Home > News
  print button email button

Saturday, Oct. 27, 2012

Japan woefully vulnerable to cyber-attack

Security needs more human and physical resources

Staff writer

This summer, while most of the rest of the world was watching the Olympic Games, dozens of Japanese students were mesmerized by the world of computer viruses and bugs.

Some locked themselves in a room and spent six hours analyzing a malware worm called Gumbler that had tampered with the websites of Japanese companies like Honda in 2009. Others spent hours writing code to check the vulnerability of websites.

"When I ask the instructor to attack my website, he immediately spotted the vulnerability," said Yoshihiro Ura, a 19-year-old student at Osaka Prefecture University College of Technology. He was one of 40 participants at the cybersecurity camp in August, selected from some 300 candidates.

The Information-technology Promotion Agency has been sponsoring the security camp since 2004 to raise awareness about computer security among potential IT experts under age 22 and to nurture their talents.

Some people might call the participants geeks, or worse, potential hackers if they should go astray. But they also could be the foot soldiers fighting on the side of good in the wars of cyberspace.

While the government hurries to set up organizations to counter Internet-based attacks, the nation remains vulnerable due to a lack of sufficient numbers of cybersecurity specialists and effective systems and infrastructure to prevent security breaches.

According to a 2012 white paper on information security published by the Information-technology Promotion Agency, Japanese companies need 22,000 more people to engage in cybersecurity. Much worse, of 230,000 cybersecurity specialists at companies, more than 60 percent of them need additional training to keep up with the ever-evolving range of attacks.

"In Japan, companies see cybersecurity as a cost, while foreign companies see it as an investment," said Kunio Miyamoto, a senior expert in NTT Data's information security office.

Miyamoto, who was instrumental in the student security camp, said Japan's human resources in this realm are limited to midlevel people and lack the highly skilled programmers who can deal with the serious levels of attacks some companies and government institutions have experienced.

The white paper also points out that there is no clear career path for such specialists. Either in the private or public sectors, security specialists are often regarded as mere misfits, and there are few ways such specialists can advance their careers within companies.

Lack of a clear career path discourages many students from pursuing cybersecurity. Every year, only about 1,000 university students take courses on computer security, far fewer than are needed to keep Japan safe.

Last year, the computer network for Mitsubishi Heavy Industries Ltd., a primary defense contractor, was infected with a rash of viruses. Sony's PlayStation Network meanwhile came under a sophisticated attack that saw the personal information of some 77 million registered users compromised.

Experts predict such attacks will increase as firms globalize their systems and products.

Japanese products used to be like the endemic species that Charles Darwin encountered in the Galapagos Islands — they evolved without any outside influences. Standard in Japan, they weren't compatible with much of the rest of the world. This Galapagos syndrome protected Japanese firms from security breaches.

But as more firms produce global-standard products with open source information, it becomes easier for hackers to find ways in. Much worse, the latest antivirus software can detect only 1 percent of existing malware.

"Few Japanese corporate managers are sufficiently aware of the risks to take action," said Toshio Nawa, senior security analyst at Cyber Defense Institute, which provides security assessments. "If they use one-tenth of the money they use for disaster prevention, their systems would be much better."

The problem is not limited to the private sector, as the government has become a frequent target by "hacktivists," who pursue political or social agendas by breaking into computer systems.

Since the government announced its purchase of three of the disputed Senkaku Islands in September, numerous attacks blamed on Chinese hackers hit public Japanese websites, including the Supreme Court's.

Experts agree that a military confrontation over the territorial dispute is unlikely, but cyber-attacks have the potential to destroy critical infrastructure and it is hard to identify perpetrators.

"The worst case would be the combination of cyber-attacks and conventional war. They will first attack computer systems to cripple the entire control system," said Motohiro Tsuchiya, a professor in Keio University's Graduate School of Media and Governance.

The Defense Ministry announced in September it will set up a cybersecurity division in fiscal 2013 and earmarked ¥10 billion for the project, less than 1 percent of the ¥4.7 trillion defense budget.

By comparison, the United States spends roughly $8 billion (¥624 billion), about 21 times more than Japan. Also, the cyber command is in charge only of security involving the Defense Ministry, and Japan lacks an organization overseeing the entire security picture, both public and private.

Experts also point out that Article 9 of the Constitution could make it difficult for the Defense Ministry to prevent or respond to computer attacks in a timely manner because protection of secure systems requires some pre-emptive efforts. Whether a cyber-attack could be considered "use of force" under the Constitution is currently subject to debate in the government.

"The Defense Ministry has to be clear on what the cyber command can and cannot do," said Tsuchiya.

Network defense also requires close cooperation among stakeholders and the exchange of intelligence, especially at the governmental and military level. Even though Japan and the U.S. issued a joint statement to confirm the importance of cooperation in cybersecurity last year, concrete strategies have yet to be hammered out.

Experts say the U.S. has misgivings about the information assurance system in Japan. There is no shared security clearance system that allows ministries and agencies to exchange classified information, which makes it difficult for the U.S. to share computer security information.

"Many in the U.S. believe that some of the current laws and practices in Japan" are not satisfactory. "We definitely support strengthening of information security, cybersecurity laws in Japan," said James Schoff, a senior associate in the Asia Program at the Carnegie Endowment for International Peace.

Back to Top

About us |  Work for us |  Contact us |  Privacy policy |  Link policy |  Registration FAQ
Advertise in japantimes.co.jp.
This site has been optimized for modern browsers. Please make sure that Javascript is enabled in your browser's preferences.
The Japan Times Ltd. All rights reserved.