Is Japan Ready for the Growing Cyber Threat?


In June 2021 a British thinktank ranked Japan in the lowest tier of cyber-defense capabilities, indicating significant weaknesses in the country’s approach. What should Japan do to overcome those weaknesses? Cyber defense expert Nawa Toshio explores the core of this issue in a global context.

Cyber Preparedness Analysis

On June 28, 2021, the International Institute for Strategic Studies, a British thinktank, released Cyber Capabilities and National Power: A Net Assessment, a report summarizing its analysis of 15 global powers in the cyber domain. IISS used its own methodology to run the assessment, ranking the countries in terms of their capabilities in various categories, and in the report listed Japan under Tier 3.

  • Tier 1: World-leading strengths in all the categories.
  • Tier 2: World-leading strengths in some categories.
  • Tier 3: Strengths or potential strengths in some categories, but significant weaknesses in others.

In other words, the organization sees Japan as having serious weaknesses in its cyber capabilities. However, most of the domestic media and social network responses in Japan emphasized the nation’s place “among the lowest tier of major nations,” which indicates that the true message to Japan in this report is not being conveyed.

I feel that a close reading of the report, with attention to its background, purpose, and assumptions, can help clarify the true core of the issue, and demonstrate responses Japan should make.

Essential Information

The 2017 Global Go To Think Tank Index report ranked Britain’s IISS among the world’s top think tanks for defense and national security. However, in 2018 it received the lowest possible rating for fundraising transparency, and the report created a new category just for IISS: “Deceptive.” The thinktank clearly has some reason to hide some funding sources, but research into diplomatic/security and military issues from any organization with that kind of stance should be considered potentially biased.

Results of the Assessment of Japan

IISS’s unique cyber power methodology assesses states based on specific “Cyber Power Categories,” and the following table shows the results of that assessment for Japan in a straightforward manner, based on my interpretation.

Cyber Power Categories Assessment Results for Japan
Strategy and doctrine Policies in place tend to be low on substance; military is unprepared 
Governance, command, and control Command coordination is weak; military has only low-level capabilities
Core cyber-intelligence capability Efforts are held back by underfunding and constitutional constraints
Cyber empowerment and dependence Military use of superior technology is limited
Cyber security and resilience The country is at a high-risk stage of development in the field
Global leadership in cyberspace affairs The country is making active diplomatic efforts
Offensive cyber capability Constitutional and political constraints make developing this capability difficult

These categories represent a measure of a state’s defensive capabilities in cyber space, or, in other words, its will and ability to eradicate invasive threats there. These defensive capabilities are that state’s final recourse in maintaining its cyber security; there are no alternative measures that can be taken in their place toward that end. That means that this report is not, as has been claimed, simply stating that Japan is “among the lowest tier of major nations.” Rather, it is saying that when it comes to cyber threats to its national interests, there are security and defense areas where its desired capabilities are significantly weak.

Russia and China: Different Values, Greater Strength

China has a very high ranking in the “Governance, command, control” category. The country has the world’s most extensive cyber-domain domestic surveillance and censorship system, under the strict control of government leadership. China also has clear strengths in the “Strategy and doctrine” category, with its national cyber strategy reflected in the text of its 2015 China’s Military Strategy white paper, as well as in the Cyber Security Law that went into effect in 2017.

Since the beginning of this century, it has also carried out large scale cyber activities directed at nations around the world. Analysts see these activities as attempts to acquire intellectual property or political influence, conduct international espionage, and deploy potentially disruptive capabilities in preparation for future conflicts. In light of its expanding digital technology industrial base, this is understood as a sustained buildup of “Offensive cyber capability” to rival that wielded by the United States.

Russia’s cyber power has developed independently during its long rivalry with the United States and Western Europe. In particular, analysis shows that Russia considers cyber strategy a key element of its broader information warfare strategy and is carrying out cyber attacks and large-scale cyber espionage targeting Western countries with the aim of disrupting their policies and governments. For that reason, the report gives Russia a high ranking in “Offensive cyber capability.”

