Earlier this month, the Japanese government approved a new amendment that permits government agencies to hack into Japanese citizens’ private devices that are connected via the Internet of Things (“IoT”). Calling the move a nationwide “survey” intended to protect the nation from foreign cyber attacks, the Japanese government plans to use the preemptive hacking as a means to detect devices that are deemed insecure or vulnerable to attack but owned by private citizens. They will then create a list of insecure IoT devices. The Japanese government has cited the upcoming 2020 Tokyo Summer Olympics as the main impetus for drafting such a drastic law and intrusion into citizens’ private devices.

The large scale survey of citizens’ devices will be carried out by government employees of the Japanese National Institute of Information and Communications Technology (“NICT”) under the supervision of the national Ministry of Internal Affairs and Communications. To gain access to citizen devices, NICT employees will attempt to log into citizens’ devices by using default passwords, password dictionaries, and other similar “common” passwords. If the government is able to access a citizen’s device in such a manner, the device is deemed insecure and will be recorded on a nationwide list of insecure IoT devices compiled by the government. The NICT will then pass on the list of insecure IoT devices to Internet Service Providers (“ISPs”) and other relevant service providers so they may warn the relevant citizen or account holder directly.

Japan Cites Concern with Security Surrounding Upcoming Tokyo Summer Olympics with Need for List of Insecure IoT Devices

The massive nationwide survey will begin in February of 2019 and is expected to affect over 200 million IoT devices. The NICT plans to begin the survey with routers and web cameras, two devices that can have devastating effects on the device owner if hacked. After those two devices are surveyed, the NICT will move onto other devices, most likely focusing on the next most important or impactful devices connected to the IoT, creating a comprehensive list of insecure IoT devices of concern.

While this is considered by most experts to be the most blatant intrusion into consumer data privacy by any government, the Japanese government has defended the move by noting that cyber attacks on IoT devices accounted for two-thirds of all hacking attempts in 2016. Moreover, the Japanese government cites the 2018 cyber attack on South Korea during the Pyeongchang Winter Olympics, which had been carried out by Russian nation-state hackers as retribution for the International Olympic Committee’s decision to ban hundreds of Russian athletes from competing that year, as a reason behind the survey and need for a list of insecure IoT devices to proactively help protect Japanese consumers and the country.

Russian Hack of IoT Devices Was Intended to Impede Olympic Ceremony Broadcast

In the 2018 Russian cyber attack, Russian nation state hackers deployed malware they had dubbed “Olympic Destroyer” right before the opening ceremony in South Korea in combination with a botnet of home routers and IoT devices, dubbed “VPNFilter” that were intended to hinder broadcast of the 2018 UEFA Champions League Finals. “Botnets” refer to when hackers are able to take over routers and their firmware by simply using the default passwords that originally came with the router. Then the router essentially becomes their tool or “bot” and becomes part of the hackers’ arsenal and can be utilized as part of a hacker’s network in the country of attack.

While time will only tell whether the Japanese citizens will comply peacefully and whether or not the survey will even be successful in warding off cyber attacks. While the idea of the compilation of a comprehensive list of insecure IoT devices would be useful, the manner in execution is likely to create controversy among Japanese consumers.  Experts in the field are closely following the survey as it rolls out.

For more information on Jim Chester and the Klemchuk LLP international business and trade practice, please click here.

About the Firm:

Klemchuk LLP is a litigation, intellectual property (IP), and business law firm, located in Dallas, TX.  The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights.  The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, international business, import/export, data privacy, and domain name dispute resolution.  Additional information about the Technology & Data law firm and its Technology & Data attorneys may be found at www.klemchuk.com.

Klemchuk LLP hosts Culture Counts, a blog devoted to the discussion of law firm culture and corporate core values with frequent topics about positive work environment, conscious capitalism, entrepreneurial management, positive workplace culture, workplace productivity, and corporate core values.