Rethinking Cybersecurity: Japan Pension Service Hack Forces New Strategy
Tsuchiya Motohiro October 5, 2015
This article is available through a partnership between Sasakawa Peace Foundation USA and Nippon.com. Article was originally written and published in Japanese on September 3, 2015. For original posting, click here.
Money Was Not the Objective
The May 2015 hack of the Japan Pension Service, in which personal information of 1.25 million enrollees was leaked, has become a major political issue. The incident has been described as a cyberattack, although, narrowly defined, such attacks usually refer to attempts to harm people or destroy vital IT systems and critical infrastructure. Although the event only resulted in data being stolen, it may still be considered as a cyberattack in a broad sense.
In all likelihood the theft will not directly result in any serious damage, as the information pilfered included only names, postal addresses, telephone numbers, and pension numbers. Without credit card or other account numbers, these will not be enough to tap into personal finances, but money was probably not the thieves’ motive.
The culprits were most likely looking to use internal information hacked from the pension service’s computer system as an inroad to other agencies and organizations. Japan’s central ministries have continued to beef up their cybersecurity systems, and accomplishing a breach would be no easy task. Hackers have instead turned their sights on peripheral targets, including government-affiliated organizations, think tanks, private companies working with the government, and universities. Media attention has focused largely on the theft of pension records, but this breach may represent only the tip of a more extensive operation.
A far more serious incident that came to light at around the same time was the hack of the US Office of Personnel Management, which resulted in the theft of data on 22.1 million employees, including millions with security clearance. Gaining high-level clearance entails providing a long list of extremely private information, including family members, a complete list of previous residences and phone numbers, all foreign cities and countries visited, friends, record of debts, a history of illnesses, sexual orientation, and instances of infidelity. The purpose of such a thorough investigation is not to dig up dirt but to gauge a person’s propensity to lie.
The potential that this information may be used to nefarious ends is very real—not just for financial gain but also for political motives. One possibility would be for hackers to coerce Asian-Americans with security clearance working in the US government into spying by exploiting family connections in their home country.
Japan’s Commitment to Cybersecurity
In November 2014 the Diet of Japan enacted the Basic Law for Cybersecurity. Based on the law, the government’s Cybersecurity Strategy Headquarters laid out its draft of a new Cybersecurity Strategy on May 25 this year. The chief cabinet secretary, who heads the group, immediately ordered a review of the draft, though, when the Japan Pension Service was found to have been hacked. The new strategy was finalized on August 20 and was approved by the cabinet on September 4. While the cabinet approval does not make the strategy law, it does confer it quasi-legal status. The plan demonstrates Japan’s high-level commitment to cybersecurity and will form the basis of measures to be implemented henceforth at ministries, agencies, and other government organizations.
Looking at the language of the revised strategy, the 40-page document contains 51 derivations of the word “sharing” and 80 usages of “cooperation.” By comparison, “sharing” appeared 48 times and “cooperation” just 62 times in the earlier, 43-page Cybersecurity Strategy approved in June 2013. Information sharing in the wake of hacking incidents, and cooperation among organizations can be seen as pillars of Japan’s cybersecurity strategy.
Features of the New Strategy
Looking at the new strategy, the first point to note is the stepped up capabilities of the Government Security Operation Coordination team. As a part of the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), GSOC has mainly been responsible for watching over the computer systems and networks of central government ministries. It was GSOC that first caught wind and informed the pension service of the hack, although the breach could not be addressed quickly. In response to this, the government has extended the GSOC’s monitoring abilities to cover government-affiliated organizations as well, including incorporated administrative agencies and special public corporations (the Japan Pension Service falls under the latter). It is also expected to bolster the budgets and staff of the NISC and GSOC to enable them to fulfill their roles as cybersecurity control towers.
A second point of the strategy is the government’s efforts toward not only post-incident response but also proactive prevention. The strategy promotes understanding among relevant parties of the need to report even small-scale damage and signs of suspicious activity to safeguard against large-scale cyberattacks. It also puts an emphasis on bolstering both internal and external systems of cooperation and information sharing. It goes without saying that a speedy response and recovery is essential following a cyberattack, but it also should be possible to prevent incidents from occurring by monitoring networks and systems and sharing information about hacking incidents among different agencies and with global partners.
A third point is the strategy’s efforts to strike a balance between security and free access. It underscores the impossibility and impracticality of tasking the government with maintaining order in cyberspace. In global cybersecurity talks, China and Russia have called on states and governments to take greater roles in policing unlawful activities by boosting surveillance and control measures. In response, Japan, the United States, and European countries have argued for the need to guarantee freedom of speech and the free flow of information. Entrusting cybersecurity solely to the state may result in the kind of surveillance society that exists in China and Russia. Japan has openly expressed its opposition to such a scenario. The Japanese strategy articulates the government’s firm stance against state use of cyberspace to control, censor, steal, or destroy information as well as its illicit use by terrorists and other nonstate actors. It goes on to establish the government’s commitment to proactively contributing to conserving cyberspace for peaceful purposes while also ensuring the safety of the country.
No Perfect Security
There is more to cybersecurity than building sturdy walls and hiding behind them. The value of an interconnected society comes from the free flow of information. We need to realize that there is no such thing as a perfect defense system, as hackers will exploit the tiniest holes and cracks in fortifications to infiltrate and steal information.
The first step, as called for in the strategy, in guarding against cyberattacks is to develop highly capable human resources to work both in government and the private sector, overcoming sectionalism to “share” information and promote “cooperation” both at the individual and organizational levels. Going forward, this will form the core of Japan’s approach to cybersecurity.