“API Geoeconomic Briefing” is a weekly analysis of significant geopolitical and geoeconomic developments that precede the post-pandemic world. The briefing is written by experts at Asia Pacific Initiative (API) and includes an assessment of burgeoning trends in international politics and economics and the possible impact on Japan’s national interests and strategic response. (Editor-in-chief: Dr. HOSOYA Yuichi, Research Director, API & Professor, Faculty of Law, Keio University)
This article was posted to the Japan Times on August 29, 2021:
API Geoeconomic Briefing
August 29, 2021
Japan has no time to waste in boosting its cyberdefenses
JIMBO Ken,
MSF Executive Director, Asia Pacific Initiative (API);
Professor, Faculty of Policy Management, Keio University
In May, a ransomware attack on Colonial Pipeline Co., the operator of the largest petroleum pipeline in the United States, forced the company to shut down its entire fuel supply network for five days, creating a serious impact on social and economic activities in the U.S. East Coast.
According to an annual report on 10 major information-related security threats issued by the Information-technology Promotion Agency, Japan in February, ransomware has now become the greatest threat to the information security of both the government and the private sector.
What makes this threat even more serious is the fact that it is targeted at key infrastructure that supports people’s lives and economic activities.
There have been countless cyberattacks on critical infrastructure in the past, both successful and attempted. One serious case was an attack on SolarWinds Inc., a U.S. information security firm, that spread to its clients that had software contracts with the company.
SolarWinds’ software is used by major U.S. government institutions, the military and key infrastructure providers. The firm’s overseas clients include NATO and the European Parliament, as well as the U.K.’s Ministry of Defence and National Health Service.
A group of hackers secretly broke into SolarWinds’ systems and added malicious code into the software. The hack was done so stealthily that it went undetected for about 10 months until last December.
It is believed that confidential information was stolen from many users, but the extent of the breach is still under investigation.
Another concern regarding protection of critical infrastructure is the increase in the number of attacks targeting industrial control systems’ vulnerabilities.
A major blackout that hit parts of Ukraine in 2015 was caused by the malicious remote operation of power substations conducted by hackers who intruded into a power grid’s control system via virtual private network (VPN) connections.
In 2019, Norsk Hydro ASA, a Norwegian aluminum products company, was hit by a devastating ransomware attack, affecting its network across the world.
Earlier this year, hackers fraudulently accessed the control system of a water-treatment facility in Oldsmar, Florida, in an attempt to raise the levels of sodium hydroxide in the water by more than 100 times.
A decade ago, Stuxnet, a malicious computer worm that ruined the centrifuges of a nuclear fuel-enrichment facility in Iran, had to be physically installed via USB stick.
But under today’s digital transformation, major companies’ production and management divisions are adopting smart factories, remote control systems, edge computing, artificial intelligence for production optimization and a cloud shared-responsibility model.
Due to digital transformation, more industrial control systems are interconnected with open systems, bringing about a greater vulnerability of operational technologies.
Active defense
In protecting critical infrastructure, the Japanese government places top priority on assuring their functions.
It provides a risk management system by supporting defense capabilities of critical infrastructure operators in 14 sectors and encouraging cooperation among them.
But as new threats are emerging regarding critical infrastructure, is passive defense — a model of cooperation among operators to assure functions — sufficient enough?
In the case of Colonial Pipeline, U.S. President Joe Biden’s administration managed to recover $2.3 million of the ransom paid in cryptocurrency to a criminal cybergroup.
FBI investigators, the Justice Department’s new Ransomware and Digital Extortion Task Force, and financial authorities closely cooperated and used a blockchain explorer to identify a virtual currency wallet that the hackers used to collect payment from Colonial Pipeline.
Such a success sends a signal to cybercrime groups that cyberattacks will be more costly with less returns.
The Japanese government currently lacks such task forces that can quickly respond to incidents.
It is necessary to prepare for a situation in which critical infrastructure is hit by large-scale cyberattacks, threatening people’s lives and leading to other damage.
A day might come in the not-so-distant future when cyberattacks on the nation’s critical infrastructure take control of flights, trains, transportation and electricity supply systems, causing injuries and even fatalities.
