Essay in NBR Special Report 116
Japan’s Cybersecurity Resilience Efforts in Collaboration with the United States
This essay examines Japan’s efforts to bolster its cybersecurity and resilience, prompted by the outbreak of the war in Ukraine in February 2022, its growing concerns over a potential conflict in the Taiwan Strait, and the major ransomware attack on the Port of Nagoya in July 2023.
EXECUTIVE SUMMARY
MAIN ARGUMENT
Japan is currently working to enhance its cybersecurity and resilience. Not only has it passed legislation on active cyberdefense to minimize the damage caused by substantive cyberattacks that can compromise national security, but it also has established new requirements for critical infrastructure companies to enhance their cybersecurity practices under the revised Economic Security Promotion Act. These and other efforts will require legal initiatives and domestic and international public-private partnerships, pursued through the legislation on active cyberdefense, government sharing of cyber threat intelligence with industry, threat-hunting collaboration, and global law-enforcement cooperation to disrupt cyberattacks. While the defeat suffered by Prime Minister Shigeru Ishiba’s ruling coalition in the October 2024 election could delay some legislative efforts, the country has been proactively contributing to global resilience through law-enforcement collaboration to disrupt ransomware criminal activities and its participation in an international annual cyber exercise with Australia, the United Kingdom, and the U.S. Because Japan brings not only the Japan Self-Defense Forces and Ministry of Defense but also civilian agencies and critical infrastructure companies to the exercise, these initiatives enable it to serve as a regional hub for cybersecurity and resilience collaboration and to better prepare for major disruptive cyberattacks on critical infrastructure services during a national security crisis.
POLICY IMPLICATIONS
- While Japan’s legislation on active cyberdefense tends to attract attention to offensive capabilities, it is equally important for Japanese policymakers to increase the country’s defensive capabilities through secure-by-design and secure-by-default strategies, as well as by providing support for under-resourced small and medium-sized businesses.
- The Japanese government should establish a procedure to declassify cyber threat intelligence to share with industry stakeholders, so that individuals without a security clearance can use the intelligence to better protect their assets and contribute to national security and resilience.
- The government needs to create a legal framework to issue a waiver from regulatory requirements so that companies can accept its threat-hunting offer. Otherwise, companies that are concerned about potential legal risks if government threat hunters find a gap between their cybersecurity practices and regulatory requirements will decline to participate in government initiatives.
Mihoko Matsubara is Chief Cybersecurity Strategist for the NTT Corporation in Tokyo, where she is responsible for cybersecurity thought leadership. She served at the Japanese Ministry of Defense before completing an MA at the Johns Hopkins School of Advanced International Studies on a Fulbright scholarship. Prior to joining NTT, she worked as vice president and public sector chief security officer for the Asia-Pacific at Palo Alto Networks. She is an award-winning author of two books on cybersecurity and the war in Ukraine.