UN-BUILDING TRUST

Back to Contents of Issue: February 2000


The World's Safest Nation Takes Its Sense of Security Offline

by Amy Webb

Japan is probably the safest place on the planet. Only 0.07 percent of all crime reported in 1997 involved bodily injury, a mere 16,986 cases among 110 million citizens, according to a survey by the National Police Agency (NPA). Even fewer cases -- 12,133 -- involved criminal trespass. Businessmen leave their imported Armani leather uppers in hotel foyers without a second thought. Women stand alone on subway platforms at night free of unnerving thoughts. Parents even send their children off to school without warning them not to take candy from strangers.

But what about cyber cookies? While the NPA reports that the street-crime rate is among the world's lowest, Japan has seen a marked increase in high-tech crime involving the abuse of Internet technology since 1995. Many IT professionals aver that the bulk of this cyber treachery results in e-commerce scams and data leakage -- affecting the 26 percent of Japanese households in Japan owning three or more Internet-ready devices (International Data Corp.).

Ask anyone on the street in Tokyo whether he's afraid to walk down a dark alley at night. More often than not, he'll smile and shake his head, "Of course not!" Then ask the same man about high-tech crime -- you'll get a confounded expression and the inevitable, "I'm just a salaryman -- why would I worry about that?" In Japan, it is generally accepted that throughout the country, trends remain constant because foreign penetration is still low and aversion to crime remains steadfast. But as more and more people gain access to digital technology, the nation's relatively uniform "Japanese" society will morph into a global network -- including millions of people of countless nationalities who all have very different experiences with crime.

For many years, the threat of cyber-treachery remained a nonissue, as the Japanese media kept specifics hush-hush to avoid public unrest. But burgeoning rumors of wireless-data-transfer security holes and local ISP vulnerability have begun to perk ears. Osamu Yamano, president and CEO of RSA Japan and security bermensch, says that compared to last year, "security is hot and is expanding rapidly in Japan. Recently, some attitudes have changed, and security awareness has definitely increased." IT nonchalance since the late 1980s allowed for the hacker community to gain entry into systems and data, but it appears as though the public may at long last be ready to strike back.

While not as widely publicized as incidents in the West, Japan has experienced abundant cybertreachery. In 1997, police began investigations into a major breach at NTT, Japan's major telecom carrier. NPA officials later found that NTT's Information and Communication Systems Laboratories had been illegally accessed, and sensitive data compromised. In the same year, the NPA discovered the hacker community had found its way into an Oita Prefecture ISP, releasing gigabytes of sensitive information and setting several governmental entities at risk.

In the private sector, individual Internet users encounter data leakages and virus attacks regularly in Japan. In one instance, rumors of the BubbleBoy virus began to surface in early December 1999 as Microsoft Japan frantically offered software patches to help combat the problem. Yamano says unsuspecting Japanese consumers are often the targets of online fraud, citing several cases of credit card racketeering and product misrepresentation.

But the big news is NTT DoCoMo's i-mode service, which debuted in February 1999. Touted by IT professionals as Japan's first proprietary mobile phone with full digital capability, NTT estimates that it will likely have 10 million i-mode users -- lured by the capabilities to shop, pay bills, send email, trade stocks, and make phone calls -- within the next three years. Not surprisingly, rumors of security holes began circulating as early as May 1999, according to research analysts at Nikkei.

As of December 1999, 163 million virtual strangers were wired internationally, and 27 million individual purchases had been made on the Web to the tune of about $226 billion, according to Forrester Research. Knowing the risks involved in interacting with hundreds of strangers, Westerners presuppose that the world's second-largest group of online users approaches Net transacting with the requisite amount of "common sense." Japan, though, is a country that's had very little experience with online crime.

Internet-related offenses rose 58 percent in Japan from 1997 to 1998, from 262 reported cases to 415, according to a study by the National Police Agency, which fears the trend will continue. "Most Japanese companies have experienced leakage," says Yamano. "And individuals in Japan are still not aware of security problems."

