Promoting International Understanding and Trust

Posted: 4th May 2020
By: MONICA TODROS

Our guest is Mihoko Matsubara, chief cybersecurity strategist at Japanese telecommunications company NTT Corporation in Tokyo, where she’s responsible for cybersecurity thought leadership. Previously, Mihoko worked at the Japanese Ministry of Defense and was VP and public sector chief security officer for Asia-Pacific at Palo Alto Networks.

Our conversation explores the different approaches to cybersecurity seen in Japan, and the impact those cultural differences have on that nation’s security. We’ll also learn more about Mihoko’s efforts to bridge that gap of understanding, and to help build trust and safety around the world.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 157 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest is Mihoko Matsubara, chief cybersecurity strategist at Japanese telecommunications company NTT Corporation in Tokyo, where she’s responsible for cybersecurity thought leadership. Previously, Mihoko worked at the Japanese Ministry of Defense and was VP and public sector chief security officer for Asia-Pacific at Palo Alto Networks.

Our conversation explores the different approaches to cybersecurity seen in Japan, and the impact those cultural differences have on that nation’s security. We’ll also learn more about Mihoko’s efforts to bridge that gap of understanding, and to help build trust and safety around the world. Stay with us.

Mihoko Matsubara:

So I'm currently chief cybersecurity strategist at NTT Corporation in Japan, which is a global IT service and telecommunication company based in Japan. And I'm responsible for cybersecurity thought leadership to talk to leaders in government, academia, and industry all around the world, including Japan.

Dave Bittner:

And what led you to having that position? What positions did you have previously?

Mihoko Matsubara:

So, I started out my career in the Japanese Ministry of Defense, because I was very interested in national security and security issues in general so I decided to join the defense. And it made me interested in cybersecurity even though we didn't call it cybersecurity back then, and why I decided to go to graduate school in Washington, D.C. in the United States to do more study on international security.

And back in between 2009 and 2011, when the United States, even general media outlets in the United States started to talk about more cyberattacks and cybersecurity on a daily basis. So, it opened the door for me to do a cybersecurity job from an Asian perspective to try to bridge the different cultural gap between Asia and the United States.

Dave Bittner:

And what sort of culture gaps are there? What sort of things have you worked with?

Mihoko Matsubara:

Even though now there are so many articles and blogs about the Southern part of Asia from a cybersecurity perspective, especially China and North Korea, we don't usually talk very much about what's happening in Japan. Even though Japan is the host country for the next Summer Olympic and Paralympic Games. And physical security and cybersecurity are the key to have the success of the global event.

So I am trying to share what's happening in Asia, especially in Japan, in Japanese and English so I can share the Asian perspectives for the non-Asian people, and I can bring what I hear from the global audience back to Japan to try to promote the mutual understanding and also trust because everybody says that trust is the key foundation to move forward cybersecurity.

Dave Bittner:

And what are the different perspectives that the different cultures bring to cybersecurity? Or are there differences in the way that it's approached in Japan versus, for example, the United States?

Mihoko Matsubara:

So there are actually a lot of differences. So, let me start with cybersecurity professionals. So when you say cybersecurity professionals, it can mean anything, right? Because it can be a host of the CyberWire, and you can be a chief information security officer, or you can be a system engineer or help desk.

So even though it's one word, cybersecurity professional, it means everything. But when you talk about cybersecurity professionals in Japan, it's usually very narrowly defined and more tech-focused. It also depends on what kind of cybersecurity career paths you can pursue in your job.

So in Japan, cybersecurity, not just cybersecurity people, but in general, companies and organizations, still value very much a lifetime environment. But it is not necessarily the case in the United States or other developed countries because especially in the tech field, people move around every few years to get promoted or get more compensation or to have more experiences to have a better job.

But in Japan, in the lifetime employment system, people rotate every two to three years to have a different position and to get promoted, but within the same organization. So it helps you to have a holistic picture and big picture of what kind of business your organization has.

But it makes it challenging to keep up with the fast-changing environment, especially tech and cybersecurity. So it gives a unique challenge to the Japanese business people, which will not necessarily be shared by American cybersecurity professionals or business people.

Dave Bittner:

So there's a different approach there than there is here in the States?

Mihoko Matsubara:

So in the United States, the career paths are more flexible because you can move around between different organizations, and there's a thing called a “revolving door” because, well, you can start out your career in the defense or military or law enforcement, and you stay there for six years, or nine years, or 20 years.

