How Should the Future of Information Security Look Like?
"Stakeholder Dialogue 2020"
Aspiring to a society in which information technology soundly contributes to people and society, Yahoo Japan Corporation ("Yahoo! JAPAN") is encouraging the entire company, under the management and direction of the Chief Information Security Officer (CISO), to continue providing services that can be used safely and with peace of mind. With a focus on human resource development, all engineers are obligated to take security training. We have invited an expert, Mr. Hiroshi Kawaguchi, Representative Director of Kawaguchi Sekkei, Inc., to discuss what the future direction of information security should be.
- * This discussion was held on March 17, 2020. All affiliations and positions are as of June 2020.
- Hiroshi Kawaguchi (Representative Director, Kawaguchi Sekkei, Inc.)
- Joined a major security company in 2002, where he was initially involved in the maintenance and operations of the company's intranet infrastructure system and was eventually assigned to the security monitoring center. From 2013 to 2016, he was seconded to the National center of Incident readiness and Strategy for Cybersecurity (NISC). In 2018, he established Kawaguchi Sekkei, Inc. He has served in several advisory roles for public agencies, such as Informatization Advisor to the Cabinet Office, Chief Information Security Advisor to the Consumer Affairs Agency, and Information Security Advisor to the Ministry of Economy, Trade and Industry.
- Yuji Umemura (CISO, Yahoo Japan Corporation)
- Joined ALL NIPPON AIRWAYS CO., LTD. (currently ANA HOLDINGS INC.) in 1990, where he was involved in the development of check-in systems and mileage systems in the IT Promotion Office. Joined Yahoo Japan Corporation in 2004 and has been actively involved in the company's major operations for 15 years, including 9 years in the search business and 6 years in the YAHUOKU! (auction) business. Assumed current office in April 2019.
- Noboru Nakatani (EVP, Corporate Officer, President of Public Affairs Group, Yahoo Japan Corporation; EVP, Corporate Officer, GCISO, Z Holdings Corporation)
- Born in Kanagawa Prefecture in 1969. After working at a bank, he joined the National Police Agency in 1993. Renowned for his leading expertise in the field of cybersecurity, he has served in roles such as Director of the Foreign Affairs Division in Kanagawa Prefectural Police, Special Advisor to the National Public Safety Commission, secondee to INTERPOL (International Criminal Police Organization), Executive Director of the IGCI (INTERPOL Global Complex for Innovation), and Director of the International Affairs Division in the National Police Agency. Joined Yahoo Japan Corporation in April 2019.
- Facilitator: Setsu Mori (Chief Editor of Alterna Magazine)
- Joined Nikkei Inc., where he started his career in the Economics and Distribution Department, before assuming the post of Bureau Chief of the Los Angeles Bureau from 1998 to 2001. He resigned from Nikkei Inc. in September 2002 and established Global Press in October of the same year, where he serves as Chairman. In September 2006, he established Alterna Co., Ltd. and launched Alterna Magazine, a sustainable business magazine, in March 2007.
Diversified work styles will raise security standards
-- The COVID-19 pandemic has greatly affected our work style and the way we communicate. It may be one of the triggers to revolutionize Japanese society. What are your opinions on this?
Umemura: Yahoo! JAPAN has shortened the core working hours and has promoted staggered commuting times and working from home. The number of employees working in the office is decreasing.
We already had a system of remote working in place and had shared the belief that working in the office was not mandatory for certain job types. For example, for research work, working at home reduces commuting times that can otherwise be used towards their work. Some of our engineers say that working from home has improved efficiency.
On the other hand, from a security standpoint, some jobs are better conducted in the office.
Traditionally, security was like storing important information in a safe. However, as remote working becomes more prevalent, accessing the company's core system in an environment where somebody might be peeking at your computer entails risks, even if telecommunication is encrypted. I feel that what is called for is not a uniform work style, but diversified work styles that are adapted to individual purposes and risk levels.
Nakatani: I am frequently asked to give lectures in seminars. Naturally, online seminars have increased dramatically.
Until now, we couldn't listen to lectures unless we physically went to the venue, but going online has enabled us to participate from anywhere, both in and out of Japan. Payments can also be made online, and the audience has increased without being limited to the capacity of the venue.
I believe that the trend to go online will draw greater attention to information security and raise the overall standard of information security.
Kawaguchi: Every year the period from February 1 to March 18 is designated as Cybersecurity Month. During this period, there are many security-related events, and I am invited to give lectures and go to companies to train employees at various locations.
This year, several events were canceled due to COVID-19, except at Yahoo! JAPAN, which held an online training session in early March. "It's important to hone one's skills working remotely." This thought pulled everybody together, including the lecturer, secretariat, and participants, to attend this training online. I felt that this forward-looking attitude was typical of Yahoo! JAPAN.
Information security that is necessary for the "Era of Connection"
-- 2020 will probably be remembered as the first year of remote working. Yahoo! JAPAN upholds solving social issues as its mission. What are the issues surrounding information security?
