Interview

Feature2: Where is information security technology headed?Interview with Terilogy Co., Ltd. The Transformation and Future of Cybersecurity

Terilogy Co., Ltd. Director

Nobuo Miyamura

Steady business growth in cyberspace has led to an inevitable increase in the number of cybercrimes, including the hacking of Coincheck at the beginning of 2018. Against this backdrop, Terilogy Co., Ltd. has been continually providing security solutions in the digital world to various companies and government institutions. In this interview, we discuss current conditions in the cybersecurity field with Director Nobuo Miyamura of Terilogy.

Profile of Nobuo Miyamura
Mr. Miyamura graduated from the University of Southern California in the U.S. with an MBA in 2002. From 2004 to 2007, he served as industry solution manager at Cisco Systems G.K. As part of a project reporting directly to the Cisco Head Office in the U.S., Mr. Miyamura worked to promote the adoption of IP-based factory network systems in the manufacturing sector. In 2007, Mr. Miyamura joined Terilogy Co., Ltd. His duties have included the launch of products developed in-house, overseas market development and Asian business expansion of the HFT algorithim trading and monitoring business for securities exchanges and foreign securities firms.
In June 2008, Mr. Miyamura was appointed as director of Terilogy Co., Ltd.
Since 2016, he has been working to shift Terilogy’s business portfolio from the network infrastructure implementation business to cybersecurity solutions. In addition, he has been involved with the launch and development of the Cyber Threat Intelligence Business.
In 2017, Mr. Miyamura was appointed as Director and Executive Vice President of Terilogy Co., Ltd. Since April 2018, he has served concurrently as President and Representative Director of Terilogyworx Co., Ltd.

Terilogy supplies a diverse array of security solutions. What kinds of specific solutions do you provide?

Terilogy provides a wide range of services, but the company stands out with its strengths in network security services. We have been engaged for quite a long time in the work of protecting networks from attacks from the outside.

You noted that Terilogy has been involved in network security for quite a long time. When specifically did Terilogy begin offering network security services?

We have been offering network security services since around 2000, but this depends on when you consider what we offer to be security services. Looking back at the history of Terilogy, our work was centered on the construction of internal corporate networks for our first 10 years in business following our founding in 1989. Thereafter, NTT WEST and NTT EAST rolled out the FLET’S high-speed optical fiber Internet connection service. At the time, Terilogy custom-built and supplied the FLET’S connection tool at the beginning of 2000. This move shifted Terilogy’s business almost all at once to the telecommunications market. It was in this period, when the main focal point of the telecommunications market switched from landline to mobile networks, that people started to recognize the importance of security. Consequently, Terilogy saw a gradual increase in security business from around 2005. Today, the percentage of Terilogy’s business involving security in some shape or form has reached approximately 70%.

Initially, what people referred to as “security” was very simple. In those early years, people like script kiddy with specialized knowledge were working in the security field largely to satisfy their curiosity, and most security threats could be thwarted with relatively simple firewalls. However, the situation vis-à-vis the people on the attacking side has changed dramatically in the past few years or so.

How did the situation change?

In the past, I believe that people on the attacking side were usually individuals with some technical expertise who launched cyberattacks partly to stand out from the crowd and draw attention to themselves. At present, cybersecurity has evolved into a business, even from the attacking side’s perspective. Before, cyberattackers would develop tools and learn various methods of attack on their own. They would then choose their targets as they saw fit and launch cyberattacks. However, today, the division of labor has progressed tremendously.

Let me illustrate what I mean by the division of labor with an example. In the past, cyberattackers who created malware had to create the malware on their own and use it themselves. Today, they can sell the malware they create on the dark web, so all they need to do is focus on creating the malware.

Generally speaking, there are three fundamental elements that cyberattackers must consider when actually planning a cyberattack. The first element is the motivation of the attacker, or the intention to execute an attack. The second element is whether or not the target of the attack has a vulnerability. The third element is whether or not there is an effective tool to exploit the vulnerability. When all three of these elements are in place, the groundwork has been laid for executing a cyberattack.

