Cyber Security in East Asia and Policy Cooperation

Summary of USJI Seminar on
“Cyber Security in East Asia and Policy Cooperation between Japan and the United States”
September 8, 2010
On Independence Day of the United States in 2009, massive-scale cyber attacks against
major web sites broke out without warning. Soon thereafter, similar attacks began in South Korea
and continued in a wavelike fashion. Experts found that these attacks were conducted by the
same group, but could not determine who they were.
As Japan maintains close relationships with both the United States and South Korea, these attacks
made the Japanese government realize the seriousness of emerging threats in cyberspace.
In this session, experts discussed possible defense methods against cyber attacks, which are
expected to increase in number in the near future, and necessary policy cooperation and
coordination between Japan and the United States.
The four panelists who presented at the September 8, 2010 seminar were Dr. Motohiro Tsuchiya,
Associate Professor of Keio University, as the moderator; Mr. David Hoffman, Director of
Security Policy and Global Privacy Officer, Intel Corporation; Dr. Lance J. Hoffman,
Distinguished Research Professor, The George Washington University; and Mr. Tomohiko Yamakawa,
Producer of NTT Corporation, Cyber Security Project; with commentator Mr. Greg Nojeim,
Senior Counsel and Director of the Project on Freedom, Security and Technology at the Center for
Democracy and Technology.
Professor Motohiro Tsuchiya, as the moderator, presented his topic “Cyber Security in East Asia.”
He recalled major security threats in the region over the past decade. In 1998, North
Korea carried out its Taepodong missile test over the Japanese main island into the Pacific Ocean;
a North Korean spy ship violated Japanese waters, was followed by the Japanese coast guard,
and was later sunk by the North Koreans.
2004 saw a Chinese submarine intruding into Japanese territorial waters. Also in 2004, a
Japanese consul in Shanghai committed suicide after being blackmailed by a secret Chinese agent.
China also wanted to break the two island chains, from Japan, Taiwan, the Philippines, with
Okinawa at the critical point, as China tried to expand into the ocean from the continent.
In 2009, massive-scale cyber attacks were recorded in the U.S. and South Korea, with targets including the
Department of Defense (DOD), the U.S. Congress, the Treasury, the Department of Homeland
Page 1 of 9
USJI
http://www.us-jpri.org/
Security (DHS), Federal Trade Commission (FTC), New York Stock Exchange (NYSE),
Washington Post, among others. Servers were slowed down during the attacks.
These attacks are known as “BOTNET Attacks”. Although Japanese networks were not attacked,
eight Japanese servers were involved in the attacks. Owners of the servers had no idea that their
servers were used to attack other computers. It is very hard to find the real attackers.
In 2010, a cyber attack broke out between South Korea and Japan over an ice skating title dispute
when a Japanese girl lost the game. South Korean net users attacked Japan because young Japanese
people were upset and commented on BBS about the ice skating judgment, which angered the
South Korean net users. This case showed that non-state groups can start attacks online.
Who cares about cyber security in Japan? The National Police Agency, the Ministry of
Defense, the Cabinet Intelligence Research Office (CIRO), and the National Information Security Center
(NISC).
Following these incidents, Mr. Hirano, Chief-Secretary of the Cabinet, said, “We cannot deny the
possibilities that we could be attacked. Cyber security is an important national security and crisis
management issue.” Thus, the Japanese government strengthened the National Information Security
Center (NISC), which was established in 2005 with officials on loan from several ministries,
marking a change in Japanese policy.
The Japanese government issued the “Information Security Strategy for Protecting the Nation”
on May 11, 2010; the large-scale cyber attacks in the United States and South
Korea had particularly alerted Japan, and the government realized they could be a threat to national security.
According to Professor Tsuchiya, cyber attacks pose the following threats:
① Physical Damage to Infrastructures, Utilities, and Premises
② Financial Damage or Theft
③ Psychological Damage or Demonstration
④ Virtual Damage (Not Recognized, but Serious)
Most of the time, it is difficult to identify who the real attackers are following a massive
international cyber attack.
The Keio University professor then talked about geeks in both Japanese and United States
society. Despite cultural differences between countries and governments, geeks should be
brought in to protect us.
