With only three years left before the Tokyo Summer Olympic Games in 2020, Japan is facing a shortfall of cybersecurity manpower. According to the Ministry of Economy, Trade and Industry (METI), the current shortfall of IT professionals relative to available opportunities is 132,060, and it will increase further to 193,010 in 2020. About half of end-user companies believe they are deficient in IT security employees, and only 26 percent think they have enough talent in these roles.
The Japanese government plans to issue a new national cybersecurity strategy for human resources development, the Program to Develop Cybersecurity Human Resources, in 2017. The draft released in March 2017 emphasizes that cybersecurity is not a cost center but an opportunity to invest in creating new business value and increasing companies’ international competitiveness. Reflecting the Cybersecurity Guidelines for Business Leadership of December 2015, the draft encourages business executives to take cybersecurity measures as part of their social responsibility and to raise cybersecurity awareness. This is crucial now, because the government learned that 34 percent of Japanese business executives do not consider cybersecurity part of their business challenges.
In Japan, end-user companies tend to believe IT is a tool to increase efficiency and cut costs (not something to invest in), and outsource IT-related work to vendors and system integrators. Only 24.8 percent of IT engineers work in-house in Japan, compared to 71.5 percent in the United States.
The current business environment, however, demands that end-user companies find a balance between outsourcing and insourcing IT or cybersecurity-related work. Business operations rely heavily on computers, hardware, software, cloud computing, cell phones, tablets and SaaS, and increasingly adopt general-purpose technologies for cost savings and efficiency. Each technology requires specific security expertise. Moreover, business risk management, critical infrastructure operations, finance, legal, human resources and even national security touch upon cybersecurity. Business executives must take the lead in crafting a business strategy to deal with a wide variety of risks – including cyber risks – and take advantage of innovative technologies for security and convenience.
METI and the Japanese Ministry of Internal Affairs and Communications (MIC) are tackling the aforementioned challenges to cultivate cybersecurity-driven C-level executives and next-generation professionals for end-user companies and critical infrastructure companies. Both ministries are launching separate cybersecurity training centers in 2017. While MIC focuses on IT research and development, METI covers both the operational and information technology sides of critical infrastructure protection, including industrial control system/supervisory control and data acquisition (ICS/SCADA).
As cyber risks against ICS/SCADA are growing, METI established the Industrial Cybersecurity Center of Excellence (COE) under the Information-Technology Promotion Agency (IPA) in April 2017. COE's mission has three pillars: the development of human resources; the evaluation of the security and reliability of ICS/SCADA; and the research and analysis of cyberthreat intelligence.
COE will serve a total of up to 100 students per year, and provide two courses: one for mid-career people and one for C-level executives. Both courses will be a golden opportunity for professionals from different sectors to get connected, create a trusted community, and help each other later.
While the course for C-suites will consist of several classes over a short term, the course for mid-career people will run from July to June. It will aim to cultivate professionals who are able to propose cybersecurity strategy drafts and brief business executives about cyber risks, using business management and financial terms; who understand the current cyberthreat landscape and the best practices used overseas and in other sectors against such cyberattacks, and can use the information to craft cybersecurity tactics and strategy; and who can evaluate the safety and reliability of cybersecurity solutions, technologies, and costs to employ and deploy the best one. The course starts at Primary level (July to September), and moves on to Basic (October to January), Advanced (February to April), and Graduation Project (May to June), though more advanced students do not need to participate in Primary classes. It covers IT/OT basics, such as corporate governance, business continuity, forensics, ICS/SCADA risks and cyber exercises; business management and ethics, such as leadership, accounting/finance, presentation skills, budgeting and relevant legislation; and global case studies.
COE began accepting applications for the mid-career course in late February, after more than 30 companies from the automobile, utility, railway and real estate industries had expressed interest in enrolling their employees.
IPA already runs the Cyber Rescue and Advice Team against targeted attack of Japan (J-CRAT) and supports a cyberthreat information-sharing framework, the Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP), to protect critical infrastructure companies. IPA also started monitoring the next-generation Government Security Operation Coordination Team for the central government and nine government-affiliated agencies in April 2017. The COE project for cyberthreat intelligence will be an additional means for IPA to bring in the intelligence and expertise of white hat hackers to eventually help with human resources development and the system evaluation project.
MIC released the IoT Cybersecurity Action Program 2017 in January 2017 to enhance IoT security and prepare for Tokyo 2020. One of the main pillars of the program is to accelerate the national effort to cultivate a cybersecurity workforce by hosting cyber exercises and establishing a training center. The National Cyber Training Center was created under the National Institute of Information and Communications Technology (NICT) in Tokyo this April. NICT was chosen for its assets: NICTER (Network Incident analysis Center for Tactical Emergency Response), which watches cyberattacks and visualizes them; and the cloud-based StarBED platform for cyber exercises.
The National Cyber Training Center offers the SecHack365 program to train 40 students under 25 years old each year; implements 100 Cyber Defense Exercise with Recurrence (CYDER) exercises for 3,000 central and local municipal government officials and critical infrastructure personnel all over Japan; and hosts the Cyber Colosseo exercises for the Tokyo Organising Committee of the Olympic and Paralympic Games. In April, the center accepted 359 applications from young industry people and college and university students, including teenagers. SecHack365 students can take classes remotely to develop computer programs and participate in cyber exercises and hackathons. Competent students will be sent overseas for additional education. The center also aims to build a community for next-generation engineers to lead IT-driven innovation in Japan and develop computer programs to resolve unsolved challenges, rather than relying only on existing technologies.
CYDER used to target only Tokyo. In Japanese Fiscal Year 2015 (April 2015 to March 2016), 200 people from the central government and critical infrastructure participated in CYDER. In JFY 2016, however, CYDER was also provided in eleven places outside Tokyo, and 1,500 people attended. CYDER expanded to cover local municipal governments because they hold residents’ My Number information (a new personal identification system for Social Security and taxation information), and stronger cybersecurity is required as cyberattacks and breaches are growing.
Cyber Colosseo exercises allow Tokyo 2020 cybersecurity personnel to simulate potential cyberattacks on Tokyo 2020 and review and enhance defensive capabilities with Blue and Red Teams. The exercises are expected to help team-building between security personnel and relevant organizations.
These METI- and MIC-led initiatives will allow IT and OT personnel to learn from each other, equip mid-career professionals with a business operations mindset to bridge the gap between technical engineers and business executives, make C-level executives more mindful of the current cyberthreat landscape and cybersecurity, and cultivate next-generation R&D engineers. They will also form tight bonds between professionals from different sectors and cultures. Of course, it will take at least one year for students to bring back what they learn to their organizations and make reforms for better IT/OT balance. Still, this is a positive step forward for Japan and the world’s cybersecurity. Unfortunately, almost all information about these projects is only available in Japanese, but this is definitely worthy of a global audience.
[Palo Alto Networks Research Center]