In the past, one person would have to consider and deal with all three of these elements. At present, there are numerous people, including criminals, who want to commit cyberattacks. With regard to vulnerability, there are specialists who focus only on scanning for vulnerabilities. In other words, these specialists scan a large number of networks and systems 24 hours a day, 365 days a year, rather than creating malware individually. They compile the information they gather into packages and sell the packages to others.

Next, there are people who constantly study those vulnerabilities and develop effective tools to exploit them. These specialists do nothing but create tools that have a malicious intent. Moreover, an infrastructure has been developed to allow people in these three categories to exchange information.

People are able to specialize only in the fields they are good at, without the need for any one person to cover all three categories. As a result, technologies have become extremely specialized and sophisticated. Moreover, the emergence of cryptocurrencies such as Bitcoin have made it easy to settle transactions. Previously, people needed to use banking services to transfer funds, so transactions could be tracked via those services. However, since cryptocurrencies can be used to easily remit funds anonymously, it has become very easy to settle transactions.

Has this ability to settle transactions anonymously led the Financial Services Agency to step up its focus on measures to counter terrorist funding and money laundering?

I believe so. When looking at security incidents (i.e., events that threaten business management and information security), the discussion tends to get bogged down in technologies. However, we must keep in mind that security incidents cannot happen in the first place without the presence of the individual launching the attack. When we focus on the mentality of the attacker, the purpose of the attack often comes down to a financial motive—the attacker simply wants to make money. Going further, there are generally believed to be three patterns of attack. The first pattern involves the “hactivist.” This pattern is led by groups such as Anonymous. These individuals hold strong political beliefs. They seek to make these beliefs widely known and attract like-minded colleagues. Fresh in memory is a recent campaign in February to attack a Japanese electric power company. Terilogy detects these activities and reports them to clients. This type of activity is the first pattern.

The second pattern involves crime syndicates. In the case of these perpetrators, the most frequent type of attack is fraud via cyberspace. The purpose of the fraud is financial gain.

The third pattern involves national governments. Countries (such as North Korea) that have hostile relations with Japan and Western countries may launch sophisticated attacks to steal defense technologies. There are also incidents of cyberterrorism at this level. Considering the crime syndicates and criminals engaged in these three patterns of attack, we can say that out of the many different types of crime, cybercrimes present a relatively low degree of risk to the perpetrators. This is because conventional crimes fall under the purview of law enforcement agencies that possess police powers and the power of arrest in jurisdictions where the crime is commited.

In the case of cyberspace, a person need not be physically present in Japan to execute a cyberattack against the country. Even if a person were to hack into the computer systems of Japanese users from overseas and steal their information or commit fraud, the person is not physically present in Japan, so the Japanese police would not have the power of arrest over that person.

Does this mean that the convenience of being able to easily connect to overseas countries via the Internet could have negative consequences?

Cyberattackers, particularly criminals, can commit crimes with a single mouse click without having to meet anyone. If the crime were to involve drugs, a physical handover would be absolutely necessary, so criminals would run the risk of getting caught during the handover. In contrast, digital crimes present very little risk of getting caught in person, and if the perpetrator is overseas, the Japanese police cannot make an arrest. Naturally, criminals are also aware of this fact.

Due to these and other factors, there is a general belief that crimes in cyberspace have a high pay-off relative to the risk, resulting in a steady influx of people into this area. The other factor is the existence of the dark web. The dark web is a cyberspace that can only be accessed using special tools, and does not permit indexing (information logging and registration) via Google and other web search engines. The dark web is crowded with many different markets resembling a dark online shopping site, made possible by the features of anonymity, encryption, and settlement via cryptocurrencies. In these places, virtually anything can be bought or sold. For example, a person could easily sell personal information that has been obtained illicitly.

If such a platform did not exist, a person who obtains personal information would need to look for a counterpart to sell the information to in the real world. If there is a market where such information can be easily bought or sold, some people will start working very hard to gather information such as credit card data. In the supply component of supply chains, there are people who specialize in gathering information and an infrastructure has been put in place to monetize the information.