And then, you have a job in industry, because now you can bridge a different culture between the industry and the government, or law enforcement and industry, so it's a win-win. But the Japanese do not necessarily have that kind of arterial pass model. It's more rigid to change or shift your jobs between different organizations.

Dave Bittner:

When you are serving as that translator between the folks in Asia and the folks here in North America for example, what are some of the things that you have to keep in mind when you're bridging the gap between those two cultures?

Mihoko Matsubara:

It's always better to have a short briefing session with my colleagues, or if possible, with my counterparts in other parts to have an additional little background knowledge to try to avoid misunderstanding and miscommunications. Career paths and the expectation for a job or the specialty expectations are totally different.

So even though I was not necessarily translating between Japanese and English, maybe we are only speaking in English, but because we have totally different cultural backgrounds from two different countries, it can be really easy to find ourselves lost in translation — like a movie.

So, you don't want to find yourself in that kind of environment, especially for a job. So it's better to have the short briefing also because this will be the difference or this will be the cultural difference we will face during our next conversations. So probably, then, it’s better to have these little expectations before getting from point A to point B.

Dave Bittner:

Now you recently wrote a book on cyber threat intelligence, the cybersecurity workforce, and so on in Japanese. Tell us about that book. What prompted you to write it?

Mihoko Matsubara:

So, in my job as chief cybersecurity strategist at NTT Corporation, I'm responsible for cybersecurity thought leadership to raise cybersecurity awareness. So I often go to different seminars and workshops and symposiums in different countries to talk to CISOs, but also business people and smaller medium-sized companies.

And especially when I talk to the non-cybersecurity general public, like business managers and business people, people usually already are overwhelmed by the term “cybersecurity” because they say, "Well, cybersecurity sounds scary and sounds too technical."

And they say, "Well, but you must have used a laptop and your smartphone or the social media or emails to communicate with others." They say, "Yes." So even though IT is part of their life, they admitted, but cybersecurity is not necessarily a part of their life. And I found it really funny and contradictory.

So I said, "Well, if there's a book to talk about cybersecurity stories rather than techniques or technologies or technical jargon, then people may find it more relatable and they can feel that, okay, cybersecurity is actually the part of my life daily from business operations." So that's what I did keep in mind to protect my colleagues or protect my family. So that's how I started.

Dave Bittner:

And what are some of the specific things that you cover in the book?

Mihoko Matsubara:

So, I wrote about decent examples of cyberattacks. And also, the second chapter is about cyberattackers. The third chapter is about cybersecurity professionals, and the fourth chapter is cyber threat intelligence. The fifth chapter is what's next for organizations to consider and how to take action.

Dave Bittner:

Well, let's talk about threat intelligence. What part do you think threat intelligence plays in an organization's defenses?

Mihoko Matsubara:

The reason why I picked cyber threat intelligence is, Japanese people tend to have less understanding of what intelligence is, including what cyber threat intelligence is. So because cyber threat intelligence is now the foundation to allow decision makers to make decisions on what kind of actions they should take for their employees and organizations and the business partners under their brand.

So I wanted to talk about what cyber threat intelligence is. And because even intelligence organizations play a quite major role to launch cyberattacks on us. Intelligence organizations actually also do play a major role to cultivate cybersecurity professionals in some countries.

So intelligence can apply to offensive cybersecurity, but also defensive cybersecurity. So it's better to have at least a basic understanding of what cyber threat intelligence is, and how it helps us, especially how Japanese organizations can take advantage of cyber threat intelligence in the future.

And I also made a comparison between Japanese and non-Japanese organizations’ cyber threat intelligence applications.

Dave Bittner:

Well, can you go into that for us, what are some of the differences between Japanese organizations and other organizations around the world?

Mihoko Matsubara:

So in Japan, 70% of IT or cybersecurity professionals work in vendors and system integrators. So it means that only the rest, about 30%, of IT or cybersecurity professionals are working in end-user companies. So it means that the end-user companies tend to have a very small cybersecurity team compared to American companies for instance, because in the United States, 65% of IT or cybersecurity professionals work in end-user companies.

So it means that end-user companies, even though that they are not necessarily specialized in IT or cybersecurity, they have bigger teams including cyber threat intelligence analysts to educate, sit with managers to make a decision on what kind of actions they should take for better defense and also to manage business risks including cyberattacks.

