Nov. 12, 2015
A few things have come together to catalyze Japan’s growing efforts in cybersecurity. Japan, which earlier this week held the “Cyber3 Conference” in partnership with the World Economic Forum (WEF) in the southern prefecture of Okinawa, is hosting the G7 Summit next year and the 2020 Tokyo Olympics/Paralympics,—huge, high-profile, global events that will be extremely networked and Internet-dependent. In May 2015, the Japan Pension Service (JPS) was hit with a hack exposing the personal data of 1.2 million people. Like the U.S. Office of Personnel Management (OPM) breach in June 2015, the JPS breach has been a bit of a wake-up call for the Japanese government to better secure its own systems. The JPS breach also confirmed to the country that, in cybersecurity, unlike in the physical world, Japan is not an island.
Japan, as its role as host of the conference suggests, is indeed aggressively focusing on cybersecurity, which could bring about positive results for Japan, Asia, and the world. But this is not a brand new phenomenon: Contrary to the perceptions of some, Japan’s actions in cybersecurity have been building.
In November 2014, the Parliament passed the Cybersecurity Basic Act, a law formalizing the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), a Cabinet office. NISC had been established a decade ago but lacked authority over other ministries and agencies. The new law codifies NISC and gives it a range of responsibilities, namely developing a national strategy and policy, ensuring cybersecurity of government ministries and agencies, and spearheading international cooperation.
In September 2015, the Cabinet approved Japan’s Cybersecurity Strategy, a document outlining the country’s approach to cybersecurity for the next three years. As explained by Mihoko Matsubara in her blog, the new strategy emphasizes “the government’s role in Japan’s cybersecurity without limiting the growth of the technology market…that will drive innovation.” The strategy focuses on public-private partnerships as the key to improved cybersecurity risk management. Importantly, the strategy highlights Japan’s international cyber efforts to date, and emphasizes that these will continue.
Impactful steps are appearing in the Japanese business community, with some key inflection points over the past year among influential business groups and leaders. A little more than a year ago, KEIDANREN (the Japanese Business Federation, akin to the U.S. Chamber of Commerce), formed a new “Cybersecurity Working Group” made up of approximately 30 of Japan’s most impactful companies representing multiple economic sectors. Names included pinnacles of Japanese industry, including Hitachi, Toyota, Tokyo Electric Power, All Nippon Airlines (ANA), Nippon Steel, Daiichi Insurance, Nippon Telegraph and Telephone (NTT), Sony, Mitsubishi Heavy Industries, and the Bank of Tokyo-Mitsubishi.
In February 2015, this group sent to the Japanese Government its first set of recommendations (Japanese version) for improving Japan’s cybersecurity. The recommendations called out roles for government and industry in protecting critical infrastructure and improving deterrence capabilities. KEIDANREN called on the government to promote greater cyber threat information sharing, improve training and human resources, support technology development, and promote international cooperation. KEIDANREN devoted one-third of its paper to business community responsibilities—according to KEIDANREN, this community will position cybersecurity as an important management task, and focus on raising awareness among company management, carrying out organizational reforms, and conducting human resource training.
KEIDANREN’s burgeoning focus on cybersecurity is significant. KEIDANREN is a very powerful group, and when KEIDANREN calls on the government and the business community, its proposals carry substantial weight. KEIDANREN was well-represented at the Okinawa Cyber3 Conference, another indication of its commitment to the topic, and plans to issue its next set of cybersecurity recommendations to the Japanese Government in early 2016.
Individual companies have also been taking steps to proselytize cybersecurity as a business issue. NTT, one of the world’s largest telecommunications firms, is one such company. As profiled in this August 2015 article, NTT has been involved in the U.S. cyber policymaking process, and using this experience to bring insights on issues such as risk management and cyber threat information sharing back to Japan. In fact, in October 2015, NTT released a book, Cybersecurity for Business Executives (Japanese version), aimed at Japan’s C-suite. The book has three messages: 1) cybersecurity must be repositioned, from an information technology (IT) issue to a business management issue; 2) skill sets related to cybersecurity are diverse, not just those of engineers; and 3) responsibility for cybersecurity lies in all industries—companies cannot simply look to the government or to technology companies. These are messages resonating more and more throughout the U.S. business community, and it is encouraging that NTT is bringing such thinking to its peers in Japan. In fact, NTT is working to bring these messages to Asian countries as well.
Japan’s influence in cybersecurity activities in Asia is essential. Many of these countries are in the process of enacting their own cybersecurity strategies, laws, and regulations, which will have far-reaching implications for global companies and the global economy generally, not to mention their own citizens and economies. Fortunately, Japan is embracing its leadership role in the region. The new Cybersecurity Strategy refers to Japan’s international cybersecurity efforts, including its work to date conducting capacity-building in the Association of Southeast Asian Nations (ASEAN), and makes clear Japan’s intention to expand its capacity-building work in the region. At the Okinawa C3 Conference, Makita Shimokawa, Executive Director-General and Foreign Policy Bureau and Ambassador in Charge of Cyber Policy in the government of Japan, talked about Japan’s diplomatic efforts in cybersecurity, which focus on international rule-making, promoting mutual understanding and transparency, and capacity-building. The Japanese business community’s actions in Asia are vital as well. In fact, Japanese companies’ investments in countries such as Indonesia and Malaysia are higher than U.S. investments—arguably giving Japanese industry and government a little more clout in such countries.
Japan has much further to go. Cybersecurity investments are still low and must increase, and cybersecurity as a function of business risk is still a nascent concept. Some people involved in cybersecurity for the 2012 London Olympics, now working with Japan on its preparations for 2020, have noted that Japan needs to focus more on implementation as opposed to planning. Participants at the Okinawa conference said they expect cyber threat information sharing to evolve slowly in Japan, given its cultural aversion to shame (companies may be ashamed to admit incidents on their networks). That said, the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently expanded into Japan, and Japan’s National Police Agency (NPA) is doing more against cybercrime.
Despite these hurdles, signs are extremely encouraging, as described above. The most senior members of the Japanese government are focused on cybersecurity—in fact, Prime Minister Abe spoke (by video) at the Okinawa conference. This conference was similar in importance to the Cybersecurity Summit hosted by President Obama in Stanford in February 2015, which was the first time a U.S. president had hosted an event on the topic, indicating cybersecurity had risen to be a priority in the top levels of government.
When asked by an audience member to describe Japan’s strengths in cybersecurity, a Japanese government official replied, “Public-private partnerships.” It is true that Japanese government, industry, and academia are very skilled at working together towards common goals. In cybersecurity, where neither government nor industry has all the answers and partnerships are essential, Japan’s strength is welcome and needed. Japan did not just begin its work on cybersecurity, and it is to the benefit of Japan, its neighbors, and the global community that it is demonstrating commitment to continuing it.