Tsuchiya said that a “geek” is “a peculiar or otherwise odd person”, but our societies are
increasingly dependent on computer geeks.
He listed some of the most famous geeks, including Apple’s CEO Steve Jobs, Microsoft founder
Bill Gates, and Google’s founders Larry Page and Sergey Brin.
Professor Motohiro Tsuchiya reminded the audience that technology affects national security, and
our society is dependent on computer networks, and called for cooperation between Japan and the
US, and the world on this issue.
Professor Lance J. Hoffman, from the Cyber Security Policy and Research Institute at the George
Washington University in Washington D.C., presented his topic “Cyber Security in the U.S.”.
After a brief introduction of threats and attacks in the telecommunication sector in the past century,
Professor Hoffman pointed out that communication security has always been an issue, and in
today’s Internet Age, national security is a big concern, and therefore, for the first time, the United
States issued a presidential statement on cyber-security on May 29, 2009 when President Obama
said: “…We count on computer networks to deliver our oil and gas, our power and our
water. We rely on them for public transportation and air traffic control. Yet we know that
cyber intruders have probed our electrical grid and that in other countries cyber attacks
have plunged entire cities into darkness. In short, America's economic prosperity in the 21st
century will depend on cybersecurity.”
Cyber-security is now prominent on the policy radar screen. Professor Hoffman described the
Comprehensive National Cybersecurity Initiative, outlining three Major Goals: (1) To establish a
front line of defense against today’s immediate threats; (2) To defend against the full spectrum of
threats; (3) To strengthen the future cybersecurity environment.
Despite increasing studies and research, and accelerated legislation on the matter, there are many
issues that need more attention and further actions. Professor Hoffman cited material developed
by his colleague Prof. Eva Vincze, that stated:
1. Cyberspace is a complex problem for the following reasons: (1) Cyber security is a collective
concern that is comprehensive in scope—the Internet has no national boundaries. (2) Security
is typically regulated at the government level; (3) Cyber security is at once national,
international, public and private in character; (4) It touches many domains – business,
finance, control systems for power, gas, drinking water and other utilities; airport and air
traffic control systems, logistical systems, health care, government services, etc.
2. Technology alone is insufficient because (1) an interdisciplinary discussion with international
stakeholders is necessary; (2) human factors must be considered; (3) laws, mores, and
practices vary from country to country. It is imperative that countries develop improved lines
of communication based on trust to discuss cyber security both within and among themselves.
Professor Hoffman particularly discussed cyber crime, noting that according to FBI estimates,
the average loss for a technology-oriented crime is nearly $500,000, and, further, the added cost to
the consumer is $100 to $150 per computer sale. Other estimates indicate that losses related to
high-tech crimes in the United States are $10 billion to $15 billion per year.
Major organized crime groups are known to be operating in over 30 countries spread across 6
continents.
He analyzed the increasing cyber crimes citing the volatile combination of:
– Technically empowered segments of population
– With the capacity to conduct sophisticated criminal operation
– Limited economic opportunities to make an honest living
– Few policies/laws/investigative/prosecutorial focus on cybercrime.
The George Washington professor cited that in the U.S. over 500,000 websites were successfully
compromised in 2008; malicious intrusions were up 40%; services like Google Earth were
reported to be used for several terrorist attacks; and in the developing world, foreign direct
investment as a whole may eventually be affected by the safety and integrity of data networks
available to investors in host countries.
Professor Hoffman called for countries facing the dual challenge in integrating cyber-security,
policy and law to maintain an environment that promotes efficiency, innovation, economic
prosperity, and free trade, while also promoting safety, security, civil liberties, and privacy rights.
Yet, the world community cannot avoid the dilemmas, because discussion has just begun, with
difficulty in defining cyberspace – is it a unique domain or part of a whole? Obviously, practice is
out-distancing policy.
Cyberspace developments happen rapidly, and policy and law lag far behind.
Responsibilities for cyber-security are distributed across a wide array of federal departments and
agencies, many with overlapping authorities, none with sufficient decision authority to direct
actions that deal with often conflicting issues in a consistent way. A total of 80% of information
infrastructure is owned or managed by the private sector.
