2017 Cybersecurity Predictions: Japan Confronts SMB Cyber Resiliency, Anticipating Tokyo 2020

This post is part an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017. 

In Japan there is much hype around the 2020 Summer Olympics and the expectation that the event will create new business opportunities. There is also concern about cyberattacks disrupting the Tokyo 2020 Olympic Games operations and the theft of national security and/or trade secrets. This type of attack would harm the competitiveness of companies in Japan and damage reputations. With this in mind – and because the Internet of Things (IoT) is rapidly expanding and introducing new attack vectors. Here are some sure things and long shots for 2017, based on these dynamics.

SURE THINGS

Cyber insurance will become more popular.
Cyber insurance services have been available in Japan since at least 2012, but the growth of the market in this country had been slower than in the U.S. While Japanese companies were not motivated to invest in stopping potential risks whose damage scale was unknown before actually suffering from cyberattacks, U.S. organizations across various company sizes are willing to consider such risks and invest in them. Another key difference is that Japanese businesses tend to be more reluctant to reveal cyber incidents (per an article from ScanNetSecurity) to other parties, including their own cyber insurance companies, than American businesses are, probably because of the pressure of the shame culture which we profiled in a recent blog.

The tide changed when the Ministry of Economy, Trade and Industry (METI) and Information-Technology Promotion Agency (IPA) published the Cybersecurity Guidelines for Business Leadership Ver 1.0 in December 2015 and the document encouraged companies to use cyber insurance. NISC’s Cybersecurity Approach for Business Management in August 2016 addresses how major companies and SMBs can seek cybersecurity effectively. The document acknowledges that their limited resources make it difficult to adopt sophisticated security products or solutions, and suggests SMBs use cloud-based security solutions and cyber insurance. As major companies have enhanced their security, attackers have ramped up targeting of SMBs (per an article from MYNAVI News) that often are short of the resources needed to detect breaches. This is the case, even though Japan’s economic strength and major companies are reliant on Japanese SMBs, some of which have high technical competence and provide parts for precision machines and metal-processing.

Cyber insurance for SMBs was born in Japan, and the pressure being placed on SMBs could lead to a variety of cyber insurance types, which would be beneficial for financially and resourcefully challenged companies that use cybersecurity services associated with such insurance. It is important to help those companies proactively invest in cyber defense technologies.

There will be more pressure on SMBs and non-critical infrastructure sectors to take cybersecurity measures.
SMBs and non-critical infrastructure sectors will see mounting pressure to take on more cybersecurity measures due to the Japanese government’s recent publications about the necessity of cybersecurity. Several events lead to this:

First, the Japanese government revised the 2003 Personal Information Protection Act in 2015 to remove an exception for SMBs holding fewer than 5,000 pieces of personal information to protect and prevent breaches of personal information. The Act’s revision was specifically timed to coincide with the January 2016 introduction of “My Number,” a new personal identification system for Social Security and taxation information, which has resulted in SMBs (and all companies) holding more personal information on residents in Japan.

Second, the Japan Tourism Agency’s Advisory Committee to Address Breaches in the Tourism Sector published an interim report in July 2016, and the National Center of Incident Readiness and Strategy or Cybersecurity (NISC) released the Cybersecurity Approach for Business Management in August 2016. The report encourages stronger cybersecurity in the tourism sector and also critical infrastructure sectors governed by the Ministry of Land, Infrastructure, Transport and Tourism (MLIT), which are aviation, logistics, and railways. Since Japan wants to see an increasing number of tourists to Japan during the 2020 Summer Olympics and the smooth operation of the event is key, tourism backed up by convenient and secure transportation services is definitely crucial. That is why both of the documents addressed the dire need for more cybersecurity measures taken by SMBs. 2017 will likely see follow-up guidelines.

Third, the NISC IoT Security Framework in August 2016 indicates the need of IoT security-by-design for manufacturers, even though they are not currently categorized as part of critical infrastructure in Japan. It means stewardship ministries and agencies would need to start drafting such guidelines.

Companies will be more active in cyberthreat intelligence and analysis sharing.
The 2020 Summer Olympics hype has certainly led to a huge expectation of innovation to showcase novel designs and technologies that drive economic growth. This all must be done in a secure manner for the convenience and safety of users. Voluntary cyberthreat intelligence-sharing is important to understanding the latest threat landscape and applying appropriate cyberdefenses. Active cyberthreat intelligence-sharing is encouraged by Cybersecurity Guidelines for Business Leadership Ver 1.0.in December 2015.

In fact, the auto and electric power industry plans to launch such a framework. In October 2015, Prime Minister Shinzo Abe stated at the Annual Meeting of the Science and Technology in Society (STS) Forum in October 2015 that driverless cars will be available in Japan when the 2020 Summer Olympics and Paralympic Games are held. Thus, manufacturers, including those in the auto sector, will be under growing pressure to innovate new and secure cars. That is why car manufacturers and auto parts providers will launch a forum for sharing cyberthreat intelligence in January 2017. In addition, Japanese electric power companies, including Tokyo Electric Power Company, plan to establish Electric Power Information Sharing and Analysis Center (ISAC) to share cyberthreat intelligence and best practices and cooperate with overseas entities, especially the U.S. Electricity ISAC and European Energy-ISAC.

