Assessing Japan’s Internet of Things (IoT) Security Strategy for Tokyo 2020

(This blog post is also available in Japanese.)

In August 2016, the Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released a document called the General Framework for Secured IoT Systems (Japanese link).  The framework suggests Japan will start seeking security even in noncritical infrastructure, including manufacturers, and pursuing a global multi-stakeholder approach to security in IoT. The framework is a follow up to Japan’s Cybersecurity Strategy released in September 2015, which acknowledged the importance of sustainable economic development by IoT innovation and security for the first time as a Japanese national strategy. The strategy was released after Tokyo was selected to host the Summer Olympic Games in 2020 (Tokyo 2020) to show what Japan needs to do over the next three years to make Tokyo 2020 successful.

Both the scale of IoT devices and the demand for IoT security will be very different at Tokyo 2020, compared with London 2012 and Rio 2016. The development of an IoT security-related policy is crucial for Japan, and the government and industry must work together for Tokyo 2020. The NISC framework incarnates the Cybersecurity Strategy’s IoT security vision and helps to prepare for the 2020 event.

The NISC document recognizes that IoT services create a complicated security landscape among IT, physical, and connected domains, because IoT systems are the fusion of IT and physical systems. Furthermore, since IoT systems range from critical infrastructure to consumer products, such as connected refrigerators, each type demands a different level of security for users and operators. That is why the NISC framework notes a two-stage approach: first, the NISC document states it will push for the creation of comprehensive security requirements for the design, development and operations of IoT systems; and second, NISC will identify requirements for each sector’s use of IoT later.

Because IoT is multi-layered, NISC plans to create a risk-based security model for each layer, covering such factors as devices, networks, platforms, and services. It is noteworthy that NISC introduced the concept of “mission assurance” to IoT security. The Cybersecurity Strategy in 2015 used the term for the first time, defining mission assurance as, essentially, an approach for the government and critical infrastructure companies to analyze and communicate about risks and provide the leadership with the analysis and residual risk information to ensure the function and services of the government and critical infrastructure (this is paraphrased).

The NISC IoT framework seems to emphasize resiliency. It aims to clarify mission assurance requirements for IoT, e.g., how to recover services promptly after system failure. The document also intends to ensure the confidentiality, integrity, availability and security of IoT systems and prompt service recovery after cyberattacks. Since NISC encourages security-by-design for IoT systems, the targeted audience for mission assurance needs to include manufacturers in addition to critical infrastructure unlike the Cybersecurity Strategy, which was aimed at the latter.

Currently, manufacturers are not categorized as part of critical infrastructure in Japan, unlike the United States. While sector-specific security requirements will be released in the future, the NISC document will prompt Japanese manufacturers to take more action. Prime Minister Shinzo Abe stated at the Annual Meeting of the Science and Technology in Society (STS) Forum in October 2015 that driverless cars will be available in Japan in 2020 when the Tokyo Summer Olympic and Paralympic Games are held. However, the car industry is working on driverless cars and is understandably concerned about potential cyber risks. A presentation at the recent Black Hat US 2016, one of the largest security conferences in the world, demonstrated that remote car hacking is possible. Not only car manufacturers but also manufacturers in many other industries will be more security-minded as a result.

Resiliency is an indispensable component of security, but a resiliency strategy by definition counts on sufficient resources for incident response. To effectively and efficiently respond to cyberattacks, cyberthreat intelligence is needed to prepare for potential risks and make the systems and network more robust. Also, to reduce the cost and time of incident response, it is imperative to prevent cyberattackers from successfully achieving their objective, such as stealing intellectual property.

Since IoT bridges devices across national borders, global multi-stakeholder cooperation is essential by any government involved in IoT security policy, to be able to have compatible approaches—whether legislation or policies --and understand the interests and concerns of other countries. The NISC IoT framework confirms their multi-stakeholder approach, declaring that the framework will be revised and modified to keep up with IoT innovation and sophistication, based on dialogues with domestic and international multi-stakeholders. The document also intends to stay aligned with domestic and international guidelines and standards and cooperate with those crafting those standards and guidelines. In fact, mention of global stakeholders and approaches  is a new addition to the original draft of the NISC document released in June 2016, which stated NISC would use a multistakeholder approach moving forward, but did not specify that global stakeholders would be part of the process.

NISC took a groundbreaking step before publishing the final version of the framework: for the first time, NISC asked for public comments on one of its draft policies both in Japanese and English. The fact also proves that the Japanese government appreciates the value of insights brought by global multi-stakeholders in the borderless IoT era. The trend is commendable, given how global cooperation and public-private partnerships are needed for the success of Tokyo 2020. It will allow Japan to gather expertise from all over the world and create a positive legacy to last well beyond the Olympics.  It would be desirable for all governments around the world to similarly commit to working across borders as they develop their IoT security approaches, given the borderless nature of IoT.  Global harmonization is essential for the most effective security in IoT.