This piece was originally published in New America’s digital magazine, the New America Weekly.
A few things have come together to catalyze Japan’s growing efforts in cybersecurity. Japan, which earlier this month held the “Cyber3 Conference” in partnership with the World Economic Forum in the southern prefecture of Okinawa, is hosting the G-7 Summit next year and then the 2020 Tokyo Olympics and Paralympics—huge, high-profile, global events that will be extremely networked and Internet-dependent. The country also has faced the reality of its vulnerabilities: In May, the Japan Pension Service was hit with a hack exposing the personal data of more than 1.2 million people. Like the U.S. Office of Personnel Management breach in June, the JPS breach has been a bit of a wake-up call for the Japanese government to better secure its own systems. The JPS breach also confirmed to the country that unlike in the physical world, Japan is not an island when it comes to cyberscurity.
Japan, as its role as host of the conference suggests, is indeed aggressively focusing on cybersecurity, which could bring about positive results for Japan, Asia, and the world. But this is not a brand new phenomenon: Japan’s actions in cybersecurity have been building.
In November 2014, the Parliament passed the Cybersecurity Basic Act, a law formalizing the National Center of Incident Readiness and Strategy for Cybersecurity, a Cabinet office. The National Center of Incident Readiness and Strategy for Cybersecurity had been established a decade ago but lacked authority over other ministries and agencies. The new law codifies NISC and gives it a range of responsibilities—namely developing a national strategy and policy, ensuring cybersecurity of government ministries and agencies, and spearheading international cooperation.
In September, the Cabinet approved Japan’s Cybersecurity Strategy, a document outlining the country’s approach to cybersecurity for the next three years. As explained by Intel’s Mihoko Matsubara in a blog post, the new strategy emphasizes “the government’s role in Japan’s cybersecurity without limiting the growth of the technology market … that will drive innovation.” The strategy focuses on public-private partnerships as the key to improved cybersecurity risk management. Importantly, the strategy highlights Japan’s international cyber efforts to date and emphasizes that these will continue.
Critical steps are appearing in the Japanese business community, with some key inflection points over the past year among influential business groups and leaders. A little more than a year ago, Keidanren (the Japanese Business Federation, akin to the U.S. Chamber of Commerce), formed a new “Cybersecurity Working Group” made up of approximately 30 of Japan’s most important companies representing multiple economic sectors. Names included pinnacles of Japanese industry, such as Toyota, Tokyo Electric Power, All Nippon Airways, Nippon Steel, Dai-ichi Insurance, Nippon Telegraph and Telephone, Sony, Mitsubishi Heavy Industries, and the Bank of Tokyo-Mitsubishi.
In February, this group sent to the Japanese government its first set of recommendations (link in Japanese) for improving Japan’s cybersecurity. The recommendations called out roles for government and industry in protecting critical infrastructure and improving deterrence capabilities. Keidanren called on the government to promote greater cyberthreat information sharing, improve training and human resources, support technology development, and promote international cooperation. Keidanren devoted one-third of its paper to business community responsibilities—according to Keidanren, this community will position cybersecurity as an important management task and focus on raising awareness among company management, carrying out organizational reforms, and conducting human resource training.
Keidanren’s burgeoning focus on cybersecurity is significant. It’s a very powerful group, and when it calls on the government and the business community, its proposals carry substantial weight. Keidanren was well-represented at the Okinawa Cyber3 Conference, another indication of its commitment to the topic, and plans to issue its next set of cybersecurity recommendations to the Japanese government in early 2016.
Individual companies have also been taking steps to proselytize cybersecurity as a business issue. Nippon Telegraph and Telephone, one of the world’s largest telecommunications firms, is one such company. As profiled in this August article, NTT has been involved in the U.S. cyber policymaking process and is using this experience to bring insights on issues such as risk management and cyberthreat information sharing back to Japan. In fact, in October, NTT released a book, Cybersecurity for Business Executives, aimed at Japan’s C-suite. The book has three messages: 1) Cybersecurity must be repositioned, from an information technology issue to a business management issue; 2) skill sets related to cybersecurity are diverse, not just those of engineers; and 3) responsibility for cybersecurity lies in all industries—companies cannot simply look to the government or to technology companies. These are messages resonating more and more throughout the U.S. business community, and it is encouraging that NTT is bringing such thinking to its peers in Japan. In fact, NTT is working to bring these messages to Asian countries as well.
Japan’s influence in cybersecurity activities in Asia is essential. Many of these countries are in the process of enacting their own cybersecurity strategies, laws, and regulations, which will have far-reaching implications for global companies and the global economy generally, not to mention their own citizens and economies. Fortunately, Japan is embracing its leadership role in the region. The new Cybersecurity Strategy refers to Japan’s international cybersecurity efforts, including its work to date conducting capacity-building in the Association of Southeast Asian Nations, and makes clear Japan’s intention to expand its capacity-building work in the region. At the Okinawa C3 Conference, Makita Shimokawa (who is executive director-general and foreign policy bureau and ambassador in charge of cyberpolicy in the government of Japan) talked about Japan’s diplomatic efforts in cybersecurity, which focus on international rule-making, promoting mutual understanding and transparency, and capacity-building. The Japanese business community’s actions in Asia are vital as well. In fact, Japanese companies’ investments in countries such as Indonesia and Malaysia are higher than U.S. investments—arguably giving Japanese industry and government a little more clout in such countries.
Japan has much further to go. Cybersecurity investments are still low and must increase, and cybersecurity as a function of business risk is still a nascent concept. Some people involved in cybersecurity for the 2012 London Olympics, now working with Japan on its preparations for 2020, have noted that Japan needs to focus more on implementation as opposed to planning. Participants at the Okinawa conference said they expect cyberthreat information sharing to evolve slowly in Japan, given its cultural aversion to shame—companies may be reluctant to admit incidents on their networks. That said, the Financial Services Information Sharing and Analysis Center recently expanded into Japan, and Japan’s National Police Agency is doing more against cybercrime.
Despite these hurdles, signs are extremely encouraging. The most senior members of the Japanese government are focused on cybersecurity—in fact, Prime Minister Shinzo Abe spoke (by video) at the Okinawa conference. This conference was similar in importance to the Cybersecurity Summit hosted by President Obama at Stanford University in February, which was the first time a U.S. president had hosted an event on the topic, indicating cybersecurity had risen to be a priority in the top levels of government.
When asked by an audience member to describe Japan’s strengths in cybersecurity, a Japanese government official replied, “Public-private partnerships.” It is true that Japanese government, industry, and academia are very skilled at working together toward common goals. In cybersecurity, where neither government nor industry has all the answers and partnerships are essential, Japan’s strength is welcome and needed. Japan did not just begin its work on cybersecurity, and it is to the benefit of Japan, its neighbors, and the global community that it is demonstrating commitment to continuing it.