At the same time, Russia’s IT infrastructure could be a weakness due to its heavy dependence on British and French ICT enterprises. However, the Russian government is promoting sovereign internet construction and domestic digital development based on its own statutory regulations, so the analysis in this report sees Russia as taking a stance to address its potential cyber security weaknesses.

Russia has also been successful in its diplomatic efforts to counter the dominance of Western nations, particularly the United States, in cyberspace. That has earned it a high ranking in “Global leadership in cyberspace affairs.”

Inevitable Evolution of Cyber Threats

Based on the facts and analysis presented in the IISS report, as well as its predictions for the future, my interpretation is this: The situational and structural issues faced by each nation are unavoidably and causally linked to the diplomatic and defense issues those nations face in dealing with counterparts that do not share the same values. This means, in a sense, that nations are guaranteed to see further growing cyber threats to their interests.

In recognition of this situation, most major powers have been making efforts to respond to the burgeoning threats, such as by establishing some form of national cyber security agency with the legal mandate and capabilities to mount a national defense against cyber threats.

Japan’s Current Status and Proper Response

Given the current societal and other issues facing Japan, it is difficult for the country to establish a strong, capable cyber security agency at the national level; various government ministries are therefore promoting their own individual cyber security policies. The Cabinet’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is in charge of coordinating some part of that, but I find it hard to see any real unified national efforts. For example, let us look at the state of security personnel policies.

In the first half of the 2010s, each ministry and agency began enacting its own security personnel policies in response to changing circumstances and various outside recommendations. However, the situation grew so chaotic that in 2017 the NISC tried to coordinate all of those policies. With that incentive, each of the ministries reorganized its security personnel policies.

I had hoped that this initiative would help led to more effective measures as organizations selected and consolidated the policies they had in place. However, as the NISC’s Cyber Strategy Report from 2018 illustrates, no one was able to offer any concrete policy measures. To paraphrase, it says the government will consider further coordination of various human resources development policies and offer follow-ups through each annual Cyber Security Strategy report.

In other words, the government has accepted that each ministry and agency will proceed with its own measures and will not start coordinating them, but will “consider further coordination” in the future. “Consider” here simply means to examine an issue from various sides and think about the best steps. In my opinion, this reveals that the independent policies enacted by each government ministry were not only closed off within their respective fields, but that the government as a whole did not investigate the issue with any rigor. In Japan, it seems there are robust organizational structures and processes that make it difficult to successfully carry out consolidation, selection, and concentration of organizations and policies.

In recent annual editions of this report, the relevant language has included a new sentence regarding this idea of coordination. Again, to paraphrase, the reports note that portal site to consolidate various public- and private-sector initiatives related to human-resource development and public awareness has been established and is now in provisional operation.

I strongly believe that developing personnel who can help improve Japan’s capabilities in the diplomatic, security, and military areas is an increasingly urgent issue as cyber threats grow against the country’s interests.

There are many researchers with vast experience and expert knowledge who have dug deeply into the actions Japan should take in the harsh reality it currently faces, both in print and online. Many famous thinktanks have also offered suggestions, and so I will refrain from repeating what has already been said. I am more interested in thinking about what might be more necessary than detailed action items: broad initiatives that will show results in protecting the national interest. In particular, that means establishing a central entity in charge of implementation, with clearly assigned responsibilities and roles—in other words, an answer to the question, “who is in charge?”

The National Police Reserve was established in 1950, after which it was repeatedly given new responsibilities and roles. It continued to evolve into what is today Japan’s Ministry of Defense and Self-Defense Forces: the forces of last resort in situations where government agencies or private organizations are unable to defend the lives and wellbeing of citizens. The Defense Ministry and SDF have made extraordinary efforts to acquire budgets and build capacity in order to fulfill their responsibilities and roles. This offers up an idea of who could be in charge in new efforts in the cyber domain. I believe that in order to overcome the “significant weaknesses” that Japan displays in its cyber power, it must establish a national cyber security agency that can take on the role and responsibility of defending the national interests in cyber space, much as other nations have done.

(Originally published in Japanese. Banner photo © Pixta.)

cybersecurity diplomacy Self-Defense Forces security Ministry of Defense Rowing