There is no end to cyber attacks targeted at companies and other organizations. How should we protect our important assets from increasingly complex attacks? There are many issues surrounding cyber security that companies should tackle. Taishu Ohta, Fujitsu's security evangelist, explains the vision for future security measures based on the latest trends regarding international rules, unique technology development and human resource development for cyber security.
In an Age Where the World is Driven by Digital, the Key is Cyber Security
AI (artificial intelligence), IoT (Internet of Things), big data and other new technologies are bringing about a significant change to our daily lives and businesses. In the Sustainable Development Goals (SDGs) initiatives adopted by the United Nations General Assembly in 2015, digital also plays an extremely significant role.
I believe digital was awakened by the Internet. This is because it is the Internet that allows everything to be connected and any data to be exchanged instantly. What is critical here is cyber security.
Before considering cyber security, we must understand the Internet. The beginning of the Internet was the military network Advanced Research Projects Agency Network, or ARPANET, which was developed in the United States as a national project in 1959. Later, in the 1980s, ARPANET was opened up from military use to academic use. Then, mainly private research institutes and colleges started using ARPANET's infrastructure. In the late 1990s, the Internet spread explosively.
Fujitsu positioned 2001 as the first year of the Internet and under the business strategy, "Everything on the Internet," we have been promoting the development of infrastructure for a network society so that we can fully utilize the Internet for business.
However, in the September 11 terror attacks in 2001, the Internet was exploited for carrying out terrorist acts. This incident brought a significant change to cyber security thereafter.
The investigation of this incident by the U.S. government revealed that the terrorist organization made the most of the Internet in carrying out the terrorist acts. In response, the U.S. and other countries started taking various countermeasures regarding cyber security.
The Latest Trends in Establishing International Rules in the U.S. and Europe
As the importance of cyber security increases, the U.S. and Europe are leading other countries in establishing international rules. In the U.S., in particular, it is considered that supremacy in cyber space is the absolute condition for ensuring security.
In 2011, the U.S. federal government established the Federal Risk and Authorization Management Program (FedRAMP), security standards for common cloud service procurement practices among its organizations.
In addition, the National Institute of Standards and Technology (NIST) has developed the SP800 Series guidelines. In particular, the SP800-171 standards for security measures intended for private industries impose the severe restriction that non-compliant organizations cannot participate in the supply chain.
In the EU, the European Commission put the NIS Directive and the General Data Protection Regulation (GDPR) into force in May 2018. The NIS Directive governs network and information system security, and the GDPR requires companies to disclose and report any personal information leak within 72 hours after becoming aware of it. The GDPR also applies other severe penal provisions that include heavy fines.
The NIS Directive provides that important infrastructure business operators shall take the latest cyber security measures and that they shall comply with relevant international standards. The GDPR requires management to implement strict governance by specifying 4% of the annual sales of a corporate group or 20 million euros as the maximum fine for non-compliance.
The Age of No Security, No Digital
Under these circumstances, confidential information is having an extremely high impact on corporate management. The incident that occurred in March 2018, in which personal data held by U.S.-based Facebook was used by a U.K. consulting firm, is still fresh in our memory. It was originally announced that the number of people whose information was leaked would be 50 million. However, when the number rose to as many as 87 million, Facebook's stock value fell by 20% and the company lost 8 trillion yen in terms of market value.
The importance of protecting confidential information from cyber attacks has become extremely significant, and so we are in an age of 'no security, no digital.'
Also, a new threat due to the emergence of IoT involves companies' CSR activities, and the scope of its impact extends to the entire supply chain.
Security issues surrounding the supply chain should be deemed as society-wide issues, rather than issues of a single company. This requires us to bolster our ability to deal with cyber attacks. We also must have the ability to comply with various security standards. In other words, we need to take action by taking it for granted that we are subject to cyber attacks.
Taking More Effective Measures with Fewer People
Then, what is needed to boost our ability to deal with cyber security? Fujitsu considers two things important: correctly understanding the international rules developed by the U.S. NIST, and how Japan responds to cyber security threats efficiently and effectively.
The NIST adopts the Cyber Security Framework (CSF) approach with regard to the concept and policy of cyber security measures as well as to taking such measures. Under the CSF, the stages before and after a malware intrusion are viewed from five perspectives: identify, protect, detect, respond and recover. Organizations in Japan are considered to be less prepared from the respond and recover viewpoints for stages after the malware intrusion when compared to organizations in the U.S.
Specifically, Japanese organizations are less prepared for the so-called cyber kill chain, a framework that structures attackers' behavior in targeted attacks.
Although many Japanese companies and other organizations have established mechanisms that are compliant with the ISO 27000 series (ISMS) international information security standards, there are some areas in the cyber kill chain that they should supplement from the five viewpoints of the CSF. I think we at Fujitsu should help supplement these areas.
As methods employed by attackers are increasingly diversified, important assets must be protected by a defense-in-depth strategy. This strategy costs a significant amount of money and requires personnel who are capable of choosing or deploying appropriate products. According to the IT Personnel White Paper 2018 from IPA (Information-technology Promotion Agency, Japan), however, 70% of IT personnel belong to IT vendors. Only the remaining 30% belong to user companies. Compared to the U.S., in which the percentage is reversed, it can be said that lack of personnel is an issue in Japan. Also, according to the Ministry of Economy, Trade and Industry statistics, we will face a shortage of as many as 193,000 information security workers.
In response to such existing conditions, we feel that we need an operation platform that enables us to efficiently respond to incidents with fewer people.
Fujitsu Addresses a Challenge from a Unique Perspective
Fujitsu has been developing its own unique security technologies from a fresh perspective. The tools and methods employed by attackers are infinite, so continuing to search for them requires much work. Therefore, instead of putting work into analyzing malware behavior, we have been developing and commercializing technologies that recognize suspicious activities as attack processes, capturing the transition of the attacker's behavior.
One such technology is the attacker's behavioral transition model technology. An attacker combines a certain number of behavioral elements to attack the target. This technology monitors communications for the characteristics of nearly 100 attack patterns and traces the attacker based on the communication transitions. Then, it visualizes the transitions in chronological order to present the overall picture of the attack. This allows even operators to make judgments without requiring analysis by advanced engineers. Accordingly, effects such as reduced time for responding to the attack and overcoming the personnel shortage problem can be expected.
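The idea of tracing an attacker through communication transitions can be sketched as follows. This is an added Python illustration, not Fujitsu's technology; the behavior labels, host names and events are constructed assumptions, since the page does not describe the actual patterns.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since start of capture
    src: str
    dst: str
    behavior: str  # label from an upstream pattern matcher (hypothetical names)

# Constructed sample: labelled communications seen on an internal network.
EVENTS = [
    Event(100, "pc-07", "fs-01", "remote_exec"),   # admin activity before the intrusion
    Event(300, "ext-mail", "pc-12", "malicious_attachment"),
    Event(420, "pc-12", "dc-01", "account_enumeration"),
    Event(480, "pc-03", "fs-01", "file_copy"),     # source never compromised
    Event(600, "pc-12", "pc-31", "remote_exec"),
    Event(900, "pc-31", "fs-01", "file_copy"),
    Event(950, "pc-31", "ext-drop", "outbound_upload"),
]

ENTRY = {"malicious_attachment"}   # behaviors that start a chain
SPREADS = {"remote_exec"}          # behaviors that hand control to the destination

def trace_attack(events):
    """Return the events attributable to the attacker, in chronological order.

    An event joins the chain only if its source was already under attacker
    control, so the same behavior coming from clean hosts is left out.
    """
    controlled = {}   # host -> time it came under attacker control
    chain = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.behavior in ENTRY:
            controlled.setdefault(ev.dst, ev.ts)
            chain.append(ev)
        elif ev.src in controlled:
            chain.append(ev)
            if ev.behavior in SPREADS:
                controlled.setdefault(ev.dst, ev.ts)
    return chain

def timeline(chain):
    """Render the chain as one line per transition for an operator."""
    return [f"t={e.ts:>4}  {e.src} -> {e.dst}  {e.behavior}" for e in chain]

if __name__ == "__main__":
    print("\n".join(timeline(trace_attack(EVENTS))))
```

The two events from pc-07 and pc-03 carry the same labels as attacker activity but are excluded, because no transition links them to the entry point.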
Another such technology is high-speed forensic technology. This technology, which we have established, captures all packets and extracts from them only the commands used by the attacker. Analyzing the attack commands enables the range of impact of such commands to be displayed in a bird's-eye view and allows us to quickly ascertain the overall picture of the attack. For example, we ran a simulation using the case of the Japan Pension Service, in which the personal data of 1.25 million people was leaked. As a result, we were able to reduce the time required to investigate, which actually took nearly three months, to only one hour.
The other such technology is high-speed packet capture technology. In the coming 5G era, it is expected that the amount of packets will be 1,000 times the current amount. The number of attacks embedded in such packets will also be large. Fujitsu participates in the Cross-ministerial Strategic Innovation Promotion Program (SIP) / Cyber-Security for Critical Infrastructure (Management entity: NEDO) of the Cabinet Office. In the program, we research the capturing of packets across virtual networks created in a virtual space.
No Co-creation Without Security
Technologies and human resources are the core of developing industries. At Fujitsu, we have been focusing our efforts on developing human resources, having established the Security Master Certification System in 2014, while simultaneously researching and developing technologies.
In order to prepare for increasingly complex cyber attacks, we must take action by taking it for granted that we are subject to cyber attacks. Instead of offering security to customers as a business, Fujitsu acts as a partner that supports customers in developing their business safely and with peace of mind. To this end, we will continue emphasizing the development of human resources who can ensure security by design through the Security Master Certification System.
Fujitsu will continue aiming to support customers' businesses as a digital transformation partner. Such efforts are supported by security. Co-creation is impossible without security. Going forward, Fujitsu will continue striving to develop our unique technologies related to security as well as human resources.
Cyber Security Business Strategy Unit