Versus in Japan, because the IT people and cybersecurity people allocations are totally different compared to American companies. So the shortage of cybersecurity professionals in end-user companies makes it difficult to take advantage of cyber threat intelligence.

Dave Bittner:

So do you think that puts Japanese organizations at a disadvantage with the way that they come at this?

Mihoko Matsubara:

Yes, because if you do not have a better or good visibility of what's going on in the cyber threat environment, then how can you manage your risks? Because you can only manage risk when you have visibility of what's going on in your risks, right?

And every single organization has limited resources to spend on any business risks because business risks are not just limited to cyberattacks, of course, and then, cyberattacks are big these days. But we also have to deal with different risks, right? International trade or the coronavirus pandemic, especially these days.

Nowadays, culprits take advantage of the coronavirus pandemic, and they use coronavirus pandemic-themed lures to try to trick people to click the attachment or link on phishing emails.

So it's definitely needed for organizations to have a good cyber threat intelligence to inform decision makers to have a good decision on what kind of cybersecurity actions they should take to better protect themselves.

Dave Bittner:

What are your recommendations for organizations that are just getting started with threat intelligence? How should they go about deciding how they're going to integrate it and how they're going to collaborate with various providers?

Mihoko Matsubara:

So when I talk to the Japanese organizations, because now it will probably be their first time using cyber threat intelligence, it will be quite an investment to hire a cyber threat intelligence analyst and have teams and purchase different services and work with different vendors.

So I recommend, why don't you just start with open source intelligence, because you cannot start big. It's better to start with small steps from the beginning, and there is good open source cyber threat intelligence to understand the basic trend of cyberattacks going on these days, such as coronavirus pandemic-themed phishing attacks.

And if you feel more comfortable using this kind of intelligence to make decisions on how to protect your employees and organizations and brand from cyberattacks, then it's the time to start thinking about what kind of team your organization should have next to expand from what you have now.

Rather than starting thinking about, "Okay, we should have a bigger team on cybersecurity including cyber threat intelligence analyst because it doesn't really work." You should start to familiarize yourself on how to use open-source intelligence first.

Dave Bittner:

And then as they proceed and find the value in threat intelligence, where should they go next?

Mihoko Matsubara:

After they feel more comfortable and feel familiarized with using open source cyber threat intelligence, then the next step they should take is to start thinking about and incorporating a cyber threat intelligence specialist component into their teams, so that at least one person — or multiple people — can focus on using cyber threat intelligence feeds from vendors to incorporate into their day-to-day cybersecurity practices.

Dave Bittner:

Can you share with us some of your insights as to what the situation is there in Japan when it comes to the cyber threat environment?

Mihoko Matsubara:

So it's quite similar to what's happening in the United States right now. I've seen more cyberattacks and phishing emails and scams using a coronavirus pandemic-themed lure, to trick people to click on a link or on an attachment.

So the typical example is a stimulus package scam. In Japan, Prime Minister Shinzo Abe declared to deliver 100,000 yen — almost 933 U.S. dollars — in cash to all Japanese people in Japan.

And right after that, scammers started to send out emails or phone calls or texts pretending they're a local municipal government representative and they're happy to take care of the money on behalf of Japanese citizens.

And we also see business email compromise in Japanese and English. Funny enough, we still see a lot of business email compromise targeting Japanese companies in English. But we started to see more in Japanese because we only started to see business email compromise written in Japanese two years ago.

But now we have a Japanese version. It means that the culprits have a wider target — not just Japanese companies that are familiar with international trades, but also any type of Japanese company, because it's written in Japanese.

I'm so fascinated. The cyber culprits are creative enough to go after people who are very concerned about the pandemic and also very scared about the lack of masks and devices.

Dave Bittner:

It's fascinating to think about how despite Japan being an island, that doesn't protect you from the rest of the world when it comes to being connected on the internet.

Mihoko Matsubara:

That's very funny you say that because some people think that, well, because the Japanese speak in Japanese and most of the cyberattacks are in English, so we are protected, but no, we are not. Thanks to Google translation for AI.

The culprits started to use automated translation and even the automated translation has a better quality. Of course, a few years ago, the phishing emails in Japanese were horrible and not grammatically correct, but they are getting better. So the language barrier doesn't work anymore.

Dave Bittner:

Thanks to Mihoko Matsubara for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.
