Feature2: Where is information security technology headed?From the Frontlines of Financial Cybersecurity

System Risk Planning Dept., Sumitomo Mitsui Banking Corporation

Koutaro Mochida General Manager, Head, System Risk Planning Office (photo: Front)

Satoru Suzuki Group Leader, Cybersecurity Management Group (photo: Center)

Hiroki Nakayama Acting Manager, Cybersecurity Management Group (photo: Back)

Interview & text by FISCO FINANCIAL REVIEW, Photograph by D.Araki

It is impossible to predict how a cyberattack may be planned and executed. In fact, cyberattacks could be perpetrated at any time, by anyone, using any kind of method. Therefore, cyberattacks are an urgent issue that could have serious repercussions on the management of business enterprises. Notably, cybersecurity is a matter of life or death for financial institutions, which are entrusted with vast amounts of customer assets, personal information and other valuable resources.
What kinds of cybersecurity measures are being taken at the frontlines of a major Japanese megabank? Sumitomo Mitsui Banking Corporation (SMBC) has set up a System Risk Planning Office within the System Risk Planning Dept., and has been continuously developing and strengthening its cybersecurity management framework. We sat down with key SMBC cybersecurity personnel and asked them to share their perspectives on the current cybersecurity situation and related topics.

Cyberattacks Continue to Grow Exponentially

“Mitsui Bank, a predecessor of SMBC, was founded in 1876 as Japan’s first private-sector bank. Ever since, we have strictly managed the cash and other assets entrusted to us by our customers, based on the awareness that these assets must be properly returned when they are needed by customers. Now that over 140 years have passed since our founding, advances in IT mean that cash and deposits have been largely replaced with digital data. Even so, the bank’s DNA has carefully been handed down the generations and remains very much intact today. Even when undertaking current cybersecurity measures, there has been no change in our awareness of the need to strictly manage customer assets.”
Our discussion began with comments from Mr. Koutaro Mochida, who is the General Manager of the System Risk Planning Dept. of SMBC, and also serves as Head of the System Risk Planning Office.

Koutaro Mochida

According to an announcement by the National Institute of Information and Communications Technology (NICT), the number of cyberattack-related communications targeting networks in Japan reached a record-high of about 128.1 billion in 2016, roughly 2.4 times more than in the previous fiscal year. Cyberattacks have been increasing every year, and their methods have become more and more sophisticated and crafty year after year. Moreover, services using the Internet have been continuously increasing in the financial sector. This has only heightened the risk of cyberattacks against financial institutions and their customers.

Financial institutions are highly susceptible to becoming targets of cyberattacks for financial gain. That is all the more reason why financial institutions must put even stronger cybersecurity measures in place.

The private and public sectors have both started to implement cybersecurity measures. For example, in 2015, the Financial Services Agency compiled policies to implement in order to combat the threat of cyberattacks against the financial sector. Ultimately, though, every financial institution must take their own initiatives to protect their customers’ assets, personal information and other resources from cyber criminals.

SMBC Begins Implementing AI-Driven Cybersecurity Measures

Financial institutions have implemented various measures in a process of trial and error to ensure cybersecurity and enhance the resilience of their systems. Notably, SMBC has been attracting significant attention for its cutting-edge cybersecurity initiatives.

In one of these initiatives, SMBC, working together with The Japan Research Institute, Limited, which serves as the system integrator of Sumitomo Mitsui Financial Group (“SMFG”), has applied artificial intelligence (AI) to cybersecurity ahead of other financial institutions.

Specifically, SMBC has applied and introduced IBM Watson (Watson), an IBM-developed AI platform that augments decision-making capabilities, to cybersecurity measures. Watson performs (1) automated analyses of information related to cyberattacks and (2) automated searches of information related to the search content of security surveillance.

Previously, when suspicious communications or behavior was detected by the surveillance system, security technicians would have to investigate every case and then seek optimal cybersecurity measures from vast amounts of security information and take the best course of action. However, Watson will be used to swiftly and accurately gather the most relevant and up-to-date information from vast amounts of information on cyberattack-related methods and trends from around the world. This will enable security technicians to deal with cybersecurity threats far more rapidly and accurately than ever before. They will also be able to conduct cyber defense measures and detect newly confirmed cyberattacks more swiftly than before.

However, the deployment of AI will not necessarily solve everything. According to Mr. Mochida, Japan faces the problem of a shortage of security personnel.

