Cyber Security & Data Protection in Japan

DOTMAGAZINE: What are the current trends in cyber security in Japan, and do you see any differences to trends in other countries or other regions?

PROF. KOJI NAKAO: That is a very interesting question but not so easy to answer. Looking, for example, at cyber threats – and “threats” include both attacks and incidents, etc. – the threats seem to be very similar to other countries. One of the big ones is DDoS, which is caused by IoT devices or botnets, or maybe botnets composed of IoT devices. So one very important trend is focused on how to eliminate malfunctions in insecure IoT devices/systems/environments, especially in Japan. According to many discussions with experts in European countries, the IoT issue is also a very common or important issue to be solved there. Because the IoT – including web cameras, or sensors located everywhere – is trying to capture data, including personal data. The data should be securely collected, with confidentiality, in a system available to be accessed at any time. Because IoT devices can operate 24 hours a day, seven days a week, every year, and are always connected to the Internet.

This seems to be very dangerous, and there are a lot of vulnerabilities because most IoT devices use very simple user IDs and passwords, default passwords, and they open many ports. So it looks very vulnerable. In Japan, we seriously focused on such kinds of vulnerable environments, and perhaps this is similar in European countries. 

But in the case of APT it’s different. Advanced Persistent Threat is a kind of targeted attack against one particular organization or committee, etc. To give you a simple example: In about 2012, in Japan we got some APT attacks from an unknown country to get into some of the very important critical infrastructure industry and steal some very important information – design information, etc. – and the tech industry companies are connected to the military of Japan. And the same security attacks or incidents may also occur in European countries. So as far as the APTs are concerned, the attack behavior seems to be very similar. 

However, recently the Japanese language used in the attacks seems to have become very natural. That is, it has become easy to be attacked recently by APT in Japan. And our Japanese government also has very serious concerns – not so much for “normal” companies, but especially for industrial control systems or the very important critical information industry. They need to be very concerned about such attacks.

Other attacks that become popular in Japan are ransomware – you know, somebody asking for money to decrypt your files. Banking Trojans, banking malware, and malware injection are also getting popular. But with these types of attacks, there are no differences between the European countries and Japan. That is to say, the basic attacks or threats recognized in European counties and Japan may be similar. 

It should be noted that we're facing the Tokyo 2020 Olympic and Paralympic Games in the year 2020 and some of the very important companies or industry are likely to be targeted by attackers during the 2020 period. So the kind of environment currently may be different from other countries.

Overall, the attack behavior is becoming more sophisticated and seems to include more technology. That is my understanding.

DOT: What level of security awareness do Japanese companies and Japanese end-users have?

NAKAO: There are basically two types of people who need to be aware of security in Japan. The one category is the normal end-users – using the smart home or IoT devices, etc. I'm sorry to say, they have very poor knowledge about cyber security or security solutions. For example, in the case of IoT devices, they purchase an IoT device such as an IP camera, install it in the home network, but they forget almost everything from a security perspective. The data captured by the IoT device can be uploaded to the cloud, and if there's some vulnerability in the IoT device, they have no idea how to patch it. Therefore, the normal user needs to have some kind of training or awareness, and the Japanese government are now producing very understandable security guidelines for the end-user. 

Another category is users in the organization or a government agency. Compared with the normal end-users, they have better practical knowledge based on organizational policies and best practices, including checklists etc. My understanding is that the user inside a big organization may be more knowledgeable about security because of their own security awareness program.  

DOT: Moving from security to data protection, what differences and what similarities do you see between data protection in Japan and other places in the world, and how aware are people about the issues of data protection? 

NAKAO: Data protection or the so-called privacy issue is sometimes very similar to security. But the two issues, security and privacy or data protection, are different.

When we discuss the example of IoT security, IoT devices sense many data, including the location of people, including privacy data – so-called PII (personally identifiable information). Such data should be carefully and securely stored on the cloud server. But this issue is strongly related to privacy regulations. The data should be securely stored – which is a subject of security – but data should be handled based on the privacy regulation – which is a different direction from the security solution. Furthermore, from the technology point of view, cyber security technology is quite different from data protection technology. In the case of data protection technology, we often use technology related to anonymization for the deletion of personal or sensitive data, for example. This means that there are two types of technology which are quite different. They may occur in a common environment, but we need to carefully distinguish one from the other. 

We have two kinds of basic regulations in Japan. One is the Communications Secrecy Law. For example, in the case where an ISP gets information about the user – the source user, the destination user, the communication time, the amount of data, and the content – in order to route and deliver the information, this set of information should not be disclosed outside, because the ISP needs to protect this kind of communication data to comply with this law. This is a very basic regulation for telecommunications carriers in Japan, and Germany has a similar law, I think.  

On the other hand, the Unauthorized Access Law is another regulation in this context. That is, we can access servers which are openly available. But I cannot access specific IoT devices because I do not have access permission from the owner. For example, for the purpose of observing the devices without any malicious intention, we will be able to access (scan) IoT devices and will get some response. But it is not allowed to log into the system because it would be a violation of the Unauthorized Access Law.  In this case, without logging into the system, we cannot get a set of detailed information about the IoT device. This means there is a very sensitive boundary between what we are allowed or not allowed to access, and serious discussion is underway to start reconsidering the regulation in Japan. I have no idea if a similar discussion is highlighted in the EU or not.

DOT: What worries you most with the threat landscape at the moment and into the future? 

NAKAO: I have many concerns. We have a variety of threats, and we need to provide some good solutions against each threat. But my concern is that many experts or many entities located all over the world do this in their own way. And based on the same environment under the same threat, they use different methods. For example, with DDoS attack mitigation, Germany has its own method to mitigate a DDoS attack, whereas in Japan we have a different methodology. But if we could share some of the valuable practical solutions (e.g. early detection of DDoS) among the many experts, many stakeholders and many agencies, it might be much easier to conduct the mitigation, and might also strengthen the counter-measure against a threat. 

Therefore, we need to focus on how to collaborate, how to exchange, how to develop the kind of joint infrastructure for protection, including how to sense or how to observe the attack behavior – this is one of the very strong concerns for me, because we have many honeypot systems, or darknet systems, or kinds of sensors and we only handle the sensors inside Japan, but not in Germany, or the UK, or France. However, if we collaborate, it will improve how we observe such a threat environment. And maybe it will become much easier for us to respond very quickly against attacks. The technology is getting very sophisticated and very complicated, but having such a kind of collaboration in research and amongst ISPs and experts might be the core issue for us to consider. That is my current impression. 

Koji Nakao is a Japanese IT security specialist working for several research entities, including as a Distinguished Researcher at the National Institute of Communication Technology, and as Guest Professor at the Yokohama National University, focusing on cyber security, including IoT security. He also works as an Adviser to the Japanese government on cyber security, and is the Executive Director of ICT ISAC, the ICT Information Sharing Analysis Center located in Japan.