Secrecy is costly; until fairly recently there has been a lack of awareness of the gravity of the
problem, and thus only recently has there been sufficient pressure on government to change.
Transparency involves intangible costs and information sharing. We know there is a problem, and
think it will get worse over time. But we don’t know if proposed solutions will be effective.
He cautioned the audience that new devices may be more easily hacked if security and privacy are not
sufficiently considered in their design. Professor Hoffman pointed out the dilemma for
governments that wish to carry out surveillance of citizens, residents, and everyone, while
maintaining privacy, free speech, and freedom, and noted that there are no easy options for
governments.
He noted Internet monitoring in China, with more than 298M users. He also cited the recent Green
Dam fiasco, where China originally proposed that all PCs sold in China would be required to
install government-approved monitoring software. It has recently backed off to some extent on this,
after widespread protests from many, including manufacturers.
The George Washington professor also discussed unresolved legal issues in cybersecurity that
have privacy implications, such as when government is permitted to protect privately owned critical
infrastructure; the use of automated attack detection and warning sensors; and data sharing with third
parties within the Federal government, among others.
Mr. Tomohiko Yamakawa, Producer of NTT Corporation, Cyber Security Project, Research and
Development Planning Department, delivered a speech titled "Industry Side Views of Cyber
Security in Japan".
He discussed the following ideas: (1) cyber security as a cost; (2) cyber security as a challenge,
along with Computer Security Incident Response Team (CSIRT) activity (NTT-CERT) in Japan.
He also discussed his observations on identifying "cyber attack", and called for global
collaboration in cyber security.
Regarding cyber security as a cost, Mr. Yamakawa said it is a cost for most business enterprises to
implement governmental regulatory compliance.
As a provider of IT Service and Information Systems, NTT provides service for government,
critical Infrastructure (Telco, Finance, Electric Power supply, Gas, etc.), and business enterprises.
NTT is committed to ensuring the secrecy of communication, information assurance, and personal
data protection, as the Japanese constitution guarantees these as basic human rights.
The NTT cyber expert also sees cyber security as either a threat or an opportunity, based on his
observations, as the United States, under the Obama administration, has initiated a leadership strategy
on cyber security issues. As for Japan, he discussed the “CSIRT”, which means Computer Security
Incident Response Team, which responds to and copes with vulnerabilities through activities such as incident
management, incident response, and vulnerability management. Gradually, the idea of “Cyber
Defense” emerged to protect customers from cyber attack, with NTT-CERT acting as an incident
coordination center for NTT group companies.
Mr. Yamakawa said it is difficult to define “cyber attack” clearly, as it may come in many
different forms at the same time: Jack’s PC is infected, Betty cannot access this website,
Taro’s website is not accessible, etc. Furthermore, it is not clear whether the “attacker”
really intended an “unauthorized attack.”
The NTT expert reminded people of what happened, in cyber attacks or not, over the last few
years: Estonia in 2007, Georgia in 2008, Korea in 2009, and the Google case in 2010.
Therefore, global collaboration in cyber security is an urgent agenda on many aspects.
Most executives, both in government and industry, recognize cyber security as most significant for
management, and should be ready to pay some money for “cyber security,” though what cyber
security issues they may have is not clear yet; or they should invest in firewalls, virus identifiers,
and certification for their own networks.
On the operational level, Mr. Yamakawa called for having “your best doctor for cyber security” at
hand to help identify the disease, give the best medicine, and give the best support, citing CSIRT as an
example.
Though the policy framework of cyber security may differ in each country, there must be a common
“culture of cyber security” in the world, sharing know-how and expertise.
Mr. David Hoffman of Intel Corporation presented a talk titled “The Future of
Computing,” on the direction in which computing evolution would go at Intel.
Among all the computers in the office, at home, at a coffee shop, and on a plane, we now see great
diversity, an ongoing evolution in which people may have a device in their car, or in the air, with all
data and applications to share information, with security and privacy being protected.
Commercial aviation became global in the 1940s, and since 1977s and 1980s the cost of
commercial aviation has come down and more people rely on commercial aviation, but
threats can disrupt aviation, like the recent volcano in Iceland, which became a global issue.
