Webinar Video + Report - Keeping Ourselves Safe in Cyberspace with Mihoko Matsubara & Marcus Willett
On 2 December 2021, the latest edition of our ongoing webinar series focused on the challenges faced by the UK and Japan within the domain of cyberspace, as well as highlighting areas for future cooperation in this field between both countries. Japan Society Chairman Bill Emmott welcomed two respected voices in this field: Mihoko Matsubara, Chief Cybersecurity Strategist at NTT Corporation in Tokyo, and Marcus Willett, senior adviser for cyber at the International Institute for Strategic Studies.
Willett opened by providing a global perspective on cyber activity, encompassing six key points: the criminal use of ransomware, in which he stressed the responsibility of the hosting states in addressing the attackers within their borders; the implications of the SolarWinds hack in the US, resulting in companies and governments understanding that some attacks will go through their defences, as well as the importance of knowing their supply chain and demanding proof they have implemented cybersecurity measures; proliferation of sophisticated and dangerous cyber capabilities, resulting in, for instance, failure of states to protect powerful secret tools; the problem with thresholds, to which Willett commented that “there is a lack of clarity over how thresholds in international law apply to cyber operations (…) and I don’t think the international agreed voluntary norms of behaviour, as currently formulated, have helped in that regard”; responsible cyber actors, meaning that cyber operations must be carefully controlled to ensure that the actors are responsible; and, the overwhelming reliance on the internet, which will only deepen as time goes on, resulting in malign activity growing exponentially. Consequently, “there is a massive superpower competition for the control of the internet”.
From a Japan-focused perspective, Matsubara highlighted how Japan has been addressing cybersecurity concerns in recent years, especially after the selection of Tokyo as the host city for the 2020 Olympic Games. This is exemplified by the launch of the Japanese Cross-Sector Forum in 2015. Several crucial Japanese companies, such as NTT and Hitachi, have worked together to achieve two main common goals: defining what classifies a cybersecurity specialist and what their mission is, as well as creating an ecosystem to educate, hire, train and retain cybersecurity experts in collaboration with academia and governments. Members of the Forum have been involved in cybersecurity policy-making and have sponsored university courses on cybersecurity. Regarding Japan’s future, Matsubara expects further sharing of intelligence between Japan and other countries. To achieve this, there must be proper supply chain risk management, not only for ICT but also for 5G, for example, which can be attained with bilateral/multilateral cooperation (AUKUS, G7, Quad Senior Cyber Group). These next steps are needed not only to protect cybersecurity, but also economic security.
The first topic discussed during the subsequent Q&A session was the course of action companies and governments should take when faced with a ransomware attack. Willett explained how complicated navigating this kind of situation can be. In the UK, for instance, the question of whether companies should pay ransoms is frequently debated. Currently, while it is not advised to pay attackers, there is no regulation of this, as there is the recognition that in some cases a company will not be able to recover from having their data leaked. Willett also stated that paying a ransom is no guarantee that the data will be returned, and advised companies to start with their basic cybersecurity, “assume that will stop 95% of what’s coming your way, and then building resilience and redundancy to handle the final 5%”. Matsubara added that paying attackers will finance future ransomware attacks against other companies or governments, that only 8% of victims who pay the ransom are able to retrieve their data, and that the Japanese government advises companies not to pay ransoms.
Matsubara also provided some insight regarding the cooperation between the UK and Japan in the cybersecurity domain. Cooperation between both countries has been frequent, especially due to the London 2012 and Tokyo 2020 Olympic Games, as the UK assisted Japan by sharing its knowledge and experience, contributing to the success of the 2020 Olympics. Moreover, Japan and the UK have been deepening their security cooperation by participating in joint exercises, which also include the sharing of cybersecurity intelligence.
The issue of AI was also addressed within the Q&A session, namely how it is being mobilized in relation to cybersecurity attacks. Matsubara stated that AI can help cybercriminals to create a variety of computer viruses, synthesise the voices of CEOs, or easily create phishing emails. However, this is countered by the fact that defenders can also use AI to their advantage. Willett reinforced that AI gives advantages to both attackers and defenders. Nevertheless, the attackers will invariably have the advantage, as they will only need to get through the defenses once, while defenders must stop all attacking attempts in order to successfully protect their data.
Report by Gonçalo Navega