Japan’s cybersecurity nightmare is also a problem for everyone else

(Bloomberg) — Kojima Industries Corp. is a small company, little known outside of Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a vital one. And when the company was hacked in February 2022, it brought Toyota Motor Corp.’s entire production line to a stop.

The world’s best-selling car maker had to shut down 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took Kojima months to get operations back to normal.

The company is just one name on Japan’s long list of recent cyber victims. Ransomware attacks alone increased by 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported $42.3 billion worth of chip components last year – leading the supply of some materials – supply chain issues can have global implications.

Comparative data on cyber attacks is hard to come by. But Mihoko Matsubara, the chief cyber security strategist at Japanese telecommunications company NTT Corp., says the nation has had a very difficult time.

“Along with the increase in the number of ransomware attacks, Emotet attacks hit Japan more than any other country in the first quarter of last year,” she said, referring to a type of malware that is often spread through phishing emails. “Japan has had a difficult year dealing with further cyber attacks on industry, government and the healthcare sector.”

But while Japan has its own unique problems with hackers, the US and other technologically strong nations share many of its vulnerabilities. Between the Colonial Pipeline attack in the United States and the Australian telecom hack that exposed the personal data of 10 million users, rich countries have been caught repeatedly ignoring the harsh realities of cybercrime.

Meanwhile, attacks on vital services such as Japanese hospitals – which have delayed surgeries and other treatments – are a reminder that money is not the only thing at stake.

“The ransomware attacks were a wake-up call for the Japanese,” Matsubara said. “Because human life is now in danger.”

The Kojima attack on February 26, 2022 was what is known as a supply chain hack: hackers broke into the systems of a third-party business partner and used them to access Kojima’s file servers. By 9 pm, they had encrypted data on several servers and computer terminals, according to Kojima’s spokesman.

The breach was detected at around 11 pm. The hackers sent a ransom demand, but Kojima’s engineers never responded to any communication from the hackers, the spokesperson said.

Before dawn, Kojima shut down the systems it uses to communicate with external suppliers, and the next day Toyota announced that it would suspend operations at all of its domestic factories. The breach meant that subsidiaries including Daihatsu Motor Co. and Hino Motors Ltd. stopped production.

“Attacks are on the rise in Japan, and more businesses are becoming aware of the risks,” said Shinpei Izumo, an underwriter at Sompo Japan Insurance Inc. He estimates that cyber insurance sales are up 20% to 30% from the previous year.

Smaller businesses have few protections, he said. “They don’t know what to do in an emergency or incident, and they’re not taking steps to prevent the damage from spreading.”

High End Powerhouse

Supply chain hacks have enormous potential to disrupt the economy. Although much manufacturing and assembly takes place in lower-cost markets, Japan is a powerhouse when it comes to producing a select group of high-end goods. Products such as phones, computers and electric toothbrushes often contain Japanese parts.

The country produces about 80% of fine chemicals for electronics and is a leading global supplier of photoresist, a light-sensitive material used to make semiconductor chips, according to Ulrike Schaede, professor of Japanese Business at the School of Global Policy and Strategy at the University of California, San Diego. Being vulnerable to cyber attacks would have a significant impact on those industries.

“Not a day goes by when you don’t use an item that wouldn’t exist if it weren’t for the Japanese part,” Schaede said.

“Japanese companies are an important part of the global supply chain,” she said. “The more upstream you go, the more Japan there is.”

Last year, manufacturers Fujimi, Denso, Nichirin and TB Kawashima experienced cyber attacks on overseas subsidiaries with Japanese intellectual property. Japanese clothing manufacturers, furniture makers, credit card companies, libraries and a social media service operator were also among the targets of the hackers. And in September, the pro-Russian hacker group Killnet took down 20 Japanese government websites in a distributed denial-of-service, or DDoS, attack.

In response, the Japanese government said it would introduce new laws to engage in offensive cyber operations to “start monitoring potential attackers and hack their systems as soon as signs of potential risk are detected.”

This is a significant escalation of the government’s approach to cyber security, which previously adhered to the spirit of Japan’s constitutional commitment to pacifism after the end of World War II. The changes are reflected in the new cyber command being established within the Japanese defense force.

