PARTNER CONTENT

CYBER INITIATIVE TOKYO 2024

Keeping your business running in the face of growing cyber risks: Toward a sustainable digital society

The impact of cyberattacks is becoming increasingly severe. As companies struggle to defend on their own against ever more sophisticated attacks, they need sustainable countermeasures that will keep their business running, while gathering information to obtain an overview of the domestic and global situation.
Cyber Initiative Tokyo 2024 (Main sponsors: Nikkei Inc. and Nikkei Business Publications, Inc.), held November 26-27, 2024, brought together key people involved in realizing a digital society, offering solutions toward these ends. Among the wide range of themes taken up were the potential for cyber risks arising from rapid advances in the latest technologies including generative AI, as well as ransomware response, and the role of the CISO (Chief Information Security Officer). The discussions extended to practical matters, not limited to defending against damages but premised on continuing business even when impacted by an attack.


Rising risks with the emergence of generative AI and other new technologies: What actions should management take for the sake of business continuity?

Cybersecurity measures in 2024 can be summed up as “Keeping Your Business Running.” What is demanded today is a shift from the conventional approach of concentrating on measures for defending against attacks toward keeping services from shutting down. So argued Jun Murai of Keio University, who chairs the steering committee for this forum, in his opening remarks.

The rapid advance of digitalization has made all kinds of business fields directly vulnerable to cyber threats. Professor Murai, pointing to the need to build sustainable operations such as by bolstering and distributing services, suggested that one option might be to have some key infrastructure operated by private enterprises or multiple companies in the same business field.

A new issue arising in 2024 is ensuring the credibility of content, given the spread of fake news and misinformation. Murai further emphasized the need to raise the credibility of traffic, make use of information concerning communication security, and employ active defense for detecting and preventing threats in advance.

The true nature of security risks hiding in the AI boom


Appearing in a panel discussion on the theme of “Threats and Countermeasures of Generative AI” were Panasonic Connect CTO (Chief Technology Officer) Akira Sakakibara, Japan AI Safety Institute Deputy Executive Director Kenji Hiramoto, and Mori Hamada & Matsumoto partner Atsushi Okada. Drawing on their respective fields of expertise, they discussed the risks associated with the use of generative AI, and countermeasures. Serving as moderator was Tomoo Yamauchi, Director-General in charge of Cyber Security and CISO in Japan’s Ministry of Internal Affairs and Communications.

Generative AI was the IT trend drawing the most attention in 2024. Even as generative AI can dramatically improve the efficiency of many tasks, security issues that have been noted include the risk of leaking confidential information and the credibility of the information output by AI. Along with the problems of AI “hallucination” (mistaken awareness or making up information that differs from the truth) and technical risks such as quality control and data poisoning, there are concerns about safety assurance in the real world and copyright infringement or other legal risks.

Much of the focus in the discussion was on copyright issues and the use of generative AI in development processes. The Japanese Copyright Act is relatively lenient regarding the use of widely available digital content as AI learning data. At the same time, the potential for copyright infringement was pointed out in cases when, in the generation phase, the generative AI output resembles existing copyrighted material.

In software development, the use of AI-driven tools like Microsoft AutoDev for automating development is accelerating. Sakakibara commented on the potential of generative AI use for greatly changing the role of developers, and noted the importance of continuing to take on the technical challenges while being aware of the risks.

Hiramoto said it was important to gather and make use of information on world trends, stressing the need for information gathering from a global perspective. Okada pointed to the importance of making aggressive use of generative AI while properly understanding both the risks and advantages.

The methodologies developed in quality and safety control are applicable also to security


Today, as cyber threats are becoming more severe, the role of the CISO (Chief Information Security Officer) is of growing importance. Appearing in the panel discussion on “Priorities for CISOs in 2025” were executive officers serving as CIO (Chief Information Officer) in the manufacturing industry while also taking on the responsibilities of CISO. The topics ranged from security measures specific to their industries to the strengthening of governance across the entire group, and the relationship between security and quality control in the manufacturing industry.

