This series introduces trendy and popular themes from among those covered in Fujitsu Research Institute's information magazine Chisounomori by interviewing consultants and experts who are working on actual business projects. The second theme is "security."
Enhance Managers' Sense of Security Risks through Undisclosed-Scenario-Based Exercises
― With the advancement of the IoT, the threat of cyberattacks and security risks has gained prominent attention. The Fujitsu Research Institute (FRI) places importance on post-incident action capability in terms of business continuity management (BCM) and educates its clients on the mental attitude and physical preparation necessary at all times. The same applies when combating cyberattacks. We call this concept security resilience as well as business resilience. Professor Watanabe, you are a BCM expert and have hosted many cybersecurity exercises. Are there any important issues that have come to your attention lately?
Watanabe: I provide exercises to key infrastructure industries as well as individual companies. Executive managers are finally starting to realize that they need to make the shift from training to exercises. Lots of training is given to people around the world, but I focus on training for the brain - exercises that require critical thinking and flexible decision making. I believe that accurate incident understanding and accumulation of decision making experience make up the foundation of resilience. When an incident occurs, bits of information must be collected and decisions must be made within a limited amount of time and information. Through our exercises, which offer meticulously designed and challenging scenarios, more and more clients are glad to learn what they were missing.
Ohta: I think that making the "shift from training to exercises" is an excellent idea. We often hear stories about white hat hackers* saving the world, but I sincerely think we need to build a framework for exercises.
Watanabe: Companies where people at the top of management lack a sense of crisis never learn. When an incident does occur, companies must provide more than "We never expected that would happen. We are sorry. We will try to avoid the same problem from happening in the future," at a press conference.
Miura: In many cases, when companies organize a computer security incident response team (CSIRT) using a top-down approach, incident management often involves not only the systems division but also other divisions. On the other hand, companies that organize a CSIRT using a bottom-up approach tend to lack cross-divisional collaboration. It is important that the top management recognizes and treats cyberattacks as risks.
Watanabe: We can trust companies that properly recognize risks, estimate the business impact if a vulnerability is attacked, and communicate this estimate to their clients. This is exactly the same as the idea of business continuity.
Show Cyberattack's Projected Business Impact to the Executive Manager
― What kind of creative ideas are necessary for developing a sense of security risk?
Watanabe: Business continuity (BC) has the same concept in both dealing with natural disasters and cybersecurity. Presenting managers with actual figures that illustrate their business impact will be effective. Actual costs and projected market share decreases are some examples.
Miura: For natural disasters like earthquakes, we understand more about the extent of the damage with time. Cyberattacks are different; they are malicious and involve the falsification of traces and destruction of evidence. Therefore, it is important for the CSIRT to reconstruct the situation using bits of information and report this to the manager in an easy-to-understand way.
Ohta: Traditional security measures deal with problems after they occur. Since 2011, we have been focusing on attackers' behaviors, which are defined patterns. We studied these patterns and finally put them into a model in 2015. While the investigation of the cyberattack on the Japan Pension Service took almost three months, our current technology could identify all of the correlations within an hour. This technology has already produced results for us as well as our clients. We plan to explore how to apply it not only to information systems but also to control systems.
The Importance of Assuming that Incidents will Occur: from Information Assurance to Mission Assurance
Ohta: While managers often associate cyberattacks with information leakage, I have always claimed that cyberattacks are all about mission assurance. Unlike cyberattacks, natural disasters are easy for managers to understand because the damage is visible. Exercises are an effective means for teaching managers that cyberattacks are about mission assurance.
Watanabe: Instead of the persons in charge of security, I would rather see executive managers participate in exercises. If they work with the assumption that their systems are under attack, managers must decide to stop further attacks and to protect the core of their business, even if they have to make difficult decisions.
― BC exercises with undisclosed scenarios have been implemented at FRI for more than 10 years. Then, from July 2016, FRI started cyber incident exercises using the know-how learned from the BC exercises. Were there any points you gave special attention to when creating these exercise scenarios?
Miura: When a cyberattack occurs, it takes a few weeks to a few months before the whole picture becomes clear. Only bits of information are available at the initial stage. Our scenarios are designed to make the participants gather these incomplete pieces of information, estimate the situation, identify how it could impact their business, and develop the decision-making skills needed to escalate the incident.
