Cyber security in Japan

Tokyo FinTech was honored to host Mihoko Matsubara, Chief Cybersecurity Strategist at NTT Corporation, at one of our last Tokyo FinTech Meetups before we ceased in-person events, discussing her perspective on the domestic cyber security landscape. Here are some of the key points from her presentation.

Japan has been stepping up its cyber security efforts after being selected to host the 2020 Olympics. This was a game changer not only for the Japanese government, but also Japanese industry. To have a successful event like this, it is not just a sports event, it is also a platform for innovation, and a great platform to welcome tourists from around the world. It is also a political stage with presidents and prime ministers from all over the world coming together to see the opening ceremony. To be successful, you have to have good security not only in physical space, but also in cyber space, for both the Japanese government and all of the Japanese industry.

So I am seeing more sensitivity towards strategy, policies and guidelines from the Japanese government. There is also much more dialogue and information sharing, within industry sectors, across industry sectors, or even globally.

The telecom industry was the first one to launch the Information Sharing & Analysis Center (ISAC) almost two decades ago, and it was reformed into an ICT-ISAC four years ago, to also include media, like NHK or newspapers. You can also see from the above chart that the selection of Tokyo as an Olympic host in 2013 was a catalyst to bring other industries to the table.

Although sharing of cyber threat intelligence between Japan and the US has been ongoing for a long time, this was institutionalized through a formal Memorandum of Understanding (MoU) between the Japan ICT-ISAC and the US IT-ISAC in November 2019.

Another great example where the Japanese industry has been stepping up is the number of Computer Security Security Incident Response Teams (CSIRTs). Japan did not really have any CSIRTs until 2011, when Mitsubishi Heavy Industries got hacked, and it was the first time that major Japanese newspapers and TV broadcasters started to talk openly about cyber attacks and cyber security. As a result, the public also become much more sensitive towards these issues.

Because in Japan, the population is aging and shrinking, Japanese companies
needed to reconsider their business strategy. They started to acquire companies outside of Japan, becoming more globalized and diverse. This also brought some new challenges, as often these acquisitions run totally different IT systems and use different services.

So it has become quite difficult for Japanese companies to holistically understand the cyber security status across all their global entities. And often, a breach into Japanese companies originates from somewhere in their global network, from subsidiaries outside of Japan, because the headquarter does not have a good grasp on the global situation — they need to first spend more time understanding the issues, and then also invest more into their subsidiaries.

Small- and medium-sized enterprises (SMEs) pose another challenge for cyber security in Japan. While this is not unique to Japan, because every single country has SMEs, in Japan it is more pronounced since 99% of our companies are SMEs. A recent survey in Osaka found that only 50% of companies have someone dedicated to cyber security. And 80% of those companies have less than USD 4,700 per year to spend on cyber security. You cannot get much for that budget, maybe some anti-virus software for your laptops?

Cyber attackers exactly know about the weaknesses in SMEs, and it is much cheaper for them to hack into SMEs, rather than large corporates or government institutions, which spend much more money on their cyber defenses. Therefore 80% of cyber attacks target SMEs. Of course, both the Japanese national and the local governments are aware of this situation, so for example the Tokyo Metropolitan Government provides funding to buy cyber security products and services, and they have also been using manga to educate on cyber security since 2017.

Lastly, the Japanese government, through the Ministry of Economy, Trade & Industry (METI) and the Information Technology Promotion Agency (IPA), have started a proof-of-concept for a Cyber Security Rescue Unit in 2019, with involvement from IT & cyber security companies, insurance companies, and local chambers of commerce, to provide consulting and advisory services to SMEs to bring them up the learning curve.

If you found value in this article, please “clap” (up to 50 times).

This article is part of our Tokyo FinTech Publication, please follow us to read more from our writers, like hundreds of readers do every day.

Should you live in Tokyo, or just pass through, please also join our Tokyo FinTech Meetup. In any case, our LinkedIn page, Facebook page and our Instagram account are there for you as well.