5 lessons on cybersecurity from the Charter of Trust’s Tokyo Roadshow
Trust is essential to fight cybercrime: trust along the supply chain; trust among companies, even if they are usually competitors; and trust between government and industry.
That was the overriding message from speakers and panelists at the Charter of Trust’s virtual Tokyo Roadshow 2020, held in October. Set up two years ago, the Charter of Trust (CoT) is a coalition of leading global companies that work together on improving cybersecurity. Initiated by Siemens in Germany, it has grown to include a range of European companies, as well as IBM, Cisco and Dell from the US, and NTT and Mitsubishi Heavy Industries (MHI) of Japan.
The CoT’s members believe its work is growing ever more critical. “COVID-19 has separated our physical economies, but in the digital world we are connected more”, said Eisaku Ito, the Chief Technology Officer of MHI. “We feel that digital transformation is moving faster than before. Under these circumstances, activities to build trust in the cybersecurity world are very important.”
Here are five takeaways from the recent Tokyo Roadshow:
1. Trust is the key
If it all comes down to trust, how do you create it?
Shared principles are the first step, and the CoT has set out 10 of these, covering everything from who bears responsibility for ensuring digital security to how to educate the next generation of cyber experts.
A common understanding, however, must go deeper – right down to establishing detailed rules that set out, for example, which components can be used in specific products and emerging technologies. After all, “not only technologies but people and processes and organizations, the implication of these elements become much more important”, said Shinichi Yokohama, the Chief Information Security Officer of NTT.
Trust but verify is an important rule of thumb, especially given rising protectionism and political tensions around the world. The best way forward is to step up communication: open channels to suppliers, customers, even rivals; set up joint exercises to practice fighting cybercrime attacks; and, above all, keep talking to build understanding.
The CoT certainly provides a forum to do so. “That’s why we called it the Charter of Trust”, Julian Meyrick, Vice President of Security Strategy Risk & Compliance at IBM, pointed out.
2. Public-private co-operation sets the framework
Co-operation is essential to cover all the aspects of cybersecurity, whether it is strategy, incident management, critical infrastructure protection or a longer-term focus on the culture and skills the IT sector needs. As Benjamin Ang, a Senior Research Fellow from RSIS/NTU in Singapore, pointed out, this is where the CoT can play a very important role given its ability to bring together governments, the private sector and academia in a public-private partnership.
The Tokyo Roadshow did indeed hear about the latest initiatives from the Japanese government to ensure cybersecurity. Toshikazu Okuya, Director of the Cybersecurity Division at Japan’s Ministry of Economy, Trade and Industry (METI), shared its Cyber/Physical Security Framework, designed to guard against the risks that come with increasing digitalization, such as the growth of the Internet of Things (IoT). Atsushi Umino, Director of the Office of the Director-General for Cybersecurity at the Ministry of Internal Affairs and Communications (MIC), showcased new Telework Security Guidelines and practical templates that his office has crafted in response to the huge spike in homeworking. As Mr. Ang pointed out, however, there is a plethora of national, regional and local standards operating across the world right now. Harmonizing these will be a considerable challenge.
3. Information sharing makes it real
Sharing information on cyber threats is the test that will determine if all the principles established by organizations such as CoT will actually make a difference in the real world. If companies are willing to share data, then threats and new attacks will quickly become visible, their spread from industry to industry can be prevented or slowed, and best practice in combatting them can be easily shared. Japan’s MIC, for example, worked with national internet service providers (ISPs) last year to alert users to new IoT devices infected with malware. They found over 150 a day during 2019. Setting up so-called ISACs, non-profit organizations that gather information on cyber threats and share it between the private and public sectors, is another way forward. In a positive sign that a global response is emerging, Japan and the US have set up a collaboration between the ISACs in their respective countries.
4. Secure the supply chain
Ensuring a robust (digital) supply chain is vital, particularly at a time when COVID-19 is disrupting logistics around the world. Government regulations can only get you so far in this area and it is therefore vital that each company works with its suppliers to ensure they meet the standards it has adopted.
The CoT was set up to be cross-sector by design, representing the supply chain from chip manufacturers to industrial users, and onwards via digital infrastructure and service providers to end users and certification providers. Ensuring responsibility throughout the digital supply chain is a CoT principle and the more it can build trust between the various players, the easier this will become.
5. Support SMEs
A chain is only as strong as its weakest link and often that link is a small or medium-sized enterprise (SME) – making sophisticated, often technologically advanced products, but without the resources to protect itself adequately from cybercrime. Their bigger customers can share best practices and advice, but when it comes to recruiting personnel with the requisite skills or buying more modern equipment, some level of public support is often required. In Japan, METI last year launched a pilot project that brings together insurance companies, security vendors and local chambers of commerce to support SMEs on a regional basis.