While Washington has long considered the defense industry a critical part of the nation’s infrastructure, that has not been the case in Tokyo. Yet as Japan increases its defense exports in partnership with foreign defense industries, it is inevitable that more sensitive information will be shared between Japan and its partners. To counter future cyber threats, it is imperative that these partnerships develop strong information security protocols.
In the U.S., cyber-attacks on defense contractors are already commonplace. The Senate Armed Services Committee reported last month that hackers linked to the Chinese government broke into U.S. transportation contractors’ systems in 2012. Earlier this year, a report showed Israeli defense contractor’s computers, which contained sensitive information on their Iron Dome systems, were also hacked by the Chinese in 2011. The Israeli defense contractors were also partners with U.S. defense contractors.
According to an annual report by the Ponemon Institute, cyber-crimes – including intellectual property theft, inserting computer viruses, and distributing confidential information – cost each of the 59 U.S. companies surveyed an average of $12.7 million in 2014. That’s a record high, up almost 10 percent from the previous year. Costs ranged from as low as $1.5 million to $60 million. And it is only a fraction of the total cost of cyber-crimes. Another study, which includes lost opportunity and recovery costs, estimates the total cost at $100 billion annually for the U.S.
The Ponemon Institute’s report identifies U.S. defense industries as the sector suffering some of the greatest losses, with a yearly average loss of $20.6 million per company, up from $20.3 million in 2013.
The number of cyber-attacks on Japan is rising rapidly. Japan’s National Information Security Center (NISC) reported earlier this year that cyber-attacks reached 5 million in 2013, a five-fold increase from a year earlier. The Ponemon Institute pegged the cost of cyber-crimes suffered by the Japanese companies surveyed at an average of $6.9 million in 2014.
Cyber-crime is growing at the same time that Japan’s defense sector is looking to expand. Earlier this year, Japan reinterpreted its constitution to allow for the exports of its weapon systems. Though Japanese defense industries are currently waiting for legislation outlining the specifics, many companies are already partnering with foreign companies – on submarine technology with Australia, missile technology with Britain, as well as U.S. defense companies such as Boeing and Northrop Grumman.
It wasn’t until 2011, though, that Japan’s defense industry publically reported its first cyber-crime. Yet as these companies assume a larger role on the international stage, they will become more of a target for attack. This is why information sharing between these sectors and the international community concerning cyber-attacks is increasingly important.
As far back as 2009, data on the F-35 Joint Strike Fighter program was targeted for cyber-attack. Already a huge program, involving some 900 subcontractors, the F-35 program is growing even bigger as regional allies Japan, South Korea, and Australia purchase the aircraft. Meanwhile, Japan has aspirations of becoming an F-35 maintenance, repair, and operations hub.
Wednesday, the U.S. and Japan released an interim report on the revision of their mutual defense guidelines, outlining security cooperation between the two countries in the region– with the new addition of cyber security. The report highlighted that threats in cyberspace are growing and becoming more serious, and that the governments of the U.S. and Japan must work together to improve cyber security, especially concerning critical infrastructure.
Programs such as the Department of Defense’s Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) and Japan’s Initiative for Cyber Security Information Sharing Partnership (J-CSIP), both created in 2011, allow for cyber-threat information sharing among defense industries and government. Non-disclosure agreements are made, and both the use and sharing of information is kept voluntary as a way of incentivizing companies to join, while not pressuring them to commit.
In general, the threat of cyber-attacks will only increase as the world becomes more digitally interconnected. This makes information-sharing even more crucial to cyber-security. Companies sharing information regarding potential cyber threats can help others defend themselves – and vice versa. Anonymity is a further incentive. Companies need to know that the information they submit won’t possibly be used against them in the future. The last thing these countries need is for their defense industries’ information to fall into the wrong hands.
Riley Walters is a Research Assistant at The Heritage Foundation in their Douglas and Sarah Allison Center for Foreign and National Security Policy.