Japan’s New Cybersecurity Strategy
The tendency in the United States is to think about cyberthreats exclusively in terms of US interests (a tendency I’ve certainly followed on more than one occasion). Hence, the extended attention to questions of whether and how Congress should regulate cybersecurity. But, of course, cyberspace — and cyberthreats — are global. Every nation is now faced with developing a strategy for responding to these threats, whether through the deployment of government resources, private industry, or public-private partnerships. So, I read with interest Hitachi’s English-language summary of Japan’s new Cybersecurity Strategy, which was adopted by Japan’s Information Policy Council earlier this week (you can read the policy itself here in Japanese). Here are some highlights:
- Japan (like most other States) has moved away from using “information” as the adjective to describe the issue; so it’s now cybersecurity, not information security.
- Japan’s National Information Security Center will be given more authority to play a “command” role in dealing with cyberthreats.
- Japan will revisit what counts as “critical infrastructure” to include targets, which, if attacked, would have significant socioeconomic effects or impact civilians more broadly.
- Japan will increase consultation with the private sector and pursue more information sharing.
- There will be a “Cyber Clean Day” to raise user-awareness of cyberthreats and ways to combat them.
- A Cyber Defense Unit will be established within Japan’s Self Defense Forces with responsibility for countering cyber-attacks that constitute part of armed attacks.
- In terms of international relations, the Japanese government intends to continue to study how international law, including international humanitarian law, is applicable to cyberspace; establish confidence-building to avoid any escalation of tensions; and prioritize cooperation with the United States.
Japan is truly a high-tech culture, but I was surprised, during my Spring semester there, how little attention cyberthreats have received; indeed, the most visible “cyberthreat” has been anonymous users making threats via the Internet (this was the dominant story line this past Spring on the cyber front). I saw much less attention to the threats posed by large-scale DDoS attacks, let alone infiltration of critical infrastructure by Advanced Persistent Threats. So, it is a welcome development to see the Japanese government moving forward on these issues. That said, I don’t see much in the way of “new” ideas here; almost everything Japan’s government is talking about doing there is on the table here in the United States (with the possible exception of a “Cyber Clean” day, which I attribute to the fact that the Japanese populace is much more willing to undertake collective enterprises than the U.S. citizenry). Still, I’m very interested to see how Japan approaches the question of cyberattacks and the use of force, especially given its Constitutional structure with respect to military activities. Will they adopt Harold Koh’s multi-factored, contextualized standard? Or, will they be one of the first States to accept the Tallinn Manual’s effects-based approach? Or, is there some other way they could approach the issue? Comments welcome, especially from those readers who can offer more insights into how the Japanese government is thinking about these topics.
Hat Tip: Mihoko Matsubara