Cyber Security in East Asia and Policy Cooperation

Transcription

1 Summary of USJI Seminar on Cyber Security in East Asia and Policy Cooperation between Japan and the United States September 8, 2010 On the Independence Day of the United States in 2009 cyber attacks in a massive scale against major web sites broke out without warning. Soon thereafter, similar attacks began in South Korea and they continued in a wavelike fashion. Experts found that these attacks were conducted by the same group, but could not find who they were. As Japan maintains close relationships with both the United States and South Korea, these attacks made the Japanese government realize seriousness of emerging threats in cyberspace. In this session, experts discussed possible defense methods against cyber attacks, which are expected to increase in number in the near future, and necessary policy cooperation and coordination between Japan and the United States. The four panelists presented on the September 8 th, 2010 seminar are Dr. Motohiro Tsuchiya, Associate Professor of Keio University, as the moderator, Mr. David Hoffman, Director of Security Policy and Global Privacy Officer, Intel Corporation, Dr. Lance J. Hoffman, Distinguished Research Professor, The George Washington University, Mr. Tomohiko Yamakawa, Producer of NTT Corporation, Cyber Security Project, with commentator Mr. Greg Nojeim, Senior Counsel and Director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology. Professor Motohiro Tsuchiya, as a moderator, presented his topic Cyber Security in East Asia. He recalled major security threats happening in the past decade in the region. In 1998, North Korea carried its Taepodong Missile test over the Japanese main island into the Pacific Ocean; North Korean Spy Ship violated the Japanese waters, and was followed by Japanese coast guard, and later sunk by the North Koreans saw a Chinese submarine intruding into the Japanese territorial waters. Also in 2004, a Japanese consul in Shanghai committed suicide, after being blackmailed by secret Chinese agent. China also wanted to break the two island chains, from Japan, Taiwan, the Philippines, with Okinawa at the critical point, as China tried to expand into ocean from a continent. In 2009, massive scale of cyber attacks was recorded in the U.S. and South Korea, including the Department of Defense (DOD), the U.S. Congress, the Treasury, the Department of Homeland Page 1 of 9

2 Security (DHS), Federal Trade Commission (FTC), New York Stock Exchange (NYSE), Washington Post, among others. Servers were slowed down during the attacks. These attacks are known as BOTNET Attacks. Although Japanese networks were not attacked, eight Japanese servers were involved in the attacks. Owners of the servers had no idea that their servers were used to attack other computers. It is very hard to find the real attackers. In 2010 cyber attack broke out between South Korea and Japan over the ice skating title dispute when Japanese girl lost the game. South Korean net users attacked Japan, because Japanese young people were upset and commented on BBS about the ice skating judgment, which angered the South Korean net users. This case showed that non-state groups can start attacks online. Who cares about the cyber security in Japan? They are the National Police Agency, Ministry of Defense, Cabinet Intelligence Research Office (CIRO), and National Information Security Center (NISC). Following these incidents, Mr. Hirano, Chief-Secretary of the Cabinet, said, We cannot deny the possibilities that we could be attacked. Cyber security is an important national security and crisis management issue. Thus, the Japanese government strengthens the National Information Security Center (NISC), which was established in 2005, with officials on loan from several ministries, and thus marking the Japanese policy change. The Japanese government issued Information Security Strategy for Protecting the Nation on May 11, 2010, as it realized that the large-scale cyber attack in the United States and South Korea particularly alerted Japan, and could be a threat to national security. According to Professor Tsuchiya, cyber attacks pose the following threats: Physical Damage to Infrastructures, Utilities, and Premises Financial Damage or Theft Psychological Damage or Demonstration Virtual Damage (Not Recognized, but Serious) Most of the times, it is difficult to identify who the real attackers are, following a massive international cyber attacking event. The Keio University professor then talked about geeks, both in Japanese and the United States societies. Despite their cultural differences between countries and governments, geeks should be brought in to protect us. Page 2 of 9

