Batter Up! Why Is Japan Still Batting In The Minor League Of Cybersecurity?

so welcome everyone my name is Ben and today I'll be talking to you about Japan and it's Cy security SC so firstly who am I I'm a Cy security consultant for a Japanese cyber security company called Nihon cyber defense uh during my time with NCD I specialized in cyber intelligence and for the past three years I have um been fortunate to call both Tokyo and Belfast home so on that not let's get this all come the way so what am I actually going to be talking to you about well to start off we'll be examining Japan and its suby landscape before exploring the issues that play it then to finish it off I'll be discussing what Japan needs to do

next to step up its side security game so now for the next question why am I standing up here talking about Japan to most people Japan is the land of anime weird TV shows amazing food massive Mets and wacky futuristic technology but maybe some of you may even call it one of the kings of Technology however when you look behind its curtain you find the world's the world's third biggest economy that contains Global household names including Toyota Canon Sony and Nintendo but Japan has also been in the international Spotlight over the last few years as it's uh due to its hosting of significant Global events such as the uh Tokyo 2020 Olympics and the recent

409th G7 Summit but what does Japan mean for us as cyber Security Professionals well for many of you who call Belfast and the rest of the UK home Japan has become a close Ally in recent years because of things like the Free Trade Agreement the Hiroshima Accord the global combat air program that we share with Italy and Japan's allies have also increased in numbers recently with the recent Partnerships with Australia and the recent trilateral movement trilateral uh leader Sumit at Camp David uh this August now why are these Partnerships important to us as individuals interested in cyber security and outside of Japan well hopefully majority of you know Japan's interesting neighbors such as China North Korea and Russia and of

their recent cyber activity that impacted not just Japan but the global landscape and understandably Japan has found itself on the front lines of the cyber world with one question needing an answer is Japan secure against cyber attacks unfortunately the answer isn't yes or no but a saying does come to mind defenses are only as strong as their weakest link and when it comes to C security Japan is still in the age of Slammer eyes compared to its allies and enemies so why is Japan the weakest L but let me introduce you to this gentleman ad see and this me adal Dennis C Blair adal adal Dennis C Blair is a former US Director of National Intelligence and

has has had an acific interest in the uh indic cific region in recent years he recently conducted a review of Us's closest allies and their Cy compliance and discovered Japan was the lowest in class and last year he even described Japan as being in the Minor Baseball League compared to the rest of us allies of Australia in the UK so does that mean any consequences you know ultimately someone has to be the weakest link unfortunately yes one consequence for Japan has been economic one case of this is of the recent $80 billion contract from the US Department of Defense which was awarded to a Japanese company but 6 months later was dropped by the dod because they weren't

reassured of the company cyber resilience right okay private sector is struggling but does that mean the public sector and everything else is well the private sector is only the tip of the iceberg the public sector includes the government Ministries and have had which have had their own cyber security issues as seen in the recent Washington Post talking about the US experiences of Japan's malstrom of cyber security issues over the past few years now this does include a compromise on Japan's Cyber Network cyber defense network by Chinese FR actors which has taken over a year to resolve and now this is only just one example the Japan's Center of uh National National Center of instant Readiness and strategy so security

disclosed breach of their email system only last month and actually one of the oldest instances from this year was a compromise 261 River surveillance Camas across the Kenai region now this all supports Japan being the weakest link although every country has its horror stories however most of these instances are being B up by the Japanese authorities or Ministries but by external sources like the Us and other security researchers but what happens if the situation was recognized from the inside well let me introduce you to someone else uh Amar Amari was the former Secretary General of Japan's leading political party the ldp so why is a Japanese politician the key to recognizing Japan's cyber security situation well

back in October last year amarian was representing the Japanese government at a large International cyber security conference in uh Tokyo where he was talking about Japan situation and mentioned some of the things that Dennis Blair had said about to path but what caught my interest is what he said about Denis C blers baseball minor league common he Express he was actually surprised by the review and he thought that the review was too generous and as a mar as a Maran actually sees Japan being in the baseball School league now I expect none of you actually expected that to be honest another interesting point from his speech was in preparation was in preparation for the latest full review

