Central Challenge
Japan is a critical economic and security ally of the United States, both in the traditional and cyber realms. The nation has long sought help for its traditional security from the United States and it is now seeking help for its online efforts using the language of global cooperation.[1] It is paramount that we cooperate and assist in bolstering Japan’s cyber-defense capacity for our own national economic and security interests.
Recommendations
- Assist Japan to increase its cyber-defense capacity.
- Continue to promote the U.S.-Japanese Cyber Dialogs.
- Provide quicker and stronger cooperation regarding the 2020 Tokyo Olympics.
Background
Since the end of WWII, Japan has been a strategically important ally to and a critical access point into Asia for the United States. The United States guarantees Japan’s defense under a security treaty, while Japan provides major financial support for U.S. presence in the region—presently totaling around $4 billion in direct and indirect expenses.[2]
Beyond financial support, in recent years Japan has slowly liberalized the interpretation of its pacifist constitution to allow its defense forces to aid the United States directly.[3] This indicates that Japan is willing to push the limits of its constitution for U.S. interests. Japan has benefited economically from this relationship. However, while Japanese economic growth caused tension with the United States for a time, relations between the two countries now provide important mutual economic benefits through trade partnerships.[4] Further, the United States enjoys unparalleled security benefits from its presence in Asia through Japan, particularly in helping maintain regional stability.
On the cyber front, Japan has long been well-regarded for its technological sophistication. However, it is woefully deficient in terms of cyber defense, particularly given its large online footprint. There are multiple explanations for this situation. For instance, some argue that an aging society, a culture of victim shaming and associated reluctance to admit failure, and a lack of trained cybersecurity workers have created vulnerability.[5]
Naiveté appears to be an important factor in the equation. The naiveté stems from Japan’s early isolation from the broader Internet due to its early adoption of Internet-ready mobile devices that essentially linked just to carrier-provided web services. The resulting situation is a historical lack of exposure to greater cyber dangers than the occasional scam—and a mind-set stemming from the nation’s physical and cultural isolation.[6]
The first reported cyberattack on the Japanese government happened in 2001, when some government agency websites were defaced, leading to the establishment of the cabinet-level Information Security Office. However, it was not until 2005 that any semblance of true cybersecurity policy was enacted, when the Information Security Policy Council and the National Information Security Center were created. While these groups put out policy recommendations,[7] the legislative basis was weak and the groups provided little unity among the various Japanese governmental agencies.
The situation in Japan regarding cybersecurity has rapidly changed in the 2010s. Cyberattacks have increased from three billion in 2005 to 5.8 billion in 2010 to 54.5 billion in 2015.[8] Data breaches in the defense industry and of Diet member email accounts in 2011, major distributed denial of service attacks on Japanese business in 2012, and attacks on the South Korean banking sector in 2013 put the issue of cybersecurity onto the minds of Japanese bureaucrats and politicians. Under the current Abe administration, focus on cybersecurity has heavily increased. In 2014, Japan passed a new and more explicit cybersecurity law, which gave more teeth to the National Information Security Center—now named the National Center of Incident Readiness and Strategy for Cybersecurity.
The new focus on cybersecurity has not alleviated Japan’s cybersecurity problems. The issue came much more into the public eye after both the Sony hacks in 2014 and the hacking of the Japanese pension system in 2015. The newly revamped National Information Security Center has been issuing cyber guidelines in multiple areas in response, but much work is still needed.
These issues are now further compounded by concerns over security of the 2020 Tokyo Olympics. Japan is looking to showcase itself once again with the games, and a cyberattack during the event would undoubtedly be problematic for all involved with any level of physical presence, including the United States. Tech-minded policymakers are using the event as a focal point to galvanize support for a major advancement across Japanese cybersecurity capabilities, both in the public and private sectors.
Recommendations
U.S. cybersecurity policy has benefited from interconnectedness and openness.[9] In this regard, below are three recommendations specifically regarding U.S.-Japanese cybersecurity relations that can help protect that value.
Recommendation 1: Work with Japan to increase its cyber-defense capacity
The U.S. should work with Japan to increase Japan’s cyber-defense capacity in all sectors. On the defense front, U.S. military bases and personnel rely on Japanese critical infrastructure, including cyber-related infrastructure. If Japan cannot properly defend against cyber threats, it will cause critical lapses directly affecting U.S. personnel. Within the private sector, attacks on Japanese business affect the U.S. economy, as was evident from the Sony hacks. Finally, in the public sector, inability to tackle cyber threats harms international efforts to track and stop cyber-criminals.
While U.S.-Japan cybersecurity cooperation has already begun,[10] Japan’s capacity in terms of warrior-ready manpower is extremely limited on the cyber front. The Japanese Self Defense Force only just established a dedicated team in 2014, with merely 90 personnel. That number compares to approximately 6,000 for the United States and 5,000 for North Korea (which South Korea is now attempting to match).[11] By working with Japan to increase its cyber warrior pool, the United States provides greater opportunity for Japan to play a critical role in this area of defense, even given potential limitations these personnel might have under the pacifist Japanese constitution.
