2022/04/26

Risk of Cyberattacks Growing; A Whole-of-Society Approach is Needed to Enhance the Level of Cybersecurity

(The original article in Japanese was posted on March 25, 2022)

 

On March 22, the Critical Infrastructure Expert Panel of Japan’s Cybersecurity Strategic Headquarters of the National center of Incident readiness and Strategy for Cybersecurity (NISC) held its 28th meeting to discuss the draft of the action plan, "The Cybersecurity Policy for Critical Infrastructure Protection." The action plan, which is the first general revision in five years, is intended to ask private companies to take highly organized security measures from an economic security perspective.

It is still fresh in memory that the operation of the largest fuel pipeline in the United States was disrupted by a cyberattack in May 2021. In Japan, an attack on Kojima Industries Corporation, a parts supplier to Toyota Motor Corporation, halted all 28 lines at Toyota’s 14 domestic plants on March 1 this year.

In response to the cyberattack, the NISC immediately issued a security alert under the joint name of six government agencies, including the Ministry of Economy, Trade and Industry, the Financial Services Agency, and the National Police Agency. It was designed to alert companies and organizations and urge them to "implement appropriate security measures based on the overview of the entire supply chain by taking into account small and medium-sized enterprises (SMEs) and business partners so that they can control the possible risks by themselves." In short, it points to the significant ripple effect of a cyberattack that hit a single segment of the supply chain rather than Toyota itself.

Because the entire supply network is closely interconnected through IT (information technology), risks arise everywhere. If a single vulnerability is neglected, the entire supply network is exposed to cyberattack. Nevertheless, in reality, major manufacturers do not always have a full view of their supply networks, which extend to all the peripheral subcontractors affiliated with their client companies. In addition, small businesses positioned at the end of the supply networks are likely to have weak IT literacy and, fundamentally, do not have enough financial resources to take independent security measures.

In light of the overall risk to the supply network, it would be effective to integrate the entire supply network into the security system of the major manufacturer that serves as its hub. However, this risks reducing the flexibility of the supply network as a whole, as it would create a substantial barrier to new entrants seeking to do business with major manufacturers. It may also raise concern about strengthening the dominant position of leading parent companies in their relationships with small and medium-sized subcontractors.

The reality is that we can hardly stop the endless cyberattacks. Critical infrastructure and government agencies are obviously prime targets. In fact, cyber attackers have broadened their scope of targets to include multiple business sectors such as the automotive, semiconductor, defense-related, and foodstuff industries, and even the animation industry. Overseas subsidiaries and their business partners are also subject to cyberattacks. The attackers, for their part, are diverse, including simple sensation-seeking individuals, organized crime groups, and even state-sponsored criminal organizations. In contemporary society, as long as we take advantage of globally interconnected computer networks, the risk of being threatened by cyberattacks is unavoidable. We, as a whole society, should bear in mind the sharing of costs for cybersecurity, including support for SMEs in terms of both hardware and software security.

 

This Week’s Focus, March 25

Takashi Mizukoshi, the President