If such a situation occurs, depending only on passive defense aimed at assuring functions of infrastructure could mean a substantial lack of ways to effectively prevent future attacks.
To cope with new threats to critical infrastructure, the government should adopt a system of active defense, including directly approaching attackers, in addition to strengthening existing passive defense measures and the resilience of critical infrastructure.
Specifically, the government must look out for signs of cyberattacks by monitoring potential attackers, boost capabilities to attribute the source of the attacks, have the ability to negotiate with attackers or make a countercharge against them, prepare to designate cyberattacks as contingencies according to the level of threats and cooperate internationally, especially with the U.S.
Introducing deterrence
The first stage of active defense is boosting deterrence by detection.
By detecting and identifying the movements of potential attackers, the government can make them aware that they are being monitored constantly, thus reducing the possibility of them behaving opportunistically.
The second stage is deterrence by denial.
Japan can lower the incentive to attack if it is able to present multilayered defense systems and the capability to recover quickly from cyberattacks.
The third stage is to introduce deterrence by punishment, including criminal prosecution and counterattacks, so that cybercrime groups will give up attacking Japan in fear of having to pay a high price.
The government is planning to compile a new cybersecurity strategy by the end of this year and will launch a new digital agency in September to accelerate the digitalization of the economy.
At this crucial time, the government must update its crisis awareness toward defending critical infrastructure, strengthen measures including active defense, propose necessary legal revisions and systems and clarify responsibilities, authorities and the sharing of roles among different organizations.
A draft for the new cybersecurity strategy calls for the improvement of deterrence against cyberattacks and proposes boosting the capability to prevent the use of cyberspace by attackers and dealing with attacks through such steps as criminal prosecution.
If Japan is really serious about adopting active defense, it is necessary to promote such measures in a more systematic manner.
The government should also focus more on protecting cutting-edge technologies and the defense industry from the standpoint of economic security.
Under the new cybersecurity strategy, it is necessary to step up security for sensitive technologies and prevention of the transfer of such technologies, as well as accelerating protection and decentralization of data centers.
Moreover, the government must enhance international cooperation around managing global supply chains and helping developing economies to improve their information security capabilities.
No cybersecurity leader
The biggest issue for Japan’s critical infrastructure defense policy is that the government lacks a ministerial-level authorized person with a high level of expertise.
It is extremely important for the National Security Council to enlist someone to be in charge of the nation’s cybersecurity.
To connect key infrastructure defense with national security policy, it is obvious that a person responsible for cybersecurity needs to coordinate policies with the prime minister, the chief Cabinet secretary, the foreign minister, the defense minister and the Self-Defense Forces’ Joint Staff Office.
The Biden administration nominated John C. Inglis as the first U.S. National Cyber Director and established the Office of the National Cyber Director within the Executive Office of the President, tasked with leading the implementation of cyberpolicy and strategy, including supporting efforts by the private sector and reviewing budgets related to cybersecurity.
In the U.S.’ National Security Council, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger leads cyberdefense efforts.
In addition, the Department of Homeland Security, the director of national intelligence and the Cyber Threat Intelligence Integration Center are working together to build up a system against cyberthreats.
Japan should also have a system that can serve as an appropriate counterpart.
The country also urgently needs to nurture personnel and organize an operations team in charge of cybersecurity.
The draft for the new cybersecurity strategy calls for the need to create a framework for the National Computer Security Incident Response Team to realize comprehensive cyberdefense.
It will become necessary to allocate a large budget to secure personnel for the framework, as well as greatly strengthening the Government Security Operation Coordination team and the Cyber Incident Mobile Assistant Team of the National center of Incident readiness and Strategy for Cybersecurity within the Cabinet Office.
These teams will become the base of cyberdefense, including situation monitoring, incident response, impact assessment, forensics and legal response, in cooperation with the National Police Agency, the Defense Ministry and the digital agency.
Even if systems and legal foundations for cyberdefense will not be created in a short period of time, it will be necessary for Japan to prepare active defense measures for the future.
Disclaimer: The views expressed in this API Geoeconomic Briefing do not necessarily reflect those of the API, the API Institute of Geoeconomic Studies or any other organizations to which the author belongs.