Cybersecurity Nightmare in Japan Is Everyone Else’s Problem Too

Jamie Tarabay, Min Jeong Lee and Takahiko Hyuga
Updated ·9 min read
2

(Bloomberg) -- Kojima Industries Corp. is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor Corp.’s entire production line to a screeching stop.

Most Read from Bloomberg

The world’s top-selling carmaker had to halt 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took months for Kojima to get operations close to their old routines.

The company is just one name on Japan’s long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year — dominating the supply of some materials — supply chain issues can have global implications.

Comparative data on cyberattacks can be hard to find. But Mihoko Matsubara, the chief cybersecurity strategist at Japanese telecommunications company NTT Corp., says the nation has had a particularly tough time.

“Along with the increasing number of ransomware attacks, Japan was hit by Emotet attacks more than any other country in the first quarter of last year,” she said, referring to a type of malware often spread through phishing emails. “Japan had a difficult year to deal with more cyberattacks on industry, government and the health care sector.”

But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users’ personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.

Meanwhile attacks on vital services such as Japan’s hospitals — which delayed surgeries and other treatments — have served as a reminder that money is not all that’s at stake.

“The ransomware attacks were a wake up call to the Japanese,” Matsubara said. “Because now human lives are at risk.”

The Kojima attack on February 26, 2022 was what’s known as a supply chain hack: Hackers penetrated the systems of a third-party business partner and used them to access Kojima’s file servers. By 9 p.m., they’d encrypted data on some servers and computer terminals, according to a Kojima spokesperson.

The breach was detected at about 11 p.m. The hackers had sent a ransom demand but Kojima’s engineers never responded to any kind of communication with the hackers, the spokesperson said.

Before dawn, Kojima shut down the systems it uses to communicate with external suppliers and the following day, Toyota announced it would suspend operations at all of its domestic plants. The breach meant subsidiaries including Daihatsu Motor Co. and Hino Motors Ltd. also had to halt production.

“Attacks in Japan are on the rise, and more firms are becoming aware of the risks,” said Shinpei Izumo, an underwriter at Sompo Japan Insurance Inc. He estimates cyber insurance sales are up 20% to 30% from the previous year.

Smaller firms have few protections, he added. “They don’t know what to do in the event of an emergency or incident, and they aren’t taking measures to prevent the damage from spreading.”

High-End Powerhouse

Supply-chain hacks have huge potential to disrupt the economy. While much manufacturing and assembly happens in lower-cost markets, Japan is a powerhouse in producing a select group of high-end goods. Products like phones, computers and electric toothbrushes often contain Japanese parts.

The country produces about 80% of fine chemicals for electronics and dominates the global supply of photoresist, a light-sensitive material that’s used in making semiconductor chips, according to Ulrike Schaede, professor of Japanese Business at the School of Global Policy and Strategy at the University of California, San Diego. Having those industries be vulnerable to cyberattacks would have an untold impact.

“Not a day goes by where you don’t use an item that wouldn’t exist if it weren’t for the Japanese part in it,” Schaede said.

“Japanese companies are an important part of the global supply chain,” she added. “The more upstream you go, the more Japan is in there.”

Last year, manufacturers Fujimi, Denso, Nichirin and TB Kawashima all experienced cyberattacks on overseas subsidiaries that hold Japanese intellectual property. Japanese clothing manufacturers, furniture makers, credit card companies, libraries and a social media services operator were also among hackers’ targets. And in September, pro-Russian hacker group Killnet downed 20 Japanese government websites in a distributed denial of service, or DDoS, attack.

In response, the Japanese government said it would introduce new laws to engage in offensive cyber operations to “begin monitoring potential attackers and hack their systems as soon as signs of a potential risk are established.”

It’s a marked escalation in the government’s approach to cybersecurity, which previously adhered to the spirit of Japan’s constitutional commitment to pacifism following the end of World War II. The changes are being reflected in the new cyber command that’s being stood up within Japan’s defense force.

Western allies have been waiting for the country to acknowledge it has to do more, says David Suzuki, managing director for Japan at security firm Blackpanda.

“I think there’s finally been a realization in Japan that cyber security, it’s not an IT issue. It’s a security issue, right?” he said. “Because it’s not a machine that’s hacking you. It’s a bad guy, using machines.”

