Japan’s Achilles Heel: Cybersecurity

Recent Features

Features | Security | East Asia

Japan’s Achilles Heel: Cybersecurity

Japan is uniquely underprepared for the cyber challenges of the 21st century.

Japan’s Achilles Heel: Cybersecurity

Participants from government ministries and agencies take part in the Cyber Defense Exercise with Recurrence (CYDER) in Tokyo September 25, 2013

Credit: REUTERS/Toru Hanai

Cyber is a relatively new realm of security that states across the world have to contend with. From deciding what constitutes an “attack” to what constitutes a “proportionate response,” many states are still struggling to understand this new sphere. Such issues require international cooperation to establish new norms, and in a parallel effort, states are doing as much as they can unilaterally to defend themselves. However, Japan, in particular, is still lagging.

Due to a variety of factors, Japan is uniquely underprepared for the cyber challenges of the 21st century, ranging from attacks by foreign quasi-state actors to theft by domestic criminals.

One important factor that makes Japan so vulnerable is its economy’s heavy reliance on the Internet. According to Deloitte’s Asia-Pacific Defense Outlook 2016, Japan, along with South Korea, Singapore, Australia, and New Zealand, has a cyber vulnerability index nine times higher than their Asian neighbors. The index is based on a number of data points that measure internet-based economic interactions – such as the number of mobile phone subscribers, the number of secure Internet servers, broadband prevalence, and the rate of Internet use – and does not consider the effectiveness of countermeasures in place or the number of Internet-reliant military and government systems. Still, it provides a telling sign of how vulnerable Japan is.

Another factor that makes Japan uniquely underprepared is the Japanese population’s indifference or misunderstanding of the issue. There are multifaceted causes, including the demographic reality that Japan is an aging society; a certain naiveté among the Japanese public at large; a culture of shaming victims that makes Japanese government and business leaders embarrassed to admit failure; and insufficient talent to meet Japan’s security needs.

Japan is one of the most rapidly aging nations in the world, and many of its seniors lack even a basic understanding of cyber – let alone cyber risks. Fraud and criminal activities, which tend to prey on seniors, also have taken on digital wings. Because of harsh penalties for writing malware, Japanese cyber criminals have a tendency to purchase such malware from foreigners for their use. Through anonymous – and restricted – access to the deep web, cyber criminals buy and sell phone number databases and credit card credentials, among other illicit goods.

William Saito, special adviser to the prime minister on cyber issues, also laments that too many Japanese become “unwitting accomplices” in cyber crime, as they unthinkingly insert an unknown USB drive into a device or click on a dangerous link. There is also a general lack of appreciation among ordinary Japanese about the importance of keeping sensitive information safe.

Furthermore, cooperation – between different government agencies, different companies, and across the private and public sectors – to fight back against cyber threats is harder than it should be. One of the greatest obstacles to cooperation is the culture of victim-blaming, which makes it difficult for an agency or company that has been the target of a cyber attack to come forward. In this respect, Saito believes that the government needs to set an example of not covering up when attacks happen, and having better communication and more open reporting procedures. Only when the government takes the driver’s seat by setting a good example will this norm trickle down to businesses and individuals.

Meanwhile, there are few efforts so far to promote domestic expertise on cyber issues. In Japan, students are not exposed to computer programming until the university level. Saito characterizes this lack of emphasis on programming as a national security concern. “We lack, some say, 80,000 cyber literate workers in Japan at a minimum,” Saito explains. “Not only are we losing competiveness, efficiency, but obviously the IP that we lose via theft. Thus, it is a huge concern that we need to put immediate attention towards.”

And, of course, when it comes to attacks from quasi-state actors, geopolitics cannot be discounted either. China, Russia, and North Korea target Japan not just because of a general sense of animosity or disputes over history issues, but because Japan could be a threat, due to Japan’s sheer proximity and advanced capabilities. China, Russia, and North Korea have a need to know what Japan is up to and capable of.

