Japan's Achilles Heel: Cybersecurity
Japan is uniquely underprepared for the cyber challenges of the 21st century.
States around the world are finding themselves having to contend with a relatively new realm of security: cyber. From deciding what constitutes an “attack” to what constitutes a “proportionate response,” many states are still struggling to understand this new sphere. Such issues require international cooperation to establish new norms, and in a parallel effort, states are doing as much as they can unilaterally to defend themselves. However, Japan, in particular, is still lagging.
For a variety of reasons, Japan is uniquely underprepared for the cyber challenges of the 21st century, ranging from attacks by foreign quasi-state actors to theft by domestic criminals.
One important factor that makes Japan so vulnerable is its economy’s heavy reliance on the Internet. According to Deloitte’s Asia-Pacific Defense Outlook 2016, Japan, along with South Korea, Singapore, Australia, and New Zealand, has a cyber vulnerability index nine times higher than their Asian neighbors. The index is based on a number of data points that measure Internet-based economic interactions – such as the number of mobile phone subscribers, the number of secure Internet servers, broadband prevalence, and the rate of Internet use – and does not consider the effectiveness of countermeasures in place or the number of Internet-reliant military and government systems. Still, it provides a telling sign of how vulnerable Japan is.
Another factor that makes Japan uniquely underprepared is indifference or ignorance among the Japanese populace. There are a number of factors at work here, including the demographic reality that Japan is an aging society; a certain naiveté among the Japanese public at large; a culture of shaming victims that makes Japanese government and business leaders embarrassed to admit failure; and insufficient talent to meet Japan’s security needs.
Japan is one of the most rapidly aging nations in the world, and many of its seniors lack even a basic understanding of cyber – let alone cyber risks. Fraud and criminal activities, which tend to prey on seniors, have also taken on digital wings. Because of harsh penalties for writing malware, Japanese cyber criminals have a tendency to purchase such malware from foreigners for their use. Through anonymous – and restricted – access to the deep web, cyber criminals buy and sell phone number databases and credit card credentials, among other illicit goods.
William Saito, special adviser to the prime minister on cyber issues, also laments that too many Japanese become “unwitting accomplices” in cyber crime, as they unthinkingly insert an unknown USB drive into a device or click on a dangerous link. There is also a general lack of appreciation among ordinary Japanese about the importance of keeping sensitive information safe.
Moreover, cooperation – between different government agencies, different companies, and across the private and public sectors – to fight back against cyber threats is harder than it should be. One of the greatest obstacles to cooperation is the culture of victim-blaming, which makes it difficult for an agency or company that has been the target of a cyber attack to come forward. In this respect, Saito believes that the government needs to set an example of not covering up when attacks happen, and having better communication and more open reporting procedures. Only when the government takes the driver’s seat by setting a good example will this norm trickle down to businesses and individuals.
Meanwhile, little has been done to promote domestic expertise on cyber issues. In Japan, students are not exposed to computer programming until the university level. Saito characterizes this lack of emphasis on programming as a national security concern. “We lack, some say, 80,000 cyber literate workers in Japan at a minimum,” Saito explains. “Not only are we losing competitiveness, efficiency, but obviously the IP that we lose via theft. Thus, it is a huge concern that we need to put immediate attention towards.”
And, of course, when it comes to attacks from quasi-state actors, geopolitics cannot be discounted either. China, Russia, and North Korea target Japan not just because of a general sense of animosity or disputes over history issues, but because Japan could be a threat, due to its sheer proximity and advanced capabilities. China, Russia, and North Korea have a need to know what Japan is up to and what its capabilities might be.
In short, Japan is a high-value target – militarily, economically, and technologically. Consider the wide range of targets in Japan. In August 2011, hackers targeted classified defense information at Mitsubishi Heavy Industries and 20 other defense and high tech firms. Also in August 2011, emails and documents were stolen from 480 Diet members and staff. In April 2012, a hack at the Ministry of Agriculture, Forestry and Fisheries resulted in the exfiltration of 3,000 documents, including 20 classified documents on TPP negotiations. In early 2013, the Ministry of Foreign Affairs discovered it had lost “at least” 20 documents.
Cyber vulnerability is exacerbated by Japan’s “island nation” mentality, which Saito believes has made Japanese leaders complacent when it comes to defending against cyber threats. “Security and safety has always been taken for granted [because of Japan’s geographic isolation]. Cyber’s very premise has connected the country in many ways,” Saito argues. To use just one prosaic example to illustrate how Japan is no longer as isolated as it used to be: cyber means language differences are no longer the natural barriers they once were for espionage activities within Japan. Instead, Japanese officials’ lack of English fluency helps contribute to a lack of Japanese influence in international forums dealing with cyber issues.
The true wake up call to Japan was the pension hack last June, when 1.25 million cases of personal data was leaked – a psychological shock the equivalent of the United States’ own OPM breach.
So what can Japan do? Deterrence does not work in a traditional sense. The Deloitte report acknowledges this dilemma, concluding that Japan may have to consider “threatening disproportionate or unpredictable retaliation … including responses outside cyberspace.” But, ironically, because of just how extensively Japan is inter-connected, hackers’ fear of “unintended consequences” – triggering catastrophes greater than they intend or want – has likely imposed some restraint over hackers’ activities. Fear of waking a sleeping bear has likely deterred attackers from mounting more daring campaigns.
While this consideration might mitigate damaging attacks against Japanese assets, it does not necessarily deter those who simply wish to seek information that can be used for financial gain. These sort of illicit activities focus on going unnoticed and being undisruptive for as long as they can. Cyber theft of information is, after all, just the newest iteration of espionage. And as with traditional espionage, why kill off a good source by revealing your access? In the long-term, the most damage to Japan could come from more innocuous malware, which focuses on information gathering.
With the goal of increasing cyber preparedness, the Lower House of the Japanese Diet passed the Cybersecurity Basic Act in November 2014, which sets new requirements for national and local governments to quickly report cyber attacks, and created the Cybersecurity Strategy Headquarters to coordinate cyber strategy, policy and procedures. Aware of these threats, Japan is doing better, Saito concludes, especially the finance industry.
But this is no longer an issue that Japan can deal with on its own. James Lewis argues that the U.S. and Japan can do more to address these potential threats together, and should specifically take the following six steps:
“Assigning adequate resources to cybersecurity, particularly for Japan;
Agreeing on how collective defense in cyberspace is defined and implemented, including clear guidance on Article V thresholds and a joint public statement on cyber activities that could trigger the mutual self-defense commitment;
Creating bilateral mechanisms for cooperation and for sharing information on cyber threats and the techniques used to mitigate them;
Developing robust, realistic joint training and exercises;
Expanding national and joint efforts for civilian critical infrastructure protection and counterespionage;
Coordinating efforts to create a framework for cybersecurity discussions and CBMs [confidence building measures] in Northeast Asia.”
Greater coordination between Japan and the United States, as well as other allies, will be a big step forward for Japan. Cyber does not respect sovereignty, and domestic solutions are no longer adequate.
While ensuring cyber security ahead of the the 2020 Olympics is a daunting challenge, Saito sees this as a golden opportunity. That hard deadline can act as a “catalyst” to bring Japan’s cyber readiness up to the highest level. The fixed schedule prevents Japanese leaders from “kicking the can down the road,” and the sense of urgency can help cut through bureaucratic red tape that hinders cooperation.
Openness, transparency, a willingness to acknowledge the problem, and more seamless intra- and interstate cooperation are key for Japan to bolster its cybersecurity.