Western allies are waiting for the country to admit it needs to do more, says David Suzuki, managing director for Japan at security firm Blackpanda.

“I think there is finally an understanding in Japan that cyber security is not an IT issue. It’s a security issue, right?” he said. “Because it’s not a machine that’s hacking you. It’s a bad guy, using machines.”

Recovery Costs

For all its advanced technological knowledge, Japan is also a place where traditional ways of doing business are deeply rooted. When ransomware attacks occur, companies are often able to keep operations running using paper inventories and offline backup systems – reliable and unhackable, but also slow and cumbersome. And as companies slowly restore their systems, breaches don’t always go unreported, according to industry officials and cyber experts.

Historically, Japanese companies have avoided paying ransoms by relying on data recovery firms that were slow to piece together compromised networks, says Tatsuhiro Tanaka, a retired major general who is now research principal at Fujitsu System Integration Laboratories Ltd. But the increase in the frequency of attacks means the cost of recovery is also increasing.

“Very few companies hire a type of incident commander, the person who deals with the cyber attack and business continuity,” Tanaka said. “We have to change the mindset.”

Some Japanese companies are also resistant to disclosing attacks and upgrading systems, a reluctance stemming from societal norms about assigning blame, according to Scott Jarkoff, who heads the strategic threat advisory group for cyber firm CrowdStrike and has been based in Japan for over thirty years.

That culture hinders the nation’s ability to build a local population of security experts, said Hiroshi Sasaki, an associate professor of manufacturing and innovation at Japan’s Nagoya Institute of Technology.

“They must be accountable and responsible when a cyber security incident occurs. Other countries that pay attention to their critical infrastructure will learn the importance of the supply chain from the case of Japan,” he said.

But while Japan may be a prime example of such vulnerabilities, it is far from the only country at risk.

In the United States, cybersecurity regulation is patchy, and the government has long relied on businesses to voluntarily comply with cybersecurity guidelines. But in releasing its national cybersecurity strategy in March, the Biden administration endorsed tougher measures, pushing federal agencies to use existing authorities to set minimum cybersecurity requirements in critical sectors.

In Australia, businesses that failed to mitigate easily preventable security breaches faced minimal financial penalties until last year, when the government introduced fines of up to A$50 million ($33.5 million) or 30% of a company’s adjusted turnover in the relevant period. Meanwhile, the European Union noted in a recent report that much of its software originates in the US, and that its own cyber security industry needs to grow to address vulnerabilities. Cyberattacks in the region grew 26% in 2022 compared to the previous year, according to Check Point Software Technologies Ltd.

The government agency in charge of overseeing Japan’s network security says the country’s disclosure rules are not that different from those of other countries.

“No country makes it mandatory for companies to publicly disclose accounts of their cyber security attacks,” said an official from the National Center for Incident Preparedness and Strategy for Cyber Security, who asked not to be named. “This is because they contain information that could affect their business operations.”

Instead, Japan asks companies that provide critical infrastructure such as telecommunications, power, gas and railways to voluntarily report any cyber security incidents. Over a thousand companies fall under this category and a total of 407 reports were made in 2021.

“Although it is not mandatory, the reports are done properly and the necessary information is shared,” said the NISC official. “One unique thing about Japanese culture is that people obey what is asked of them regardless of whether it is voluntary.”

Japan has some cyber victories to celebrate. NTT’s cyber security strategist Matsubara points out that the country fought off thousands of unprovoked cyber attacks targeting the 2020 Tokyo Olympics. Japan has also been included in NATO’s annual cyber exercises for the past two years, she said, even though it is not a NATO member.

“Even the Japanese I’m talking to didn’t know that,” she said. “But this year everyone is more interested in cyber security because they are worried about financial or geopolitical cyber attacks.”

Japan is far from the only country reluctant to admit its cyber security failures. But the relentless attacks its manufacturing industry has suffered in recent months are a cautionary tale for other wealthy nations with supply chains to protect. Japanese executives are “still lazy” compared to those in other countries, according to Kouji Morii, head of security at Segue Group Co., an information services firm.

“Japanese employers tend not to think that cyber attacks have anything to do with them unless they are attacked. We have to change the thinking.”

–With assistance from Reed Stevenson.

©2023 Bloomberg LP