Recovery Costs

For all of its advanced technological knowledge, Japan is also a place where traditional ways of doing business are deeply entrenched. When ransomware attacks occur, companies are often able to keep operations running using paper inventories and offline backup systems — reliable and unhackable, but also slow and cumbersome. And as companies slowly restore their systems, breaches are not always reported, according to industry officials and cyber experts.

Historically, Japanese companies avoided paying ransoms by relying on punishingly slow data-recovery firms to piece together corrupted networks, says Tatsuhiro Tanaka, a retired major general who is now a research principal at Fujitsu System Integration Laboratories Ltd. But the rising frequency of attacks means the recovery cost is increasing too.

“There are very few companies that employ a kind of incident commander, the person who deals with the cyber attack and business continuity,” Tanaka said. “We have to change the mindset.”

There’s also resistance within some Japanese companies to disclosing attacks and upgrading systems, which stems from societal norms around assigning blame, according to Scott Jarkoff, who heads the strategic threat advisory group for cyber firm CrowdStrike and has lived in Japan for more than three decades.

That culture hinders the nation’s ability to build a local population of security experts, said Hiroshi Sasaki, an associate professor of manufacturing and innovation at the Nagoya Institute of Technology in Japan.

“They need to be both accountable and responsible when a cybersecurity incident happens. Other countries that pay attention to their critical infrastructure will learn the importance of the supply chain from Japan’s situation,” he said.

But while Japan might be an extreme example of such vulnerabilities, it is far from the only country at risk.

In the US, cybersecurity regulation has been patchy, and the government has long relied on businesses to voluntarily adhere to cybersecurity guidelines. But in releasing its national cyber strategy in March, the Biden administration endorsed tougher measures, pushing federal agencies to use existing authorities to set minimum cybersecurity requirements in critical sectors.

In Australia, businesses that failed to mitigate easily preventable security breaches faced minimal financial penalties until last year, when the government introduced fines of up to A$50 million ($33.5 million) or 30% of a company’s adjusted turnover in the relevant period. Meanwhile the European Union noted in a recent report that much of its software originates in the US, and that its own cybersecurity industry needed to grow to address vulnerabilities. Cyberattacks in the region grew 26% in 2022 compared to a year earlier, according to Check Point Software Technologies Ltd.

The government agency in charge of overseeing Japan’s network security says the country’s disclosure rules aren’t that different from those of other advanced nations.

“No country makes it mandatory for companies to publicly disclose accounts of their cybersecurity attacks,” said an official from the National Center of Incident Readiness and Strategy for Cybersecurity, who asked not to be named. “This is because they include information that could impact their business operations.”

Instead Japan asks companies that provide critical infrastructure such as telecommunications, power, gas and railways to voluntarily report any cybersecurity incidents. Over a thousand companies fall under this category and a total of 407 reports were made in 2021.

“Even though it’s not an obligation, the reports are done properly and necessary information is shared,” the NISC official said. “One unique thing about Japanese culture is that once people are committed, they comply with what’s asked of them regardless of whether it’s voluntary.”

Japan has some cyber victories to celebrate. NTT cybersecurity strategist Matsubara points out that the country fought off tens of thousands of cyberattacks targeting the Tokyo 2020 Olympics without fanfare. Japan has also been included in NATO’s annual cyber exercises for the past two years, she said, even though it’s not a NATO member.

“Even Japanese people I talk to didn’t know that,” she said. “But this year everyone is more interested in cybersecurity because they’re worried about financially motivated or geopolitical cyberattacks.”

Japan is far from the only country that is reluctant to admit its cybersecurity failings. But the relentless attacks its manufacturing industry has suffered in recent months serve as a cautionary tale for other wealthy nations with supply chains to protect. Japanese executives are “still hesitant” compared to those in other countries, according to Kouji Morii, the head of security at Segue Group Co., an information services firm.

“There’s a tendency that Japanese employers don’t think cyberattacks have anything to do with them unless they’re attacked. We have to change the thinking.”

--With assistance from Reed Stevenson.

Most Read from Bloomberg Businessweek

©2023 Bloomberg L.P.