Japanese companies must take cybersecurity more seriously

Situation will almost certainly get worse before it gets better

Article by David J. Farber and Dan Gillmor
This post was originally published on Nikkei Asia.

David J. Farber is distinguished professor and co-director of the Cyber Civilization Research Center at Keio University in Tokyo. Dan Gillmor, professor of practice at Arizona State University, is a senior fellow at Keio’s Cyber Civilization Research Center.

The Japanese government will order the nation’s major infrastructure companies in industries such as telecommunications, finance and transportation to start taking digital defense more seriously. The move is welcome, if overdue.

But it also highlights the immense difficulty of the task and the ever-morphing nature of attacks and intrusions. This is a situation that almost certainly will get worse before it gets better. And that makes the need to shore up defenses all the more crucial.

The attackers include criminal gangs and governments. Their major targets include government and companies, and individuals they deem dangerous. Their motives include money and power.

For the moment, the malefactors have the advantage. They enjoy two key realities: first, that digital technology as currently deployed is inherently insecure, and second, that the rewards have greatly outweighed the risks so far.

Cyberdefense is a headache-inducing process. The complexities of our digital ecosystem are so enormous, technically and legally among other ways, that merely understanding the problems is difficult, let alone solving them. Software lives in more and more of what we use every day, and software means vulnerability. The internet was built on chains of trust, and never has there been more truth to the cliché that a chain is only as strong as its weakest link.

But we have to try, with layered approaches that will not be ideal solutions by themselves yet can offer better protection than we have. We also need to build more resilience into our systems, on the assumption that no matter what we do, there will continue, at least for the foreseeable future, to be successful attacks.

It is not only major infrastructure companies that need to take cyberdefenses seriously. Every Japanese enterprise, corporate and otherwise, and large or small, should be planning for the day it faces a crisis, just as they plan ahead for earthquakes. They need to shore up their own defenses and be ready to respond and recover when the inevitable does occur.

What can enterprises do?

Software updates are an essential line of defense. Countless successful intrusions have been attributed, for example, to penetration of a networked PC running an older version of Microsoft Windows, or a recent version that had not been patched with security updates. When a software vendor offers an update, install it. This is as true for phones and home computers as corporate ones.

Devices such as internet routers, Wi-Fi devices and file servers may have older versions of internal software that has not been maintained by the manufacturer, who may no longer be in business. This can provide points of attack. Unprotected, or unprotectable, devices should be replaced.

Pay attention to disclosures of vulnerabilities. A number of security-oriented organizations keep track of exploits, as do some manufacturers. The Japanese government should consider providing such a service itself, similar to the product safety notices that governments supply for foods, automobiles and other appliances.

In an era when more and more people are working remotely, a trend that is likely to expand even when the COVID pandemic recedes, there are risks when employees and visitors connect their personal computers to your internal systems. If the outside computers have been compromised before connecting to your networks, your systems are at risk.

Related: Be on the alert for supply chain hacks. You may have granted third parties, such as suppliers, access to your systems. But if they have been hacked, you are vulnerable, too.

On a routine basis, create and store redundant backups of critical data, including off-site copies. The massive data loss at Kyoto University’s supercomputing center does not appear, from press reports, to have been the result of hackers’ work, but it is no less damaging. Storage is inexpensive and getting more so every day. Buy it and deploy it.

Offer your employees training in cybersecurity practices for personal devices as well as company-owned hardware and software. Consider making it mandatory. For nontechnical employees, the training should be basic and engaging, a way to help them adopt sound practices at work and at home and to understand why this matters.

Management should have a well-understood plan for handling both a failure and an attack. This should include a technical recovery plan with assigned responsibilities, as well as notification of government agencies, customers if affected, and the public.

Above all, assume that your defenses are constantly being probed. You may not be a target of a nation-state’s elite hackers, but the array of widely available and easy-to-use hacking tools is growing all the time.

As many security experts have said, protection of vital data and services from increasingly dire threats is not an outcome. It is a process and an arms race.

We are glad to see the Japanese government’s initiatives to push for better security. But there is no need for enterprises of any kind to wait for orders or suggestions from official sources. The time to start is now.