Nikkei Asian Review

Japan's Cyberthreats -- Lessons from the US

Arthur Herman on security challenges facing Japan

Government officers use their computers during a cyber security drill in Tokyo on March 18, 2014. (YOSHIKAZU TSUNO/AFP/Getty Images)

Japan is about to enter the brave new world of modern cybersecurity. The threats are coming, ready or not, especially -- but not exclusively -- from China and North Korea. The question is, how ready will Japan be when the next big wave of hackers hits?

If the recent scandal involving hackers raiding the email of executives at Sony's U.S. affiliate proves anything, it's that poor or lax cybersecurity is not only dangerous and costly, but can be highly embarrassing.

It's a lesson that Japan needs to take to heart. Back in 2000, the government drew up a Special Action Plan that recognized the growing cyberthreat, especially for an advanced technological society that depends heavily on the free and efficient flow of information over the Net, as well as the electronic storage of valuable, even critical, data.

Yet over the next decade, the number of cyberattacks worldwide skyrocketed as Japan's government and business communities looked all too vulnerable. In 2012, cyberattacks passed the 1 million mark, including attacks on the Japanese Diet and a nuclear power research institute. In April 2013 the major targets included Sony, Mitsubishi Heavy Industries, the Japan Aerospace Exploration Agency and Yahoo Japan. In the latter case, some 20 million user names and passwords were dumped into a file ready for remote download before technicians blocked the theft.

In 2014, the number of attacks passed the 25 billion mark, with 40% traceable back to China.

Waking up to the threat

Since coming to office, fortunately, the government of Prime Minister Shinzo Abe has taken major steps to bring Japan's cybersecurity policy into the 21st century. It discovered, for example, that only half of Japanese companies had an information technology policy, while a report from the National Information Security Center found that Japan was some 80,000 people short of having enough cybersecurity engineers. The Abe government passed a law making NISC the cabinet's chief watchdog over cybersecurity, while his Information Security Policy Council chaired by his chief cabinet secretary takes the lead in directing cyber policy. The Ministry of Defense, building on a 2012 report, "Toward Stable and Effective Use of Cyberspace," set up a Cyber Defense Unit to coordinate responses to threats by the ministry and the Self-Defense Forces.

In March 2014, under Abe's direction, the government ran its first broad cybersecurity drill, with 200 specialists trying to fend off simulated phishing attacks (i.e., when a government or company employee opens his or her server to a computer virus by opening a fake website) on 21 state ministries and agencies, as well as 10 industry associations.

The results were sobering. "It's not that we haven't put effort into cybersecurity," Ichita Yamamoto, the then minister in charge of IT policy, said afterward, "but we are certainly behind the U.S." in being able to defend and respond to threats, especially in the critical areas of defense and civilian infrastructure.

So while Japan has been looking, correctly, to the U.S. for guidance (the first multiagency U.S.-Japan Cyber Dialogue took place in 2013, and the third will take place in Washington this spring), it also needs to avoid making some of the same mistakes America made in learning to defend its cyberspace.

Don't do as I do

Like Japan, the United States was woefully slow to realize the danger. It wasn't until 2004, when hackers in China went after various U.S. military computer systems, including the Army Space and Strategic Defense installation, that many officials began to wake up to the threat -- and its principal source.

The next China-based attack, which came in 2007, was far worse, with hackers getting into the Secretary of Defense's email system. More than 1,500 separate Pentagon communication networks had to be shut down. Hackers followed by breaking into the U.S. State, Energy, and Commerce departments and got away with enough data -- much of it highly sensitive -- to fill every bookshelf in the Library of Congress.

Following those attacks, and at the urging of his director of national intelligence, President George W. Bush in January 2008 authorized the Comprehensive National Cybersecurity Initiative to develop a national cybersecurity strategy that created a strong frontline defense against immediate threats, in order to protect information and communications across the entire spectrum of government agencies. The initiative also stressed the need for counterintelligence efforts to deter future attacks, and for ways to "strengthen the future cybersecurity environment" through education, research and cooperation.

That was followed by the creation of the U.S. Cyber Command to oversee cybersecurity for the U.S. military, in conjunction with the National Security Agency, in 2010. The Department of Homeland Security has developed its own cyberattack alert and deterrence system, dubbed the National Cybersecurity and Communications Integration Center (NCCIC), along with various cyberemergency response teams, although compliance with U.S. government IT protection standards remains voluntary for private companies.

All this has marked a big improvement, but it's still far from foolproof. In May 2011, for example, American defense contractor Lockheed Martin -- maker of the high-tech F-35 fighter jet that Japan has recently purchased -- announced it had been hacked, while the Gmail accounts of senior U.S. officials, including Secretary of State Hillary Clinton and Chairman of the Joint Chiefs of Staff Adm. Mike Mullen, were systematically worked over, almost certainly by hackers originating in China.

Cyberthreats are constantly evolving and the recent attacks that shut down unclassified networks at both the White House and the State Department prove that even the U.S. government doesn't have all the answers yet. Indeed, it may never have all of them.

The sober fact is that the cyberdefender, like his adversary, must be flexible and tireless; any strategy that demands less is bound to fail.

What's left to be done

So what lessons has the U.S. learned that Japan can embrace? The first is that firewalls, antivirus programs, and other typical "security" measures are clearly not enough. Usernames can be faked; passwords can be stolen; firewalls can be broken open and burgled. Every company and government agency needs to have a clear and decisive cyberdefense strategy to deal with each and every intrusion -- and a program to make sure employees are diligent about keeping usernames and passwords safe, and aware of the dangers of opening the wrong website or email.

Two, the sharing of information about attacks and threats is critical to deterring future attacks. Fears of liability and humiliation at being exposed as careless (or leaking valuable corporate data) have to be set aside to make sure the experts know who's being attacked, and with what malware tools. A central cybersecurity agency like NISC is only as good as the cyberintelligence it collects.

Three, Japan's two most hostile neighbors, China and North Korea, are among the most persistent cyber criminals. This virtually ensures that any serious confrontation with either will involve a major cyberassault aimed at disrupting Japan's Self-Defense Forces and critical infrastructure -- possibly even aimed at triggering a meltdown of its nuclear reactors as a diversion from military action. Any national strategy for Japan dealing with a geopolitical crisis has to include a full-spectrum cyberattack counterstrategy.

Four, not just government but Japan's biggest companies will have to get into the cybersecurity field, bringing their best talent and resources to the job. America's big defense contractors, like Lockheed Martin and Boeing, have become important players in the business. Likewise, Toshiba, Mitsubishi Heavy, NEC and other technological and electronic giants need to plunge full speed into developing the tools, strategies, and above all, the personnel to do the job.

Five, purely passive cyberdefenses aimed at detecting and deterring attacks will always be inadequate in the long run. Japan and the U.S. will have to develop what the experts call "active defenses," aimed at disrupting, shutting down, and punishing the perpetrators, even if they are directly linked to governments.

Dealing with the global cyberthreat, and those who perpetrate or promote these attacks, will require ingenuity, patience, persistence, but above all courage. It's a challenge Japan and the U.S. can and must meet together.