Nakatani: How can we obtain solutions utilizing data and technology, and provide products and services based on them? The historical context will greatly influence the answer to this question.
We are now in the middle of the "Era of Connection." Convenience is enhanced through cyberspace (virtual data space), which originates from connection to the Internet. However, we must not forget that convenience can only be built on the foundation of safety and security.
To control infectious diseases in the physical world, it is vital that we physically cut off connections to prevent the virus from spreading. This is also true for the online world, where a virus in cyberspace invades through connections.
Now that industrial operation systems* are also connected, malware (malicious software and code) in cyberspace poses a great threat.
- * Systems that monitor the control and management of facilities and information in the manufacturing industry, critical infrastructure industries (electricity, gas, water, etc.), the logistics industry, etc., to detect abnormalities and vulnerabilities.
However, if we cut connections, we won't be able to continue our day-to-day business and convenience will be lost.
Yahoo! JAPAN, a subsidiary of Z Holdings Corporation, jointly provides "PayPay," a smartphone payment service, with SoftBank Group Corp. and SoftBank Corp. Unless smartphones are connected to the Internet, your smartphone cannot be used as a wallet (PayPay).
The fundamentals of information security have transitioned from a CIA triad to an AIC triad, meaning that we are naturally connected to the Internet. C stands for Confidentiality, I for Integrity, and A for Availability. Availability is a term used in telecommunications, but here it describes the state in which we are connected to the Internet.
The next most important factor after Availability is the Integrity of information. If information itself such as name and account information is incorrect, it cannot be used. And finally, there is Confidentiality, such as measures against unauthorized access.
All three factors are crucial, but if we consider the risks and costs involved in not being connected to the Internet, the priority has changed to an AIC triad, which makes Internet connection a major prerequisite. We are indeed seeing a game-changer here.
Kawaguchi: When I do a lecture or visit companies, I am often told by these companies that they are safe because "Our system is not connected to the Internet."
Of course, there may be no problem since there will be no information leakage, but this only takes Confidentiality into account. It also means that they are not aware of the risks of system stoppage or failure.
Until now there has hardly been any company that has gone bankrupt due to information leakage alone. However, there is a higher risk of companies failing if their services cannot be continued, making business continuity, i.e. "Availability," extremely important.
Umemura: "How much do we spend on security?" is an issue that many companies are faced with. Given the ever-changing circumstances, it is extremely difficult to strike an appropriate balance between business and security. "Efficient and effective protection" is extremely difficult, but I think there is a need to keep working on this issue.
-- The reports of cyberattacks are increasing. How dangerous is cyberspace?
Kawaguchi: How dangerous cyberspace is and what kind of response is required varies from organization to organization.
For example, for small to medium-sized enterprises, the most realistic and effective response after a cyberattack is for the top management to announce a sincere apology.
However, for large scale enterprises with tens of millions of customers like Yahoo! JAPAN, apologies by the top management wouldn't be sufficient. Likewise, government offices cannot fail. Therefore, it is necessary to build a robust security system for these sectors.
Nakatani: Cyberspace is like the "water in Tokyo Bay." There may be no problem rowing a boat in its waters, but you need filters if you want to drink from it. In other words, the level of security required depends on how you use cyberspace.
There are some malicious people on the other side of our devices and based on this assumption, Yahoo! JAPAN is taking necessary precautions for the Era of Connection.
Protection through self-help, mutual aid, and public assistance
-- I believe that both society and businesses in Japan have been established on the belief that human nature is inherently good. Having said that, shouldn't we be more suspicious about the Internet space, and to some extent also apply the belief that human nature is inherently bad?
Nakatani: The Internet is created on the belief that human nature is inherently good, and on the premise to be connected.
In face-to-face situations, we can detect danger with the crisis management abilities we all possess. However, in the online world, there are limited resources to make judgments and assess suspicion. This is especially true for the Japanese who tend to be easily fooled in such situations. Therefore, the use of the Internet as social infrastructure must be made safe, and the measures to meet this purpose differ by governments, corporations, and individuals.
The government needs to show the framework, i.e. to guide society in the direction it is aiming for. Companies need to use their respective resources to develop and provide services. I also believe that the government should pay for the R&D expenses incurred by these companies. Individuals must learn to defend themselves as much as possible.
In the case of infectious diseases, individuals should thoroughly wash their hands and gargle. The government should conduct tests while companies develop vaccines with the support of the government.
Umemura: In Yahoo! JAPAN, we are pursuing measures to raise the awareness of our users. However, raising awareness alone cannot offer 100% protection. As a company, it is imperative to provide safe services and build robust structures.
We have conducted various measures to improve the security level by introducing passwordless logins, shifting to SMS verification (verification function using short messaging service), and introducing FIDO2 which uses face authentication and fingerprint authentication to log in. However, in reality, SMS is also no longer safe as a result of phishing activities using fake apps.
There is no end to this battle, but we must think of countermeasures to new fraudulent activities while we improve our level of security.