Moreover, this infrastructure has spread globally, making it very easy for criminals to carry out their activities. Additionally, since the tools and other resources are available from the start, attacks that could previously only be successfully executed by highly skilled people can now be easily carried out by ordinary people—all they need to do is to purchase cutting-edge cyberattack tools for several hundred dollars worth of cryptocurrencies. Alternatively, they can even “rent” a hacker by hiring someone to execute the attack on their behalf. From the perspective of cyber-attackers, an infrastructure has been put in place to launch cyberattacks.

On the cyberdefense front, the number of personnel involved in corporate information systems and related areas has hardly increased. In the case of Japan, the country’s aging society with a low birthrate has also played a part in this trend. Many Japanese companies, with perhaps the exception of IT companies, would hesitate to assign new university graduates they have worked so hard to recruit to their back-office IT departments--this is a real issue. The number of corporate IT personnel and their skills have not increased, even as the methods and number of cyberattacks have and will continue to rapidly increase. This has created an imbalance that tips the scales in favor of the cyberattackers.

Another major problem is the Tokyo Olympics scheduled for 2020. It is a well-known fact that the Olympics usually coincides with an exponential increase in the number of cyberattacks. This was actually the case at the time of the London and Rio Olympics, as well as the recent Winter Olympics in Pyeongchang. In Japan, an increase in a wide range of attacks against the country is anticipated in the run-up to the 2020 Tokyo Olympics. Measures to counter these attacks are needed. Heightened geopolitical risks are also a factor. This refers specifically to the risks presented by the aforementioned nations with hostile relations with Japan and Western countries. Moreover, another noteworthy development is the introduction of 5G technology. There are some expectations that the introduction of 5G will be accelerated ahead of schedule. 5G is expected to drive the full-scale rise of Internet of Things (IoT) technology. If this happens, a wider range of devices will be connected to the Internet than ever before. That is expected to present another set of new risks.

Cyberattack technologies have advanced and cryptocurrency infrastructure has been put in place. Coupled with the fact that the awareness and technical skills of personnel responsible for cyberdefenses have not really improved, the cyberattackers currently have an overwhelming advantage. That is why more and more companies are thinking about beefing up their investments in security. Industries designated as critical infrastructure will surely accelerate measures to strengthen security, partly at the behest of the government. That said, overall measures to address security still have a long way to go.

I’m assuming critical infrastructure refers to electric power, transportation and other such industries. Do you feel that there are any differences in the level of enthusiasm between the government and individual companies toward measures to ensure security in these sorts of industries?

Views vary across different industries and companies. Terilogy serves some client companies in the electric power industry. However, even within the electric power industry, we have the impression that sensitivities vary considerably depending on the region. That said, given that electric power is a critical social infrastructure, if a cyberattack of some kind were to impact the supply of electric power, then we can predict that such an effect could threaten human life. I believe that the electric power industry is giving serious thought to those kinds of risks.

Caution is also warranted at companies that have large plants. Cyberattacks could occur for the purposes of financial gain or terrorism. Cyberattacks launched for purposes of terrorism present a high degree of risk for companies that have plants operated by control systems. A cyberattack against the control systems of a plant in operation could lead to a life-threatening accident. There are very few examples of such attacks in Japan. Overseas, there was an example of such an attack in the electric power sector in Ukraine. Partly at the behest of the government, people in these fields have started to give serious consideration to these aspects of cybersecurity.

One problem is that there is a general awareness that cybersecurity is basically part of the IT field and is something that IT personnel must deal with. The personnel involved with plants have been involved for a very long time in operation technology (OT), or production management. Although these personnel must implement cybersecurity measures, they do not necessarily have a strong awareness of cybersecurity. They have always managed all plant operations in an isolated environment that assumes no disruptive external factors. Therefore, I think that measures should be taken to bridge the gap in enthusiasm between IT and OT personnel going forward.