According to the Japan Computer Emergency Response Team Coordination Center, some of the more prevalent business-related damage is caused by "port scanning." Port-scan attacks are dangerous because they search a server for security vulnerability without actually intruding. The attacks come later. In June 1998, the Japanese hacker community made available a download par excellence with instructions on how to run a port scan on any Japanese domain (.jp). This immediately put millions of Internet users at risk, according to Yamano, but the real damage surfaced later when businesses noticed that their files had been searched and used against them.

With e-commerce in Japan still in its nascent stage, corporations have only recently begun to address security problems. "Most firms here have not adequately prepared to protect themselves against hackers," explains Yamano. A 1999 survey by research firm Network Wizards revealed 1.68 million hosts with the domain .jp -- a 44 percent rise from the previous year. Yet only 1.9 percent of the Japanese firms questioned in a recent Nikkei Communications survey said they felt fully armed against illegal access to servers. And those firms that do have the right technology often don't know what to do with it. "It's not enough anymore to just install a firewall," says Yamano. "You have to know what to do with it. You have to keep updating, monitoring, and protecting."

In the past, Japanese businesses eschewed firewalls, antivirus upgrading, and consulting due to budgetary restraints. "Businesspeople often lack the resources to mesh technology and their business needs," says Richard Keirstead of SAIC Global Integrity, a California-based firm that provides IT security engineering and consulting services to companies around the world. Of the 2,000 Japanese firms surveyed by Nikkei, a staggering 71 percent replied that they allocate less than 10 percent of their total IT budget funds to security. Most Japanese companies budget more for bad coffee than for network security.

"E-business equals e-security," says Yamano. But to many Japanese, e-security still equals confusion. Most Japanese businesses are conducting what their Western counterparts would call very scary e-commerce. E-commerce often happens in a nonsecure environment, as many businesses conduct it via email. "The Simple Mail Transfer Protocol (SMTP) is used extensively in email and is notoriously full of security holes," says Keirstead. "A clever person can use it to crack servers and networks with remarkable ease."

As e-commerce continues to grow in Japan, so does the community it serves. Japan only recently began using computers en masse. In 1999, the number of plugged-in Japanese topped 14 million, according to a study by research firm Access Media International. That represents a 58 percent increase over the last quarter of 1998. Analysts estimate that the total number of Japanese Net users will have surpassed 20 million by the millenium.

Some suggest the Japanese lack the healthy paranoia needed to surf safely. "The Japanese are nave," says Yamano. "They're not reluctant to send personal information or high-security information over the Net." Keirstead says that most Japanese choose simple passwords and usernames, and enter real street addresses and phone numbers when prompted, without ever questioning who might be on the other end. And while many commercial sites have a disclaimer at the bottom of the screen prompting users to "click here" if they don't want their name, account information, and vital statistics sold to the highest bidder, few Net surfers in Japan ever think to look there.

As Internet capability spreads throughout the countryside and i-mode sales increase, the convenience factor of digital communication is enticing users to click before thinking. "We use email as a common method of distributing information," says Mark Goldberg, VP of business development at Entegrity Solutions, an American network security firm. "We move everything with email. We treat it like the phone -- and that's the problem. It isn't the phone. Anyone can listen in." This, of course, takes the challenge out of the game for hackers specializing in user profiling and code cracking.

And then there are the cyber criminals "helping" those online by offering to update account information or donate software for free. A typical Japanese user, treated to an email reading Good afternoon, Takeshi. Our records show that your email account needs to be updated. Please re-enter your name, password, and payment information will honestly answer all questions without a second thought as to where that sensitive information may be going.

People haven't yet developed instinctive "good computing behavior." Entering real information and choosing identifiable usernames -- things most cyber-savvy folks would never consider doing -- have become commonplace. Keirstead notes that "weak passwords are one major reason that systems are easily compromised. The convenience factor has people selecting easy-to-use passwords, such as a four-digit birthdate."

Deference to window pop-ups is as prevalent as obedience to elders. In Japanese society, a well-constructed Web page seems uncompromisingly authoritative. Many Japanese users venture out into cyberspace, see elaborate sites that look sincere, and willingly give out information. To some this looks like a lack of common sense. "If just anyone came and knocked on your door and said I'm from the bank and I need your name and account number,' would you give him your information?" asks Richard Kubbernus, CEO of Canadian corporation JawsTech, a leading security-product developer and consulting company. "You wouldn't do that under normal circumstances, so why would you do that on a computer?"

