Asia Defense

Why Japan Is Lagging Behind in Cyber Defense Capabilities

Recent Features

Asia Defense | Security | East Asia

Why Japan Is Lagging Behind in Cyber Defense Capabilities

To introduce active cyber defenses, Tokyo will need to overhaul its bureaucracy and legal framework. 

Why Japan Is Lagging Behind in Cyber Defense Capabilities
Credit: Depositphotos

As previously reported by The Diplomat, Japan is lagging behind other major countries in cyber defense capabilities to deal with cyberattacks. Currently, only passive cyber defense, such as detecting network intrusions, is possible. 

The Japanese government decided to introduce active cyber defense in the new National Security Strategy, released in December 2022, in order to catch up on the delay in cyber defense efforts. Japan recognizes the need to counter cyberattacks targeting important infrastructure such as government organizations and nuclear power plants.

But the government’s efforts are still proceeding at a snail’s pace. 

“Japan’s cyber defense has been ridiculed by the world because we haven’t done anything,” Kanehara Nobukatsu, a former assistant chief Cabinet secretary and deputy director general of the National Security Secretariat under the second Abe Shinzo administration in the 2010s, said on a BS Fuji television program on May 23.

“Many in North Korea, Russia, and China are hunting for vast amounts of data in Japanese cyberspace. Who will go and catch them? No one has done so in Japan. Japan is the only country that has been slacking on cybersecurity for 20 years,” Kanehara cautioned.

The Washington Post reported on August 7 last year that Chinese military hackers had infiltrated systems that handle Japan’s defense secrets, and that the U.S. government had issued a warning to Japan in the fall of 2020.

“It was bad – shockingly bad,” the newspaper quoted one former U.S. military official as saying. 

Why is cyber defense in Japan so unreliable? There are a couple of reasons.

First, in Japan, the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is in charge of cyber countermeasures for government offices, but there is no organization in place to protect the entire population from cyber threats.

It is true Japan has the ability and readiness to react and respond to immediate threats such as earthquake disasters more quickly than almost any other major country. However, Japan typically does not react much to problems that are difficult to see. The discussion of cybersecurity has thus been on the back burner for years.

The government stipulated in the 2022 National Security Strategy that “the NISC will be constructively restructured to establish a new organization, which will comprehensively coordinate policies in the field of cybersecurity, in a centralized manner.” However, there is no estimate as to when this organization will be established.

Second, in order to realize active cyber defense, lawmakers need to amend existing laws, but the hurdles to doing so are high.

The National Security Strategy specifically lists the following three measures to implement active cyber defense:

  1. Japan will advance efforts on information sharing with the government in case of cyberattacks targeting the private sector, including critical infrastructure, as well as coordinating and supporting incident response activities for the private sector.
  2. Japan will take necessary actions to detect servers and other digital infrastructure suspected of being abused by attackers by utilizing information on communications services provided by domestic telecommunications providers.
  3. For serious cyberattacks that pose security concerns by targeting the government, critical infrastructure, and others, the government will be given the necessary authority to penetrate and neutralize the attacker’s servers and others in advance to the extent possible.

As for point two, information gathering activities within the network are essential for detecting servers that are suspected of being exploited or attacked through suspicious communications. But when its comes to patrolling cyberspace using information from domestic telecommunications carriers, there is a high possibility that citizens’ personal information and privacy may be violated. 

Article 21 of the Japanese Constitution guarantees citizens the “secrecy of communications,” and the Telecommunications Business Law stipulates that telecommunication carriers must protect the secrecy of communications. So there is a risk that this would directly conflict with the National Security Strategy’s provisions.

If a nation cannot maintain the security of cyberspace, that nation certainly cannot maintain the confidentiality of communications. But it is very difficult to draw a line as to what constitutes legitimate information gathering, as shown by the leaks from Edward Snowden, a former contractor for the CIA.

The third point – allowing the government to penetrate and neutralize an attacker’s servers – presents an even higher hurdle. Once an attack on a server is suspected, the government is given the authority to access the other party’s systems. But this may violate Japan’s Act on Prohibition of Unauthorized Computer Access, which prohibits unauthorized access to systems. 

Moreover, one way to neutralize an attack is to send malware (malicious programs) to the source of the attack. This may also violate the criminal law’s penalty for computer virus creation. 

If the system of the other organization is destroyed through such penetration and neutralization, the possibility cannot be ruled out that it will be considered an armed attack. It is also necessary to consider the requirements and standards for implementation, as well as who will carry out the cyber counter-attack.

Third and finally, the establishment of active cyber defense must conform to Japan’s long-standing principle of exclusively defense-oriented policy, which has been its national policy in the 79 years since the end of World War II.

In Japan, from the perspective of exclusive defense, it has been considered difficult to take countermeasures before being attacked. But in active cyber defense, relevant government authorities collect and analyze information on attackers, and if there is a risk of a serious cyberattack, they will infiltrate the attacker’s system and render it harmless in a pre-emptive strike.

To enhance Japan’s cyber defense capabilities, the government plans to hold a panel of experts for the first time in early June and submit a related bill to the extraordinary Diet session this autumn.

It remains to be seen whether Japan can firmly establish a system that meets international standards to protect its citizens by overcoming the many legal challenges.