Today, all kinds of devices, including PCs, smartphones, sensors, cars, and home appliances are connected to the Internet, and vast amounts of aggregated data are analyzed with AI to solve problems. Cyber security issues stand at the forefront of such a data-driven society. The Ministry of Internal Affairs and Communications (MIC) and Japan's government are presently working to strengthen cyber security measures in light of the arrival of the IoT era.
[Fujitsu Insight 2017 Security Keynote Report]
This presentation was given by MIC's Mr. Yasuhiko Taniwaki.
The Negative Aspects of a Data-driven Society Using Big Data and AI
Big data consists of vast amounts of data obtained from installed IoT devices, such as sensors and home appliances, that have been accumulated in cyberspace. A data-driven society is a society in which big data is analyzed by AI and the results obtained are put to use to solve various social problems. This idea has been incorporated into the Investments for the Future Strategy 2017 adopted by the government at a June 2017 cabinet meeting.
Cyber security must be considered to realize a data-driven society. There are three points to note about cyber threats. First, such threats are increasing in number and becoming more serious. The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) monitors the information systems of government institutions around the clock, and the number of threats detected by NISC reached 7.11 million in FY2016. Suspicious communications to government institutions were detected once every 4.4 seconds, and the threats are increasingly serious.
Second is the diffusion of threats. In the past, the main targets of cyber security efforts were information devices, such as PCs and smartphones; however, now various things connected to networks, including connected cars and smart meters, have become targets of cyber attacks, threatening their stable operation. In the United States, information security vulnerabilities have been found in vehicles, which in turn led to recalls. With the spread of IoT, the number of devices that must be protected has been increasing rapidly.
Third is the globalization of threats. In France, a cyber attack forced a TV station to suspend broadcasting. In Ukraine and Israel, power supply was suspended when electric power companies were hit by cyber attacks. It should be remembered that today, cyber attacks can not only steal information but may also suspend infrastructure functions.
A Cyber Security Strategy Viewing Security Measures as an Investment, Not a Cost
The Japanese government started implementing full-scale measures against cyber threats around 2015. One of the most important initiatives was to establish the "Basic Act on Cybersecurity," which defines NISC's roles and responsibilities and establishes systems for national administrative organs to perform security audits, identify causes, and give advice if critical security incidents occur.
Another important initiative is the "Cyber Security Strategy" adopted at a September 2015 cabinet meeting. This strategy supports the following three pillars by promoting R&D and HR development: viewing security measures as an "investment," not as a "cost"; strengthening security measures for each entity such as ICT users, critical infrastructure operators, and the government; and strengthening global international cooperation to build up defenses in borderless cyberspace.
The three-year Cyber Security Strategy will be reviewed in 2018. A mid-term review was already conducted in June 2017; as a result, important items for the next year were identified: "developing systems for cyber security toward 2020," "strengthening information sharing systems jointly by the government and private sector," and "bot attack countermeasures in the IoT era." Based on the mid-term review results, MIC announced the "Comprehensive IoT Security Measures."
Threats Related to IoT Devices Already a Reality
Allow me to explain once again why IoT security is important. At present, an estimated 17.3 billion IoT devices are already in use around the world, and this is predicted to increase to approximately 30 billion in 2020. Various devices such as sensors, cars, and home appliances will connect to the Internet.
However, these IoT devices are said to be very vulnerable in terms of security. Attacks targeting vulnerable IoT devices are not science fiction stories; they are actually occurring. In October 2016, a large number of IoT devices including security cameras and digital video recorders infected with the Mirai malware launched DDoS attacks against companies that provide DNS services, thereby disrupting services provided by major Internet companies such as Amazon, Netflix, and Twitter.
In addition, IoT is characterized by linking data across different areas (e.g., administration, medical care, and construction) to form a single large IoT system. Therefore, it is also important to address systemic risk in which the impact of a vulnerability in one system spreads to other areas.
MIC Promoting Vulnerability Countermeasures for IoT Devices as well as Investigations and Responses in Cooperation with ISPs
MIC created the Comprehensive IoT Security Measures based on these circumstances. The measures have five pillars: vulnerability countermeasures for IoT devices, R&D, HR development, promotion of investment by private companies, and international collaboration.
Among these, the vulnerability countermeasures for IoT devices throughout their lifecycles--including design, manufacturing, installation, and use of devices--are considered to be the main security measures. We plan to promote a security-by-design approach to ensure security from the design phase and to certify devices that meet certain requirements.
This certification does not cover existing IoT devices. First of all, the vulnerabilities of IoT devices currently on the market in Japan have not been identified. Therefore, MIC started a vulnerability assessment for IoT devices in collaboration with ICT-ISAC Japan* in September 2017.
Moreover, in cases in which IoT devices are used as a stepping stone to attack third parties, we also consider blocking communications with a command and control (C2) server controlled by an attacker. In the past, MIC established a public-private partnership project, ACTIVE (Advanced Cyber Threats response InitiatiVE), to prevent malware infections. This initiative has successfully reduced the number of infected PCs by blocking a total of 100 million communications during the 15-month period from February 2016 to May 2017.
The second R&D area in the Comprehensive IoT Security Measures includes the development of lighter scanning technology to efficiently investigate the huge number of IoT devices as well as the STARDUST project launched by NICT(National Institute of Information and Communications Technology) in which a cyberattack honeypot platform called STARDUST draws attackers into a dummy environment to analyze their behavior.
A Critical Need for Extensive HR Development from the Perspective of OT Security
Another important thing to keep in mind when considering future security measures is security for Operation Technology (OT), including control systems.
As operation systems for control systems and factory production lines have been generalized, the risk of cyber attacks has increased more than ever before. Given such circumstances, how can we ensure the security of enterprise-wide systems, including IT and OT systems? Amidst increasing integration of IT with OT, it is also important to promote the ideas of "resilience" or "mission assurance" to minimize the impacts of business interruptions when systems suffer damage.
Besides building and enhancing information sharing and collaboration mechanisms by developing information sharing and analysis centers (ISACs), human resource development is another important theme. The National Cyber Training Center, which has been created under NICT, offers hands-on incident response training through Cyber Defense Exercise with Recurrence (CYDER) exercises, combat-style drills based on the systems assumed to be in use in 2020, and the SecHack 365 program to train young engineers.
Considering the future in which IoT will be applied in various business sectors--including distribution, services, and manufacturing--people in various sectors will need to acquire security skills and knowledge, not just those working in the ICT sector. Meanwhile, we want to consider how to develop human resources who can bridge the gap between management and employees in the field.
Lastly, I would like to talk about international collaboration. Nowadays, cyber security relates closely to national security; however, at the moment, there are no international rules about cyberspace which many countries have agreed to. We even see some movement against the free flow of information. Japan believes that an international consensus must be built upon free and open trading.
While there are increasing expectations regarding the convenience brought about by a data-driven society, ensuring security is also becoming more important. Another important issue is privacy. I think that realizing an appropriate balance between the three elements of convenience, security, and privacy is an important theme for the government to tackle. By striking the right balance, trust will be ensured in cyberspace. Looking ahead, the government will continue to strengthen cyber security, working in collaboration with all of you here today.
*: ISAC (Information Sharing and Analysis Center)
Various business sectors have established and operated ISACs to collect, analyze, and share information on cyber attack incidents across sectors.
Yasuhiko TaniwakiDirector-General for Information Security, MIC