I am often asked by both Japanese and non-Japanese alike, “What do you think of Japan’s low cybersecurity capabilities?”
Despite the widespread assumption of Japan’s allegedly subpar cyber capabilities, recent examples of damage from cyberattacks around the world do not indicate that Japan’s cyber defenses are significantly lower than those of other countries. Rather, large incidents, such as the Colonial Pipeline ransomware attack, are actually much more common in the United States.
Global Damage from Cyberattacks
For example, a survey was conducted last year by the US cybersecurity firm Proofpoint, Inc. on ransomware damages in seven countries: Japan, the United States, the United Kingdom, Australia, France, Germany, and Spain. According to the results, 72% of the US organizations that responded were infected, 78% of the responding UK entities, and 80% of the responding Australian organizations. Japan had the lowest rate at 50% of the groups responding to the survey.
Ransom was paid by 64% of the organizations in the United States that became infected, 82% of the UK entities, and 80% of the Australian organizations. Meanwhile, the percentage in Japan was significantly lower at 20%.
Moreover, while recent Olympic Games were plagued by sabotage-type cyberattacks, the Tokyo Olympics and Paralympics in the summer of 2021 did not experience any incidents that affected the operation of the Games. This was despite being targeted by 450 million cyberattacks, more than double the number of cyberattacks detected during the 2012 London Games.
During the eight years of preparation for the Olympic and Paralympic Games, officials repeatedly conducted risk assessments of interconnected systems, identified security holes, and strengthened countermeasures in advance. Collaboration of this nature extended to a vast number of domestic and international organizations and included a series of security training sessions conducted to ensure that fundamental operation protocols were thoroughly implemented.
Dr Brian Gant, assistant professor of cybersecurity at Maryville University in the United States, has pointed out that the Tokyo Olympics’ cybersecurity is a true success story and praised it as a model for event organizers to follow.
It is not easy to accurately measure each country’s cybersecurity capabilities. For strategic reasons governments do not reveal all their capabilities, especially offensive capabilities. Therefore, we can only infer each country’s capabilities from very limited public information.
Moreover, cybersecurity maturity is measured comprehensively in terms of defensive and offensive capabilities, intelligence, development of laws and national strategies, contribution to international norms and standards, and competitiveness of related industries. Several organizations have produced rankings of cybersecurity capabilities by country, but the rankings vary greatly depending on which areas are emphasized.
Despite these challenges, the International Telecommunication Union (ITU) released its “Global Cybersecurity Index 2020” in June 2021, ranking Japan 7th overall with a score of 97.82 points.
Reasons for Japan’s Low Recognition
There are four main reasons why Japan’s cybersecurity capabilities are often perceived as low.
One reason is lack of knowledge. Even many Japanese are not familiar with the quality of Japan’s cyber defenses, including the successful cybersecurity defense of the Tokyo 2020 Olympic and Paralympic Games.
Second is the size of the government’s (or country’s military) cyber force. The US Cyber Command has a personnel of about 6,000. North Korea’s cyber unit is staffed by about 6,800. China has about 30,000, and Russia’s about 1,000 staff. Meanwhile, Japan’s Self-Defense Force Cyber Defense Command has a personnel of only 540.
The third reason is the national budget. The Japanese government’s estimated budget for cyber security for the 2022 fiscal year is ￥91.93 billion JPY (about $665 million USD), while the United States federal government’s comparable budget is just under ￥1.5 trillion JPY (about $11 billion USD), excluding military budgets.
Although the size of the cyber force and its national budget are limited, the Ministry of Defense and Japan’s Self-Defense Forces, in partnership with the National Center of Incident Readiness and Strategy for Cybersecurity established under the Cabinet Secretariat, and other ministries and critical infrastructure companies, participated in international cyber defense exercises in 2021 and again in 2022 to raise the level of public and private sector capabilities.
Fourth is the quantity of public announcement and speakership by the intelligence community. The heads of the United Kingdom and United States intelligence agencies have actively participated in major international cybersecurity conferences around the world, analyzing the situation in Ukraine and explaining their contributions to international partners. In addition, the UK and US intelligence agencies have frequently alerted the world to cyber threats in cooperation with relevant domestic and international organizations.
Letting the World Know Japan’s Capabilities
Lack of information dissemination does not necessarily mean lack of intelligence capability. However, without appropriate information dissemination, it is difficult to deter attackers, gain trust domestically and internationally, and strengthen relationships.
Japan’s cybersecurity is by no means perfect, and it faces various legal constraints. However, it is also true that even when faced with the difficulties presented by the COVID-19 pandemic, Japan showed it had the ability to make the Tokyo Olympics and Paralympics a success.
Japan should not only continue to strengthen our cybersecurity with confidence, but also to increase the opportunity to communicate its efforts to the world. Unfair labeling without evidence and the failure to rebut inaccurate criticism will only lead to being underestimated in international relations and business dealings. The lack of international recognition of Japan’s capabilities is a loss for the country.
In response to Russia’s military invasion of Ukraine and rising tensions in the Indo-Pacific region, international cooperation among countries has begun to strengthen at an increasingly rapid pace. What is needed now is a legitimate understanding of the overall cybersecurity capabilities of Japan and other countries, the establishment of cybersecurity enhancement measures with the necessary financial support, and action to put these enhancements in place. Unless Japan increases the public awareness of accurate information about its own cybersecurity efforts, both domestically and internationally, it will gain momentum for neither domestic efforts nor international cooperation in the future.
(This was first published as a Sankei Seiron column. Read the article in Japanese at this link.)
Author: Mihoko Matsubara, Chief Cybersecurity Strategist, NTT Corporation