Good cybersecurity has tremendous potential to improve society, business and services we use every day. Because of its very nature, though, it involves discussion of bad actors and defensive measures, which can easily skew public perception. Indeed, big breaches seem to be occurring more and more frequently, and the bad guys are always in the headlines, making it all the more important to pause and take stock of the situation.
In October, international stakeholders from academia, industry and government gathered in Japan for the third annual Cyber3 Conference Tokyo 2017. The two-day event was held at Keio University in conjunction with the Cybersecurity Research Center’s 5th International Cybersecurity Symposium.
Cyber3 takes its name from the three streams of cyber: connections and the connected world we live in; cybersecurity and why we need to protect things; and finally, cyber crime and its impact on privacy against the background of balancing government and law enforcement needs as well as other security issues.
Looking ahead to the Olympics
At this year’s Cyber3, which was the third since the conference was launched in 2015 in Okinawa, about 700 participants discussed the future of the security landscape under the theme of “2020 and Beyond.” Three years is a long time in the world of cybersecurity, but 2020 has special resonance in Japan because it’s when Tokyo will host the Olympic and Paralympic Games, a national event that is helping focus government attention on the issue. This is an opportunity not only for Japanese ministries and agencies, which need to to get on the same page about cybersecurity, but also for the private sector, which can take advantage of the effort to improve its efficiency and productivity – currently, the lowest in the G7.
One of the purposes of the conference is to hold talks that can serve as the basis for recommendations to Japan’s government as well as other bodies. This comes amid the evolution of Society 5.0 and “Connected Industries” - both part of the Japanese government’s strategy for innovation through further digitization and interconnectivity, which fundamentally relies on safety and security that cybersecurity provides.
The need to work together
2017 has seen its share of major cybersecurity attacks, and one of the key challenges highlighted in opening remarks and keynotes at Cyber3 was the need for cooperation. Tatsuo Tomita, chairman of Japan’s Information-technology Promotion Agency, gave attendees an overview of how cyber attacks can have very real consequences in the physical world – for instance, the cyber attack that disrupted electricity supplies in the Ukraine power grid in 2015 – and noted that few business leaders in Japan believe cybersecurity should be discussed at the executive management level.
Many of the other speakers, including Jun Murai, Dean of Keio’s Graduate School of Media and Governance, Minister Seiko Noda from the Ministry of Communication and U.S. Ambassador to Japan William Haggerty IV, echoed Tomita’s words. The consensus was that no single group can fight every form of cyber risk and thus business, government and academia have to work together nationally, regionally and globally. Meanwhile, many small and medium-sized enterprises lack in-house cybersecurity expertise – and governments must provide tools and resources to help them in this area.
Five pillars of cybersecurity
Participants in the conference’s cyber connections stream noted the exploding numbers of devices coming online through the spread of IoT. This makes the need for cybersecurity even more pressing, but it also requires a rethink of overall system design and security.
Participants said that an effective approach is one that incorporates five pillars:
- Structures that can address vulnerabilities
- Progress in R&D
- Promoting security measures among private companies
- Bolstering human resources
- International cooperation
I’ve written about this elsewhere, but it bears repeating that one of the worst things organizations can do is try to conceal incidents – this delays the creation of effective security measures and puts a damper on information sharing and cooperation. As Linton Wells II, former U.S. Principal Deputy Assistant Secretary of Defense and currently executive advisor of George Mason University’s C41 and Cyber Center, noted: “Most problems in cybersecurity begin in the boardroom, not the server room.” While Japan embraces Society 5.0, it must also require that systems be built Secure by Design with Privacy by Design including authentication mechanisms for people, data and devices. That’s one way Japan can lead the way in this new era.
Experts discussing cyber crime at the conference focused on how the identities and motivations of cyber criminals are changing, noting that aside from the “who” behind cyberattacks, the “why,” “what,” and “how” deserve more attention to properly understand what’s going on. As Paul Maddinson of the UK National Cyber Security Centre put it so succinctly: “Geography is irrelevant on the internet. Even if a country’s missiles can’t reach us, their malware can.”
Maddinson described how his headquarters responded to the Wannacry attack that affected 47 medical centers in the UK, and noted the need for clear leadership in the chain of command when a crisis hits, as well as the necessity of collaboration between government and industry. He also shared a valuable anecdote: when he was at the HQ during the crisis, he found himself leading his team of experts, all of whom are under 30, and the only thing he could really contribute to help was to order pizza. The lesson here is that the ability to delegate tasks, trust and empower team members during a crisis is the mark of a true leader. Japan can learn a lot from this approach.
In the security stream, attendees noted the ever-growing importance of artificial intelligence in both preventing potentially damaging activity and in extending the abilities of human security experts. Participants also agreed that Japan has some work to do on general cybersecurity: only about 40% of Japanese companies have a CISO, and where it does exist this role is often held with other executive functions. Regardless of how a company’s leadership is structured, it must have clear accountability for implementing security policies.
Homework for policymakers
Over the past year, we have seen fake news stories swaying elections, ransomware attacks that appear to have been state-sponsored, the enormous Equifax data breach, and the manipulation of markets by hackers. These events have intensified the cybersecurity landscape’s complexity and urgency.
As conference participants agreed, we all have to do a lot more to change the perceptions of cybersecurity from being a technical issue to one of national security. We also have to focus more on building resilience, human resources, and effective processes rather than focusing on specific threats since the threat landscape changes constantly.
The Tokyo Games will be a marketing opportunity for bad actors to show what they’re capable of. As chairman of Cyber3, my hope is that this year’s theme of “Beyond 2020” will help make the Olympics a catalytic event that prepares Japan for the future of an aging and shrinking population. Japan is going to be the first country with a population highly reliant on automation, robotics, AI, driverless cars, and other technologies. We need a new mindset for the future, and now is the time to put in place an infrastructure rooted in security.