Japan's Achilles heel: Cybersecurity

Japan is one of the most rapidly aging nations in the world, and many of its seniors lack even a basic understanding of cyber � let alone cyber risks

Cyber is a relatively new realm of security that states across the world have to contend with. From deciding what constitutes an “attack” to what constitutes a “proportionate response,” many states are still struggling to understand this new sphere. Such issues require international cooperation to establish new norms, and in a parallel effort, states are doing as much as they can unilaterally to defend themselves. However, Japan, in particular, is still lagging.
Due to a variety of factors, Japan is uniquely underprepared for the cyber challenges of the 21st century, ranging from attacks by foreign quasi-state actors to theft by domestic criminals.
One important factor that makes Japan so vulnerable is its economy’s heavy reliance on the Internet. According to Deloitte’s Asia-Pacific Defense Outlook 2016, Japan, along with South Korea, Singapore, Australia, and New Zealand, has a cyber vulnerability index nine times higher than their Asian neighbors. The index is based on a number of data points that measure internet-based economic interactions – such as the number of mobile phone subscribers, the number of secure Internet servers, broadband prevalence, and the rate of Internet use – and does not consider the effectiveness of countermeasures in place or the number of Internet-reliant military and government systems. Still, it provides a telling sign of how vulnerable Japan is.
Another factor that makes Japan uniquely underprepared is the Japanese population’s indifference or misunderstanding of the issue. There are multifaceted causes, including the demographic reality that Japan is an aging society; a certain naiveté among the Japanese public at large; a culture of shaming victims that makes Japanese government and business leaders embarrassed to admit failure; and insufficient talent to meet Japan’s security needs.
Japan is one of the most rapidly aging nations in the world, and many of its seniors lack even a basic understanding of cyber – let alone cyber risks. Fraud and criminal activities, which tend to prey on seniors, also have taken on digital wings. Because of harsh penalties for writing malware, Japanese cyber criminals have a tendency to purchase such malware from foreigners for their use. Through anonymous – and restricted – access to the deep web, cyber criminals buy and sell phone number databases and credit card credentials, among other illicit goods.
William Saito, special adviser to the prime minister on cyber issues, also laments that too many Japanese become “unwitting accomplices” in cyber crime, as they unthinkingly insert an unknown USB drive into a device or click on a dangerous link. There is also a general lack of appreciation among ordinary Japanese about the importance of keeping sensitive information safe.
Furthermore, cooperation – between different government agencies, different companies, and across the private and public sectors – to fight back against cyber threats is harder than it should be. One of the greatest obstacles to cooperation is the culture of victim-blaming, which makes it difficult for an agency or company that has been the target of a cyber attack to come forward. In this respect, Saito believes that the government needs to set an example of not covering up when attacks happen, and having better communication and more open reporting procedures. Only when the government takes the driver’s seat by setting a good example will this norm trickle down to businesses and individuals.
Meanwhile, there are few efforts so far to promote domestic expertise on cyber issues. In Japan, students are not exposed to computer programming until the university level. Saito characterizes this lack of emphasis on programming as a national security concern. “We lack, some say, 80,000 cyber literate workers in Japan at a minimum,” Saito explains. “Not only are we losing competiveness, effi­ciency, but obvio­usly the IP that we lose via theft. Thus, it is a huge concern that we need to put immediate attention towards.”
And, of course, when it comes to attacks from quasi-state actors, geopolitics cannot be discounted either. China, Russia, and North Korea target Japan not just because of a general sense of animosity or disputes over history issues, but because Japan could be a threat, due to Japan’s sheer proximity and advanced capabilities. China, Russia, and North Korea have a need to know what Japan is up to and capable of.
In short, Japan is a high-value target – militarily, economically, and technologically. Consider the wide range of targets in Japan. In August 2011, hackers targeted classified defense information at Mitsubishi Heavy Industries and 20 other defense and high tech firms. Also in August 2011, emails and documents were stolen from 480 Diet members and staff. In April 2012, a hack at the Ministry of Agriculture, Forestry and Fisheries resulted in the exfiltration of 3,000 documents, including 20 classified documents on TPP negotiations. In early 2013, the Ministry of Foreign Affairs discovered it had lost “at least” 20 documents.
Cyber vulnerability is exacerbated by Japan’s “island nation” mentality, which Saito believes has made Japanese leaders complacent when it comes to defending against cyber threats. “Security and safety has always been taken for granted [because of Japan’s geographic isolation]. Cyber’s very premise has connected the country in many ways,” Saito argues.  To use just one prosaic example to illustrate how Japan is no longer as isolated as it used to be: cyber means language differences are no longer the natural barriers they once were for espionage activities within Japan. Instead, Japanese officials’ lack of English fluency helps contribute to a lack of Japanese influence in international forums dealing with cyber issues.
The true wake up call to Japan was the pension hack last June, when 1.25 million cases of personal data was leaked – a psychological shock the equivalent of the United States’ own OPM breach.
So what can Japan do? Deterrence does not work in a traditional sense. The Deloitte report acknowledges this dilemma, concluding that Japan may have to consider “threatening disproportionate or unpredictable retaliation … including responses outside cyberspace.” But, ironically, because of just how extensively Japan is inter-connected, hackers’ fear of “unintended consequences” – triggering catastrophes greater than they intend or want – has likely exercised some restraint over hackers’ activities. Fear of waking a sleeping bear has likely stayed attackers from mounting more daring campaigns.
While this consideration might mitigate damaging attacks against Japanese assets, it does not necessarily deter those who simply wish to seek information that can be used for financial gain. These sort of illicit activities focus on going unnoticed and being undisruptive for as long as they can.
The Diplomat