-- Mr. Kawaguchi advocates that self-help, mutual aid, and public assistance are also necessary for information security.
Kawaguchi: These are keywords used in disaster countermeasures that can also be used for cybersecurity. When I became independent and established my own company, I believed it is important to balance the aspects of self-help, mutual aid, and public assistance.
Although it is vital to protect oneself, i.e. self-help, the government must also play its part through public assistance. Mutual aid can be fostered through communities and horizontal connections, so I started an initiative to vitalize the community of engineers.
Cybersecurity is not only a technological issue; it is also important that it blends well with business. To put this thought into practice, I've held a competition since 2012 called "Hardening Project" to enhance security technologies and foster the ability to respond to cyberattacks in a game-like fashion.
The competition is held twice a year with a wide variety of participants, such as civil servants, lawyers, and students as well as engineers.
When I was around thirty, I was told to be the one who bestows awards to others instead of being the one awarded. I am active in community services with the desire to turn the spotlight on those who are striving to achieve something. There was no established knowledge of information security twenty years ago, but there are now many students who are doing their best to study and research this field. I want to support such individuals.
The evaluation system and human resource development hold the key
-- Yahoo! JAPAN established the CISO-Board in 2014 and has strengthened its information security management. Mr. Umemura is in charge of cybersecurity for the Yahoo Japan Group as CISO (Chief Information Security Officer).
Umemura: Our CEO has appointed me as CISO, with the authority to instruct and make judgments on information security for the Yahoo Japan Group. In October 2019, Yahoo! JAPAN became Z Holdings Corporation (ZHD), and now I concurrently serve as the CISO of the Yahoo Japan Group and ZHD. From April 2020, Mr. Nakatani is the CISO for the Z Holdings Group and is strengthening governance and information security for the whole operational supply chain. Also, the reports received from group companies are reported to the Board of Directors.
-- Isn't it quite rare for Japanese companies to have CISOs?
Nakatani: You're right. The United States is more advanced in this area with full-time CISOs working at about 80% of US companies and around 70% at European companies. The number of CISOs in Japan is increasing but is still small at roughly 30% of all Japanese companies.
I also serve as the Senior Executive Director of the Information Technology Federation of Japan. While many say that Japanese companies must seriously undertake cybersecurity measures, there are few incentives for companies to do so.
I believe that there will be more companies that will be motivated if institutional investors evaluated ESG (environment, society, and governance) rankings or if preferential rates of interest were applied to them as a result of having a CISO. In Europe and the United States, being in charge of security is a highly recognized and respected role. Unfortunately, its value is not recognized in Japan.
Given this situation, from 2020, the Federation has begun to evaluate the level of companies' cybersecurity measures, ranking them with stars like the Michelin Guide.
-- That is a very interesting initiative. For information security, what is Yahoo! JAPAN doing to develop the necessary human resources?
Umemura: We haven't had any problems in relaying the importance of security internally. We conduct security-related e-learning programs once every two months for all employees of Yahoo! JAPAN (including temporary staff and subcontract employees) and some ZHD group companies, which have helped cultivate a common understanding within the group. However, understanding and acquiring knowledge are two different stages, which poses some difficulties.
Yahoo! JAPAN requires all programming engineers to take the secure programming training and pass a test. This is held for each programming language, with the engineers obligated to take lectures between January 2019 and March 2020 to learn about information security.
We also participate in a high-level security human resources development program led by the Ministry of Health, Labour and Welfare, and plan to introduce this on a trial basis from fiscal 2020.
Nakatani: What you imagine as "security personnel" varies depending on the person. It is almost impossible to have ten professionals like Mr. Kawaguchi in every company. The problem is that there are very few companies with such personnel.
It is just as important to have people who can take practical steps to work on the company's security issues as it is to have people who can make security products. Therefore, it is necessary to have personnel to fulfill the management and technology needs at a slightly lower layer, to pull technologies together, and to operate them with the skills required for differing roles.
Kawaguchi: It means that at Yahoo! JAPAN, one doesn't have access to programming languages unless one has obtained knowledge of information security. I doubt that there are even ten companies in Japan with a scale of more than 1,000 employees that have this type of system in place.
Even if an engineer wants to learn about security, there are not many opportunities to do so. Even under such circumstances, security risks can be managed by creating a corporate culture in which everyone works together and by having a system in place for security risk management. I'm sure this will also lead to a heightened sense of security for users.
Yahoo! JAPAN's KURO-OBI system (a black belt program that awards experts who have outstanding knowledge and skill in certain fields) is also cool. Investments in hardware alone will not suffice if society itself changes. Investing in human resources will allow companies to create businesses for the future for which nobody knows the exact solutions. This is certainly Yahoo! JAPAN's strength. Engineers are the source of business, and human resource development is an investment.
Nakatani: Striking a balance between convenience and safety is what Yahoo! JAPAN aspires to achieve. Strengthening hardware, software, as well as personnel is the essence of building our security structure.