Tokyo Report

A Missing Piece in Japan’s Cyber Defense

Recent Features

Tokyo Report | Security | East Asia

A Missing Piece in Japan’s Cyber Defense

The case for a government process handling “zero day” vulnerability disclosure in Japan.

A Missing Piece in Japan’s Cyber Defense
Credit: Pixabay

Cyber defense in Japan is becoming more and more important due to increasingly frequent and sophisticated threats from China, North Korea, and Russia. Japan’s “exclusively defense-oriented” national security policy forbids the use of force or even the threat of force as a political instrument, imposing limits on its ability to respond effectively to cyber threats. While neighboring states have been building up both offensive and defensive cyber capabilities, Japan has focused almost exclusively on defensive ones.

Japan’s efforts on cyber defense have been developing rapidly since 2015, driven by the former Abe administration’s redefinition of Japan’s defense policy in cyberspace and the vision of an interconnected society. In addition, a more militarized response to state-sponsored threats started to emerge following the adoption of the 2018 defense strategy. Japan’s Defense Ministry aims to increase defense unit personnel and to create a new joint cyber unit – with limited offensive capabilities – by 2023, responsible for protecting Japan Self-Defense Force (JSDF) networks.

It remains unclear whether the above-mentioned developments will be sufficient to achieve the capabilities Japan seeks. It is an immediate challenge for Japan to deter malicious actors through its current predominantly defensive posture. As it redefines its approach to cyber defense, Japan should consider establishing a government vulnerability disclosure process to deter future attackers in a way that is compatible with its current policy.

Deterrence theory specifies two approaches that can be used to deter an adversary by manipulating its cost-benefit calculations: deterrence by punishment aims to raise the cost of an attack by threatening a wider retaliatory punishment, whereas deterrence by denial aims to raise the cost of an adversary’s actions by making it especially difficult for an adversary to reach his objective.

Deterring cyberattacks through punishment – such as economic sanctions – has so far proved largely ineffective. The difficulties in implementing an effective deterrence by punishment strategy in cyberspace are multifold. These include the problem of attribution and of timely detection of an unfolding attack, which are essential conditions for credible, legitimate, and effective retaliation. In addition, this approach contradicts Japan’s defense-oriented policy.

Deterrence by denial in cyberspace is usually associated with cyber defense (Joseph Nye refers to it as “denial by defense”). If well designed and implemented, traditional defensive systems (such as antivirus software, intrusion detection systems, and so on) can significantly reduce an adversary’s incentive to launch an attack by making it difficult to reach their objective.

However, effective defense through traditional mechanisms can be harder to achieve when it comes to more sophisticated actors, like states’ military cyber units or large criminal organizations, which invest a substantial amount of time and resources in trying to bypass security defenses by looking for harder-to-find vulnerabilities.

According to cybersecurity experts Robert Morgus and John Costello, a strategy for deterring by denial should put emphasis on shaping the battlespace by reducing vulnerabilities that are inherent in the technology, people, and process that make up this ecosystem.

There are many actors involved in the search of previously unknown (or zero day) vulnerabilities, such as government agencies, private companies and various non-state actors. A new vulnerability, when found, can be used for either offense – attacking others – or defense – getting it patched. When government agencies (such as a military cyber unit or intelligence agencies) discover or purchase a new vulnerability, they face a binary decision: They may decide to keep it secret and stockpile it for later use or to disclose it to the appropriate vendor so that it can be fixed.

As explained by cybersecurity expert Ben Buchanan, “Once the details of a vulnerability have been widely disseminated, much of the unique intrusion value of the zero day – and thus the offensive advantage that goes along with it – is lost. In addition, a state that learns of a zero day but does not use it runs the risk that another state will also find it and exploit it.”

States might sometimes deem it necessary to retain some zero days for national security purposes such as signals intelligence collection or military missions. A few countries, in particular the United States, have established a process by which governments review zero days to determine whether to retain or disclose them. While Japan has established a normative framework to facilitate vulnerability disclosure by the private sector, it currents lacks a similar process for government agencies.

This cannot simply be attributed to Japan’s greater focus on defense as opposed to offense. The lack of cyber offensive capabilities does not imply that government agencies, such as Japan’s Cyber Defense Unit, are not or should not be involved in the search for zero days. On the contrary, the search for previously unknown vulnerabilities needed for the development of network penetration capabilities can be critical for defenders as well.

Intruding other states’ systems can be helpful to gather important information on their infrastructure, internal organizational procedures, techniques, and targets. As Buchanan explained, “for some states, these intrusions are a key part of the defensive mission,” especially with regards to preparation, detection, and data analysis. Depending on the sophistication of their target, such defensive intrusions may require the use of zero days to minimize the risk of detection.

The establishment of a government vulnerability disclosure process would allow Japan to decide which zero days to retain or disclose based on its national security interest in a way that is compatible with its defense-oriented policy. In particular, it would allow it to increase its defensive capabilities while at the same time increasing costs for potential attackers.

Eugenio Benincasa is the WSD-Handa resident fellow at Pacific Forum in Honolulu, Hawaii. He holds an M.A. in international affairs from Columbia University in New York, where he focused on international security policy.