The Japanese media hasn't done much to alert the public. In 1998, there were scant stories on crime in the major media, while high-tech crime regularly makes front-page news in America. In the West, Net users can read about cases involving breaches, but the average computer user in Japan would have to read far beyond the local newspapers to find a story on IT problems. But with half of Japan's population relying on digital communication, a barrage of bad publicity could arouse mass panic in Japan. "Nobody wants to freak out the consumer," says Kubbernus. High-tech crime is alluded to -- but it rarely makes the six o'clock news.

Case in point: The Melissa macro virus, which plagued computers worldwide, was discovered in Japan in March 1999. But it wasn't reported on in the national media until much later. "Until Melissa appeared in the local media and in the Japanese language, most people were not aware of it," Kubbernus says. "This means that the window of risk was greater in Japan than in other countries -- this is how most Melissa-related damage occurred." He says that Melissa eventually caused more problems in Japan than elsewhere because the media failed to report on potential dangers and suggest preventative measures.

Because the media seldom runs stories on security attacks and the people who cause them, most Japanese underestimate the capability of hackers. "We have an incredibly sophisticated hacker community here," Kubbernus says. "There are special individuals being cultivated in Japan -- they're creative, they're intelligent. They're cloaked and hidden away from society, living a subculture life." And hackers are everywhere, of course -- their ability to reach international shores makes Japan as vulnerable as any other country in the world.

While it may appear as though Japan is a nation of newbies, oblivious to the terrors of cyberspace and utterly ambivalent of security protocol, awareness of high-tech security problems and the willingness to incorporate preventative measures has gradually gained momentum over the past few years.

As of June 1996, the government began to intervene, creating tech-related agencies and studying cyber crime. And according to Nikkei, the demand for information security products and services has increased dramatically since 1998. By the end of 2000, legislation outlawing illegal access to computer networks will go into effect. The bill, jointly sponsored by the NPA, MITI, and the MPT, will ban "any unauthorized logging in to a computer network using another person's ID or password, or any attack on a security hole in an operating system or application." Penalties include fines of up to $5,000 or imprisonment of up to one year.

A new cyber-crime center headed by the NPA should also help. "The NPA is one of the few Japanese government organizations that truly recognized the threat from IT security to Japanese businesses," says Keirstead. "Their efforts to identify criminal activities and support legislative action to counter the problems have been admirable, even if somewhat late."

Meanwhile, retail sales of firewall and antivirus software have risen dramatically since the last half of 1998, according to Network Associates. The most widely used products include FireWall-1 (accounting for over a third of the entire market), Gauntlet (Network Associates), BorderWave (Secure Computing), and Japan's lone domestic-made Goannet (NEC).

Norton AntiVirus (Symantec) and Virus Buster (Trend Micro) remain top sellers at computer stores. "The Japanese computer and network security market provides excellent business opportunities to vendors from Asia, the US, and Europe," says Annabella Wheeler of encryption specialists Xcert International.

But security products alone aren't enough, says Kubbernus: "You've got a huge educational overhang that you have to work through in Japan."

More and more companies are beginning to realize this, and are seeking out consulting firms for guidance. "Security isn't sold in a box," Kubbernus says. "There are solutions out there you can kind of buy in a box, but the total security solution is not a box product. It needs to be adapted to the environment and the challenges that those individuals and corporations are dealing with."

New technological advancements help transform Japanese society each year, and digital communication is becoming more accessible and accepted throughout the country. With e-commerce increasing steadily and consumer awareness of security-related issues beginning to emerge, opportunities in the information-security market will continue to propagate.

If you're Japanese and feel like venturing out to Gion at night to shop, chances are your safety is guaranteed. But if you're looking for bargains in cyberspace ... Yamano shakes his head. "Security is not an option anymore for e-business or the individual user," he says. "It's a necessity."

Note: The function "email this page" is currently not supported for this page.