Peer reviewed analysis from world leading experts

Japan’s cybersecurity must address gaps in IoT and cloud security

Participants from government ministries and agencies take part in the Cyber Defense Exercise with Recurrence in Tokyo, 25 September 2013. (Photo: Reuters/Toru Hanai).

In Brief

In July 2018, the Japanese government released a new cybersecurity strategy to share its vision for strengthening Japan’s cybersecurity capabilities. This is the first national security document in which endpoint security to defend computers, servers, and wireless devices is mentioned.

But the next cybersecurity strategy should also refer to cloud security to ensure comprehensive protection of IT resources — not just for the government but also for industry. The draft emphasises pursuing innovation through artificial intelligence and the Internet of Things (IoT) as well as security measures for the government’s private ‘cloud’.

Big data is key to machine learning and to the IoT’s ability to create new business value and opportunities. IBM estimates that 2.5 quintillion bytes of data are created daily. To keep up with exploding data, it is impossible to remain dependent on on-premise computers, since they are neither as flexible nor as scalable as the cloud.

Yet Japanese companies have taken more time than other countries to introduce IoT and cloud services. The Vodafone IoT Barometer 2017/18 report shows that 36 per cent of organisations in the Asia Pacific have implemented IoT, compared to 27 per cent in the Americas and 26 per cent in Europe. But in Japan, the adoption rate was only 12 per cent — a rate achieved by the Asia Pacific more broadly in 2013. As of 2016, 47 per cent of Japanese companies used cloud computing for emails, data storage, and/or file sharing, whereas the adoption ratio was 70 per cent in the United States.

There are a few reasons why IoT adoption in Japan is lagging.

First, Japanese companies tend to begin conducting IoT proof-of-concept projects without setting a clear goal or deadline. They end up pursuing these projects indefinitely rather than turning them into new business operations.

Second, compared to their counterparts in other countries, fewer Japanese business leaders understand the potential effects of the digital revolution on employment and work. While 92 per cent of non-Japanese business leaders are familiar with the potential effects, the rate is only 80 per cent in Japan.

Third, Japanese business leadership is becoming more risk averse, which makes it difficult to adopt new business models. Forty-three per cent of Japanese business leaders were risk averse in 2014, and this rate went up to 60 per cent in 2016.

The Japanese government has started to incentivise investments in the IoT by offering to reduce companies’ corporate tax if they can prove that their investments in IoT devices (such as sensors or robots) will increase productivity and cybersecurity. This movement could be a game changer to galvanise the IoT and IoT security in Japan. If industry wants to keep up with the big data produced by the IoT, it will need to rethink how it uses the cloud.

According to the Japanese Ministry of Internal Affairs and Communications’ 2017 White Paper, 47 per cent of Japanese companies responded that they do not use the cloud because they do not need to, and 35 per cent responded that they do not use it because they are concerned about cloud security.

Japanese corporate employees do acknowledge the convenience of cloud services though. Shadow IT — products and services that employees use within their organisation without explicit approval from their employer — in fact poses a huge challenge to corporate governance and cybersecurity.

NRI Secure Technologies’ Cyber Security Trend Annual Review 2017 report shows that only 40 per cent of Japanese companies believe they use software-as-a-service (SaaS). Yet the same report also shows that 61 per cent of those companies use Office 365 and 59 per cent use Dropbox. Corporate employees have begun to use such cloud services for accessibility and convenience, even though their IT team is not necessarily aware of such SaaS usage and cannot apply security to it.

Forty-two per cent of Japanese companies believe that SaaS usage is not an issue as long as employees use it carefully. This optimistic view of cloud security and governance has led to insufficient knowledge of cloud security solutions.

For example, a cloud access security broker (CASB) provides visibility, access control and data protection to corporations. Gartner expects that 85 per cent of major companies worldwide will use CASB by 2020. But Cloud Security Alliance’s Japan Chapter revealed that 63 per cent of Japanese companies do not even know about CASB. Japan urgently needs to raise awareness of cloud security and to increase the visibility of IT assets connected to the internet or in the cloud.

Japan’s economic prosperity and success depend substantially on cybersecurity as IT resources are a fundamental part of innovation. It is Japan’s responsibility as an economic power and global leader to ensure comprehensive and robust cybersecurity. A cyberattack can have cascading impacts, and its damage may not be contained within one organisation, one sector or even one country.

It is crucial for the government’s future cybersecurity strategy to acknowledge the gap between Japan and other countries in cloud and IoT adoption and provide a vision of how Japan should accelerate its cybersecurity efforts. It is time to craft a new strategy to encourage risk-averse business leadership to tackle shadow IT and bring visibility and control to endpoint and cloud security.

Mihoko Matsubara is an Adjunct Fellow at Pacific Forum. Starting her career with the Japanese Ministry of Defense, she later worked at Hitachi Systems as a cybersecurity analyst, Intel Corporation as Cyber Security Policy Director, Palo Alto Networks as Chief Security Officer in Japan and Vice President & Public Sector CSO for Asia-Pacific in Singapore.

A version of this article was originally published here at RSIS.

One response to “Japan’s cybersecurity must address gaps in IoT and cloud security”

  1. As a Japanese national, I find this kind of “the grass is greener everywhere else” or “Japan lags behind all the with it countries” writing extremely tedious. It is a strategy that Japanese have used since at least the time of Ogyu Sorai in the 17th century to push whatever policy or “reform” they are trying to peddle.

    The comparisons are always cherry picked and are typically based on data that is mushy at best, very often plucked from “surveys” that do not even come close to meeting the standards for such research in disciplines such as sociology and political science.

    While the emphasis on security in this article is appropriate, other points are not. IoT is a disaster waiting to happen. The more digital systems that are linked together, the more power is given to those that hack them. And by their very nature devices that are part of the IoT are dangerous because they are dispersed, most will be in the hands of people with no knowledge of digital security, indeed many devices will not even be recognised as being IoT.

    If even companies with the technical expertise of Cisco Systems and HP are unable to produce hardware and software without security holes that can be and have been exploited, there is no reason to believe that companies producing various IoT devices will do better.

    IoT is one area in which the words of Renho apply. “What’s wrong with being number two?” Or, to use another analogy, when walking through a minefield, better to be a follower than a leader.

    Moving data to “the cloud” should not be an end in and of itself as seemingly portrayed in this article, but one of many strategies that a business might consider.

    There are obvious issues with “the cloud.” One is what country has legal jurisdiction over data. This is being fought over in numerous court cases. Another is reliability and availability. What happens when the communications infrastructure is disabled or overloaded to the point of being unusable as it was in parts of Japan following the 3.11 earthquake and tsunami? Given the frequency of natural disasters in Japan, there is good reason to be cautious about relying on something that does not work without continuous, high speed, error free communications.

The East Asia Forum office is based in Australia and EAF acknowledges the First Peoples of this land — in Canberra the Ngunnawal and Ngambri people — and recognises their continuous connection to culture, community and Country.

Article printed from East Asia Forum (https://www.eastasiaforum.org)

Copyright ©2024 East Asia Forum. All rights reserved.