Fujitsu Security Evangelist Talks about the Concept for Future Cyber Security

There is no end to cyber attacks targeted at companies and other organizations. How should we protect our important assets from increasingly complex attacks? There are many issues surrounding cyber security that companies should tackle. Taishu Ohta, Fujitsu's security evangelist, explains the vision for future security measures based on the latest trends regarding international rules, unique technology development and human resource development for cyber security.

In an Age Where the World is Driven by Digital, the Key is Cyber Security

AI (artificial intelligence), IoT (Internet of Things), big data and other new technologies are bringing about a significant change to our daily lives and businesses. In the Sustainable Development Goals(SDGs)initiatives adopted by the United Nations General Assembly in 2015, digital also plays an extremely significant role.

I believe digital was awakened by the Internet. This is because it is the Internet that allows everything to be connected and any data to be exchanged instantly. What is critical here is cyber security.

Before considering cyber security, we must understand the Internet. The beginning of the Internet was the military network Advanced Research Projects Agency Network, or ARPANET, which was developed in the United States as a national project in 1959. Later, ARPANET was released from military use to academic use in the 1980s. Then, mainly private research institutes and colleges started using ARPANET's infrastructure. In late 1990s, the Internet was spreading explosively.

Fujitsu positioned 2001 as the first year of the Internet and under the business strategy, "Everything on the Internet," we have been promoting the development of infrastructure for a network society so that we can fully utilize the Internet for business.

However, in the September 11 terror attacks in 2001, the Internet was exploited for carrying out terrorist acts. This incident brought a significant change to cyber security thereafter.

The investigation of this incident by the U.S. government revealed that the terrorist organization made the most of the Internet in carrying out the terrorist acts. In response, the U.S. and other countries started taking various countermeasures regarding cyber security.

The Latest Trends in Establishing International Rules in the U.S. and Europe

As the importance of cyber security increases, the U.S. and Europe are leading other countries in establishing international rules. In the U.S., in particular, it is considered that supremacy in cyber space is the absolute condition for ensuring security.

In 2011, the U.S. federal government established security standards for common cloud service procurement practices among its organizations, Federal Risk and Authorization Management Program (FedRAMP).

In addition, the National Institute of Standards and Technology (NIST) has developed the SP800 Series guidelines. In particular, SP800-171 standards for security measures intended for private industries place severe restrictions that non-compliant organizations cannot participate in the supply chain.

In the EU, the European Commission put the NIS Directive and the General Data Protection Regulation (GDPR) into force in May 2018. The NIS Directive dictates network and information system security and the GDPR mandates companies to disclose and report any personal information leak within 72 hours after becoming aware of it. The GDPR also applies other severe penal provisions that include heavy fines.

The NIS Directive provides that important infrastructure business operators shall take the latest cyber security measures and that they shall comply with relevant international standards. The GDPR requires management to implement strict governance by specifying 4% of the annual sales of a corporate group or 20 million euro as the maximum fine for non-compliance.

The Age of No Security, No Digital

Under these circumstances, confidential information is having an extremely high impact on corporate management. The incident that occurred in March 2018, in which personal data held by U.S.-based Facebook was used by a U.K. consulting firm, is still fresh in our memory. It was originally announced that the number of people whose information was leached would be 50 million. However, when the number rose to up to 87 million, Facebook's stock value fell by 20% and the company lost 8 trillion yen in terms of market value.

The importance of protecting confidential information from cyber attacks has become extremely significant, and we so are in an age of 'no security, no digital.'

Also, a new threat due to the emergence of IoT involves companies' CSR activities, and the scope of its impact extends to the entire supply chain.

Security issues surrounding the supply chain should be deemed as society-wide issues, rather than issues of a single company. This requires us to bolster our ability to deal with cyber attacks. We also must have the ability to comply with various security standards. In other words, we need to take action by taking it for granted that we are subject to cyber attacks.