JAPANESE DISCOVER THAT CYBERSPACE IS NOT
ALWAYS A NICE PLACE
--- by Jon Choy
To the shock of many Japanese but absolutely no surprise to computer experts overseas Japanese government and corporate sites and servers on the World Wide Web have been penetrated and vandalized in a very public fashion by unauthorized Internet users. Although the cyberthugs defaced some Web pages and erased others, they did not as far as authorities can determine gain access to sensitive government or corporate information. Computer security specialists know, however, that a skillful intruder can enter and exit a system without leaving a trace. From the moment they were connected to the Internet, Japanese systems have been under the scrutiny of potentially hostile cybernauts. While some government and corporate information technology managers have installed security software, the recent spate of computer break-ins has put the topic in the limelight.
The home page of the Science and Technology Agency was vandalized January 24 in what was the first publicly acknowledged cyberattack on a Japanese government Web site. The intruder added several derogatory messages as well as a link to a pornographic Web site. The same day, publicly available statistics and other data were erased from the Management and Coordination Agency's Internet servers, and its home page was replaced with one criticizing right-wing extremists for their attempts to deny that Japanese troops massacred thousands of Nanjing inhabitants in 1937. The next day, the message, which was posted in Chinese, appeared on STA's Web site, further embarrassing and alarming Tokyo. These attacks presaged other cyberintrusions in late January that hit a wide range of central and local government agencies.
In the past, Japanese computer networks and Web sites were mostly ignored by hackers persons whose primary goal is to get past computer security systems and crackers those who break into protected Web sites to steal, alter or destroy data in part due to the difficulty of dealing with the Japanese language but also because weak Japanese security measures did not present a challenge. Apparently, however, the exercise of attacking a Japanese server is a novelty that is in vogue among hackers. Moreover, porous security systems are attracting crackers bent on stealing corporate or government secrets.
At a January 26 emergency meeting, the cabinet of Prime Minister Keizo Obuchi decided to advance a just-approved plan to strengthen the government's computer security systems. The original timetable called for raising Japan's standards and requirements to U.S. levels by 2003 and for Tokyo to formulate countermeasures against cyberterrorists by the end of this year. Now, however, both actions will be implemented as soon as possible.
The Ministry of Posts and Telecommunications announced, for example, that it would create in early February an anti-cyberterrorism advisory group that would release its first report by June. In addition, the Japan Defense Agency said January 28 that it would earmark ¥3.8 billion ($31.7 million at ¥120=$1.00) in FY 2000 to defend its computer systems from crackers and hackers.
In the meantime, the National Police Agency and its municipal counterparts are investigating the incidents using powers granted under a law passed in 1999 that makes it a criminal offense to break into a secure computer network or system (see JEI Report No. 21B, May 28, 1999). However, since the perpetrators presumably are foreigners operating outside of Japan, what investigators can accomplish is not clear.
One likely impact of the recent cyberattacks is that sales of security software and services will skyrocket. Japanese IT managers can take advantage of the years of experience that foreign software firms have in fending off sophisticated cyberattacks. U.S. software developers, which dominate this market, stand to gain substantial new business from Japanese government agencies, companies and individuals.
One potential negative fallout from the incursions has both Japanese policymakers and corporate executives on edge, however. If the buying public begins to see on-line shopping as a risky activity, the promise of electronic commerce in Japan may be nipped in the bud (see JEI Report No. 16A, April 23, 1999). Publicized, large-scale thefts of customer information, including credit-card data, from some American and European cyberretailers have given credence to these concerns. Firms that have been rushing to embrace business-to-business e-commerce also might pause to reconsider, slowing their efforts to become more efficient and internationally competitive.
Japanese IT managers can respond quickly to perceived security threats by installing off-the-shelf software. Defense against the ever-changing menace of an elite cadre of Internet outlaws, however, requires a first-rate understanding of computer hardware, software, communications protocols and networks. Such experts already are in very short supply in Japan, and they cannot be produced overnight by the nation's educational and vocational training institutions.
Even though Tokyo has accelerated its plans to improve the security of Web sites and servers, many observers argue that the government is moving too slowly to combat hackers and crackers operating at the lightning pace of Internet time. Even if computer and network administrators install shrink-wrapped security programs tomorrow, the heterogeneous nature of many of Japan's government and business computer systems mixtures of legacy mainframes, old operating systems and applications software with the latest in personal computers and servers makes it difficult to plug all the entry points and weak spots that intruders exploit. The fact that many computer systems now must be connected to the Internet to perform their intended tasks makes protecting such complex systems from unauthorized access even more difficult. While experts agree that computer security is a very real problem in Japan, they also concur that generating increased public awareness of the issue is a major step toward an answer.