of Japan's key infrastructure action plan that's coming into effect soon a cyber risk assessment was conducted of 14 major Japanese infrastructure sectors including electricity gas water Etc so what did the assessment find well one Maj finding was that they discovered exactly 877 cyber risks now that isn't great but it should be zero but it could be a lot higher so what else did the assessment find well it was determined that many places didn't actually have an established cyber instant response or secuity mechanisms now I don't think anyone here wants to hear your critical infrastructure has no plan on what to do if it was targeted by a Cyber attack but it could be worse it's not like someone

doesn't know the possible risks and threats well actually the assessment found one person who was responsible for managing some water infrastructure who didn't actually know what cyber risk was and actually never heard of it so I think we've established there's a problem so the question is how does the Shogun of Technology end up like this well Japan faces many challenges and many of these challenges actually impact not just cyber but the whole of Japan these challenges are aging population shortage of Workforce and old technology and this isn't just me saying this the government of Japan in its 2021 cyber security strategy highlighted there is a short of Workforce caused by Japan's aging population which is led to Japan

depending on foreign foreign countries and organ gz ation for their sity capability and yes okay Japan might have some of the most advanced technology but that doesn't mean day-to-day technolog is new I mean how many of you actually know what a fax machine is let alone how to use it another social issue is losing face we've all lost face and tried to save face to be honest being a barrass is part of life but when it comes to Japanese organizations Saving Face is a critical life-saving skill in the Japanese market now in my opinion losing face is one of the biggest problems Japan's Society faces the issues that can come with losing faith sometimes result in bad solutions to get around

the issues that it produces and in the sub security world that isn't good an example of trying to save Fai in the cyber world is when companies don't admit they've been breaked for months which then lead to more problems now one of the main reasons for this is because um seet often get fired or ask to resign and when it comes to telling the public the Japanese don't exactly do it peacefully as I assume most people most of you have seen the large press conferences with flashing lights and the whole board doing a 45 degree angle bound now what about something more closer to home something more cyber security Centric well this figure from PWC is quite old now but it is still

relevant to this day as that actually hasn't been much Improvement in the sharing of threat intelligence now to be clear there's been some really good utilization of threat intelligence not just by Japanese companies but by around company fi companies around the world although that's not sharing Cy FR intelligence so why is that well there were four reasons given in the report and when I think about those four reasons given back in 2016 I think maybe they could be Sol through something like an ISAC uh for those who don't know an ISAC stands for information sharing analysis Center they would provide a framework to process the intelligence they'd act as a neutral organization in any Market they wouldn't

be a competitor and they could be trusted with the information plus organizations could share the information with an ISAC through many methods like a fact machine unfortunately there's one problem that was bugging me when I first thought of this why has no one else thought of it the answer is they have and as and they actually quite a few and as you may notice some of them are actually older than the PWC report so maybe there's another reason well one another possible reason that was given is there is too many possible NS of information currently both Dennis C Blair and amarian acknowledged there was an issue of sharing intelligence one of the reasons for this is even though Japan

has a national Center of incident Readiness and strategy for S security it still needs a command center and clear incentives to sharing the information another topical issue is article 9 Japes Constitution it's become a massive Topic in recent years with all the military activities seen by Japan's interesting neighbors so what is article 9 article 9 basically states that Japan has no right to wage war or declare war and therefore does not all does not is not allowed the capability to maintain offensive of capability that includes Land Air sea space and interestingly enough it does apply to cyber and that's where Red Team falls into now this has led to hesitation in terms of having a red team

for even defensive reasons now okay let's be honest domestically it's not really a problem but at a national level where you're going to test a networking systems like it's going to be targeted by an ATP F actor you're going to have a headr moment there's actually one last thing that dragged s Security in the art into the article 9 discussion Spotlight counteractive defenses using halfbacks so here's a question to think about for a second does Japan's con tion allow their government to defensively counteract threats and sies so how does Japan go from being in the lowest in the class to an norstar plan well first action I think we should recognize some of the positives and

marisan himself said he's not actually totally in despair of the situation in Japan why is that well he noted during his speech that the UK suffered 2 million cyber attacks during the 2012 Olympics but that record was actually broken during the 2020 Olympics where over 450 million attacks were identified and mitigated now this is the result of government agencies and large private sector companies like NT working together what about more recently well these three points listed on the slides are updates from the jackes government from the RO pass through months now this ranges from increasing the number of cyber related Personnel in the ministry of Defense to new legislation that will cover cuted secession costs to an