As for the Japanese private sector, it is only starting to pick up on the crucial need to protect Internet-enabled activities. This situation presents great potential investment opportunities for tech companies in the United States. Specifically, unlike American companies, Japanese companies are known to prefer to farm out their cybersecurity to specialized companies rather than build in-house systems.[12] Although the Japanese market has long been considered difficult to penetrate, U.S. companies can still participate either as consultants or as providers of such services. Similarly, U.S. companies may find a market in training Japanese individuals to fill the nation’s noted deficiency in cybersecurity workers, believed to be in the range of 80,000[13] to 160,000 needed.[14]
In the public sector, continued and increased cooperation between U.S. agencies and their respective Japanese counterparts will improve ability to stop and catch cybercriminals that look to take advantage of both countries.
Recommendation 2: Continue to promote the U.S.-Japanese Cyber Dialogs
Since 2013, the U.S. and Japanese governments have been holding the U.S.-Japan Cyber Dialogue, an annual top-level gathering aimed at enhancing exchange of threat information, alignment of policies, comparison of strategies, and cooperation on protection of critical infrastructure and other national defense matters.[15] Importantly, this meeting brings together a variety of agencies from both governments that have normally sought to cooperate only with their respective counterparts.
These dialogues promote a “whole-of-government approach,”[16] which, regardless of actual feasibility, should improve interagency cooperation. Undertaking such activities with a critical ally such as Japan will help the agencies work towards more cooperation across the board on the cybersecurity front. This is important because such cooperation can both improve responses to cyber threats and increase efficiency, therefore even potentially reducing the overall cost of cybersecurity for the government.
Accordingly, stressing the importance of these meetings is critical both for the U.S.-Japanese relationship and internally to the U.S. government. Should the U.S. choose to ignore or even spurn Japan’s advances for cooperation and help, Japan may shift its priorities to other nations and bodies, including Israel and the European Union, with whom it has sought cyber dialogs since beginning its efforts with the U.S.[17] This situation would represent a major loss of opportunity for the U.S.
Recommendation 3: Provide quicker and stronger cooperation regarding the 2020 Tokyo Olympics
Japan has latched on to the 2020 Tokyo Olympics as a symbol to promote a variety of national activities, among which is cybersecurity. There is a reasonable concern that individuals or groups would want to disrupt both the games and Japan’s attempts to showcase its technology. For a variety of reasons, it is critical that the U.S. assist with cybersecurity preparations for this event, at bare minimum for the safety of attending or participating U.S. citizens and officials.
It is important that the U.S. begin assisting Japan regarding the Olympics as soon as possible. The Japanese are actively seeking help and cooperation,[18] and while signs are that the United States will provide some level of assistance, so far the approach indicates non-urgency. This approach is likely misguided. As noted above, there is a lack of capacity presently which needs to be addressed. The building of both cyber-capacity and cooperation takes time and, therefore, must start as soon as possible. If the U.S. provides quicker and stronger cooperation regarding the Olympics, our nation can also leverage the symbolic event in ways that will greatly benefit our country in the long run.
Endnotes
[1] “Japan Readies Package for Trump to Help Create 700,000 U.S. Jobs,” Reuters, February 3, 2017.
[2] Yuka Koshino, “Q&A: How Much Do U.S. Military Bases in Japan and Korea Cost?,” Wall Street Journal, April 28, 2016, sec. World.
[3] M. Estevez-Abe, “Feeling Triumphalist in Tokyo The Real Reasons Nationalism Is Back in Japan,” Foreign Affairs 93, no. 3 (2014): 165–71.
[4] The International Trade Administration, U.S. Department of Commerce, “Top U.S. Trade Partners: Ranked by 2015 U.S. Total Export Value for Goods (in Millions of U.S. Dollars),” accessed November 16, 2016; Embassy of Japan in the United States of America, “FACT SHEET: U.S.-Japan Cooperation for a More Prosperous and Stable World,” accessed August 22, 2016.
[5] Mina Pollmann, “Japan’s Achilles Heel: Cybersecurity,” The Diplomat, accessed August 24, 2016.
[6] Ibid.
[7] National center of Incident readiness and Strategy for Cybersecurity, “Archived Contents,” accessed November 16, 2016.
[8] Yasuaki Hashimoto, “Cybersecurity Policy in Japan,” in Securing Cyberspace: International and Asian Perspectives, ed. Cherian Samuel and Munish Sharma, 2016, 295–305.
[9] Commission on Enhancing National Cybersecurity, “Report on Securing and Growing the Digital Economy,” December 1, 2016.
[10] Franz-Stefan Gady, “Japan and the United States to Deepen Cybersecurity Cooperation,” The Diplomat, accessed November 17, 2016.
[11] Clyde Stanhope, “How Bad Is the North Korean Cyber Threat?,” HackRead, July 20, 2016.
[12] Mihoko Matsubara and Danielle Kriz, “Putting the METI Cyberthreat Information Sharing Recommendation Into Action in Japan,” Palo Alto Networks Blog, July 25, 2016.
[13] Pollmann, “Japan’s Achilles Heel.”
[14] Richard Smart, “Japan Gets Serious about Cybersecurity as Olympics Approach,” Japan Today, accessed August 5, 2016.
[15] U.S. Department of State, Bureau of Public Affairs, “Joint Statement on US-Japan Cyber Dialogue,” press release/media note, May 10, 2013.
[16] U.S. Department of State, Bureau of Public Affairs, “The 4th US-Japan Bilateral Cyber Dialogue,” press release/media note, July 27, 2016.
[17] Mihoko Matsubara, “Japanese Election Results in Positive Strides for Cybersecurity and Tokyo 2020 Summer Olympics,” Palo Alto Networks Blog, August 1, 2016.
[18] Hashimoto, “Cybersecurity Policy in Japan,” 303.