Similarly, people rely more on remote devices in their daily life for managing their data,
which provides a challenge and opportunities for Intel and others to protect security in
cyberspace. There are four different kinds of things that need our attention: malware, hardware,
operating systems and application software.
David Hoffman said that last year (2009) over 6 million young participants competed at Intel
Science and Education Fair competition. Over 6,000 finalists from 59 countries displayed their
products in California to compete for the prize money of four million dollars, and many of them
had products based on Internet applications and global structure.
There was a time at Intel when we had design centers in California, Europe, and Japan. Now design
centers from around the globe collaborate on new products.
The components we design, in a decentralized environment, as Prof. Hoffman mentioned, affect
global supply chains and create global strategy, from India to China.
The Japanese government is collaborating with the U.S. and EU on a coordinated policy in this
regard.
The commentator, Greg Nojeim from the Center for Democracy and Technology, invited the panelists to
address the following three questions.
On the question of “good geeks” and “bad geeks,” how do we ensure that we have the best good
geeks so they can prevent the bad geeks from harming us?
The second question is who is the best doctor for cybersecurity – the government or the private
sector? It seems that there are three key cybersecurity players: the government, the private sector
and consumers. Each plays a different role when it comes to healing a cybersecurity problem.
What about the role government and consumers play to secure our cyber networks?
Also, as we know the Internet has no national boundaries, all domains depend on the Internet.
Securing everyone will be expensive. What kinds of costs should we prepare to bear?
Hoffman at GW University: I like the idea of bad vs. good geeks. The Federal government is
sponsoring scholars to engage in cyber security studies, and the sponsored scholars are to work for
the government for a number of years after completion of their studies. Industry needs their own
people now and would benefit from a similar program.
Yamakawa: It is sometimes difficult to tell good geeks from bad geeks in cyber space in Japan.
Hoffman at Intel: Investment in cyber security is critical, as international collaboration is required,
though some of the scholarships are not open to non-US citizens. The Israeli government is doing a
great job in this regard by sponsoring and recruiting experts in cyber security.
Nojeim: Regarding the secrecy of communication, it is a Constitutional right in Japan, while in the
U.S., the 4th Amendment also provides similar protection. But in other countries, like India,
governments demand free access to communications information from private business. For
example, India recently demanded that RIM (Research In Motion) locate a server in India so the
government there would be better able to gain access to private communications. How do we
reconcile privacy issues and government actions in a global context?
Yamakawa: Different countries have different practices. While Japan, the U.S. and the EU have
laws to protect privacy of communication, in other countries, like India, governments tend
to try to have surveillance on mobile communication, like BlackBerry.
Hoffman at Intel: To answer a question from the audience regarding email security from abroad into
the U.S., it is different for the U.S. government toward U.S. citizens vs. non-US citizens; the global
context is difficult.
Nojeim: The US Foreign Intelligence Surveillance Act permits the U.S. government to eavesdrop
more readily on the communications of people who are not U.S. citizens or U.S. green card
holders. The criminal law, which also permits some eavesdropping, does not draw a distinction
between citizens and non-citizens.
An international investor on the floor: I want to ask Mr. Yamakawa about privacy issues. Law
enforcement uses GPS. For example, police track suspects who use an iPhone. How is people’s
privacy protected? Another question for Intel. As chip creator, what is your responsibility and
policies to protect your end users, when law enforcement agencies come in for information about
the customers, with or without warrant?
Yamakawa: Large corporations are likely to cooperate with law enforcement agencies, or jointly
work with them on global issues.
Hoffman at Intel: Large corporations, like Intel, depend on trust of customers to use our services,
as we have a robust policy to guarantee safety of customer information; sometimes there are
situations that we want law enforcement agency to help find out the problems facing us.
Question: In terms of the Internet cyber security, do you think China’s firewall is making the
security work easier or harder?
Hoffman at GWU: It’s tough enough at this moment, but will be harder to get all countries to
agree to the same rule when it comes to punishment. This is why we need technical management,
public policy experts, etc. He cited the George Washington University cyber security scholarship
program where 30-40 percent of the students are from non-technical studies in these areas (but do
not graduate until they get enough technical expertise as well).