A Neglected Frontier: Challenges to Japan’s Cyber Security

A Neglected Frontier: Challenges to Japan’s Cyber Security

2020’s SolarWinds cyberattack, which affected numerous US government agencies, underscores the growing relevance of IT security and cyber-crime to national governments. Not solely the work of individual criminals, crimes perpetrated by state-sponsored or entirely state-operated hacker groups have increasingly been alleged. With cyberspace growing in importance as a frontier of political contestation, states must act; what steps has Japan been taking, and what barriers are there to enhancing Japan’s cybersecurity?

The SolarWinds hack involved a group of hackers, ostensibly backed by the Russian government, sneaking malicious code into the update system of the SolarWinds IT management software. Compromised updates were then downloaded by the software’s users, which range from technology companies like FireEye and Cisco to parts of the US government including the Departments of Energy and Defence. As a result, the hackers likely gained access to data critical to economic competitiveness and national security. This incident underlines the risk posed by cyberattacks that use non-state vectors to their advantage. Though Japan does not seem to have become a significant victim of the SolarWinds hack, its current state cybersecurity strategy is vulnerable to a similar attack due to weaknesses in areas such as its funding and focus.

Japan’s Cyber Security Forces Today

At the time of writing, the Japan Self-Defence Force (JSDF) operates a Cyber Defence Group of 290 personnel under the control of the SDF’s Command Control Communication Computers Systems Command (C4SC). Combined with cyber defence personnel already under the umbrella of the C4SC, Japan has approximately 400 personnel dedicated to cyber security for the JSDF as a whole. It is worth noting that each branch of the JSDF (ground, air and maritime) has its own dedicated cyber defence unit; these units combined total around 370 personnel.  There also exists a small cyber security unit of some 40 personnel in Kumamoto Prefecture. Altogether, the JSDF currently has less than 1000 personnel tasked with cyber defence. The Japanese Ministry of Defence’s 2020 budget allocated JP¥25.6 billion to cyber capabilities, making up less than 1% of the country’s defence budget. 

Insufficient Investment

In 2021 the proportion of the budget assigned to cyber security spending is set to rise to JP¥30.1 billion, an increase of almost JP¥5 billion, though one which will still not see spending on cyber rise to 1% of the budget. Importantly, the Ministry of Defence intends to consolidate Japan’s cyber security infrastructure by abolishing the C4SC and expanding the Cyber Defence Group to 540 personnel. Cyber personnel from other branches of the JSDF will be transferred to the Cyber Defence Group as part of this reorganisation; in the long term this reform is likely to enhance the co-ordination of Japan’s response in the event of a cyberattack. 

These plans are a step in the right direction, but they are not enough to overcome the most glaring weakness of Japan’s cyber security apparatus; its small size both in terms of funding and personnel. By comparison, it is estimated that North Korea’s cyber force numbers 6,800 personnel. Naturally staff numbers are not necessarily the deciding factor for cyber security, but the aforementioned figures do suggest that Japan has neglected cyber capabilities when compared to its neighbours. Though 2021’s budget demonstrates awareness on the Ministry of Defence’s part of this issue, it is probable that a consistently higher level of investment and recruitment will be needed for Japan to go toe to toe in the cyber domain with its rivals.

Legal Hurdles

Challenges to Japan’s cyber forces also arise from the country’s laws and constitution. Firstly, Article 21 of Japan’s constitution states that ‘the secrecy of any means of communication [shall not] be violated’, ostensibly placing limitations on the ability of the state and Internet service providers to analyse packet communication. Though the government has arguably violated this Article in the past, notably over the blocking of piracy website Manga Mura in 2018, it nevertheless poses a potential obstacle to tracing or blocking packet communication as part of the Japanese response to a cyberattack.

Secondly, Article 22 of the Self-Defence Force Law raises an issue for the JSDF’s goal of building a ‘multi-dimensional’ (多次元) defence capability. Article 22 specifies a limited range of missions for which special units combining forces from the three SDF branches can be established on a long term basis. Cyber security falls outside the purview of that Article and so the JSDF is legally permitted only to establish a multi-domain task force incorporating cyber defence forces on a temporary basis. The effects of this limitation extend beyond hindering the co-ordination of JSDF measures against cyberattacks, with possible ramifications for inter-service synergy and efficiency in other areas of military operations.

Narrow Scope

Moreover, the scope of Japan’s cyber defence aspirations may not be wide enough to protect the country against cyber threats. Currently, the Cyber Defence Group is tasked solely with response to attacks against the JSDF’s own systems, not with the defence of other critical public or private infrastructure. Given the SolarWinds hack’s demonstration of the vulnerability of private businesses to state-supported hacking and the ripple effect such breaches can have on other public and private sector networks, it is likely that the JSDF and Japanese government will have to expand their scope and take measures to support vulnerable points throughout Japan’s computer infrastructure.

Steps have already been made in this area, with Japan’s National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) disseminating guidance for cyber security to organisations in critical industries and encouraging information sharing. Even so, Japan could do more to formalise the role of trained cyber defence personnel in the event of a cyberattack against non-military network infrastructure.

Conclusions

In sum, Japan’s cyber security efforts face obstacles on multiple fronts, from legal hurdles to a simple lack of investment. Indeed, an increase in investment alone would likely serve greatly to improve the state of Japan’s cyber defence capabilities relative to the states which surround it in the short term. In the longer term, boosting the capabilities of the Cyber Defence Group is likely to necessitate legal reform. While reform to Article 22 of the Self-Defence Force Law would likely not be so hard to achieve and open up new avenues for inter-service operations (both cyber and otherwise), efforts to reform Article 21 of Japan’s constitution can anticipate backlash given Article 21’s relevance to wider concerns about privacy and surveillance. 

The cyber domain constitutes an expansive frontier for military operations and national defence. Japan has already begun to improve its security in this area, but more decisive action is likely to be needed.

About Author

Samuel Arnold-Parra

Samuel graduated from LSE in 2020 with a degree in International Relations and History. Since graduating, he has been building up experience in research and analysis. Currently, he is conducting voluntary research on Japanese national and sub-national responses to COVID-19. He is eager to use his skills in Spanish and Japanese to contribute valuable insights focusing on Japan and Latin America.