― It sounds like the clients must estimate the impact of an attack from the same perspective regardless of the type of business they run.
Ohta: Unlike office systems, a factory system stoppage immediately impacts sales. So I thought it might be a good idea to use scenarios that motivate clients to prepare decision-making criteria for shutting down their systems.
Miura: A member of the National center of Incident readiness and Strategy for Cybersecurity (NISC) told me in an interview that there are many procedures on recovering systems from stoppages, but they do not specify who should decide to turn off systems that are uncontrollable due to high CPU usage. In future exercises for control systems, I plan to develop scenarios in which systems are operating but cannot be controlled.
Watanabe: In decision making, it is important to consider how it would impact business, such as "How long will it take to recover systems if I stop them immediately? How will it impact stock volumes? What happens if I stop them an hour later?" It is also important to learn what could have happened if, for example, decisions were made 30 minutes earlier.
Improving the Self-Sufficiency Ratio for Security Technology Will Make Japan More Resilient
― What can we do to prepare for incidents regularly? What should we learn and pay attention to in cybersecurity exercises?
Ohta: As we mentioned when we discussed the current security level in Japan just now, Japan has no programs for supporting development of original security technology. It is said that the security business market is expanding at an annual rate of 7%, but this market should not really be growing. ICT management costs cannot be increased at the current low economic growth rate. Meanwhile, cyber investments will further slow the economy. Therefore, security technology must be achieved using only ICT investments, meaning that the development of high level security technology should not be outsourced to other countries.
― So you are calling it an "improvement of the self-sufficiency ratio for security technology."
Ohta: The National Institute of Information and Communications Technology (NICT), an affiliate of the Ministry of Internal Affairs and Communications, has created testbeds and evaluated overseas products for darknet** monitoring and research. In this project, we all agreed that some kind of core was necessary for developing engineers and we are now asking NICT for support.
Miura: Although large companies do have a reasonably robust security system, I think the floor for security knowledge needs to be raised for industry as a whole, including for small and medium sized companies. This, however, will not be achieved unless it becomes easier for small and medium sized companies to collect security information or participate in virtual cyberattack exercises.
Watanabe: Since small and medium sized companies do not have abundant human or financial resources, their security needs to be monitored to some degree by a third party service provider. This monitoring across industries will identify attacks on a particular business field or on companies that use a particular tool. Therefore, the government should provide some support for this using, for example, subsidies.
Company Risk Management Skills Show their Real Strength
― How should human skill be developed to quickly raise the level of cybersecurity resilience awareness at a national level?
Watanabe: Employees must be taught to not hesitate in reporting incidents, and the companies must also value the reports. Employees must be encouraged to escalate incidents, and companies must ensure that the employees hold no liability even if escalation leads to a negative result. These are all already practiced in regular risk management. Exercises that encourage escalation are good ideas too.
Ohta: Company risk management skills show their real strength and can be demonstrated during normal days. More effective human skill development can be expected in the future when risk management exercises are run in the market.
Watanabe: Training is necessary because it allows the participants to learn and remember the procedure from hands-on experience, but that is not enough. If "checking off the list of procedures" becomes the sole focus, it may backfire when a real incident occurs.
Miura: Exercises that check how unexpected events are handled are also important. The best way to do this is to mix multiple patterns of training and exercises, depending on the objective.
Watanabe: For mid-level employees to rise to executive positions, they need to be able to gather business expertise and imagine, through exercises, the impact and chain reactions possible from an incident.
― When a severe incident occurs, people are unable to think clearly and can even panic. An incident report to the manager in that state of mind will fail to effectively communicate a sense of reality and danger. I would like to work on developing risk management personnel and next generation managers by involving them in the collaborative exercise scenario creation process, instead of just on the day of the exercise. Thank you all for joining us today.
*: Among hackers who have high level computer and network knowledge and skills, white hat hackers are those who use their skills for good.
**: Among IP addresses accessible on the Internet, these are the address spaces to which no specific host computer is allocated.
Chisounomori (Focus Series) Security: Approaches to Security Resilience
The details of this article are available in PDF format.