Closing panel of the Shirahama Symposium on Cybercrime: "How to respond to a rapidly changing environment"

The three-day Shirahama Symposium on Cybercrime #SCCS2024 has concluded. The closing session was a panel discussion with the following four people. The coordinator/moderator was Professor Uehara.

I am an amateur in this field, and the following is based on a few lines of notes and memory. I'm sure there are many inaccuracies and omissions, so I would appreciate it if the Shirahama group could point them out as appropriate. I also think that a large portion of what I write is my own personal opinion, so I hope you will forgive me for that. Things that were obviously not mentioned on the panel are in italics. I also tried to incorporate as much of the content of the Q&A at the end of each session as possible into the main text.

Summary

This panel discussion covered the development and challenges of generative AI, the impact of the cloud shift, and recent large-scale ransomware incidents. It was pointed out that while the development of generative AI has improved efficiency, it also increases the risk of generating and spreading inappropriate information; that the shift to the cloud has reduced costs but has made vendor management difficult; and that the severity and phase of the damage from ransomware incidents have changed, and that countermeasures are needed.

Developments and challenges of generative AI

While the development of generative AI is expected to improve work efficiency, the risk of information leakage was pointed out early on. Since then, controls such as contracts have made it hard to imagine information leakage becoming a major problem. On the other hand, there is an increased risk of dilution of content rights and of the creation of inappropriate content and malware.

For example, a man was recently arrested for allegedly using generative AI to create ransomware for smartphones. It is extremely difficult to create and distribute ransomware that runs on smartphones using AI [1]. However, it is believed that the law was not actually used, and so the crime of creation was applied in this case. However, this should not be applied lightly (chilling effects are also possible), which raises concerns. (If someone creates something intentionally, they can be charged with creating it, but proving intent is difficult, and prosecution is difficult. This may be considered a special case.)

Problems were also raised about generative AI creating inappropriate content (e.g., nude images, information that could be used to incriminate people) and fake news.

Regarding the former, some have pointed out that generative AI should not be taught such "inappropriate" content.

  1. In order to control "inappropriate" output, the "inappropriate" thing itself must be taught, and it would be difficult to not teach it at all.
  2. In order to get them to do something useful, sometimes you have to teach them things you don't want them to output.
    • Example: To draw the human body well, one needs to learn from nude models, whether the learner is a human or a machine.

Given these factors, it is difficult not to teach them. Therefore, these "disciplines" are basically carried out at a prompt level. However, with open AI models, it is difficult to enforce them, and they may be abused. The challenge is to find a balance between the use of generative AI and regulation. We have no choice but to accept that generative AI will produce large amounts of malware and inappropriate content, and measures against this will also need to be taken by AI. There is a need to deepen the discussion on the need for regulations and ethical guidelines regarding the use of AI.

The impact of the cloud shift

As the shift to the cloud continues, cloud vendor management is becoming more difficult. Although there are benefits such as cost reduction and short-term security enhancement, it has also become harder to grasp the vendor's actual situation, which makes risks difficult to estimate. In addition, the long-term risks of excessive reliance on cloud providers include the difficulty of maintaining internal expertise, risks in the cloud supply chain, and the risk of price increases.

Meanwhile, cloud vendors are making efforts to ensure security by obtaining third-party certification based on audits and disclosing information. Certification systems include ISMS and SOC2, and for government agencies there is the US government's FedRAMP and the Japanese government's ISMAP. However, it has been pointed out that obtaining such certifications (especially SOC2 and ISMAP) is very costly, making it difficult for small and medium-sized providers to handle. In response to this, procurement parties have suggested that they will make up for the areas that small and medium-sized providers are unable to handle [2]. It was also mentioned that they are trying to cover this issue by

It was also pointed out that cloud vendors should be careful about how much information they can disclose if they are asked to disclose information in the event of an incident. Although they can provide audit trails and third-party audit reports, it may be technically difficult to isolate and disclose the data of individual customers. There may be limitations to complete disclosure.

Adopting organizations need to take these factors into consideration and assess the advantages and disadvantages of shifting to the cloud.

Large-scale ransomware incidents and countermeasures

Recently, there has been a series of large-scale ransomware incidents. These have shifted from random attacks to targeted, high-value operations, with increasing sophistication and scale of impact. Examples include the impact on important infrastructure, as in the Colonial Pipeline incident [3], and the recent cases of Company K [4] and Company I [5].

This means that the phase of damage has changed in several ways.

First of all, the amount of damage is enormous.

Secondly, it has the potential to affect a person's life or death. For example, if the energy supply is cut off in a very cold place, there is a risk of freezing to death, and if a celebrity's address is known, it could lead to a stalker murder [6].

Furthermore, the case of Company I has a large impact in terms of damaging the social trust mechanism. In the case of Company I, information was stolen, even though the company was an ISMS and P-mark certified company that had been properly audited and had basically separate networks. This was caused by information that should only be on the business network being copied onto the information network and lying around, and data that had been certified as deleted to the local government not actually being deleted. The certification system was unable to find this, and it was pointed out that this will have a social impact in the form of a decline in the credibility of the certification system.

On the other hand, the following points were also made about certification systems such as ISMS:

  • It can easily become like a checklist, but that is not the essence; what is important is the leadership and risk awareness of the management.
  • Certification should not become an end in itself.
  • There is a need for certification systems tailored to specific business operations, and more effective measures are needed that understand the role and limitations of certification systems.

This part of the discussion also pointed out the importance of information disclosure when an incident occurs and of managing contractors. It also pointed out that strengthening monitoring and reviewing management systems are essential measures against ransomware.

Footnotes

  1. It is considered very difficult to create ransomware that works on smartphones. It is highly likely that the hurdle for installing the app is high, and the malware can only access data in your sandbox or at most photos, and the only function it can achieve is file encryption. The reports may not be true.
  2. Example: Digital Agency startup allowance
  3. Piyolog: Summary of cyber attacks on US oil pipeline companies
  4. Author's note: KADOKAWA KADOKAWA halts "Niconico" due to ransomware attack
  5. Author's note: Piyolog: Summary of Iseto ransomware infection
  6. This is a topic that Professor Sunahara and I were discussing while listening to the panelists' meeting in the waiting room.