In short, Japan is a high-value target – militarily, economically, and technologically. Consider the wide range of targets in Japan. In August 2011, hackers targeted classified defense information at Mitsubishi Heavy Industries and 20 other defense and high tech firms. Also in August 2011, emails and documents were stolen from 480 Diet members and staff. In April 2012, a hack at the Ministry of Agriculture, Forestry and Fisheries resulted in the exfiltration of 3,000 documents, including 20 classified documents on TPP negotiations. In early 2013, the Ministry of Foreign Affairs discovered it had lost “at least” 20 documents.

Cyber vulnerability is exacerbated by Japan’s “island nation” mentality, which Saito believes has made Japanese leaders complacent when it comes to defending against cyber threats. “Security and safety has always been taken for granted [because of Japan’s geographic isolation]. Cyber’s very premise has connected the country in many ways,” Saito argues.  To use just one prosaic example to illustrate how Japan is no longer as isolated as it used to be: cyber means language differences are no longer the natural barriers they once were for espionage activities within Japan. Instead, Japanese officials’ lack of English fluency helps contribute to a lack of Japanese influence in international forums dealing with cyber issues.

The true wake up call to Japan was the pension hack last June, when 1.25 million cases of personal data was leaked – a psychological shock the equivalent of the United States’ own OPM breach.

So what can Japan do? Deterrence does not work in a traditional sense. The Deloitte report acknowledges this dilemma, concluding that Japan may have to consider “threatening disproportionate or unpredictable retaliation … including responses outside cyberspace.” But, ironically, because of just how extensively Japan is inter-connected, hackers’ fear of “unintended consequences” – triggering catastrophes greater than they intend or want – has likely exercised some restraint over hackers’ activities. Fear of waking a sleeping bear has likely stayed attackers from mounting more daring campaigns.

While this consideration might mitigate damaging attacks against Japanese assets, it does not necessarily deter those who simply wish to seek information that can be used for financial gain. These sort of illicit activities focus on going unnoticed and being undisruptive for as long as they can. Cyber theft of information is, after all, just the newest iteration of espionage. And as with traditional espionage, why kill off a good source by revealing your access? In the long-term, the most damage to Japan could come from more innocuous malware, which focuses on information gathering.

With the goal of increasing cyber preparedness, the Lower House of the Japanese Diet passed the Cybersecurity Basic Act in November 2014, which sets new requirements for national and local governments to quickly report cyber attacks, and created the Cybersecurity Strategy Headquarters to coordinate cyber strategy, policy and procedures. Aware of these various threats, Japan is doing better, Saito concludes, especially the finance industry.

But this is no longer an issue that Japan can deal with on its own. James Lewis argues that the U.S. and Japan can do more to address these potential threats together, and should specifically take the following six steps:

  1. “Assigning adequate resources to cybersecurity, particularly for Japan;
  2. Agreeing on how collective defense in cyberspace is defined and implemented, including clear guidance on Article V thresholds and a joint public statement on cyber activities that could trigger the mutual self-defense commitment;
  3. Creating bilateral mechanisms for cooperation and for sharing information on cyber threats and the techniques used to mitigate them;
  4. Developing robust, realistic joint training and exercises;
  5. Expanding national and joint efforts for civilian critical infrastructure protection and counterespionage;
  6. Coordinating efforts to create a framework for cybersecurity discussions and CBMs [confidence building measures] in Northeast Asia.”

Greater coordination between Japan and the United States, as well as other allies, will be a big step forward for Japan. Cyber does not respect sovereignty, and domestic solutions are no longer adequate.

While ensuring cyber security ahead of the the 2020 Olympics is a daunting challenge, Saito sees this as a golden opportunity. That hard deadline can act as a “catalyst” to bring Japan’s cyber readiness up to the highest level. The fixed schedule prevents Japanese leaders from “kicking the can down the road,” and the sense of urgency can help cut through bureaucratic red tape that hinders cooperation.

Openness, transparency, a willingness to acknowledge the problem, and more seamless intra- and interstate cooperation is key for Japan to increase its cybersecurity.