Information Network that will assist Pacific iseland countries that have weak cyber security counter measures and these are only three updates there are plenty more and new ones come out quite regularly before we have a look at what Japan should do next there's actually one last positive so after I submitted this talk I actually got some feedback why does it matter to Belfast well actually doesn't specifically relate to about let's be honest it's talk about security but whil I was writing this talk I came across this this is an umbrella un uh organization which is made up of universities from the UK the US and Japan which holds an international capture the flag for for the students of

the universities within the organization now this is cool this is all cool and everything although I did notice something new University joined at the beginning of this year and I don't think you guess which one quin's University Belfast great so all these positives are great and everything but this is only the start so how does Japan go from being in the lowest class in All Star plan well the first thing should be talking about the challenges it faces No matter how uncomfortable the discussion gets secondly in my opinion Japan should take on the UK's National model now to be clear the model on the slide which is probably flashing currently fors of bit um is a simplied version of the cyber

security strategy from the past few years however it still valid compared to the more recent ones and I've been using this model to check to see how Japan has been doing over the past few years so let's actually go through it does it have a national C security Center well it does have a national Center of instant Readiness and strategy for C security and they also have a Cy Security Council as part of their basic act on cyber security mentioned in the talk they don't actually have a command center somewhere which will take the RS okay what about collaboration well the purpose of the council is actually to enhance information sharing between the members of the council and to help

promote cyber security but sharing information is still low and this is because of things that are list that were listed and also the fact that social norms like sa face has impacted it what about awareness well the Japanese do take take part in cyber awareness month and the national Center of instant Readiness and strategy for cyber security regularly release blogs about cyber threats but this is not the level of countries like the UK where cyber hying is talked about from a young age upwards finally capacity well the government's plans to increase the total number of cyber related Personnel in the ministry of defense will start filling the Gap but that isn't a solution for the private sector there is still a lack

of educational routs to C Judy in Japan which would provide the workforce that is required for the Japanese market so to sum this up Japan is making some good progress but there's still a long route ahead of them now ultimately this is only a glimpse of what Japan's sub security scene actually looks like so what do I want people to take away from this TR well apart from the usual message of encouraging people to have a look at Japan and sub security scene the main mage is to recognize there will always be a weakest link when it comes to things like cyber security Partnerships and Supply chains but we as Subud industry are responsible for

making sure that those weak links and all the other links in the chain are as strong as possible for the day when someone decides to break the chain thank you very much any questions if I have

time [Music]

thinky so there's actually two points I want to make with this really quickly yes possibly but here's a question for you as such let's say the US and and China in a couple years time decide they're actually buddy buddy and Japan gets removed from that umbrella what should Japan do this is the point of this talk and the point of why I'm talking about this is to say and anyway in Japan is recognizing this you can't rely on other people you have to rely on yourself and the Japanese the Japanese government recognized that in the 2021 Olympic uh cyber security strategy which talked about hey we're depending on foreign countries and organizations for security we need to work on it ourselves

any other

questions yes with the right things done now this is where I can make a sales pitch but I'm not going to um but with the way things are looking yes and one of the points that I hadn't actually put in this talk was there's actually a lot of discussion around article n and the uh Information Network that I mentioned is actually looking to do hack backs they are looking at basically rewriting the way that they read article 9 so ultimately will they catch up yes but are we comparing it to their closest allies like the US and UK maybe not as quickly but I think with the realization currently going on the Glo globally eventually yes they will catch

up to an AIC level and hopefully will become a part of the workforce that we're seeing trying to keep the whole of the globe safe instead of just being their own any other [Music] questions thank you very much then