Cybersecurity conditions

The first crucial step in considering cybersecurity is to grasp the situation and the environment. Looking at the situation surrounding Japan, the country will face external factors such as hosting the Tokyo Olympics in 2020, the start of 5G, geopolitical tensions, and further widespread adoption of IoT.

Overseas, the number of cyberattackers has been increasing, an infrastructure to support cyberattackers has been put in place, and the value chain to monetize cyberattacks has been completed. Based on these factors, Japan must consider its next responses to cyberattacks.

Am I correct in understanding that the dark web and cryptocurrencies have played a huge part in the increase in cyberattacks?

There is no doubt about it. I would say that the dark web and cryptocurrencies have drastically reduced the costs of cyberattacks. Previously, individuals needed to develop a tool, search for a target, execute an attack, steal something and then sell it on their own. That is very difficult. In fact, it would be virtually impossible. Only a large crime syndicate could manage to pull off all of those tasks. However, what is frightening is that today, even individuals can accomplish these things.

Last year, the Nikkei newspaper reported that a Russian hacker had developed a phishing tool targeting Japanese financial institutions and was selling it for around 20 dollars. Research showed that the hacker was only 22 or 23 years old and didn’t have very much experience. A person with just a little bit of knowledge about computers had actually developed a tool targeting Japanese financial institutions and was selling it on the dark web. I found this reality to be very alarming.

In the U.S., there have been many shooting incidents. I believe that these shootings occur because it is very easy for people to buy a gun. In Japan, people cannot buy a gun anywhere, so there are very few shooting incidents. The circumstances are the same in cyberspace. Anyone can access the dark web by using a tool called Tor. When you enter the dark web, you will find malware, malware tutorials and lists of targets for sale. These items are not expensive at all. They can be purchased for several hundred dollars. At this price, it is not surprising to see that people would want to try it.

In other words, the support infrastructure for cyberattackers has been developed at a tremendous pace. I believe that this is one of the root causes of the various cyber incidents we see today.

Finally, there are cyberattacks at the national government level. An overt cyberattack against an adversary would run the risk of escalating into a full-blown war. For this reason, nations such as the United States, North Korea, China, Russian and Iran have devoted significant funds and personnel to developing covert methods of stealing their adversaries’ information in cyberspace or disrupting their adversaries’ operations through cyberattacks. These professionals who have been trained at the national government levels have continued to hone their technical knowledge and skills in cybersecurity, and the tools and methods they have developed ultimately find their way to the dark web and black market. In essence, this is similar to how highly lethal rifles and missles found their way into the black market after the collapse of the Soviet Union, leading to incidents. Although the nuance is slightly different, I believe that this example and cyberattacks are alike in that the tools for attacking an adversary that are developed at the national government level are eventually used to attack the private sector.

If we assume that the dark web is comprised of the negative side of encryption technologies, I think that it will not go away anytime soon. Will the dark web remain the primary source of cybersecurity threats going forward?

Considering that encryption technologies are ceaselessly evolving, I believe an environment will emerge that dwarfs the capabilities the dark web. Today, large numbers of people are using the dark web. In a few years time, we may see the creation of a robust network that offers even higher anonymity and is virtually impossible to trace.

You noted that there has been a rapid increase in the knowledge and skill levels of attackers. In the past five years, have there been any notable changes in, for example, how security systems are implemented and operated?

In our view—and this reflects our own beliefs as a company—one major trend has been that customers have gradually started to realize that they must not take a reactive approach to security. A “reactive approach” means pre-arranging cybersecurity products capable of fending off every kind of cyberattack, and dealing with any intruders if and when they are detected. Rather than adopting such a reactive approach, customers are starting to shift to a proactive approach where they properly check to see if there are any vulnerabilities in their systems that would expose them to attackers and then remove any vulnerabilities that are identified.

I mentioned earlier that the three fundamental elements of a cyberattack are the intentions of the attacker, the vulnerabilities of systems, and the tools for attacks. Of these three elements, we have no control over the intentions of attackers, nor do we control the tools for attacks as we do not necessarily create them ourselves. However, we do have control over the vulnerabilities of our systems. Therefore, our first step should be to look at and remove those vulnerabilities.

