The government should act to bolster protections, for both national and international security.
At the Upper House elections on July 21, Japan’s ruling Liberal Democratic Party (LDP) and its coalition partner, New Komeito, won a landslide victory. With a stable majority in both of the houses to add to his triumph in the Lower House election last December, Prime Minister Shinzo Abe has finally ended the so-called twisted Diet (parliament), in which the Upper House was able to prevent the passage of legislation. With no Diet elections planned for the next three years, now is an ideal time for the Abe administration to address security issues in addition to his first priority, economic recovery.
Cybersecurity is one of the most important agenda items for the Japanese government, especially after the Ministry of Defense (MOD) published the Defense Posture Review Interim Report on July 26, in which it emphasized the importance of more domestic and international cooperation for better cyber defense. The report serves as a basis for new National Defense Program Guidelines, which provide Japan’s medium to long-term defense principles. The MOD plans to release the new guidelines by the end of this year.
Information and communications technology (ICT) has become critical to much of 21st century life: energy and water supplies, financial and medical services, and the information networks of the government and military. Successful large-scale cyber sabotage could impair or paralyze the operations of the targeted organization or country, let alone damaging their confidence and reputation. Information theft has the potential to erode the strength of a target if an adversary – be that an individual, group, or state actor – is able to access its trade secrets, including intellectual property, and identify potential vulnerabilities in defense equipment or planning.
As the world’s third-largest economic power, Japanese cybersecurity is critical for both Japan and the international community. If cyber-attacks were to cripple the economic health of Japan, the ramifications would be felt in other countries and the international markets. Those potential repercussions make Japan responsible for enhancing cyber security and increasing international cooperation. Because an adversary can launch coordinated and sophisticated cyber-attacks across national boundaries, governments need to work together to counter the threat.
Protected by the ocean, Japan enjoyed relatively internal security for thousands of years. Its citizens could afford to give little thought to national defense. This perhaps explains the continuing ambivalence Japanese feel about security issues, even given the dramatic changes in regional dynamics – including China, North Korea, and cyber threats – over the past couple of decades. It may also explain why Japan has been slow to take action on cybersecurity.
The next three years represents an excellent opportunity for Japan to develop a roadmap to enhance national cybersecurity and reinforce international cooperation, albeit slowly. Recognizing the significance of the growing incidence of cyber attacks such as espionage and disruptive threats to infrastructure, the Abe administration has begun with three promising steps. It needs to see them through.
First, the government needs to strengthen the legal authority of the National Information Security Center (NISC) under the Cabinet Secretariat as a national command center for cybersecurity, as declared in the Cyber Security Strategy released in June 2013. Although the NISC is responsible for crafting cybersecurity policy and strategy and sharing information with domestic and international partners, it currently lacks the authority to serve as a center for issuing alerts and analysis of cyber threats. The Ministry of Economy, Trade and Industry, Ministry of Internal Affairs and Communications, and National Police Agency have channels to exchange information with the private sector and international counterparts. It is essential to make clear that NISC has a leading role in providing information, and clarify who exactly will receive that information. Otherwise, information-sharing efforts could overlap and create confusion in a crisis.
Second, the government should enact legislation to protect national defense secrets for better information assurance. The Abe administration plans to submit a bill to the Diet this fall to protect secrets by raising the penalty for government officials who leak classified information. At present, Japan has no anti-espionage law, a pre-war legacy. The government tried to craft a law in 1985 but the efforts failed, facing strong oppositions from lawyers and the media concerned about its potential to limit the right-to-know.
A robust information assurance system is not limited to cybersecurity; it is necessary not only to specify rules and regulations to protect classified information but also to assure allies and friendly countries who might be in a position of wanting to share sensitive information. Japan has cybersecurity cooperation with the Association of Southeast Asian Nations (ASEAN), India, the North Atlantic Treaty Organization (NATO), the United Kingdom and the United States. These countries and potential partners would appreciate stronger information protection, which would encourage them to share more sensitive information.
Third, the Copyright Law needs to be revised to allow reverse engineering for fair use and cybersecurity purposes, as in the United States. The Cyber Security Strategy acknowledged the importance of amending the law for the first time as a national strategy. Since the current law does not refer to reverse engineering, this discourages Japanese companies from even identifying vulnerabilities in computer programs or software and from researching computer programs to determine the interoperability of different systems. Revising the law will be critical to boosting cybersecurity and the associated industry in Japan. The Japanese government should carefully explain the intention of the revision, to avoid any misunderstanding that it might encourage the abuse of intellectual property or the rejection of foreign cybersecurity products.
These three initiatives are crucial if the Japanese government is to enhance national cybersecurity and be a responsible international actor on this front. They would certainly contribute to confidence in the international community and stimulate domestic and international discussions for greater cooperation and information sharing.
Mihoko Matsubara is a cybersecurity analyst. She is also Adjunct Fellow, Pacific Forum CSIS.