I am often asked by both Japanese and foreign individuals, “What do you think of Japan’s allegedly low cybersecurity capabilities?”
However, recent examples of damage from cyberattacks around the world do not indicate that Japan’s cyber defenses are significantly lower than those of other countries. Rather, large incidents, such as the Colonial Pipeline ransomware attack, are more common in the United States.
For example, a survey was conducted last year by the US cybersecurity firm Proofpoint, Inc. on ransomware damages in seven countries: Japan, the United States, the United Kingdom, Australia, France, Germany, and Spain. According to the results, 72% of the US organizations that responded were infected, 78% of the responding UK entities, and 80% of the responding Australian organizations. Japan had the lowest rate at 50% of the groups responding to the survey.
Ransom was paid by 64% of the organizations in the United States that became infected, 82% of the UK entities, and 80% of the Australian organizations. Meanwhile, the percentage in Japan was significantly lower at 20%.
Moreover, while recent Olympic Games were plagued by sabotage-type cyberattacks, the Tokyo Olympics in the summer of 2021 did not experience any incidents that could have affected the operation of the Games. This was despite being hit by 450 million cyberattacks, more than double the number of cyberattacks detected during the London Olympics.
During the eight years of preparation, officials repeatedly conducted risk assessments of related systems, identified holes in security, and strengthened countermeasures ahead of time. The collaboration extended to a vast number of domestic and international organizations and included a series of training sessions conducted to ensure that basic operation protocols were thoroughly implemented.
Dr Brian Gant, assistant professor of cybersecurity at Maryville University in the United States, has pointed out that the Tokyo Olympics’ cybersecurity is a true success story and praised it as a model for event organizers to follow.
It is difficult to accurately measure each country’s cybersecurity capabilities. For strategic reasons governments do not reveal all of their capabilities, especially their offensive capabilities. So we can only infer each country’s capabilities from very limited public information.
Moreover, cybersecurity maturity is measured comprehensively in terms of defensive and offensive capabilities, intelligence, development of laws and national strategies, contribution to international norms and standards, and competitiveness of related industries. Several organizations have produced rankings of cybersecurity capabilities by country, but the rankings vary greatly depending on which areas are emphasized.
Despite these challenges, the International Telecommunication Union (ITU) released its “Global Cybersecurity Index 2020” in June 2021, ranking Japan 7th overall with a score of 97.82 points.
Reasons for Japan’s Low Recognition
There are four main reasons why Japan’s cybersecurity capabilities are often perceived as low.
One reason is lack of knowledge. Even many Japanese are not familiar with the quality of Japan’s cyber defenses, including the successful cybersecurity of the Tokyo Olympics.
Second is the size of the country’s cyber force. The US Cyber Command has about 6,000 personnel. North Korea’s cyber unit is staffed by about 6,800. China’s has about 30,000, and Russia’s about 1,000 staff. Meanwhile, Japan’s Self-Defense Force Cyber Defense Command has only 540 personnel.
The third reason is the national budget. The Japanese government’s estimated budget for cyber security for the 2022 fiscal year is ￥91.93 billion JPY (about $665 million USD), while the United States federal government’s comparable budget is just under ￥1.5 trillion yen (about $11 billion USD), and that excludes military budgets.
Although the size of the cyber force and its national budget are limited, the Ministry of Defense and the Self-Defense Forces, in partnership with the Cybersecurity Strategy Headquarters established under the Cabinet, and other ministries and critical infrastructure companies, participated in international cyber defense exercises in 2021 and again in 2022 to raise the level of public and private sector capabilities.
Fourth is the intelligence community’s ability to disseminate information. The directors of the United Kingdom and United States intelligence agencies have actively participated in major international cybersecurity conferences around the world, analyzing the situation in Ukraine and making international contributions. In addition, the UK and US intelligence agencies have frequently alerted the world to cyber threats in cooperation with relevant domestic and international organizations.
Letting the World Know Japan’s Capabilities
Lack of information dissemination does not necessarily mean lack of intelligence capability. However, without appropriate information dissemination, it is difficult to deter attackers, gain trust domestically and internationally, and strengthen relationships.
Japan’s cybersecurity is by no means perfect, and it faces various legal constraints, including the Japanese Constitution. However, it is also true that even in the face of the difficulties presented by the COVID-19 pandemic, Japan showed it had the ability to make the Tokyo Olympics a success.
We should continue to strengthen our cybersecurity with confidence, and communicate our efforts to the world in English.
Unfair labeling without evidence and the failure to rebut inaccurate criticism will only lead to being underestimated in international relations and business dealings. The lack of international recognition of Japan’s capabilities is a loss for the country.
In response to Russia’s military invasion of Ukraine and rising tensions in the Indo-Pacific, international cooperation among countries has begun to strengthen at an increasingly rapid pace.
What is needed now is a legitimate understanding of the overall cybersecurity capabilities of Japan and other countries, the establishment of cybersecurity enhancement measures with the necessary financial support, and action to put these enhancements in place.
Unless Japan increases the public awareness of accurate information about its own cybersecurity efforts, both domestically and internationally, it will neither strengthen its domestic efforts nor gain momentum for international cooperation in the future.
(This was first published as a Sankei Seiron column. Read the article in Japanese at this link.)
Author: Mihoko Matsubara, Chief Cybersecurity Strategist, NTT Corporation