Two days before Prime Minister Yoshihide Suga announced his resignation, Japan finally got around to launching his flagship Digital Agency — a new cybernetic arm of government cranked into existence by analogue panic over the sheer volume of paper involved in day-to-day government.
For all the necessity of creating such a body, and endowing it with political capital that may be gone by the time a new leader is chosen, the world’s third-biggest economy has left the project embarrassingly late.
Japan will pay a reputational price for its decades of foot dragging. The more successful the agency is in modernising the country’s digital-hesitant bureaucracy and economy, the more startling the shortcomings it unearths may be and the more overdue the endeavour will appear.
But the sense of urgency accompanying the Digital Agency’s birth, say people close to the Cabinet Office, masks a fear that is likely to be inherited by Suga’s successor. Japan knows that both its private and public sectors are not ready for cyber war, and strongly suspects that its potential foes — China foremost among them — are.
That makes it an intriguing moment for the founder and former head of Britain’s National Cyber Security Centre (NCSC), Ciaran Martin, to be joining the board of a small Japan-based cyber defence consultancy that has the ear of the highest echelons of the Japanese government. Other advisers to the firm, Nihon Cyber Defence, include Japan’s former highest ranked military officer and Taiwan’s former Chief of the General Staff.
The addition of Martin as an adviser, say his new colleagues, coincides with the government’s efforts to put together a full cyber defence strategy by December and a shift in perceptions of the risks the country faces. The ransomware attack that shut down America’s biggest petroleum pipeline in May was merely the latest in a global run of attacks on vital infrastructure, say Nihon Cyber Defence executives. But it was a particularly timely illustration for people around Suga (many of whom are likely to remain in the next administration) of what national vulnerability looks like today.
These jolts of reality, say those who have watched the slow progress of Japan’s public and private sectors in building coherent cyber defence strategies, are now vital.
At one level, Japan appears to have moved into a new phase of heightened security concern centred on tensions over Taiwan and the broader sphere of Chinese influence. A July defence review made that explicit. The theory of those arguing for a more robust stance is that the more tightly Tokyo focuses on the threat from an increasingly aggressive China, the more clearly it will see its own military and cyber defence deficits. The day before the launch of the Digital Agency, Japan’s defence ministry submitted its biggest ever budget request. It argued that an increase of $50bn was required for the coming fiscal year for both conventional military spending and the development of cutting-edge cyber weaponry.
But advisers to the Japanese government say that behind the ambition lies real uncertainty and a lack of expertise in how to quickly assemble the kind of world-class cyber defence capability that the country’s transport, power, medical and industrial networks clearly need.
Debates rage over how to streamline responsibilities into small task forces and whether legal and constitutional changes are necessary to accommodate the powers that might be required. Strategic questions include whether Japanese companies and government agencies should shift away from their passive defence tactics, whose primary goal has been to assure the quickest possible recovery from an attack. Instead some experts argue for a more active defence that seeks out and eliminates threats.
Arguably most critical, though, will be the creation of a role that places responsibility for Japan’s cyber security on a person with both the skills to understand the threat and the authority to co-ordinate multiple arms of government, intelligence and military in response. Japan may not yet have made the political or even the philosophical leap required to envisage such a job, let alone who might fill it. But it does have an example in the UK, which created the effective and widely envied NCSC, whose former cyber defence supremo, Martin, is conveniently on the books of a Tokyo-headquartered consultancy.
The challenge of pulling all this together — even when framed as a matter of crucial national urgency — will be formidable. The creation of the Digital Agency, however separate from the cyber war issue, suggests that Japan knows it has no more time to waste.