Putting the METI Cyberthreat Information Sharing Recommendation Into Action in Japan

(This blog post is also available in Japanese.)

In our May 2016 blog post, we described Japan’s new Cybersecurity Guidelines for Business Leadership Version 1.0, issued by the Japanese Ministry of Economy, Trade, and Industry (METI) and its Information-Technology Promotion Agency (IPA), and the positive progress seen in Japanese industry since the Guidelines’ release in December 2015. This follow-up blog post analyzes one of METI’s specific recommendations: that companies undertake more cyberthreat information sharing. We provide our thoughts on what more can be done to improve and enhance the cybersecurity of Japanese industry to benefit both Japan and the world.

METI puts information sharing as the Cybersecurity Guidelines’ Action Item 8, which states that leadership should “actively participate in and contribute to cyberthreat information-sharing activities” to the extent possible to minimize incidents or damage to companies’ networks. This is an essential recommendation. To dramatically shift the balance of power, close the competitive gap between the attacker and victim, and realize exponential leverage against cyber adversaries to restore trust in the digital age, we must operationalize cyberthreat information sharing. What is the current status in Japan, what are the obstacles to greater cyberthreat information sharing by companies, and how might things be improved?

Despite varied levels of success, all countries are struggling to establish effective cyberthreat information sharing frameworks in which members can exchange information about threats and incidents—such as botnet command and control servers, malware samples, malware analysis results, and indicators of compromise—in a timely manner. There are myriad reasons that might slow adoption of this practice: technical (many systems cannot adequately share at volume, and there are still a number of different sharing standards), regulatory and legal concerns, and trust issues.

Although all countries need to improve cyberthreat information sharing, Japan seems to lag behind its global peers in adopting the practice. PricewaterhouseCoopers (PwC) reported in its Global State of Information Security Survey 2016 that Japanese companies are less willing to share information about cybersecurity threats than other companies across the globe. While 30.4 percent of Japanese companies share such information, PwC reports that 64.7 percent of companies in the world do. (PwC interviewed more than 10,000 C-level executives and board members in charge of IT in 127 countries between May and June 2015 for this survey report.)

The top reason Japanese companies reported for not wanting to share threat information is that they do not have adequate information sharing frameworks (39%). Until cyberthreat information sharing programs are set up to leverage automation – which requires both technical work and strong privacy protections – such frameworks are dependent upon skilled people to actually do the work. At present, Japan lacks adequate human resources to participate more in information sharing. According to a 2015 METI study, Japanese companies lack IT and cybersecurity professionals who can judge which threat intelligence should be shared, when, and with whom, largely because Japanese companies tend to outsource cybersecurity-related work to system integrators. METI compared Japan to the United States, where large companies, such as banks, sometimes have a cybersecurity team and even an in-house cyberthreat intelligence team. According to METI’s statistics, 24.8 percent of IT professionals in Japan work in-house, whereas 75.2 percent work at IT services companies (e.g., system integrators and others providing cybersecurity to other companies). By comparison, in the United States, 71.5 percent of IT professionals work in-house, with 28.5 percent at IT services companies. Other top reasons cited in the PwC study for low participation of Japanese companies in information sharing are the lack of trust in competitors and in third parties’ information.

We believe cultural attitudes also may contribute to reluctance to participate in cyberthreat information sharing in Japan. As described by anthropologist Ruth Benedict in 1946, Japanese culture has a shame factor, where the desire to avoid “loss of face” is extremely powerful. Although many companies around the world may not wish to admit they have been the victim of a cyber incident, or reveal the fact that they were targeted, admitting so—even within a “trust”-based environment, as cyberthreat information sharing groups are meant to be—may be inordinately difficult for Japanese companies.

Additionally, volunteerism—in the sense of contributing to a community—is likely a factor in the success of information sharing among participants. A Japanese government-affiliated foundation has noted that the United States has had a long history of volunteer-based activities to complement public administration and social welfare, dating from as far back as the 17th century. Japan, on the other hand, started to develop American-style volunteerism only after the end of World War II, and Japanese volunteer activities have tended to focus on social welfare activities for their own residential communities. This history could make it challenging for the Japanese to contribute to a larger, much more distributed volunteer community for information sharing.

