Over the last two decades, Japan has seen a more gradual buildup in awareness and action for cybersecurity objectives than have other countries. Although cybersecurity was first mentioned as a significant issue in the yearly Ministry of Defense (MOD) report in 2010 and Japan’s Cyber Defense Unit was created in 2012, momentum on cyber deterrence has been slow to develop. It has been inhibited by Article 9 of the Japanese constitution, which states a vehement opposition to war; as a result, most cyberwarfare policy has centered around the idea of “passive deterrence.” Thus far, this inactive cyberdefense posture has been entirely unsuited to repel a growing number of attacks — almost all attacks against Japanese targets were successful from 2014 to 2020.
Despite constant resistance and slow progress throughout the 2010s, the 2020s have already seen some more significant steps towards a more powerful positioning in cyberspace, as well as in the broader field of defense. With the growing presence of advanced persistent threats such as China, North Korea, and Russia, as well as further pressure from allies such as the United States, Japan has found itself driven by security needs to adopt a far-reaching brand of constitutional revisionism, including in the cyber domain. Bureaucratic changes, such as the growing influence of the Ministry of Defense, have also placed Japan in a more conducive position to revise its policies than before.
Last year’s revisions to Japan’s National Security Strategy and National Defense Strategy marked the latest, and possibly most ambitious, in the line of efforts designed to modernize and improve Japan’s military capabilities. While most observers focused on the Kishida Government’s plan to double defense spending from one to two percent of GDP, and its approval of preemptive counterstrikes against hostile missile bases, its planned revision of the nation’s cybersecurity posture should not be ignored. In the NSS, the Kishida Government announced plans to adopt a policy of “active cyber defense,” which will allow the JSDF to “penetrate and neutralize attacker’s servers and others in advance.” Three capabilities are integral to the policy: sharing more information on private-sector attacks with the government, tapping into telecommunications services when necessary, and most significantly, launching preemptive attacks in the case of reasonable threat.
This is a welcome change. As the Washington Post has reported, Japanese critical infrastructure faced hundreds of ransomware attacks in 2021 alone. States with superior offensive capabilities to these attackers—most notably, China—have already penetrated Japanese networks and would seek to disable them in the event of a war in the Indo-Pacific. Passive deterrence has been no match for these mounting threats. On the other hand, active cyber defense will allow Japan to go on the offensive, creating a far more meaningful deterrent against state-to-state action and allowing the nation to more effectively disable private cybercriminals.
The Japanese government typically clarifies its security strategies in other documents such as the National Defense Strategy (NDS). In the revised NDS, however, discussions of active cyber defense are sparse and do not elaborate on how these capabilities will be developed. The only two mentions of this policy in the NDS are a discussion of outsourcing cybersecurity talent and a very brief mention of “fundamentally reinforc[ing the] architecture” of the Ministry of Defense and Self-Defense Forces (JSDF). This lack of elaboration has translated into a lack of practical action. Of course, despite this inaction, cyberattacks have not abated. Japan cannot afford to leave these plans in the realm of theory.
While this strategy points Japan’s cyberdefense posture in the right direction, it must be backed up with legislation effectuating the planned changes. Although the plan originally indicated an intent to quickly pass a corresponding law, nearly a year has elapsed with no such action having taken place. While Japan’s Cabinet has made some progress, the government urgently needs to accelerate this process by passing legislation that clarifies and implements the most important components of the policy. Significant attention should be paid to three key goals:
- Reorganize Cybersecurity Institutions
The NSS stipulates that the government will “restructure” the NISC (National center for Incident readiness and Strategy for Cybersecurity), though it does not elaborate upon what this new structure will look like. NISC does not appear to have been reorganized since then; the departmental structure shown on its website is still dated to 2021. Even more worryingly, NISC itself was subject to a major Chinese cyberattack in late 2022 that went unnoticed for almost a year. The government ought to strengthen NISC so that it can effectively serve as the Japanese government’s central coordinating body for cyberdefense and allow it to absorb other government entities responsible for cyber operations as needed.
- Resolve Legal Obstacles to Action
As Adam Liff and Jeffrey Hornung of RAND note, “the Diet may [also] need to pass legislation related to privacy.” While the Japanese government has long engaged in constitutional revisionism regarding Article 9, which governs Japan’s use of force in international conflicts, Article 21 affirms the right to inviolable secrecy in private communications. Active cyber defense efforts that seek to repel attacks against private Japanese institutions, including critical infrastructure as mentioned in the NSS, may necessarily violate this provision because they may involve the intrusion of JSDF operatives into private networks. The Kishida Government should ensure that the Diet approves an understanding of Article 21 that permits the JSDF to defend Japanese civilian and commercial interests in cyberspace.
- Expand the Talent Pool
MOD has announced its intention to quintuple its force of cybersecurity personnel, from fewer than 900 to between 4,000 and 5,000. Although this declaration is an important step, Japan has long experienced a shortage of cybersecurity talent and only briefly suggested outsourcing as a solution in its NDS. It is unclear what other actionable steps the government is planning to take to train new talent. Additionally, despite the magnitude of this growth in personnel, it would barely bring Japan to parity with the size of North Korea’s cyberforce and leave it far smaller than China’s, which numbers in the tens of thousands. To avoid falling further behind and to ensure its ambitious policies are actionable, Japan will need to lay out a specific strategy for talent acquisition and build a comprehensive talent pipeline through partnerships with educational institutions and vocational training resources.
The NSS is far from a complete reworking of Japan’s cyber policy. For the government to achieve its goal of active cyber defense, it faces challenges of both implementing more concrete plans and moving past constitutional barriers. Deciding on a policy shift is important, but it is to no avail without making the granular changes necessary to accomplish it. Japan’s government has done the former after a long period of inaction, but in order to truly protect itself in the cyber domain, it must soon do the latter.
