IT September 2014

Cyber Security Needs for Japan’s future

bannerA quick question needs to be asked, answered and understood at its most fundamental level before Japan moves forward with any cyber security laws, regulations, policies and so on. This question is simple: can anyone achieve perfect cyber security?

The answer seems quite simple, but is actually devilishly complex due to expectations, culture, approach and politics. That answer is, quite honestly, no.

Every defensive system that has ever been built or is likely to be built within the next generation will always have points of access.

The most vulnerable of these is people themselves, for example: victims of spear phishing (email spoofing fraud attempts to get access to confidential data); those who—curiously or otherwise—pick up a USB stick and put it into a computer; and causalities or perpetrators of acts such as bribery and corruption.

However, technology itself is often full of “attack surfaces” that are very difficult to monitor and control unless you have tens or even hundreds of cyber experts on staff or available through a managed security service provider.

What’s worse is that a lot of software is developed without any thought of security, or the value of security is deprecated due to costs, time to market, or the perceived difficulty of doing it well.

For instance, the Bluetooth Smart (also called Bluetooth low energy or BLE) specification has a direct reference to reducing security in order to offset costs.

In both spec version 4.0 and the newest version, 4.1 (December 2013), the document states: “None of the pairing methods provide protection against a passive eavesdropper during the pairing process as predictable or easily established values for TK [Temporary Key, the passkey derived directly from the common 6-digit PIN] are used”.

Also on the same page: “Note: A future version of this specification will include elliptic curve cryptography and Diffie-Hellman public exchanges that will provide passive eavesdropper protection”.

It is no surprise therefore to find out that the technology has already been easily hacked, and the hacker can inject their own fake data into the stream of data to or from the device. Yet, this device is being embedded into the parts of glucose monitors, heart-rate monitors, and other medical-device technology.

In this environment, what can Japan do to address cyber security in the run-up to the 2019 Rugby World Cup and the 2020 Olympic and Paralympic Games?

The key factor to obtaining the best possible security profile entails working internationally with countries and major global firms to bring in as much knowledge as possible.

A collaborating team can create baseline scenarios, plan for different situations, cooperate on simulations and “war gaming”, share cyber-intelligence, and offer education activities to help people avoid phishing and scams.

Japan has started this process by making initial agreements with both the UK and the USA, but the country needs to act quickly on these agreements.

To do this, Japan can bring in experts from both the government and private sectors to help set up and share, among other things, appropriate policies, regulations, training regimens, best practices and lessons learned.

The world of cyber security is moving very quickly, especially so due to the prevalence of the Internet of Things—the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure.

It is estimated that in the future there will be sensor technology of all kinds, including smart watches, smart utility meters, smart homes and appliances, seismic monitoring equipment and so on.

Moreover, as there are so many potential cyber criminals of various types that are constantly looking for weaknesses in the system, a global community is needed to help guard against the most damaging types of attacks.

Just imagine if ransomware (malware that blocks access to a system and demands a ransom be paid in exchange for its restoration) moves from simple distributed denial-of-service attacks against corporate websites to targeted attacks against critical national infrastructure or individual heart rate monitors.

No one country or firm can possibly guard against all these attacks, so it is extremely important to create global communities.

A key area that needs to be examined is the psychological reasons people move into the black or criminal realm. Through interventions such as internships, award initiatives and monitoring that leads into formal management programmes, it may be possible these people instead consider the white-hat side of IT security.

The British Chamber of Commerce in Japan is well-positioned to facilitate this type of cooperation, intelligence and personnel sharing. It can help to create a collaborative cyber security public-private team that can work with the Japanese and Tokyo governments.