With three years left until the 2020 Tokyo Summer Olympic Games, the Japanese government is regularly reviewing its national cybersecurity capability and policies. Just this year, the government is releasing three national cybersecurity strategies: the 4th Information Security Action Plan for Critical Infrastructure and the Program for Cybersecurity Human Resources Development, which were announced in mid-April, and the Cybersecurity Research and Development Strategy scheduled for later in the year.
Compared to the Information Security Action Plan for Critical Infrastructure and the Program for Information Security Human Resources Development, first released in May 2014, the new strategies have two notable changes. First, both strategies recognize that business executives need to be proactively involved in cybersecurity and should manage its risks by treating it as an integral part of their strategy. This is in line with the philosophy first presented by the Japanese government’s Cybersecurity Guidelines for Business Leadership in December 2015 (revised in December 2016). The 4th Information Security Action Plan for Critical Infrastructure outlines that the leadership of organizations within this vertical need to be more involved in information security by incorporating risk assessment and management in their business strategies.
This is also true for the Program for Cybersecurity Human Resources Development, which points out that cybersecurity produces greater business value and international competitiveness. The document echoes the Cybersecurity Guidelines for Business Leadership and asserts that cybersecurity brings opportunities rather than being treated as a cost center. The guidelines play an important role in the future of Japanese cybersecurity policies and strategies by encouraging the involvement of business leaders and accelerating cybersecurity measures.
That being said, the Program for Cybersecurity Human Resources Development offers some alarming statistics that indicate Japanese business leaders are still behind in cybersecurity awareness compared to their American and European counterparts. When the Japanese National Center of Incident Readiness and Strategy for Cybersecurity, or NISC, asked business executives if they consider cybersecurity a management challenge, 63 percent answered “yes”, yet 34 percent still said “no”. In fact, according to a 2017 report by the Information-Technology Promotion Agency, or IPA, more Japanese companies believe their leadership is not sensitive to risks (30.9 percent) and their cybersecurity budget is insufficient (33.9 percent) than American (27.1 percent and 27.5 percent) and European (20.7 percent and 27.9 percent) companies.
Although the Program for Cybersecurity Human Resources Development argues that cybersecurity is an enabler of innovation, the lack of interest in cybersecurity among business leaders keeps those organizations from seizing such opportunities. It is crucial to raise awareness of cybersecurity in Japan, explain the cyberthreat landscape and best practices, and describe potential risks from business strategy and risk management perspectives in simple, easy-to-digest terms.
Second, both strategies emphasize the need for cross-sector collaboration and information sharing. The 4th Information Security Action Plan for Critical Infrastructure encourages companies in this sector to take another look at their organizations for ways to bridge the gap between information technology and operational technology and to train employees on the differences between the two. Whereas IT departments, which include cybersecurity teams, tend to prioritize confidentiality over availability in the “CIA” – confidentiality, integrity and availability – principle of information security, OT teams working at plants and factories prioritize availability and safety to ensure operations and services keep running smoothly. Thus, OT teams may not see the urgency of security patching if the action slows down their operations. This is in spite of the fact that the control systems of critical infrastructure companies are connected to the internet, and cyberattacks have been launched to steal sensitive information and disrupt their operations, for example by causing power outages.
Although cooperation between IT and OT teams is crucial to prevent successful cyberattacks from disrupting critical infrastructure operations, the acute differences between their cultures and priorities make it challenging for these functions to talk to each other. Even if OT teams recognize the importance of cybersecurity, they often find that their departments do not have sufficient budget to fund it, or that the budget belongs to IT. Thus, team-building to bridge IT and OT is required to encourage collaboration on budget, culture, and structure.
In April 2017, the Japanese Ministry of Economy, Trade and Industry launched the Industrial Cybersecurity Center of Excellence under the IPA to train, every year, 100 mid-career professionals and business executives from critical infrastructure companies to understand both IT and OT and to craft cybersecurity strategy for their companies. Since this is not a one-year-only project, the COE is expected to serve as a platform for professionals from different sectors to get connected and build a trusted, helpful community.
As pointed out in the 4th Information Security Action Plan for Critical Infrastructure, cyberthreat intelligence sharing is a must to prevent successful cyberattacks against critical infrastructure. The document also urges critical infrastructure companies to take the first step in sharing cyberthreat intelligence between their IT and OT functions. Since confidence-building takes time through face-to-face dialogues, COE initiatives would be a great opportunity for critical infrastructure companies to get to know IT and OT people from other organizations.
Rather than cyberthreat intelligence, the new Program for Cybersecurity Human Resources Development focuses on sharing, among academia, industry and government, the types of cybersecurity professionals who can bridge the gap between C-level and technical people, and what is required to educate and evaluate them. Collaboration between the three sectors is mentioned for the first time in the strategy.
The program refers to the Industry Cross-Sectoral Committee for Cybersecurity Human Resources Development, established in June 2015 with 48 major Japanese companies from the energy, finance, IT, manufacturing, media, and railway sectors, which further emphasizes the importance of industry’s involvement. The Industry Cross-Sectoral Committee aims to establish an ecosystem to educate, recruit, hire, train, and retain cybersecurity professionals in cooperation with schools, universities, and the government. The committee published a report in September 2016 to share the cybersecurity job roles and skill mapping Japanese companies should have, and which cybersecurity functions should or should not be outsourced.
The committee participated in and shared its activities at NISC’s Cybersecurity Committee on Awareness Raising and Human Resources Development in August 2016, December 2016, and February 2017. While there is still some distance to go, this has hopefully helped Japanese thought leaders in government and academia understand the industry’s perspectives and incorporate them into the new strategy.
In addition to the guidelines provided to organizations, non-Japanese governments and trade associations globally should map the relevant guidelines, legislation, and policies Japan needs to consider, and work with their Japanese counterparts on future strategies to protect critical infrastructure. They should also share best practices for cultivating the next generation of cybersecurity professionals and C-suite leaders to prevent cyberattacks in the digital age.