Yuri Tsuji, SUBARU Executive Officer and CIO, stressed the idea of security as one part of quality. “SUBARU is pursuing the safety performance of cars, toward our goal of achieving zero deaths from traffic accidents by 2030. We consider security as part of quality, including safety and assurance” (Tsuji).

Nissin Foods Holdings Executive Officer and CIO Toshihiro Narita talked about his company’s philosophy as a food manufacturer of giving top priority to product safety and assurance. He commented that in making use of methodology developed in quality and safety control, the company viewed security not as simply a technology matter but as a management issue having the same materiality as quality control.

JFE Steel Senior Vice President Akira Nitta talked about the importance of security measures from the standpoint of a company’s sustainable growth. As business expands, with investments in DX (digital transformation), overseas M&A, outside sales solutions and the like, security risks rise. Nitta talked about how JFE Steel spent two years achieving system integration with 260 group firms and established a security platform.

Key points of ransomware response and countermeasures learned from incidents

Taking part in the Panel Discussion, “Learning from Incidents: Ransomware Response and Countermeasures” were Edvardas Sileris, Head of the European Cybercrime Centre, EUROPOL; Tatsuya Kitao, Chief Information Security Advisor to Japan’s Ministry of Land, Infrastructure, Transport and Tourism; Masakatsu Morii, Professor Emeritus of Kobe University; and Kouzou Kanai, ICT Solution Division Executive Officer at Sky. With Fumihiko Abe, Deputy Director General for Cyber Affairs Bureau in the National Police Agency (NPA), serving as moderator, the panel members discussed actual cases of harm and countermeasures.

The impacts from ransomware attacks are spreading rapidly. According to NPA data, 114 cases were reported in Japan just in the first half of 2024. Of the victimized organizations, around 40 percent took a week or more to recover; and 45 percent of the organizations spent at least 10 million yen on the recovery effort.

Two typical incidents reported in the discussion were those targeting Tsurugi Municipal Handa Hospital in Tokushima and the Nagoya Port container terminal. At the Handa Hospital, the attackers encrypted the electronic medical records system, which required three months for recovery. Prof. Morii pointed out that the hospital had not taken sufficient internal measures, believing the system was safe since it was on a closed network.

In the Nagoya Port ransomware case, the system was restored in two and a half days because data had been backed up properly. Kitao said these incidents demonstrated the importance of business continuity planning (BCP) that takes into account the possibility of a complete system shutdown. Sileris warned that preparations must be taken on the assumption that an attack is certain to happen someday.

Kanai, meanwhile, said that most ransomware damage can be prevented by proper management of client PCs, appealing to the importance of security patch management. He pointed in particular to the problem of organizations overlooking the fact that VPN (Virtual Private Network) hardware set up by a vendor had been left out of the management covered under the maintenance contract, and to the danger of overreliance on OS automatic updates. He further emphasized that an organization needs to create a framework for keeping track of and managing application of the latest security patches and acting quickly to prevent harm.

Appearing in the closing session was Joichi Ito, Co-Founder of Digital Garage and President of Chiba Institute of Technology. He talked with Prof. Murai about coming developments in cybersecurity and the outlook for AI.

What Ito emphasized most strongly was the responsibility of top management. He pointed out the need for management themselves to understand and become involved in security, without simply leaving everything up to security personnel and vendors. Especially when responding to an incident, important decision-making is necessary, such as whether to shut down services. “Advance scenario planning at the management level is essential. If such measures are not taken, business continuity will be hard to achieve,” he warned.

Ito further expressed a sense of urgency regarding the safety of large-scale artificial intelligence models (AI foundation models) and geopolitical issues. A potential future risk is the theft of learning parameters of an AI model that was built at great cost. Noting that vulnerabilities in Japan’s cybersecurity readiness could pose an obstacle to the domestic development and operation of important AI models, Ito said such readiness would need to be established at the national government level.