Cyber Attacks

Public Relations Office        October 20, 2017

Motohiko Isaka

Professor, School of Science and Technology, Department of Informatics (Information theory and its application, coding techniques)

One of the most pressing challenges in the lead-up to the 2020 Tokyo Olympics is the development of measures to counter cyber attacks. Attacks on infrastructure, communications, finance, transport and other sectors could potentially cause massive social upheaval. Many public institutions and corporations have suffered major damage as the result of disruption of operations or information leaks caused by cyber attacks, and there is a growing need to position cyber attacks as a business risk. Recently, the question of whether cyber attacks had an impact on the U.S. Presidential elections has become a major topic, and cyber space, which is considered the fifth battleground after ground, sea, air and space, is seen as already being in a state of war.

In 2017, a rampant attack by malware called WannaCry became a global problem. This malware is classified as ransomware, in that it arbitrarily encrypts a device’s internal data, thereby rendering it unusable, which is then followed by a demand for money to unlock it. Encryption is an important tool for information security, and it is ironic that it is actually being abused in this way. Incidentally, due to the difficulty in identifying the recipients, Bitcoin is being used to pay these ransoms. This is a virtual currency based on blockchains, which is also adapted from encryption technology.

The most typical form of cyber attack exploits weaknesses in information and communications systems. These weaknesses, or vulnerabilities, are usually in the form of programming defects or setting flaws. WannaCry targeted vulnerabilities in the Windows operating system. With large and complex systems, it is technologically very difficult to maintain normal operations while ensuring detailed security measures. Many of these vulnerabilities only become apparent when they are attacked, and they are often just the tip of the iceberg of potential threats. When IoT, which will link a massive number of things over the internet, becomes more widespread, the situation is bound to become even more serious. An example of a defense measure is to provide financial incentives for “good” hackers to discover vulnerabilities and report them before they can be attacked.

On the other hand, it is said that by far the biggest vulnerability is people, and their negligence and inadvertent actions have the potential to cause widespread damage and run the risk of being used as a springboard for future attacks. An example of this kind of attack is targeted attacks, in which a fake e-mail pretending to be from someone the recipient knows is sent, and opening a file attached to that e-mail causes the computer to be infected with malware. A higher awareness of the risks on the part of individuals and the enforcement of basic counter-measures, including regular updating of basic software and virus pattern files, will become increasingly important in the quest to protect the assets and safety of organizations and individuals.
(This article has been translated by Public Relations Office of KG.)

Kanehiko Toyota

Professor, Law School (Criminal law, complicity)

Cyber attacks have become a major social problem. Recently, damage from targeted e-mail attacks and DDoS attacks has become increasingly widespread.

In targeted e-mail attacks, viruses and the like that cannot be detected by retail anti-virus software are attached to e-mails disguised to look like regular business e-mails. Opening these attachments infects the recipient computer with the virus, which attempts to steal information from that computer. There was a targeted e-mail attack at this university last year, in which students suffered leaks of personal information.

DDoS attacks involve multiple computers accessing the computers of a company or other organization, making it impossible for others to view that company’s website.

There has also been a spate of DDoS ransom threats, in which companies are threatened with a DDoS attack unless they pay a ransom to the perpetrators.

What, then, is the legal position against these kinds of attacks? If a perpetrator attempts to infect a computer with a virus through a targeted e-mail attack, this would constitute a crime or attempted crime of unauthorized command by provision of electromagnetic record under the Penal Code, which would be subject to up to three years' imprisonment or a fine of up to ¥500,000. If a company or other organization’s operations are disrupted by a DDoS attack, this would constitute a crime of obstruction of business by damaging a computer, which would be subject to up to five years' imprisonment or a fine of up to ¥1,000,000, a harsher punishment than regular disruption of business.

The police are also putting efforts into understanding the situation regarding cyber attacks, as well as preventing and investigating them. These efforts include establishing dedicated departments to deal with the problem.

However, neither the law nor the police are omnipotent. For a start, it is not easy to find the perpetrators of cyber attacks. Cyber attacks are a borderless crime, so the perpetrator may not even be in the same country as the victim. Moreover, even if they somehow manage to find and punish the perpetrators, the damage caused by these attacks cannot be undone.

For this reason, self-defense is vital. If you receive a suspicious e-mail, do not click on the attached file or URL. You need to take action to prevent damage yourself, such as contacting the Organization for Information Management and Communications if it is on a KGU computer, for example. If you do inadvertently click on it, you will need to take action to prevent the damage from spreading, such as disconnecting the computer from the network.