I believe that, in order for any economy – including Japan – to survive in the coming decade, governments must recognize that information and communications technologies (ICT) and cybersecurity are no longer separate issues, and they must take innovative approaches to address them concurrently.
The technical aspects of cybersecurity make it complex and difficult to grasp for professionals, and even more so for policymakers. However, the most critical elements needed to bolster cybersecurity are not technical but strategic.
Japan is uniquely placed on this issue. While preparing for a rapidly aging and shrinking population, as well as the Tokyo Olympic Games to be held in 2020, Japan also strives to be more advanced than other countries in the use of automotive technology and robotics. Whether these efforts will truly be productive depends on the progress of ICT and cybersecurity.
I see at least three key strategic issues – changes in approach or perspective – that are essential to promote true cybersecurity.
First, we need to recognize the relative importance of preserving data integrity versus data confidentiality. While it is essential to confirm that users are who or what they claim to be, and try to prevent information leakage, assuring and maintaining the integrity of information is an even higher priority.
In many cases, not being able to rely on the accuracy of information (e.g., medical data) could be much more serious than having it revealed to others. Yet most security systems, policy and research overwhelmingly focus on preserving confidentiality rather than data integrity.
An apology may be enough if your blood type is disclosed by a hacker, but no apology will suffice if your blood type data is maliciously changed just before you head into surgery. Breaching confidentiality is embarrassing; losing integrity can be deadly. Unfortunately, many view cybersecurity as only the former: an acceptable risk that can be covered with an apology and perhaps some compensation. This way of thinking will no longer suffice in the near future.
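The blood-type scenario above can be made concrete. The following added example (written for this page, not code from the original article) shows why a system that protects only confidentiality does not protect integrity: a record encrypted with a stream cipher can be altered by an attacker who never learns the key, simply by flipping the right ciphertext bits, while a message authentication code (HMAC) over the ciphertext detects the change. The record, the keys and the toy SHA-256-based keystream are constructed for illustration and are not from the page.

```python
import hashlib
import hmac

# Constructed sample data: a patient record and two fixed keys (illustration only).
RECORD = b"patient=1234;blood_type=A+"
ENC_KEY = b"\x01" * 32   # key for the (toy) stream cipher
MAC_KEY = b"\x02" * 32   # separate key for the HMAC integrity tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256 (illustration, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream: confidentiality only."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes,
                       ciphertext: bytes, t: bytes) -> bytes:
    """Refuse to decrypt anything whose tag does not match; constant-time comparison."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), t):
        raise ValueError("integrity check failed: record was modified")
    return xor_crypt(enc_key, nonce, ciphertext)


def tamper(ciphertext: bytes, offset: int, old_byte: int, new_byte: int) -> bytes:
    """Attacker's bit flip: knowing the plaintext byte at `offset`, rewrite it without the key.
    Because ct = pt XOR ks, XOR-ing ct with (old XOR new) makes it decrypt to `new`."""
    c = bytearray(ciphertext)
    c[offset] ^= old_byte ^ new_byte
    return bytes(c)


def demo():
    """Returns (what a confidentiality-only system decrypts, whether the MAC caught it)."""
    nonce = b"\x00" * 8
    ct = xor_crypt(ENC_KEY, nonce, RECORD)
    t = tag(MAC_KEY, nonce, ct)

    # The attacker knows the record layout, so they know where the blood type sits.
    offset = RECORD.index(b"blood_type=") + len(b"blood_type=")
    forged = tamper(ct, offset, ord("A"), ord("B"))

    # Without an integrity check the forged record decrypts cleanly to a wrong blood type.
    without_mac = xor_crypt(ENC_KEY, nonce, forged)

    # With the tag, the forgery is rejected before anyone acts on it.
    try:
        verify_and_decrypt(ENC_KEY, MAC_KEY, nonce, forged, t)
        caught = False
    except ValueError:
        caught = True
    return without_mac, caught


if __name__ == "__main__":
    altered, caught = demo()
    print("confidentiality-only system reads:", altered.decode())
    print("integrity check rejected the forgery:", caught)
```

The point the example makes is that secrecy of the key says nothing about whether the data was changed: only the tag, computed with a separate key and checked before decryption, turns a silent corruption into a detectable failure. Real systems should use an authenticated cipher mode (for example AES-GCM or ChaCha20-Poly1305) rather than the toy keystream here.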
Second, there is the key concept of resilience. Security experts accept the premise that there is no such thing as perfect, 100 percent security and that not all attacks can be prevented. The most practical defense is to find the right balance between security controls, total cost of implementation and ease of use, with a focus on ensuring system resilience, that is, minimizing losses when an attack succeeds rather than trying to anticipate and prevent every possible type of attack.
Billions of years of evolutionary biology show that the fittest not only survive but prosper. Thus, cybersecurity should not be seen only as a means of self-defense but also as an opportunity to build up one’s corporate, national or even individual resilience to become stronger in an increasingly uncertain and challenging world. By getting this approach right, cybersecurity becomes a key differentiator and a competitive advantage rather than a cost center that, to some corporate entities, often feels like a tax.
Most importantly, building resilience in one area often leads to unforeseen benefits in others. I have experienced many government-driven programs that have enhanced resilience in one area while proving even more valuable in dealing with completely different, unrelated exigencies for which they were never intended.
Specifically, resilience is versatile: once people develop resilient thinking, they realize it requires a comprehensive review of the environment that supports and surrounds a system. The unintended consequence is that the entire system becomes stronger.
For example, with the WannaCry ransomware that swept the world recently, I believe so many were affected because the victims assumed they were not likely targets and therefore put off OS and security updates; the Windows SMB flaw that WannaCry spread through (MS17-010) had been patched about two months before the outbreak. Updates are a bit of a nuisance, but applying them promptly is essential to protect ourselves from cyberthreats that are growing in scale and number daily.
Third and foremost, now that ICT is inseparable from economic activity, we need to shift from a 20th-century mindset where cybersecurity is an afterthought to one in which security is both fundamental and indispensable.
Security must be designed as an integral part of all systems, with resulting benefits in terms of ease of use, functionality, resilience, productivity, efficiency, competitiveness, reduced total cost of ownership, and a positive return on investment. Additionally, we must design security with prevention in mind; if our systems can only analyze attacks after they happen, the attackers have already won.
The most effective way to focus on cybersecurity is to imagine a triangle: one needs to balance the three sides of security, cost and usability, with an eye toward resilience. Too many businesses and governments focus on only two sides of the triangle: cost and security.
However, it is also important to focus on usability. After all, even a person of good intentions will find ways around a well-designed security control if it gets in the way of their work. Requiring employees to select a 10-character password and change it every 30 days decreases overall security, because people respond by writing passwords down or choosing predictable variations; likewise, it is not a good idea to have too many security devices churning out endless false alerts and alarms that ultimately get ignored. In my opinion, discussions on cybersecurity should be held on a regular basis in Japan, instead of only when major incidents such as WannaCry have occurred.
Cybersecurity is now an essential enabling technology for our ICT-based future. Thus, the limits of cybersecurity are the limits of the internet, and the limits of the internet profoundly affect the efficiency, growth and competitiveness of the so-called internet economy, which is now really the economy.
Companies no longer have a choice but to connect their internal networks to the rest of the world, and to link with customers, suppliers, partners and their own employees. But with that connection come new threats: malicious hackers, criminals, industrial spies and others.
These network predators regularly steal corporate assets and intellectual property, cause service outages and system failures, sully corporate brands and frighten customers. Unless companies can successfully manage these threats, they will not be able to unlock the full business potential of the internet.