June 12, 2020
Because cyberattacks targeting weaknesses in the supply chains of large enterprises and SMEs have been increasing and becoming more sophisticated, the Ministry of Economy, Trade and Industry (METI) has compiled a report that organizes the characteristics of recent cyberattacks, together with specific case examples, and sets out directions for future efforts to address them. Based on these directions, METI will begin coordinating with stakeholders, e.g., industrial players, in order to specify and implement cybersecurity measures across entire supply chains.
1. Background
Multiple companies in Japan have discovered that they have been subjected to sophisticated cyberattacks since January 2020. Moreover, cases of cyberattacks that might lead to a leakage of corporate information have continued to be reported.
Recognizing these situations as serious, on January 31, 2020, METI issued a letter of request titled “Alerts to Companies in light of Recent Cases of Cyberattacks and Request for Submitting Reports thereon” (hereinafter referred to as the “Report Request”). Through industrial associations, the letter requested that companies holding sensitive information inspect their own security measures and, if there was any possible leakage of important information caused by cyberattacks, submit a report on it to METI by February 14, 2020. As a result, METI received a little less than 40 reports by the closing date of submission.
Moreover, in FY2019, METI started the Project for Demonstrating Measures for Supporting SMEs in Conducting Post-Accident Measures Involving Cybersecurity (Cybersecurity Support Ranger Project), an initiative, with 1,064 SMEs as participants, for supporting companies in taking initial responses after cyberattacks against them. Through this project, METI has been uncovering the current situation of cyberattacks against SMEs.
The report shows METI’s recognition of characteristics of cyberattacks and specific case examples, which were uncovered through reports submitted by companies in accordance with the Report Request and the results of the demonstration project mentioned above. It also presents directions of future efforts for addressing cyberattacks.
2. Overview
(1) Recent situations involving cybersecurity: Continuous responses to cyberattacks, which are becoming more sophisticated daily, will become key
In response to the issuance of the Report Request, METI eventually received a little less than 40 reports, but no report was submitted on any leakage of important information caused by cyberattacks (except one case under ongoing inspection, which METI found after the closing date of submission).
Meanwhile, the details of the submitted reports and recent cyberattack-related cases revealed that cyberattacks are continuing to become more sophisticated, which shows that it is more and more important for companies to continuously inspect the current state of their cybersecurity measures.
The report presents three characteristics of the recent damage to companies affected by cyberattacks: “increasing sophistication of targeted cyberattacks”; “cyberattacks against the weaknesses in supply chains”; and “continuous occurrence of damage caused by unauthorized logins,” and it provides explanations of these characteristics.
(2) Case examples of cyberattacks to which Cybersecurity Support Rangers responded: Current situations where SMEs are also targeted by cyberattacks are highlighted anew
In the demonstration project, in which 1,064 SMEs participated, alerts were issued in 910 cases in total in eight areas across Japan. Of these, Cybersecurity Support Rangers judged 128 to be potentially serious cases and responded to them. For one of these cases in particular, the damage that the cyberattack could have caused if the company had failed to respond was estimated to be nearly 50 million yen.
The report explains characteristic case examples to which Cybersecurity Support Rangers responded, such as use of old OSs, use of private terminals, use of Wi-Fi services at hotels, and cyberattacks against supply chains.
(3) Activities that companies are required to fulfill for ensuring security of entire supply chains
The responsibilities that companies should fulfill are not limited to securing the continuity of their own businesses. They are diverse and include responsibility for ensuring the security of supply chains and the social responsibility that companies should bear, such as proper management of sensitive information on technologies that companies are required to control appropriately under laws and regulations because of the potentially serious impact of such information on the security environment.
The report presents three actions that companies should take to fulfill these responsibilities: (1) close information sharing between entities sharing the same supply chains; (2) submitting reports to METI in cases where a leakage of sensitive information on technologies is concerned; and (3) announcement (of cyberattack-related cases) if appropriate.
In parallel with this, the report also recommends that Japan should hold discussions on approaches to making SMEs’ efforts for cybersecurity measures visible in order to fortify cybersecurity measures across entire supply chains, including SMEs.
Based on these directions of future efforts, METI will enhance dialogue with industrial players, hold discussions on the details of specific efforts, and strive to translate the results into campaigns for promoting cybersecurity measures under a public-private cooperation framework.