What Godzilla Can Teach Japan About Its Cybersecurity

Sixty-two years after Japan’s most famous monster first shocked audiences, Godzilla is again packing movie theaters with its latest incarnation in Shin Godzilla (titled Godzilla: Resurgence in the U.S.). Now, I’m not a science fiction fan and I don’t watch a lot of movies. So why am I enthused about this one? Ironically, I only decided to see it after several friends in government and politics strongly urged me to go. The reason is it has a great takeaway: in my mind, the entire film can be interpreted as a parable for fighting hackers.

Essentially, it’s all about threat preparedness and response – or lack thereof (warning: this post contains spoilers).

The focus of this film is not the battles with Godzilla itself, but the battles within the powerful bureaucracy that runs Tokyo and all of Japan. Civil servants in the movie are seen jockeying for position when things look promising and then ducking responsibility when events take a turn for the worse. They try to skirt jobs and roles that seem difficult and, initially, various overlapping agencies fail to work together. They’re also distrustful of foreign governments when they should be collaborating with them to fight back.

I have many years of experience in Japanese government and can tell you that while we’ve never dealt with a giant physical monster in real life, the film is right on the money in terms of how bureaucratic institutions plan for and respond to threats. The chain of command, titles and responsibilities in a crisis were realistic. The portrayal of the early-stage meeting and decision-making process was not exaggerated in any way. In fact, they were frighteningly accurate.

In the film, government checklists to respond to crises are of course useless because Godzilla is an unknown, unexpected entity. I got a kick out of seeing officials saying, “This situation was unexpected,” or, “There was no such training scenario,” or, “Which ministry are you giving this directive to?” in response to a collective order by a high-ranking official.

These mandarins demonstrate a textbook response to Godzilla that’s also seen in governments and corporations that grapple with cyberattacks. They underestimate the threat and they don’t understand it, its motivations and its ultimate goal. They fail to coordinate a response when the threat crosses various government jurisdictions; just like giant monsters, defense against cyberattacks will involve multiple ministries or agencies in Japan or anywhere else.

While the officials waste time in pointless meetings and discussions with so-called experts (academics with no real-world experience) instead of empowering people who actually know what to do, the threat evolves and grows stronger.

There’s much to learn for the leaders in Shin Godzilla. The movie shows the value of enabling those with expertise instead of only seniority, and of knowing how to distinguish big problems from small ones. It shows that putting a team of experts together after a disaster occurs is counterproductive. But it also shows how breaking the rules is often necessary.

Maverick government officials share samples of the monster’s DNA (similar to sharing malware) to people outside Japan and ask the international community for help. Going against protocol, these heroes are finally able to “crack the code” thanks to their personal relationships connecting international institutions and private industry that completely skirt official government channels. This is a very real-world scenario.

While Japan often experiences natural disasters and cyber attacks, we don’t expect a radioactive monster to attack. But just like Godzilla, a major attack will become more sophisticated, tougher to prevent, tougher to detect and tougher to defeat. Exceptions to the rule will become the norm and we need to become more resilient in preparing for and fighting these threats. Working together, countries and the private sector will grow stronger when dealing with other unexpected disasters and threats due to the knock-on effects of becoming cyber resilient.

Like other countries, Japan conducts simulations dealing with various cybersecurity situations. Some of these are based on real events. In the late 1990s I was asked to be on a government task force dealing with the year 2000 (Y2K) problem – the computer bug that led some systems to interpret 2000 as 1900, potentially causing widespread outages. We spent countless hours thinking of various scenarios where systems could be affected. We had tabletop exercises and “red teams” testing the assumptions. In the end, we spent quite a bit of money coming up with a manual to deal with what some thought would amount to doomsday. Luckily, when January 1, 2000, came around, the world did not fall apart.

Nearly two years later, the 9/11 terrorist attacks took place, ostensibly targeting the financial centers of the U.S. This event was a terrible tragedy that paralyzed transport and financial systems, but I was surprised to see that officials in the U.S., without being told what to do, pulled out their Y2K manuals and consulted them. People were still able to get cash dispensed out of ATMs and the New York Stock Exchange re-opened the following week. While I distinctly remember that there was no scenario for an airplane crashing into a building for the Y2K problem, the resiliency that the task force created a knock-on effect through which we were able to use it for another disaster.

One thing is clear: preparation and resilience in the face of an unknown threat will only make things better not just defensively but also in terms of efficiency and productivity. It’s counter intuitive, but looking at a disaster like an earthquake, volcanic eruption or tsunami as an opportunity to learn and become resilient is far better than seeing it as purely negative. Japan suffers an inordinate amount of natural disasters but has yet to exploit these as an opportunity to grow stronger. The same is true for the cyberattacks it has experienced.

The latter problem certainly isn’t unique to Japan. The attack on the U.S. Office of Personnel Management (OPM), disclosed in 2015, is another recent example of where preparedness, based on previously identified concerns about security lapses, might have prevented the theft of personally identifiable information for as many as 21 million workers.

As former U.S. Secretary of Defense Donald Rumsfeld said, we live in a world of unknown unknowns. These will increasingly expand as the world grows in complexity and uncertainty. Preparing for your Godzilla is probably not a bad thing to do, because it’s the best way to prevent it. So the next time Godzilla rears its ugly head in the form of a massive malware problem or targeted hack, we might be waiting to send it right back into Tokyo Bay.

Originally posted: Forbes
Date: 10/26/16

Posted by whsaito

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

William H. Saito