Security Researcher Nakajima Asuka's Vision as to the Future of Tech and Society
--Tell us about your cybersecurity research.
Security research focuses on detecting and coming up with countermeasures for vulnerabilities. "Vulnerability" here refers to information security defects in hardware and software. Cybercriminals use these defects to infiltrate computers and commit malicious activities.
From 2018 to 2019, I was researching the residual risk of vulnerabilities contained within IoT devices manufactured through OEM. An OEM, or original equipment manufacturer, manufactures products for brands owned by other companies. My research revealed that when there are vulnerabilities in the manufacturers' original equipment, these vulnerabilities are propagated to the OEM equipment sold as a part of brands under other companies. You can look at vulnerability databases to find out what original products have had exposed vulnerabilities, but OEM products are almost never included in these databases. This makes it so consumers are oftentimes buying and using OEM products without realizing that the products they are using have these vulnerabilities.
I noted that OEM products often look quite similar to their original counterparts, and proposed a method of recognizing OEM products from the equipment's appearance. I looked for products that looked similar to an original product that contained a security vulnerability, and considered these to be OEM product "candidates." I then conducted a partial analysis of these, and found that they were indeed OEM products, and that some of them contained the same vulnerabilities as the original product. The results of my research were presented in many international conferences and were highly evaluated.
--Are there advantages to being based in Tokyo, or more broadly in Japan?
Even now, Western countries lead the world when it comes to security research. But when comparing research that was done in the West to research conducted in Asia, you sometimes uncover differences, and some of my research has been evaluated highly for this reason. For instance, I was involved in a joint research project with Carnegie Mellon University (CMU). We were investigating whether there were any differences in trends between the release dates of security patches (updates meant to resolve vulnerabilities)—amongst other factors—of Japanese and American manufacturers selling consumer IoT equipment. The results showed that compared to American vendors, Japanese vendors were more likely to release security patches before vulnerabilities were announced publicly. The paper was chosen for the "ACM ASIACCS," a highly-selective international conference in the field of information security, and CMU has released a white paper on it as well.
There are also a lot of Western researchers who are looking for information on the kinds of security technologies that are needed in Asia, and I get a lot of questions from them about it. I think these experiences show that from a global perspective, there are advantages to promoting this kind of research from Tokyo and from Japan.
--I've heard you're also putting a lot of work into developing human resources.
With cybersecurity, all you need is a computer to help change the world for the better, which makes it an attractive field. But even so, there aren't enough human resources on an international scale. I personally became interested in security after reading the cybersecurity sci-fi novel Project SEVEN (Author: Nanase Hikaru / Publisher: AlphaPolis). I was so taken in by the story of this high school girl-slash-hacker that I started self-studying security. When I was a university student, I competed in "DEF CON CTF," the world's highest-tier hacking competition that's held in Las Vegas in the U.S., as part of one of the top hacking groups in Japan. There, I felt for the first time the sheer skill of the world's top-level hackers, and I realized how much more I needed to learn. That experience left me even more motivated, and after graduating university, I became a security researcher.
I think it's important not only to train top-level researchers that can compete at the same level with the rest of the world, but also to train personnel who understand the fundamentals of security. In recent years, there have been more programs in Japan that are focused on training security engineers and researchers, and more universities that are hosting security-related lectures. So the environment for it is coming together. There have also been more hacking competitions, and I think there's a lower threshold for entry when it comes to studying cybersecurity.
I personally am involved in developing human resources - for instance, giving lectures at universities, and writing for books and magazine articles. I also recognize, from my experiences in the security industry, that female researchers are still a rarity. I set up "CTF for GIRLS," a female security community, in 2014, because I believed that women needed a place where they could provide support for one another, if partly to lower the threshold for entry on a mental and societal level.
--What sort of efforts are being made at "CTF for GIRLS"?
We conduct regular workshops and CTF competitions for women who are interested in information security technologies. "CTF" is short for "Capture the Flag," and in CTF competitions, people compete against others using their skills in information security technologies. We coordinate with female security communities in Taiwan, South Korea, India, and more, providing each other with challenges for CTF competitions and sometimes even giving joint presentations at international conferences.
Many of the women participating in these workshops are beginners—for instance, people placed in security-related divisions at their companies—and are generally in their 20s to 30s. I want "CTF for GIRLS" to be the sort of organization that's able to promote a wide variety of role models, from people who've been able to balance their work in security with their personal lives, to people studying security as a hobby.
The STEM fields (science, technology, engineering and mathematics), including security, are also mostly made up of men, and there's often the misunderstanding that women aren't suited for these fields. I think that can result in a mental hurdle for some women when it comes to entering these fields. Ideally, I'd want "CTF for GIRLS" to encourage more women to become security engineers, and to create an atmosphere where it's totally normal for women to work and thrive in the field.
--What is something consumers can do to help prevent cybercrime?
A lot of people assume cyberattacks are irrelevant to their lives. But in reality, anyone who uses devices connected to the Internet, including smartphones and computers, is at risk. It'd be great if all of us could take measures to reduce vulnerabilities, like updating our devices properly and installing security software, to limit the risk of cyberattacks.
Translation by Amitt