The $500 Million Coincheck Hack Exposes Deeper Security Flaws In Corporate Japan – Summary

Background & premise:

In January 2018, hackers stole more than $500 million in cryptocurrency from Coincheck, one of the largest crypto exchanges in Japan – the article explains why it happened, and why it is likely to happen again.

This is a Summary of an article written by BIJ Member, leader in the Tech Startup scene, Podcaster oft featured here on BIJ and longterm Japan resident; Tim Romero

Read the full original article here: https://www.forbes.com/sites/tromero/2018/02/14/how-the-500-million-coincheck-hack-exposes-deeper-security-flaws-in-corporate-japan/

In a nutshell:

Japan’s Information Security is very poor, it is endemic to the culture and isn’t changing any time soon.

Officials from the Financial Services Agency arrive at Coincheck’s Tokyo headquarters to conduct a search on February 2, 2018. (STR/AFP/Getty Images)

Key points and soundbytes:

  • (IT) Security problems are systemic and deeply interwoven in Japanese business culture.
  • Japanese IT systems have been largely spared due to a unique combination of linguistic and system isolation that is now coming to an end.
  • The person in charge of IT security often has no background in the field.
  • Comments from a Japanese CEO of Japanese security startup:
    • Most Japanese CIOs and Chief Security Officers (CSOs) are in their 50s, but these positions are much more junior than in the West
    • CSOs are expected to be skilled at managing technology projects but are not generally expected to have a technical background.
    • Japanese firms have a history of outsourcing their systems, so they often lack… institutional knowledge.
  • Compliance (is) valued far more than actual security in Japan.
  • Since startups and enterprises both tend to favor compliance over detection and mitigation, there is a wide range of security audit and consulting services available, but penetration testing is rare and expensive.
Sony executives were forces to apologize in 2011 for the massive theft of personal data from users of the company’s PlayStation Network. (TORU YAMANAKA/AFP/Getty Images)
  • Japanese engineers who alert their firms to security flaws are often taking significant career risk in doing so.
  • Documenting, or even fixing, security vulnerabilities provides no immediate benefit (to Engineers).

Why Things Are About To Get So Much Worse

  • In the past, Japanese IT systems have been largely spared due to a unique combination of linguistic and system isolation that is now coming to an end.
  • The Japanese language itself provided an effective layer of obfuscation over poor security practices.
  • The widespread availability of free, automatic translation tools has changed this.
  • Corporate Japan is becoming more vulnerable to cyber attacks at the very time they are moving more and more valuable information onto Internet-connected computers.

From the Comments on the article on Social Media:

“Cyber security in Japan is a joke. If you’re still using Windows XP with IE8 then don’t even bother. Japan is the only country in the world where corporations pay MS millions just to keep XP unofficially supported because of all the legacy software that the person who made has retired long ago and nobody knows what to do. It’s a use till it breaks mentality and then figure something out. “

Tim ends with:

“Unfortunately, it looks like things will have to get a lot worse before they get better. It will take a few more expensive and embarrassing hacks the scale of Coincheck before Japan stops viewing them as isolated incidents and begins treating computer security as the serious and systemic problem it truly is.”

Tim Romero is a Tokyo-based founder, consultant, author, teacher and host of the Disrupting Japan podcast. He also teachs corporate innovation at NYU’s Shinagawa campus.

You can find him on LinkedIn here and listen to his Podcast: Disrupting Japan here.