Japan’s Limited Cyberwarfare Capabilities
Tokyo’s military capabilities in cyberspace remain in their infancy.
Despite the Japan Self-Defense Force’s (JSDF) reputation as one of the most technologically advanced militaries in the world, its cyberwarfare capabilities remain underdeveloped. This is predominantly due to a lack of adequate resources and a reluctance to move beyond a purely defensive mindset in cyberspace.
For over a decade, the United States has increased pressure to improve cyber defenses because of the need to secure information assurance for ballistic missile defense systems and related U.S. technology transfers. However, the Japanese Ministry of Defense (JMOD) did not create its first (90-member) Cyber Defense Unit (CDU) until 2014, and overall the JSDF is estimated to field only a few hundred soldiers tasked with protecting military networks and infrastructure.
Military cyber intelligence-gathering — a key ingredient to developing sophisticated offensive capabilities in cyberspace — remains one of the biggest problems for the JMOD in the cyber realm and the Japanese government overall. Furthermore, one can deduce from past statements by Japanese Prime Minister Shinzo Abe that the reinterpretation of Article 9 of Japan’s pacifist constitution (the 2015 “Legislation for Peace and Security”), outlining under what circumstances Japan can come to the aid of allies abroad, does not apply to cyberspace and is confined to JSDF logistical support of allies since the use of force beyond self-defense remains unconstitutional.
The U.S.-Japan Alliance in Cyberspace
Following the core principle of its overall national defense policy, Japan relies on the U.S.-Japan alliance to increase its cyberwarfare capabilities, with Washington providing a cybersecurity umbrella — a guarantee by a major cyberwarfare power to defend a less capable ally.
Yet cooperation in the cyberwarfare realm between the two countries remains underdeveloped. For example, the 2015 Guidelines for U.S.-Japan Defense Cooperation — a document originally created in 1979 to set the parameters for the cooperation between the U.S. military and JSDF in the event of an armed attack against Japan — do not specifically include cyberwar and cybersecurity in the lifting of the self-imposed ban on collective self-defense, which allows Japan to defend allies, even when the country is not under attack itself.
Indeed, cyber attacks remain classified as “crimes” and not as “armed attacks” under Japanese law, even when military forces of another state are involved. This is despite the fact that cybersecurity was already designated as an alliance “common strategic objective” in June 2011 following a Security Consultative Committee (SCC) “Two-Plus-Two” meeting.
However, over the last two years, Japan has been slowly embracing a more militarized response to state-sponsored threats from cyberspace. The 2016 Defense of Japan White Paper specifically notes that the JSDF aim to “strengthen capability to collect intelligence regarding cyber attacks” and to increase the number of analysts in the CDU.
Also, the 2015 Guidelines for U.S.-Japan Defense Cooperation, despite not discussing cyberwar in relation to collective self-defense, include an entire section dedicated to cyberspace, illustrating how central cybersecurity will be for the U.S.-Japan alliance in the future. A part reads:
The Self-Defense Forces and the United States Armed Forces will: maintain a posture to monitor their respective networks and systems; share expertise and conduct educational exchanges in cybersecurity; ensure resiliency of their respective networks and systems to achieve mission assurance; contribute to whole-of-government efforts to improve cybersecurity; and conduct bilateral exercises to ensure effective cooperation for cybersecurity in all situations from peacetime to contingencies.
That section is the most comprehensive public statement by the JMOD on its cyberwarfare doctrine to date. However, the application of Article 5 of the U.S.-Japan Treaty of Mutual Cooperation and Security, outlining U.S. defense commitments in the event of an attack on Japan, does not offer concrete guidelines on whether a cyber attack or cyber-enabled attacks constitute a casus foederis, a trigger for acting on those commitments.
According to the U.S. cybersecurity expert James Lewis, to solidify their alliance in cyberspace, Japan and the United States need to make progress in six areas:
Assigning adequate resources to cybersecurity, particularly for Japan; Agreeing on how collective defense in cyberspace is defined and implemented, including clear guidance on Article V thresholds and a joint public statement on cyber activities that could trigger the mutual self-defense commitment; Creating bilateral mechanisms for cooperation and for sharing information on cyber threats and the techniques used to mitigate them; Developing robust, realistic joint training and exercises; Expanding national and joint efforts for civilian critical infrastructure protection and counterespionage; Coordinating efforts to create a framework for cybersecurity discussions and CBMs [confidence-building measures] in Northeast Asia.
Japan is slowly moving in some of these areas. For example, the U.S. and Japanese governments have been holding an annual U.S.-Japan Cyber Dialogue since 2013. Japan has also recently pledged to participate in the U.S. Department of Homeland Security-sponsored Automated Indicator Sharing program, which enables the exchange of cyber threat indicators between the two countries. However, “U.S.-Japan alliance coordination on cyber remains still mostly talk, presentations, and white papers,” as retired U.S. Admiral Dennis Blair, the former Director for National Intelligence, recently wrote in The Diplomat.
Regional Cyber Alliances
Despite the obvious emphasis on the United States-Japan alliance in cyberspace, Tokyo would do well to deepen its partnerships with like-minded countries in the region such as Australia and Singapore. It could, for example, profit greatly from a reinforced Japan-Singapore-U.S.-Australia cybersecurity nexus at the defense ministry level.
Singapore, in particular, could be a good example for Japan to emulate since it is the most advanced Asian country in cybersecurity. It has a cyber component in its smart-nation strategy, and its military has devoted substantial thought and resources to developing comprehensive approaches to cybersecurity in a way that no other country in Asia has. Deeper Japan-Singapore ties could perhaps influence Tokyo to jointly develop offensive cyber capabilities in the face of growing Chinese and North Korean capabilities in this field.
As James Lewis notes: “A force without cyber capabilities is increasingly outdated and more dangerous to itself than its opponents.” However, political and legal limitations to Japanese offensive military capabilities make this unlikely, and the military component of cybersecurity will remain the weakest part of Japan’s overall national cybersecurity posture for the foreseeable future. This is corroborated by one of Japan’s leading cybersecurity scholars, who, in an interview, said that the Japanese military is “still cautious” in its cyberspace operations and primarily concerned with defending its own systems and networks, not the private sector.
Japan’s military capabilities in cyberspace remain in their infancy. The Abe administration has been careful not to abandon the JSDF’s defensive posture in cyberspace, and has not indicated that it will develop offensive cyberwar capabilities. This, however, may change should the new U.S. administration abandon the United States’ historic solid defense commitment to Japan. There is reason to believe that President Donald Trump may loosen cyber alliances, including U.S.-Japanese cooperation, abandon the quest for norms of state behavior in cyberspace, and trigger an offensive cyber arms race. These developments could force Japan’s hand.
This article is adapted from Franz-Stefan Gady, “Japan: The Reluctant Cyberpower,” Asie.Visions, No. 91, Ifri, March 2017.