Looking at things from the perspective of an attacker, there will naturally be differences between targets that are easy and those that are difficult to attack. An attacker might hold a grudge against an electric power company and have a strong desire to attack only that specific company, but there may be very few vulnerabilities. However, if an attacker’s purpose is financial gain, the attacker will find it far easier to go after vulnerable targets that are riddled with security holes.

So cyberattackers are just like burglars who target homes that are not locked properly?

The mentality is identical. It just goes to show that everyone knows that systems will be targeted if they have a lot of security holes. Our customers now have a fairly heightened awareness of the importance of reducing security holes. In terms of changes in customer awareness, although the phase of deploying technologies as security measures is bound to continue indefinitely, I believe this phase has run its course to a certain extent. While the technologies will certainly need to be updated regularly and so on, I think that the security services that have the strongest growth potential are services that check and clearly identify system vulnerabilities and remove them in advance, along with services that gather and provide cyber threat intelligence.

Vulnerability checks are usually restricted to checking a company’s own systems. However, it has become important to conduct research and analysis in advance into broader questions such as what kinds of attackers are out there, what kinds of attacks are they carrying out and whether they could be targeting your company.

Major companies, government institutions and business enterprises involved in the 13 critical social infrastructure sectors identified by the Japanese government are gradually starting to focus on priorities such as assessing what kinds of tools of attack are available, and confirming whether or not those tools could threaten their infrastructure and systems.

The infrastructure necessary to provide fortress-like protection has already been put in place. Going forward, I think we will shift to a phase where we carry out the process of regularly checking for any security holes in our security infrastructure. Even when we know that the infrastructure has been properly designed, we will search for information about attackers through the use of intelligence and using what we learn to devise and execute better cybersecurity strategies.

Does this mean that people’s awareness of security has been shifting beyond building firewalls to systems maintenance and knowing the enemy?

Yes, I think you’re right. Terilogy has adopted a strategy of supplying products and services that fit those needs.

In the course of providing cybersecurity, one key question is whether to tolerate connections from the outside or isolate systems. How do you think the approaches of tolerance and isolation will evolve in the future?

In the cybersecurity field, we refer to the isolation of a system from a network as an “air gap.” The term “air gap” reflects the fact that nothing but “air” surrounds the system. One approach is to select an “air gap” as a measure to prioritize security. I believe that the future course of this approach will be determined by the competitive landscape faced by each business enterprise. Each company must compete fiercely to fulfill customer needs in society. If customers seek even higher levels of convenience, demand will likely increase for new services harnessing technologies such as IoT. If this happens, we will undoubtedly find ourselves living in a world where everything is connected to networks, whether we like it or not.

For example, in the automobile industry, Tesla, Inc. is an emerging force that is very eager to harness IT and spur integration with networks. Tesla has been developing a variety of innovative, highly convenient services premised on the use of network-enabled infrastructure. If these services are embraced by consumers, then other companies are bound to follow suit. I’m sure that each company has its own ideas, but I believe that ultimately, the direction will be set by leading companies in each industry, or the emerging forces that are able to clear away the existing players. In other words, the key question of whether to tolerate connections from the outside or isolate systems will not be determined by security technology considerations, but by trends in society. As far as the current situation is concerned, it will be next to impossible to choose isolation.

Let me also say a few words about the security of “air gaps.” Even if a system is physically isolated from networks, information could be easily leaked by insiders. Unfortunately, society has no shortage of people who are disgruntled with their employers, so we cannot say with complete confidence that systems are secure just because they are physically isolated. I think that one of the the real issues is human in nature; it is not enough to discuss security only in terms of the technical aspects. The attackers and the defenders are both people. Therefore, I believe insights into human behavior will play a crucial part in future security measures.

What kinds of impacts will AI start to have on security measures?

