A June 24 media report says that Japan’s National Police Agency will create a cybersecurity bureau ー including a cyber investigation team ー in the next fiscal year to address cyberattacks. The enhancement of cybersecurity bodies is obviously welcome, but there remain some concerns.
Defective Mechanism to Respond to Cyberattacks
While the National Police Agency plans to reorganize and expand its cybersecurity bodies as reported, I doubt if Japan has any sufficient mechanism to organically coordinate and supervise various bodies and cybersecurity teams, including those of other Japanese government agencies.
In general terms, the National Center of Incident Readiness and Strategy for Cybersecurity, known as NISC, is assigned such a task. But the NISC, as a part of the Cabinet Secretariat, is put under great constraints and has no power to give orders to central government agencies or other organizations.
Japan enacted the Basic Act on Cybersecurity, including Article 19 (Action for matters which may critically affect the country’s safety) that calls for “providing measures to clarify the division of roles” among relevant bodies. In the past eight years during which the act itself was revised, I doubt if the division of roles among relevant bodies has been clarified.
How are the roles divided in case of an unidentified but apparent foreign government or military organization’s cyberattack on key Japanese infrastructure? Would the Japan Self-Defense Forces (JSDF) be responsible for responding to such an attack?
Under existing law, the JSDF has no mission to defend citizens’ lives or assets from foreign cyberattacks. The JSDF cyber units are assigned to defend computer systems of the Ministry of Defense and JSDF.
How about in the U.S.? When I served as an JSDF cyberwarfare unit commander, I asked an American cybersecurity unit officer this question: “What organization would respond to an enemy’s large-scale cyberattack on the United States, and how?” The answer was that the Department of Homeland Security would combine government agencies to make a unified response, with the military doing what it should.
Unlike the United States, Japan lacks any powerful government organization to bring together a unified, effective response to a large-scale foreign cyberattack. Moreover, it has failed to clarify the division of roles and how relevant government bodies would cooperate in the case of a cyberattack.
Increase Trainers to Develop Relevant Human Resources
There is another concern. Have sufficient human resources been provided to the increasing number of cybersecurity organizations? If the private and public sectors are competing to get excellent human resources, there will be problems.
Talented individuals should be cultivated as human resources for cybersecurity. At present, excellent cybersecurity experts are cultivating human resources in their field. However, I doubt there is any established methodology for such cultivation. Cultivation is most likely dependent upon individual methods.
A long time has passed since there was a focus on cybersecurity human resources shortages. Japan seems to be missing the perspective that an increase in the number of expert trainers is necessary to systematically cultivate human resources in cybersecurity.
It is an issue that merits deeper thought and far more cooperation in order to find a remedy.
Author: Hiroshi Ito
Hiroshi Ito is a guest researcher of the Japan Institute for National Fundamentals and a former commander (the first commander) of a cyberwarfare unit of the Japan Ground Self-Defense Forces.