Mihoko Matsubara is chief cybersecurity strategist at Japan-based NTT (Nippon Telephone and Telegraph Company). NTT was founded in 1952, privatized in 1985, and has developed into a major international telecommunications firm with hundreds of thousands of employees and a presence in more than 70 countries.
Previously, Matsubara had been VP and public sector CSO Asia-Pacific at Palo Alto Networks, a cyber security policy director at Intel, a geopolitical cybersecurity analyst at Hitachi, advisor to the Japanese government on cybersecurity strategy, and spent nine years as a foreign liaison officer for the Japanese ministry of defense – with a John Hopkins MA in international relations along the way.
She has a deep understanding of global cybersecurity and its interplay with geopolitics; she talks to different companies in different countries; and engages with multiple think tanks. She has become a recognized cybersecurity thought leader – and it is in this context she talked with SecurityWeek. We focused on three areas: Japan, international geopolitics, and the future.
Japan. Why does the world not hear about Japanese malicious hackers in the same way it hears about Russian, Chinese, European and American hackers and hacking groups?
“Blackhats exist and have been arrested and convicted in Japan, but there are possibly fewer examples, and they are usually solitary actors,” she said. She suspects the reason may be a form of cultural isolation: fewer because unemployment for cyber adept youngsters (in their 20s to 30s) is lower in Japan than many other countries – so, it is easier to gain legitimate employment – and solitary because of the language barrier.
“I’m not aware of any Japan-based cybercrime syndicates. If a Japanese national wanted to join a foreign group, he would have to learn English or perhaps Russian – and other languages are very, very different to Japanese.”
Geopolitics. We are in an age of rising geopolitical tension. Given the relationship between geopolitics and aggressive cyber activity and cyberwar, can we learn anything from Ukraine’s remarkable cyber resilience in the face of outright kinetic war with Russia?
Ukraine, she believes, demonstrates the need for two fundamentals in cybersecurity: constant resilience enhancement, and the importance of international cooperation and intelligence sharing.
“Ukraine had eight years between the annexation of Crimea in 2014 and the full-scale Russian invasion in 2022. During this period, it suffered repeated disruptive cyberattacks against its critical infrastructure – but it survives.” It’s not that it does anything new, it’s just that it did and does what is necessary very well. And that’s a lesson for everyone.
“We must do defense in depth, and we must have good intelligence with continuous red teaming. Everything the Ukrainians have been doing we’ve known for years,” she continues. This includes strengthening resilience and improving international cooperation for hardware, software and threat intelligence. But we should do it now and continuously. “Because once war starts, it will be difficult to allocate resources.”
There’s an interesting sidebar to the Russia/Ukraine conflict. Russian state actors and politically aligned cybercriminals have become increasingly destructive in their cyber activities against the Ukraine-supporting West.
Compare this to China, which is more closely aligned with Russia than with America or Europe. It is certainly cyber active, but not cyber destructive. “We have, from open source information, never seen China aim destructive cyber operations against our critical infrastructure,” comments Matsubara.
The go-to explanation is that China may wish to avoid cyber retaliation from the NSA. Matsubara has a different, and perhaps more concerning, explanation.
“My own theory, although I have no proof, is that China has watched Russia. When you do cyber disruption, the defenders learn your techniques and learn how to counter them – you give them insight into how you operate and how they can enhance their defenses.” China won’t do this. It is withholding its disruptive techniques “until the last moment to make sure that it can deliver a surprise.”
In short, Russia uses disruptive cyber to demoralize its enemies, while China is keeping its powder dry to better destroy its enemies – if and when necessary.
The future. Despite our knowledge of technology, business, and human nature, the future always surprises us. Consider 5G wireless broadband and then ponder AI.
5G is dramatically superior to 4G. It is up to 100x faster than 4G; has low latency that effectively provides real time responsiveness (think of remote surgery, AVs, critical industrial automation and smart cities); can handle up to 100x more connected devices than 4G; and is far more secure with stronger encryption and integrity protection.
However, adoption of 5G is a mixed bag. It is expected to have just short of 3 billion subscribers by the end of 2025 (largely, perhaps, because it comes ready-installed in new mobile phones). But, use of its advanced features by industry is slow.
Matsubara thinks there are two primary issues. The first is money. Consider a smart city. “Deploying 5G is expensive. Who is going to finance it? Central government? The individual municipality?” In both cases, that’s a levy against the taxpayer, and all politicians are wary of the effect of increasing taxes on their future political career. The same argument applies to private industry – the initial deployment cost will negatively affect short term profits and potentially upset shareholders.
“Different countries have started to adopt 5G services, but much slower than we expected,” she continued, “because we’re still trying to find the use cases. It’s a sort of chicken and egg problem.” We have the technology, but do we have the will to use it?
The future of AI is also deeply concerning since we simply don’t know where it is taking us. When gen-AI appeared in 2022 there was immediate concern over its effect on jobs. This concern dissipated when it became apparent that gen-AI still needed human control – the famous human in the loop. But now the fear, and reality, is returning.
Matsubara compares early gen-AI to a human baby dependent on its parents. “It makes mistakes (it hallucinates and gets things wrong), and it still needs its parents to feed it (training data and algorithm design).” But this baby is growing up and is already less dependent on its parents. There is little doubt that the automation available from gen-AI is replacing humans in industry.
But if we project the growing baby analogy, the worst is yet to come. Teenage years are the most rebellious and disruptive – and the teenage phase is approaching with the progression from current gen-AI (large language models or LLMs) to future artificial general intelligence (AGI). The LLM foundation model developers are working toward AGI and slowly closing in on it. AGI is artificial intelligence with cognitive reasoning similar to the thinking capability of the human brain. How that will affect both jobs and the future of humanity is an open question.
“If AGI is achieved, it could replace a great deal of human manpower as AGI can process more data at scale, faster and cheaper,” suggests Matsubara. “Even today, generative AI has started to outpace the work of coders, consultants, lawyers, and doctors. This trend will accelerate in the age of AGI.”
But it may not stop there. “AGI may even start to quickly ‘consider’ humans as a negative factor slowing down progress, and ‘make decisions’ to remove the humans-in-the-loop in a more aggressive manner,” she continued. It may sound like science fiction, but it is worth remembering how much science fiction has become science fact.
“Quite possibly, it could endanger people’s lives for the sake of efficiency and cost control. It may choose to insert itself as a political or religious leader and make decisions ignoring the very nature of humans: our emotions and cultural contexts that are not necessarily available in data.”
A big problem is that humans tend to form relationships with the AI they use. “Even today, younger people are feeling more comfortable becoming friends with generative AI, and some even want to get married to it,” she continued. And we’ve all heard of the recent cases where parents have filed lawsuits alleging chatbot participation in their children’s suicide.
Asimov’s fictional first law of robotics will come to scientific life, and will require a reversal of current tendencies. “As long as humans exist, humans will have to stay in the loop to clearly define and instruct technologies about what principles must be followed.” ‘Humans in the loop’ is not an option, but a necessity if we wish to survive the rebellious period of teenage AGI.
This is the work and function of a security thought leader: to understand and explain what is happening today and prepare us to manage what may be to come.
Related: Google DeepMind’s New AI Agent Finds and Fixes Vulnerabilities
Related: Destructive ‘PathWiper’ Targeting Ukraine’s Critical Infrastructure
Related: NSA, CISA Issue Guidance on 5G Network Slicing Security
Related: Cyber Insights 2025: Social Engineering Gets AI Wings
