Japanese companies are under increasing attack from cyber criminals, and the government says it is ready to step in to coordinate a more offensive approach to cyber defense. The Kishida administration is looking to bolster Japan’s cyber defense capabilities by establishing an “active cyber defense” system, which monitors cyberspace and takes preemptive action to neutralize an attack before it escalates.
But, the ambitious plan to safeguard cyberspace faces debate over questions of government surveillance, data privacy, and the protection of personal information against a potential misuse of power.
Japan’s cyber defense countermeasures are in the spotlight with a string of cyber attacks aimed at businesses. Japanese news video site Nico Nico is the latest company to have its website shut down under a suspected cyber attack. The damage has spread to multiple entertainment and e-commerce platforms owned by parent company Kadokawa, which saw its share price temporarily fall 4 percent on the Tokyo Stock Exchange this week. Kadokawa says an investigation into the ongoing shutdown is still underway with the help of experts and the police.
Cyber crime in Japan is on the rise. The number of attacks has jumped 35-fold in the last 10 years. One type of cyber crime is Distributed Denial-of-Service or DDoS attacks, which disable websites when attackers flood a server with internet traffic to prevent users from accessing the site. The number of DDoS attacks reported to authorities has increased almost 15 times compared to the previous year.
The government has positioned cyber defense as a matter of national security, given that cyber attacks can threaten critical infrastructure such as telecommunications, the electricity grid, healthcare, cashless payments and remote work. Notable corporations such as Mitsubishi Heavy Industries, which has defense contracts with the government, and the Port of Nagoya, Japan’s largest port, have come under large-scale cyber attacks. Last year a ransomware attack on the Port of Nagoya brought cargo logistics to a standstill for three days. The government’s cyber security agency, the National Center of Incident readiness and Strategy for Cybersecurity (NISC), also publicly confirmed a security breach.
Last week Prime Minister Kishida Fumio instructed the Ministry for Digital Transformation, headed by Kono Taro, to assemble legislation for the envisioned “active cyber defense” system. Kono asked an expert panel to meet over several months and report on the results of the discussion.
Kishida said he wants to bring Japan in line with the United States and United Kingdom, which have already implemented active cyber defense. The government’s envisioned system will first require information sharing from private telecommunication carriers in order to detect servers suspected as the source of an attack. It will then penetrate and neutralize servers before they implement the attack. It aims to detect signs of attack by looking at the changes in volume of communication and sending a counter virus to render the attack harmless.
However, the “active defense” system requires an overhaul of several existing communication, data privacy, and anti-cyber crime laws. The expert panel pointed out that formulating a legal framework will need to be in line with Article 21 of the Constitution which guarantees “privacy of communication.” Additionally, the Unauthorized Computer Access Law prohibits the use of malware to intrude into networks, systems, servers, and imposes imprisonment and fines on violators.
There is also the legal issue of whether private companies that have suffered cyber attacks can be legally required to report cyber crime to the government. Experts say the lack of mandatory reporting has led businesses to typically avoid public disclosure of a cyber attack due to embarrassment. This has also delayed the cross-sharing of information about cyber attacks between companies, resulting in a lack of progress in understanding the patterns and techniques common in cyber attacks, a necessary step to create countermeasures. A significant challenge for the government will be consolidating cyber crime information by strengthening private-public communication and cooperation.
The U.K. and the U.S. have set up independent bodies in charge of cyber defense. The Japanese government says it is looking into the launch of an independent supervisory agency that is responsible for checking that the government is collecting only relevant information strictly for cybersecurity purposes. Experts argue the main targets of surveillance should be restricted to communications from overseas, as Japan faces increasing cyber threats by hackers in Russia, China, and North Korea.
Legislation is expected to be submitted to the next extraordinary Diet session in the fall. But timing will depend on the results of the expert panel debate.