3 Tsuchiya said that geek is a peculiar or otherwise odd person, but our societies are increasingly dependent on computer geeks. He listed some of the most famous geeks, including Apple s CEO Steve Jobs, Microsoft founder Bill Gates, Google s founders Larry Page and Sergey Brin. Professor Motohiro Tsuchiya reminded the audience that technology affects national security, and our society is dependent on computer networks, and called for cooperation between Japan and the US, and the world on this issue. Professor Lance J. Hoffman, from Cyber Security Policy and Research Institute at the George Washington University in Washington D.C. presented his topic Cyber Security in the U.S.. After a brief introduction of threats and attacks in the telecommunication sector in the past century, Professor Hoffman pointed out that communication security has always been an issue, and in today s Internet Age, national security is a big concern, and therefore, for the first time, the United States issued a presidential statement on cyber-security on May 29, 2009 when President Obama said: We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness. In short, America's economic prosperity in the 21st century will depend on cybersecurity. Cyber-security is now prominent on the policy radar screen. Professor Hoffman described the Comprehensive National Cybersecurity Initiative, outlining three Major Goals: (1) To establish a front line of defense against today s immediate threats; (2) To defend against the full spectrum of threats; (3) To strengthen the future cybersecurity environment. Despite increasing studies and research, and accelerated legislation on the matter, there are many issues that need more attention and further actions. Professor Hoffman cited material developed by his colleague Prof. Eva Vincze, that stated: 1. Cyberspace is a complex problem for the following reasons: (1) Cyber security is a collective concern that is comprehensive in scope the Internet has no national boundaries. (2) Security is typically regulated at the government level; (3) Cyber security is at once national, international, public and private in character; (4) It touches many domains business, finance, control systems for power, gas, drinking water and other utilities; airport and air traffic control systems, logistical systems, health care, government services, etc. Page 3 of 9

4 2. Technology alone is insufficient because (1) an interdisciplinary discussion with international stakeholders is necessary; (2) human factors must be considered; (3) laws, mores, and practices vary from country to country. It is imperative that countries develop improved lines of communication based on trust to discuss cyber security both within and among themselves. Professor Hoffman particularly discussed cyber crime, noting that according to the FBI estimates, the average loss for a technology-oriented crime is nearly $500,000, and, further, the added cost to the consumer is $100 to $150 per computer sale. Other estimates indicate that losses related to high-tech crimes in the United States are $10 billion to $15 billion per year. Major organized crime groups are known to be operating in over 30 countries spread across 6 continents. He analyzed the increasing cyber crimes citing the volatile combination of: Technically empowered segments of population With the capacity to conduct sophisticated criminal operation Limited economic opportunities to make an honest living Few policies/laws/investigative/prosecutorial focus on cybercrime. The George Washington professor cited that in the U.S. over 500,000 websites were successfully compromised in 2008; malicious intrusions were up 40%; services like Google Earth were reported to be used for several terrorist attacks; and in the developing world, foreign direct investment as a whole may eventually be affected by the safety and integrity of data networks available to investors in host countries. Professor Hoffman called for countries facing the dual challenge in integrating cyber-security, policy and law to maintain an environment that promotes efficiency, innovation, economic prosperity, and free trade, while also promoting safety, security, civil liberties, and privacy rights. Yet, the world community cannot avoid the dilemmas, because discussion has just begun, with difficulty in defining cyberspace is it a unique domain or part of a whole? Obviously, practice is out-distancing policy. Cyberspace developments happen rapidly and policy/law lag a lot behind. Responsibilities for cyber-security are distributed across a wide array of federal departments and agencies, many with overlapping authorities, none with sufficient decision authority to direct Page 4 of 9