In the security industry, it has been said consistently for the past few years that cyber threat intelligence and AI will gain importance as the key themes for future. AI is expected to have various impacts on the security industry. In practice, I believe that the most realistic option is to use AI as a tool to support human decision-making. The notion that AI will eventually be able to perform all tasks is probably unrealistic. Every day, we already obtain far more information than the human brain is capabile of processing. It is impossible for people to monitor all the information. However, I think there is value in having human beings serve as the ultimate judge of matters. Therefore, it is important to narrow down the volume of information in advance so that people can make correct judgments. Let’s suppose we have 1,000 pieces of information. If we assume that there are various correlations with that information, we may need to look at 1,000 x 1,000 pieces of information. That would be impossible for a human being to process. We should leave these tasks up to AI. Human beings should look at and deal with information that AI has filtered after it has gone through a certain learning process. If we can make this happen, I think it would be an ideal way of using AI at this time.

I believe that AI will have a tremendous impact on security technologies. However, we must bear in mind that the attackers are also likely to use AI. In the end, both sides will be fighting each other with the same weapon, so the battle will carry on indefinitely. Ultimately, the people using the technology will be crucial, along with the training they receive.

Recently, more and more former military, law enforcement and intelligence agency personnel have been serving as internal cybersecurity managers at U.S. companies, particularly large corporations and financial institutions. Last year, Terilogy invited an expert who had previously been engaged in cyber intelligence activities as a former member of the British Armed Forces and had subsequently helped to ensure cybersecurity at the London Olympics at private-sector companies such as BT Group plc. The purpose of inviting this expert was to provide training on the use of cyber intelligence, an area of focus for Terilogy, to personnel at private-sector companies and law enforcement agencies. More than 40 people participated in the training session from law enforcement agencies alone. There were more than 120 participants in total from private-sector companies, primarily personnel from the electric power industry and other social infrastructure sectors, major financial institutions, broadcasting-related sectors, and Olympics-related fields. This event demonstrated the importance of human resources development in the cybersecurity field.

As I said earlier, while technology will be an important part of cybersecurity in the future, I believe that strengthening the human component will ultimately be the crucial factor. Japan is the only developed country without an intelligence agency and the number of intelligence experts in Japan falls completely short of the numbers needed at law enforcement agencies and in the defense sector. It will become increasingly vital for Japanese companies and government institutions to incorporate cutting-edge expertise from foreign countries and to introduce not only technologies but also a wide range of expertise on human systems.

In the field of security, there is a need for services that go beyond the mere supply of technologies. Customers need services that will gather cyber threat intelligence and check for vulnerabilities, as well as provide expertise on how to organize and make use of this intelligence. At present, there are still only a handful of companies in Japan that are able to provide these types of services. Our mission is to provide those services. We believe that these services are opening up new business opportunities.

You have identified technologies, intelligence and human resources as the factors needed to ensure security. Do you think that we will need action at the national government level to develop human resources?

Terilogy provides training of human resources, but the absolute number of cybersecurity professionals is low. Therefore, I think that human resources will present the greatest challenge for the country as a whole.

How far does Japan’s cybersecurity lag behind overseas countries?

It turns out that the countries with the most advanced cybersecurity capabilities are the countries that have been attacked the most. As you might expect, the U.S. has unparalleled strengths in cybersecurity. Israel has extremely advanced cybersecurity technologies. The U.K. stands out in terms of its intelligence capabilities. Russia and China, as well as North Korea, have a fairly advanced level of cybersecurity capabilities. I don’t want to say this too loudly, but I have the impression that Russia, China and North Korea have greater strengths in the dark aspects of cyberspace. Compared with these countries, Japan is far behind the pack, lagging behind the leading countries by 3 to 5 years.

Technology can be purchased. I think that Japan could purchase the technologies used in the U.S. immediately if it were willing to pay for them, and expensive consulting firms could be retained to introduce processes. However, the human resources problem cannot be solved with money. Rather than describe Japan as lagging behind other countries by several years in terms of human resources, it might be more accurate to say that Japan and the Japanese people have never really had these sorts of cybersecurity functions in the first place. That is precisely why human resources involved in cybersecurity will become a crucial theme moving forward.