishful thinking and the belief that cybersecurity is only a cost, rather than a prudent investment.

It doesn’t get any more embarrassing than the discovery that the Wi-Fi network at the lodging for reporters covering the G-7 Ise-Shima summit was tampered with and can infect users’ computers with a virus that has been traced back to Russia. Government officials maintain, however, that strict cyber-terrorism measures have been implemented at the summit venues to prevent any such problems. Well, that’s their story and they’re sticking to it.

The theft of data from police departments in recent years has exposed thousands of people’s personal information and many years of investigation data. These breaches highlight that authorities can’t even safeguard their own information, raising questions about their ability to enforce cybersecurity and spreading awareness of the threat. There have also been breaches affecting politicians, the Diet’s servers and various ministries and agencies, not to mention the theft of data from major firms such as Benesse Corp. and websites such as Ashley Madison, a social networking service for adulterers.

Despite so many instances of hacking worldwide, authorities in Japan have not responded effectively. In May 2015 the Japan Pension Service was targeted, exposing the personal data of more than 1.2 million people. This came after the Diet passed legislation in 2014 designed to beef up cybersecurity, granting a sweeping mandate to the Cabinet’s National Center of Incident Readiness and Strategy for Cybersecurity. It is supposed to strengthen international cooperation on cybersecurity and also overcome the notorious stovepipe mentality of Japan’s agencies and ministries by coordinating and unifying their efforts — not an easy task in the turf-conscious world of the bureaucracy.

These various attacks demonstrate Japan’s cyber-vulnerabilities at all levels: from private citizens to the military and corporations to the government.

Online attacks cost relatively little and are fast, difficult to detect or to pin on the responsible party. Moreover, they can be devastating — such as the attack on Iran’s nuclear power plants and enrichment facilities by the malicious Stuxnet worm.

The covert GhostNet cyberattack, discovered in 2009 and thought to have originated in mainland China, took control of more than 1,000 computers belonging to diplomats, military attaches, politicians and their assistants, as well as journalists. In addition to stealing data, it allowed for covert surveillance using the microphones and video cameras in targets’ computers.

Past attacks highlight Japan’s cybersecurity weaknesses. Back in 2005, the computers of approximately 400,000 to 500,000 broadband users were infected with bots, which can inflict crippling distributed denial of service (DDoS) attacks. Japan could be subject to unimaginable chaos if transportation systems like railways or air traffic control were attacked. Cyberterrorism against nuclear plants, dams and other important infrastructure represent potential nightmares.

In 2007, classified data on the Aegis weapons system, including targeting information, was exposed on a peer-to-peer network when a Maritime Self-Defense Force officer shared pornography files that the classified information was buried within. Subsequently, in 2011, Chinese hackers gained access to Mitsubishi Heavy Industries Ltd., Japan’s largest defense contractor, compromising classified submarine, missile, fighter jet and nuclear power plant data.