5 actions that deal with often conflicting issues in a consistent way. Total 80% of information infrastructure is owned or managed by the private sector. Secrecy is costly, until fairly recently there has been lack of awareness of the gravity of the problem, and thus only recently has there been sufficient pressure on government to change. Transparency involves intangible costs and information sharing. We know there is a problem, and think it will get worse over time. But we don t know if proposed solutions will be effective. He cautioned the audience that new devices may be more easily hacked if security and privacy not sufficiently considered in their design. Professor Hoffman pointed out the dilemma for governments that wish to carry out surveillance of citizens, residents, and everyone, while maintaining privacy, free speech, and freedom and noted that there are no easy options for governments. He noted Internet monitoring in China, with more than 298M users. He also cited the recent Green Dam fiasco, where China originally proposed that all PCs sold in China would be required to install government-proved monitoring software. It s recently backed off to some extent on this, after widespread protests from many, including manufacturers. The George Washington professor also discussed unresolved legal Issues in cybersecurity that have privacy implications, like, when government is permitted to protect privately owned critical infrastructure; the use of automated attack detection and warning sensors; data sharing with third parties within the Federal government, among others. Mr. Tomohiko Yamakawa, Producer of NTT Corporation, Cyber Security Project, Research and Development Planning Department, delivered a speech titled "Industry Side Views of Cyber Security in Japan". He discussed the following ideas: (1) cyber security as a cost; (2) cyber security as a challenge, along with Computer Security Incident Response Team (CSIRT) activity (NTT-CERT) in Japan. He also discussed his observations on identifying "cyber attack", and called for global collaboration in cyber security. Regarding cyber security as a cost, Mr. Yamakawa said it is a cost for most business enterprises to implement governmental regulatory compliance. As a provider of IT Service and Information Systems, NTT provides service for government, critical Infrastructure (Telco, Finance, Electric Power supply, Gas, etc.), and business enterprises. Page 5 of 9

6 NTT is committed to ensure the secrecy of communication, information assurance, and personal DATA protection, as Japanese constitution guarantees it as basic human rights. The NTT cyber expert also see cyber security/threat as a threat or opportunity based on his observations, as the United States, under Obama administration, has initiated a leadership strategy in cyber security issues. As for Japan, he discussed CSIRT, which means Computer Security Incident Response Team, in response to and cope with vulnerabilities such as incident management, incident response, vulnerability management, and gradually, the idea of Cyber Defense emerged to protect customers from cyber attack, as NTT-CERT, as an incident coordination center for NTT group companies. Mr. Yamakawa said it is difficult to define Cyber attack clearly, as it may come in many different forms at the same time, such as Jack s PC is infected, Betty cannot access this website, Taro s website is not accessible, etc. Furthermore the intention of attacker is not clear whether he/she really intended to have unauthorized attack. The NTT expert reminded people of what happened in cyber attacks, or not, over the last few years, as Estonia in 2007, Georgia in 2008, Korea in 2009, and Google case in Therefore, global collaboration in cyber security is an urgent agenda on many aspects. Most executives, both in government and industry, recognize cyber security as most significant for management, and should be ready paying some money for cyber security, though what cyber security issues they may have are not clear yet; or they should invest in firewalls, virus identifier, certification for their own networks. On the operation level, Mr. Yamakawa called for your best doctor for cyber security at your hand to help identify the disease, give best medicine, and give best support, citing CSIRT as an example. Though policy framework of cyber security may differ in each country, there must be a common culture of cyber security in the world, sharing knowhow and expertise. In his speech, Mr. David Hoffman of Intel Corporation presented his talk titled: The Future of Computing which direction would computing evolution go at Intel. Among all computers in office, at home, or at coffee shop, and on a plane, we now see a great diversity, an ongoing evolution that people may have a device in their car, or in the air, with all data and applications to share information, with security and privacy being protected. Page 6 of 9

