“The People of Hitachi”: A White Hat Hacker Who Nurtures the Next Generation of Cybersecurity Professionals
Mar. 25, 2021
Kaori Sasuga
As COVID-19 infections mount, an increasing number of companies are implementing digital transformation to reform their business. Although digital transformation has brought about many advantages, including the spread of remote work, it has also raised the risk of cyberattacks. There are cases in which, due to the hasty way in which remote working environments were put together, inadequacies in server management have exposed many companies to cyberattacks.
Against this backdrop, cybersecurity professionals known as "white hat hackers" are attracting attention for their activities in checking the various vulnerabilities of systems and servers, and configuring countermeasures against cyberattacks. Mr. Kazuya Yonemitsu of the Security Professional Center of Hitachi Solutions, Ltd. is one of them. In addition to his security-related duties, he is also devoting efforts to developing the next generation of white hat hackers. We interviewed Kazuya about his activities and why he is committed to human resource development.
Taking on the challenge of a global hacking contest
While he was a graduate student, Kazuya became interested in Copy Control CD technology (CCCD), which protects CDs from illegal copying, thus starting him on the road to a career in security. Since joining Hitachi Solutions, Ltd. in 2000, he has been in charge of system development for security measures and security consulting.
Sixteen years later, he was selected as a team leader to gather talented engineers from within the company, in order to nurture them as highly skilled security engineers.
"I started off with the concept of a 'team made up of cybersecurity specialists.' However, in demonstrating our technology and skills to the outside world, we won't be very convincing unless we have something to back it up. We then decided to participate in DEF CON CTF, a globally prestigious hacking contest, figuring that if we are able to produce good results in this external event, we could gain some credibility."
Every year, hackers from all over the world get together in Las Vegas, U.S. to participate in DEF CON CTF, an annual hacking competition entering its 29th year in 2021. DEF CON CTF is also a focal point for recruiters from various companies and government organizations, such as the CIA, to find talented human resources.
In this competition, teams compete to win by earning the most points in a style called “Capture the Flag (CTF)”. The qualifying round comprises a quiz format and lasts for 48 hours. The questions test computer security skills, and points are awarded when the team succeeds in finding a hidden keyword inside a question, known as a "flag". The final round requires more practical hacking techniques, with the teams trying to hack into each other's virtual networks via cyberattacks while defending their own networks.
Teams with expertise in a wide range of fields have an advantage in this contest, as they will be tested not only on their hacking skills but also on their diverse knowledge and experience in cryptography, code analysis, reverse engineering, and mobile security.
Kazuya's team first entered DEF CON CTF in 2014. After placing only 224th out of about 1,500 teams, they practiced extensively, and in 2017 rocketed up in the standings to 63rd place. Since then, the team has stayed in the high ranks and has also been among the top 10 teams from Japan. Kazuya spoke of the appeal of DEF CON CTF as follows:
"DEF CON CTF is a contest that allows participants to attack and penetrate networks, which is not welcomed in real life. Its interest lies in the fact that the person with the right answer wins regardless of the means, so fairness and accuracy are not as important. Jokes and gimmicks designed into the problems, which is also unique to the culture of hackers, who are often regarded as outlaw types."
The difficulty in building a strong team
Although Kazuya's team has become one of the current powerhouses, the journey to this point was not an easy one.
The initial challenge in creating a strong team was the difficulty in gathering team members. The DEF CON CTF qualifying round is a 48-hour endurance contest in which participants take on one difficult problem after another without any clues provided. To make it through the long battle, team members have to take turns in order to maintain their concentration, and since there is no limit on the number of people per team, the teams with more members have an advantage.
Kazuya started up his team with talented engineers from his own circle but was not able to recruit enough members to make it through the lengthy battle. The situation became even worse when a talented engineer he intended to invite suddenly changed jobs.
"There was an employee at Hitachi Solutions who previously belonged to a strong team in DEF CON CTF. At that time, we schemed to get him on the team, but when we invited him, he had already decided to change his job. Having lost a key member, I was quite anxious about how to put in a good performance."
Another task essential to creating a strong team was raising the overall skill level of the members. Since many of the questions in the contest cannot be solved without knowledge of cutting-edge technologies, it is crucial to keep building up knowledge by checking the latest technologies and looking over papers released abroad.
Kazuya's struggles began with how to gather talented engineers and how to raise members’ skill levels in order to create a strong team.
"Some of the problems presented during the competition can take over 10 hours to solve. The challenge was in how to develop people in the team and how to add people to the team who can solve such hard problems."
Things that can be done to form a strong team
To solve the problem of the lack of team members, Kazuya sought out talented engineers from among the participants of security competitions held internally. Kazuya nurtured close friendships with promising employees who had done well and recruited them to his team.
"I have been holding an in-house security competition since 2017, with participants from the entire Hitachi Group. When you gather human resources from such a wide range, people with superior technical skills are bound to appear. I reached out to those people to get them to join our team."
In order to raise the overall skill level of the team, Kazuya created an environment that allows for plenty of time and opportunities for members to polish their skills.
"Engineers who are good at their job are mostly people that want an environment where they can immerse themselves in their technology of their interest, so I focused on creating a place where members can fully concentrate on the work that they want to do. I also knew the kind of work that did not interest them, so I tried to take that up myself."
In just two years from its entry in DEF CON CTF, the team that Kazuya created from scratch grew to be able to compete on equal terms against the world's most powerful teams.
Developing security human resources both in and outside the company
Kazuya says that the best part about taking on the DEF CON CTF challenge as a team is the "excitement of the moment when you solve a difficult problem." He says that he gets emotional when the team breaks through the heavy atmosphere after members solve a problem that took a long time.
"There are times when it takes multiple people to solve a single problem, and the atmosphere can be gloomy if an answer resists being found. Then, someone on the team suddenly gets a flash and finds the answer. It always impresses me how someone went from completely puzzled to finding the right answer."
Besides participating in DEF CON CTF, Kazuya exerts himself in developing young engineers outside the company by lecturing on security technology as a university instructor and participating in the preparation of national examinations as part of the “Information Technology Engineers Examination” committee.
"When engineers dive into a technology that they are interested in, they come to enjoy it fully as if it’s something like a game. So if they are able to help someone through technology, it means they are able to contribute to society while having fun doing it. I would like to share such joy with others."
Engineers often lose track of time and acquire skills while "at play." Kazuya believes that cybersecurity human resources nurtured through such an environment will help protect society from the risk of cyberattacks. Going forward, he will continue with his various activities aimed at developing the next generation of cybersecurity professionals both inside and outside the company.