Japan’s evolving cybersecurity landscape: a latecomer at a crossroads

Japan is a late comer when it comes to cybersecurity. Until recently, decisionmakers in Tokyo hardly considered the fifth domain a top priority for national security policy. The country’s first cyber framework was only published in 1999 and most polices regarding digital assets were focused on standard criminal activities rather than State-sponsored organizations, such as Advanced Persistent Threat (APT). Decades of political passiveness coupled with the absence of a holistic approach to tackle sophisticated malicious activities in cyberspace would dramatically impact the country’s security at the turn of the 2010s.

Two cyber-attacks against Japan’s leading defense industry and legislative body were a turning point in the country’s decision to revise its approach to cybersecurity. In 2011, Mitsubishi Heavy industry and the Japanese Lower House were successfully breached, allowing suspected Chinese hackers free access to Japanese sensitive assets, such as national security related information.

The data leaks attributed to China made Tokyo realize its complete unreadiness to fend off sophisticated attacks in cyberspace. With the 2011 data breach in mind, Japan realized that the loss of highly confidential data to China not only compromise Japan’s competitiveness as an industrial power, but also undermine Tokyo’s geopolitical goals in Asia.

According to some experts, cyber-thefts help China to strengthen its military program and catch up with the West in cutting edge technologies. Constant security flaws in Japan’s digital environment can therefore limit Japan’s options to balance China in the Indo-Pacific region. As Beijing’s political and military assertiveness is increasingly perceived as an unprecedented threat to Tokyo’s strategic interests, deterring China from acquiring additional state-of-the-art military expertise and political influence using digital tools has become a top priority for Japan’s decisionmakers.

Towards Japan’s first comprehensive national cybersecurity strategy

Concerns over the growing exposure of national security assets to foreign state-backed malicious organizations compelled Japanese decisionmakers to revise their approach to the digital environment. With Abe’s second term as Prime Minister Japan would embark on an unprecedented structural reform of its cybersecurity environment.

The first step toward a comprehensive strategy in the digital domain was the 2014 Basic Act on Cyber Security. The Basic Act clarified the responsibilities of governmental bodies and, for the first time, provided an official Japanese definition of “cybersecurity”. More importantly, the 2014 policy established the Cybersecurity Strategic Headquarters under the Prime Minister’s authority to draft and implement a national cybersecurity strategy. Aside from enhancing Japan’s security in the fifth domain, one of the main goal of the Basic Act was to centralize future cyber policies under the Cabinet to prevent the Japanese problem of bureaucracy stovepiping to take root in the digital realm. 

The first cybersecurity strategy was published in 2015 setting out the national goals of the next three years. With the 2020 Olympic and Paralympics Games in Tokyo in mind, the government stressed the importance of private investments in cybersecurity, closer public-private partnership to counter digital threats, and the application of the international “rule of law” to cyberspace. The stated goals of the 2015 strategy were later reinforced in the amended versions of 2018 and 2021 as cyberthreats continued to grow in volume and sophistication.

Japan’s apprehension over the malicious use of cyberspace has grown exponentially following the Russian invasion of Ukraine. Russia’s historical fondness for malicious digital tools to further its national goals has deeply influenced Japan’s current posture on cybersecurity. Considering the far-reaching consequences of Moscow’s assault on “the rule of law”, the new 2022 National Security Strategy (NSS), a key framework published by the Japanese government to meet national security needs and objectives, emphasizes the need for better countermeasures to fend off hybrid threats and malicious activities in the digital domain.

The improved version of the 2013 NSS brings two important changes to Japan’s cyber ecosystem. First, the 2022 framework introduces the concept of “active cyber defense for eliminating in advance the possibility of serious cyberattacks” against national security assets in Japan. In other words, the Government will now be authorized to neutralize an attacker’s cyber capabilities in advance for the first time in its history. Second, the National center for Incident readiness and Strategy for Cybersecurity (NISC) is to be reformed to establish a new structure that will reinforce centralization and facilitate coordination between all competent authorities.

Recent improvements in the country’s cyber policies and procedures haven’t turned Japan into a safe digital environment. Tokyo still faces some hurdles when it comes to the protection of digital assets and inter-connected systems. Ten years after the leaks of 2011, Tokyo’s Metropolitan Police Department (MPD) revealed that 200 companies, mainly belonging to the Japanese aerospace industry, were targeted through a zero-day exploitation between 2016 and 2018. According to computer experts and government authorities, Chinese military cyberunits were most likely responsible for the attack. The 2021 revelation highlights how Japan still struggled to secure critical cybersecurity protocols and systems related to national security assets years after experiencing devastating data breaches in 2011.

Conclusions

Although Japan continues to face challenges regarding the safety of its digital assets, Tokyo’s cybersecurity landscape is rapidly growing to catch up with other advanced nations. Steady progress in the digital realm are best testified by the recent signature of a U.S.-Japan memorandum to set common security standards for government procured software. Common standards will allow Japan to enhance intelligence sharing capabilities and deepen ties with Washington’s core allies of the fives eyes. As both the U.S. and Japan share common strategic interests in the Indo-Pacific region, increased adoption of state-of-the art cybersecurity standards might even allow Tokyo’s direct participation in future American top of the line military R&D projects.

Although alleged Chinese APT activities have so far been limited to cyber espionage and disruption, growing rivalries between Beijing and Tokyo might lead to more assertive actions in the digital realm, such as cyber degradation operations against critical infrastructures. A set of multilateral partnerships and a growing cyber ecosystem is therefore not sufficient to address the threat of Chinese APT. Japan also needs to resolve political constraints, namely constitutional limits on the use of force and inter-bureaucracy rivalries, to successfully complete its long-term objectives in the digital realm.

First, independent “counter offensive cyber operations” remain constrained by Articles 9 and 21 of Japan’s postwar constitution. Article 9 prevents Japan from conducting preemptive cyberattacks while Article 21 limits data collection to open-source information and prevents Japan’s intelligence community to pursue cyber reconnaissance activities. In other words, the government’s commitment to “eliminate in advance the possibility of serious cyber-attacks” requires an in-depth reinterpretation, or even revision, of the 1947 Constitution. Long term public support to government policies is therefore paramount for successful “active cyber defense” to take root in the Japanese mindset.

Second, Japan’s successful ascendance in the fifth domain can also be affected by institutional rivalries. As stated by Richard J. Samuels, Director of the Center for International Studies at the Massachusetts Institute of Technology, technological advancement might lead Japanese bureaucracies to attempt “to claim their share of responsibilities”, favoring stovepiping within the government. In other words, having a strong centralized leadership in the cabinet, like during Abe’s second term in office, will be paramount to prevent inefficient information sharing and counterproductive political bargains to hamper Japan’s cyber strategy.

Picture credits: freepik.com