7 As commercial aviation became global in the 1940s, and since 1977s and 1980s, cost of commercial aviation has come down, and more people rely more on commercial aviation, but threats could distract aviation, like volcano in Iceland recently, which became a global issue. Similarly, people rely more on remote device for their daily life, in terms of managing their data, therefore providing a challenge and opportunities for Intel and others to protect the security in cyberspace. There are four different kinds of things to our attention: malware, hardware, operational system and application wares. David Hoffman said that last year (2009) over 6 million young participants competed at Intel Science and Education Fair competition. Over 6,000 finalists from 59 countries displayed their products in California to compete for the prize money of four million dollars, and so many of them have products all based on the Internet application and global structure. There was a time at Intel when we had design center in California, Europe, and Japan. Now design centers from around globe to collaborate on new products. The components we design, in decentralized environment, as Prof Hoffman mentioned, affect global supply chains, create global strategy, from India to China. Japanese government is in collaboration with the U.S. and EU for a coordinated policy in this regard. Commentator, Greg Nojeim from Center for Technology and Democracy, invited the panelists to address the three following questions. On the question of good geeks and bad geeks, how do we ensure that we have the best good geeks so they can prevent the bad geeks from harming us? The second question is who is the best doctor for cybersecurity the government or the private sector? It seems that there are three key cybersecurity players: the government, the private sector and consumers. Each plays a different role when it comes to healing a cybersecurity problem. What about the role government and consumers play to secure our cyber networks? Also, as we know the Internet has no national boundaries, all domains depend on the Internet. Securing everyone will be expensive. What kinds of costs should we prepare to bear? Hoffman at GW University: I like the idea of bad vs. good geeks. The Federal government is sponsoring scholars to engage in cyber security studies, and the sponsored scholars are to work for Page 7 of 9

8 the government for a number of years after completion of their studies. Industry needs their own people now and would benefit from a similar program. Yamakawa: It is sometimes difficult to tell good geeks from bad geeks in cyber space in Japan. Hoffman at Intel: Investment in cyber security is critical, as international collaboration is required, though some of the scholarships are not open to non-us citizens. Israeli government is doing a great job in this regard by sponsoring and recruiting experts in cyber security. Nojeim: Regarding the secrecy of communication, it is a Constitutional right in Japan, while in the U.S., 4 th Amendment also provides similar protection. But in other countries, like India, governments demand free access communications information from private business. For example, India recently demanded that RIM (Research In Motion) locate a server in India so the government there would be better able to gain access to private communications. How do we reconcile privacy issues and government actions in global context? Yamakawa: Different countries have different practice, while Japan, the U.S. and the EU have laws to protect privacy of communication, but in other countries, like in India, governments tend to try to have surveillance on mobile communication, like BlackBerry. Hoffman at Intel: To answer a question from audience regarding security from abroad into the U.S., it is different for the U.S. government toward U.S. citizen vs. non-us citizen, global context is difficult. Nojeim: The US Foreign Intelligence Surveillance Act permits the U.S. government to eavesdrop more readily on the communications of people who are not U.S. citizens or U.S. green card holders. The criminal law, which also permits some eavesdropping, does not draw a distinction between citizens and non-citizens. An international investor on the floor: I want to ask Mr. Yamakawa on privacy issues. Law enforcement uses GPS. For example, police tracks suspects who use an iphone. How is people s privacy protected? Another question for Intel. As chip creator, what is your responsibility and policies to protect your end users, when law enforcement agencies come in for information about the customers, with or without warrant? Yamakawa: Large corporations are likely to cooperate with law enforcement agencies, or jointly work with them on global issues. Hoffman at Intel: Large corporations, like Intel, depend on trust of customers to use our services, as we have a robust policy to guarantee safety of customer information; sometimes there are situations that we want law enforcement agency to help find out the problems facing us. Page 8 of 9

9 Question: In terms of the Internet cyber security, do you think China s firewall is making the security work easier or harder? Hoffman at GWU: It s tough enough at this moment, but will be harder to get all countries to agree to the same rule when it comes to punishment. This is why we need technical management, public policy experts, etc. He cited the George Washington University cyber security scholarship program where percent of the students are from non-technical studies in these areas (but do not graduate until they get enough technical expertise as well). Page 9 of 9