Japans Achilles heel: Cybersecurity

Japan is one of the most rapidly aging nations in the world, and many of its seniors lack even a basic understanding of cyber � let alone cyber risks

Cyber is a relatively new realm of security that states across the world have to contend with. From deciding what constitutes an attack to what constitutes a proportionate response, many states are still struggling to understand this new sphere. Such issues require international cooperation to establish new norms, and in a parallel effort, states are doing as much as they can unilaterally to defend themselves. However, Japan, in particular, is still lagging. Due to a variety of factors, Japan is uniquely underprepared for the cyber challenges of the 21st century, ranging from attacks by foreign quasi-state actors to theft by domestic criminals. One important factor that makes Japan so vulnerable is its economys heavy reliance on the Internet. According to Deloittes Asia-Pacific Defense Outlook 2016, Japan, along with South Korea, Singapore, Australia, and New Zealand, has a cyber vulnerability index nine times higher than their Asian neighbors. The index is based on a number of data points that measure internet-based economic interactions such as the number of mobile phone subscribers, the number of secure Internet servers, broadband prevalence, and the rate of Internet use and does not consider the effectiveness of countermeasures in place or the number of Internet-reliant military and government systems. Still, it provides a telling sign of how vulnerable Japan is. Another factor that makes Japan uniquely underprepared is the Japanese populations indifference or misunderstanding of the issue. There are multifaceted causes, including the demographic reality that Japan is an aging society; a certain naivet among the Japanese public at large; a culture of shaming victims that makes Japanese government and business leaders embarrassed to admit failure; and insufficient talent to meet Japans security needs. Japan is one of the most rapidly aging nations in the world, and many of its seniors lack even a basic understanding of cyber let alone cyber risks. Fraud and criminal activities, which tend to prey on seniors, also have taken on digital wings. Because of harsh penalties for writing malware, Japanese cyber criminals have a tendency to purchase such malware from foreigners for their use. Through anonymous and restricted access to the deep web, cyber criminals buy and sell phone number databases and credit card credentials, among other illicit goods. William Saito, special adviser to the prime minister on cyber issues, also laments that too many Japanese become unwitting accomplices in cyber crime, as they unthinkingly insert an unknown USB drive into a device or click on a dangerous link. There is also a general lack of appreciation among ordinary Japanese about the importance of keeping sensitive information safe. Furthermore, cooperation between different government agencies, different companies, and across the private and public sectors to fight back against cyber threats is harder than it should be. One of the greatest obstacles to cooperation is the culture of victim-blaming, which makes it difficult for an agency or company that has been the target of a cyber attack to come forward. In this respect, Saito believes that the government needs to set an example of not covering up when attacks happen, and having better communication and more open reporting procedures. Only when the government takes the drivers seat by setting a good example will this norm trickle down to businesses and individuals. Meanwhile, there are few efforts so far to promote domestic expertise on cyber issues. In Japan, students are not exposed to computer programming until the university level. Saito characterizes this lack of emphasis on programming as a national security concern. We lack, some say, 80,000 cyber literate workers in Japan at a minimum, Saito explains. Not only are we losing competiveness, efficiency, but obviously the IP that we lose via theft. Thus, it is a huge concern that we need to put immediate attention towards. And, of course, when it comes to attacks from quasi-state actors, geopolitics cannot be discounted either. China, Russia, and North Korea target Japan not just because of a general sense of animosity or disputes over history issues, but because Japan could be a threat, due to Japans sheer proximity and advanced capabilities. China, Russia, and North Korea have a need to know what Japan is up to and capable of. In short, Japan is a high-value target militarily, economically, and technologically. Consider the wide range of targets in Japan. In August 2011, hackers targeted classified defense information at Mitsubishi Heavy Industries and 20 other defense and high tech firms. Also in August 2011, emails and documents were stolen from 480 Diet members and staff. In April 2012, a hack at the Ministry of Agriculture, Forestry and Fisheries resulted in the exfiltration of 3,000 documents, including 20 classified documents on TPP negotiations. In early 2013, the Ministry of Foreign Affairs discovered it had lost at least 20 documents. Cyber vulnerability is exacerbated by Japans island nation mentality, which Saito believes has made Japanese leaders complacent when it comes to defending against cyber threats. Security and safety has always been taken for granted [because of Japans geographic isolation]. Cybers very premise has connected the country in many ways, Saito argues. To use just one prosaic example to illustrate how Japan is no longer as isolated as it used to be: cyber means language differences are no longer the natural barriers they once were for espionage activities within Japan. Instead, Japanese officials lack of English fluency helps contribute to a lack of Japanese influence in international forums dealing with cyber issues. The true wake up call to Japan was the pension hack last June, when 1.25 million cases of personal data was leaked a psychological shock the equivalent of the United States own OPM breach. So what can Japan do? Deterrence does not work in a traditional sense. The Deloitte report acknowledges this dilemma, concluding that Japan may have to consider threatening disproportionate or unpredictable retaliation including responses outside cyberspace. But, ironically, because of just how extensively Japan is inter-connected, hackers fear of unintended consequences triggering catastrophes greater than they intend or want has likely exercised some restraint over hackers activities. Fear of waking a sleeping bear has likely stayed attackers from mounting more daring campaigns. While this consideration might mitigate damaging attacks against Japanese assets, it does not necessarily deter those who simply wish to seek information that can be used for financial gain. These sort of illicit activities focus on going unnoticed and being undisruptive for as long as they can. The Diplomat