Given this trend toward Tokyo 2020 and the importance of manufacturers, tourism, and transportation-related services, more cyberthreat intelligence sharing frameworks will be born in those sectors. Tourism agencies have begun to have regular information-sharing meetings to prevent massive personal information leaks and a guest lecturer recommended creating a tourism ISAC at the third meeting in September 2016. Thus, the Japanese government would appreciate best practices of the U.S. or other countries’ cyberthreat intelligence sharing, such as ISAC, and are interested in acquiring cyberthreat intelligence to add geopolitical context to technical analysis and serve governments’ and industry’s decision-making processes for risk management. The Cybersecurity Strategy in September 2015 recognized that it is important to fuse cybersecurity analysis with technical, legal, international relations, security, and social-scientific perspectives. NISC started to list potential cyber risks to Tokyo 2020 in Japan Fiscal Year 2016 and will continue to review the list and take cybersecurity measures to address the risks. This effort would also require the support of good cyberthreat intelligence and analysis from different types of expertise.

The Japanese traditional procurement system only allows one to buy visible and countable items, and this makes it challenging to procure cyberthreat intelligence, which is not necessarily “countable” unless it is put in reports. Yet, the pressure of Tokyo 2020 is gradually changing the Japanese mindset, and the country is definitely seeing more interest in cyberthreat intelligence and analysis, in a variety of formats.

LONG SHOTS

Increased focus in securing remote medical services used for disaster relief in the aging society.
Japan is known for its high frequency of natural disasters, such as earthquakes and typhoons. It is also dealing with the reality of an aging society. These challenges have led to demands for remote medical services for disaster relief and elderly people by taking advantage of IT and IoT, such as drones. This also requires cybersecurity services to protect the convenience of these services and to protect human lives.

Japan had a few major natural disasters in 2016, including the Kumamoto Earthquake and the East Japan typhoon. The aging population already passed 25 percent in 2013, and the Japanese government expects the number will reach 39.9 percent in 2060, or two out of five people at 65 years old or older. At the same time, the population has been shifting from rural areas to major cities. The Japanese government expected in 2012 that those rural areas would see a drastic decrease in population from 2.89 million people in 2005 to 1.14 million people in 2050 by 61.0 percent. This affects the availability of doctors in rural areas. According to a report by the Japan Hospital Association in May 2016, 80.0 percent of hospitals all over Japan said that they do not have a sufficient number of doctors. While 72.7 percent of hospitals in big cities said they have a shortfall of doctors, the figure is 92.5 percent in rural areas. The gap between cities and rural areas is widening.

This is even more problematic for disaster relief activities, especially because the Japanese government used to ban remote medical services, except for special cases in isolated islands or rural backwater areas, where face-to-face medical treatment is physically difficult. Finally, in August 2015, the Ministry of Health, Labour and Welfare issued a document to acknowledge the needs and benefits of remote medical services and approve remote medical services if they are combined with face-to-face medical treatment although it does not require face-to-face service before remote service. New medical services have become available since then and the first case for disaster relief was in April 2016 when two companies in Japan provided free remote health consultation by using smartphones and volunteer doctors to help Kumamoto Earthquake victims. This type of new disaster relief effort will be in high demand in the future.

Drones also expand the scope of remote medical services by delivering medicine. Since the revised aviation law was enacted in December 2015 to add rules for drones, tests for proof of concepts have started in rural areas, such as the Yabu City (an article from Nikkei Digital Health), Hyogo Prefecture and western part of the Japanese mainland.

Associated cybersecurity services will be in demand to ensure the convenience of such services and to protect patients from disruption to the services by cyberattacks. Proactive, prevention-based cybersecurity is needed.

Massive My Number personal information leak will happen.

Japan faced massive breaches in May 2015 and in summer 2016. The May 2015 incident saw the leak of 1.25 million pieces of personal information from a government-associated organization, and the June 2016 incident suffered the leak of personal information belonging to 7.93 million people from a tourism agency. In July 2017, the Japanese government will start to share My Number-related information with local governments for welfare services. Since all of the organizations now have more personal information from their employees, thanks to My Number, they are more worried about potential breach risks.

According to an ABeam Consulting Ltd.’ survey, of the 1,917 publicly listed Japanese companies (105 companies responded) between May and June 2016, almost all had finished gathering My Number information from their employees. Nonetheless, in most cases, security measures taken for My Number remain expedient. For example, only 49 percent of companies have audit policies in place to check the data regularly. While 72 percent say they have strengthened access control for the systems to store My Number information, only 16 percent had improved prevention and detection of potential hacking. Although half of the companies plan to provide training for people who are newly assigned to deal with My Number, only 39 percent plan to review the training program regularly, and 32 percent plan to provide such training in a repetitive manner.

If those problems remain unresolved, Japan will most likely see a bigger scale of personal information breaches in the near future. Of course, cybersecurity efforts cannot be made overnight. It takes time because they entail the reform of corporate governance, as we pointed out in our September blog. But if Japan can combine My Number security efforts with cybersecurity governance for the success of Tokyo 2020, it will prevent damage by potential cyberattacks to steal or leak personal information.

What are your cybersecurity predictions for Japan? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for ICS.