“Financial institutions are a crucial infrastructure, equal in importance to electricity, gas, and communications infrastructure. Positioning cyber risk as a serious management risk, SMBC has been taking various cybersecurity measures. Cyberattacks are becoming increasingly sophisticated and crafty day by day. We must grasp early indications of and information on cyberattacks at the earliest opportunity, analyze them and implement cybersecurity measures. In order to swiftly and accurately analyze the vast amount of threat information we have amassed to date, we will need security experts who have advanced knowledge and technical proficiency. However, in reality, it is generally believed that Japan will face a shortage of about 200,000 information security personnel by 2020. The shortage of security personnel has become a perennial problem afflicting the entire industry. Nurturing cybersecurity personnel has also become an urgent priority.” (Mr. Mochida)

Currently, regardless of how much AI is introduced, human beings must still decide whether the answer generated by AI is truly correct. Therefore, human decision-making will ultimately still be needed. In conjunction with introducing AI, the System Risk Planning Office of SMBC has also been focusing on nurturing cybersecurity personnel in cooperation with NEC Corporation (NEC). It is accelerating measures to put even stronger cybersecurity measures in place.

Cyber-attackers Have a Decisive Advantage in Cyberattacks

Incidentally, what kinds of cyberattacks have been launched against financial institutions? According to Hiroki Nakayama, Acting Manager of the Cybersecurity Management Group of the System Risk Planning Office, cyberattacks can be broadly divided into two different types by the purpose of attack.

“The first type of cyberattack is launched for financial gain and includes unauthorized remittances, phishing scams and other such attacks. The second type of cyberattack seeks to cause social disruption by, for example, attacking the infrastructure of financial institutions and causing it to crash. We don’t have a clear picture of the exact identities of the criminals who are attacking us from the other side of the network, but they are said to be organized like companies.”

Hiroki Nakayama

While the financial institutions that are defending themselves from cyberattacks have valuable assets to protect, such as assets entrusted from customers and their private information, the attackers don’t have anything of that sort. Moreover, financial institutions can obviously be located easily. On the other hand, financial institutions do not know the identities of the cyber criminals who are hiding in the shadows and launching cyberattacks against them from the other side of the network. Financial institutions find themselves in a situation where protecting themselves from cyberattacks is almost like being thrown into darkness and having to defend themselves against an enemy equipped with night-vision goggles, if you will.

Fighting such an enemy may seem like an impossible task. However, what is surprising is that cyber criminals often employ well-known classical methods.

“The most common method of cyberattack is to attach malware (malicious software or code created to trigger an unauthorized or harmful operation) to an e-mail message and send it out. By having bank employees or customers open the attached file, cyber criminals send malware into the user’s PC and use that access as a foothold to invade the network. That method is actually easier than trying to obtain direct access to servers and other resources that are protected by strict cybersecurity measures. For this reason, cyber criminals still use this longstanding method. That said, their tactics have become increasingly crafty and ingenious year by year. Apart from this, financial institutions must be prepared for various other methods of cyberattack. However, we are able to take steps to counter these attacks in advance by obtaining information and knowing the main methods of attack used by cyber criminals. In simple terms, we strive to develop multiple firewalls around our “house” to prevent a thief from breaking in. Even if the first firewall is broken, we could still stop the attack at the second firewall, and if the second firewall is broken, we can still protect ourselves with a third firewall.” (Mr. Nakayama)

However, even if we were to increase our level of cyber defense in this manner, cyber criminals would still try to get through our defenses by increasing the sophistication and craftiness of their methods. Since this type of cat-and-mouse game has continued for some time, we must constantly pay close attention to the latest developments. There is certainly a limit to how much a single company can accomplish in terms of comprehensively and swiftly staying on top of developments surrounding cyberattacks that are committed across national borders.

Initiatives by the Entire Financial Sector to Stand United Against Cyberattacks

“If multiple companies in the same industry were able to share and analyze information, and share their insights with their peers, this would serve as a major force against the threats of cyberattack. For this reason, in recent years, financial institutions have taking active steps to cooperate in the cyber security field. For example, financial institutions have been actively exchanging information with one another,” said Mr. Satoru Suzuki, who is the Leader of the Cybersecurity Management Group of System Risk Planning Office. As he says, although financial institutions are rivals in business, a culture is being fostered in which financial institutions are standing united against “a common invisible enemy” that threatens their cybersecurity.

Satoru Suzuki

The Financial ISAC (Information Sharing and Analysis Center) plays a central role in this effort. The Financial ISAC is an industry forum in which 319 major financial institutions in Japan are enrolled as regular members. The organization actively shares and analyzes cybersecurity related information, with the aim of continuously ensuring the security and peace of mind of users of financial services. In addition, the organization has also built a global cooperation framework through such means as sharing the latest information with the Financial Services Information Sharing and Analysis Center (FS-ISAC), its counterpart in the United States.

If major losses were to be inflicted on SMBC through a cyberattack, this could shake the foundation of absolute trust that its customers have placed in the bank since its founding. These losses could also escalate into a serious problem that has major repercussions for management.

“Fortunately, no serious incidents that could have a major bearing on management have occurred yet. However, in the age of the Internet, there is no telling who could break into our systems, or when or how they could go about doing so. In order to provide our customers with the value of “security and peace of mind,” along with highly convenient financial services, we will work tirelessly to update our information and implement cybersecurity measures on a daily basis.” (Mr. Mochida)

SMBC is determined to continue fighting an unending battle to protect customers’ assets and private information.