To help Japanese companies rapidly embark on more information sharing, it would be useful for other countries to discuss their information sharing best practices with Japan. In fact, some Japanese organizations already are modeled on U.S. approaches. For example, the United States has numerous industry-specific Information Sharing and Analysis Centers (ISACs) which are now being complemented by a broader category of Information Sharing and Analysis Organizations (ISAOs). In fact, Japan launched its first ISAC, the Telecom-ISAC, in 2002, followed by the Financials ISAC in 2014. This ISAC is modeled after the U.S. Financial Services ISAC, or FS-ISAC, arguably one of the most successful ISACs, and it is trying to learn lessons from this body. The Japanese Financial Services Agency’s guidelines for the financial sector encourage financial institutions to share threat intelligence via relevant information sharing frameworks, including the Financials ISAC.

Like its counterpart in the United States, the Financials ISAC has multiple levels of membership for financial institutions and vendors to disseminate and access threat intelligence. Core and associate members—banks and insurance companies—can receive more sensitive threat intelligence, and they can participate in working groups on such issues as best practices, cyber exercises, global information sharing with the FS-ISAC, and incident response. This type of arrangement generates a comfortable environment in which to exchange sensitive information among trusted members belonging to the same industry.

Japan realizes it needs more ISACs. The Japanese Ministry of Internal Affairs and Communications (MIC) plans to expand and rename the Telecom-ISAC to the “ICT-ISAC” to include not only telecom companies and Internet Service Providers (ISPs), to which membership has traditionally been restricted, but also ICT companies—including security vendors—and system integrators. In addition, a new Electric Power-ISAC will also be established in Japan and work closely with both the U.S. Electricity ISAC and European Energy-ISAC.

These cross-border efforts are commendable. For one thing, they can help to raise the global bar by allowing Japanese companies to share intelligence uniquely seen in Japan to help multinational companies with a presence in the market better protect themselves from threats.

ISACs have traditionally developed in industry verticals (e.g., financial services, healthcare, energy) in which each participating company uses the information it receives to protect its own network and share threats to their specific sector. However, ISACs are not the only form of information sharing organizations in the U.S.

For example, the Cyber Threat Alliance (CTA), established in September 2014 is a group of cybersecurity companies who have chosen to work together in good faith to share threat information for the purpose of improving defenses against advanced cyber adversaries across member organizations and their customers. Palo Alto Networks is proud to be one of the four founding members of the CTA. The CTA reflects a departure from the traditional philosophy of cybersecurity companies, which are known for competing against each other based on the threat information each company has. The CTA enables security companies to act upon a common knowledge of shared cyberthreats. Unlike ISACs, the CTA is tailored to the unique capabilities of the security industry, and a requirement for every member to share previously unknown – or zero-day – threats. Consequently, the shared information is then used by the participating companies to protect their clients across all verticals (financial, health, energy, etc.).

Trust and cultural factors that might impact information sharing are important for any country to address. In fact, trust is a key ingredient to cyberthreat information sharing. It takes time to build mutual confidence and share cyberthreat intelligence among members of any information sharing framework. Personal relationships often make a big difference and can lead to institutionalizing those ties. Japanese companies are beginning to talk more frankly with each other about cybersecurity and share ideas and best practices, as we noted in our May blog, which we believe will lead to greater trust.

Thought leadership engagements are indispensable in helping reduce feelings of shame. Business executives in any country need to understand that all companies are being targeted by cyberattacks and that threat intelligence sharing is an essential ingredient to prevent the expansion of similar attacks. Being targeted is not a shame. It is simply another risk to business operations.

As with many of Japan’s cybersecurity activities, the actions toward greater cyberthreat information sharing reflect the fact that Japan’s government and industry aim to enhance cybersecurity to make the Tokyo Olympic Games 2020 successful, setting the stage for a positive legacy and national cybersecurity capability toward 2020 and beyond. But there also is the larger goal of building cyber resilience throughout the economy. We agree with the Japanese government that cyberthreat information sharing is a crucial part of that equation, as highlighted in METI’s Cybersecurity Guidelines.

This is the third in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover Japan’s role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.