According to the latest report from the specialized service of the Japanese National Police, ransomware cyberattacks have increased by 85% in the first quarter of 2022 in the archipelago. In the Land of the Rising Sun, hackers like to attack the manufacturing industry and services, with a marked predilection for the medical sector. At the end of February, Toyota’s 14 factories in Japan were shut down after a cyber attacker targeted one of its subcontractors. Most recently, the Osaka Hospital (population 2.7 million) had to wait two months to recover its patient data. The damage caused by cyber hackers to critical infrastructure is worrying the authorities.
Created in 2015 and first revised in 2018, the current national cyber strategy had been working well to protect the 2021 Tokyo Olympics. Although effective for securing a specific point or event, points out Kazuto Suzuki, professor at the University of Tokyo and partner researcher at the Foundation for Strategic Research (FRS), this stance appears to be failing to counter a global threat, hampered by specific regulatory constraints. Today, for example, the NISC, the equivalent of our Anssi, which depends on the police, protects critical infrastructures without an explicit legislative mandate.
The main legal barrier is Article 21 of the Constitution, which sets in stone the inviolability of private communications. This prohibits any system or action to monitor all digital traffic. Kazuto Suzuki explains: “Of course, our officials have access to all the data, but they are unable to identify where the attacks are coming from; we have to wait until they are officially classified as such before we can act. Under these conditions, it’s impossible to take any comprehensive preventive measures.”
An “anticipatory defense”
As the country is due to revise its national cybersecurity strategy again by the end of the year, debates are heating up between experts and politicians on its future outlines. The issue is a crucial one, as two other fundamental texts are under discussion, on which Japan’s overall defense and security architecture depends. In terms of cybersecurity, the objective is to give birth to a true “anticipatory defense” or “active defense” of the archipelago in cyberspace.
To achieve this, an agreement will have to be reached between the various ministries concerned, under the leadership of the Prime Minister, the conservative Fumio Kishida, who was appointed to the post in September 2021 to replace the very experienced Shinzo Abe, who resigned for health reasons and has since died. Among those sitting around the table are the ministries of Internal Affairs, Industry, Trade and Communication.
The military also has a say. Currently responsible for the cyber protection of their networks alone, the Self-Defense Forces could recover critical infrastructure. And for the first time, there are thoughts of extending the cyber defense strategy to space, where Japan wants to increase its presence, in the U.S. fold, as well as to deep-sea infrastructure.
Japanese experts are reviving the idea adopted by the 2019 Osaka G20 to promote a digital data free trade zone that would encompass the United States, Europe, India, and Japan. They suggest that its governance be modeled on the European directive framing the free flow of non-personal data within the Union adopted in 2018. Kazuto Suzuki argues that this step would make Japan more attractive to China, where developers of artificial intelligence programs backed by mega-data farms are flocking.
In fear of the Chinese neighbor
Even more than cybercriminals, what Japan fears above all is that one day it will face a massive cyberattack on its economy orchestrated by Beijing. When it comes to the balance of power in the cyber world, China still has the upper hand, according to the latest report on the subject by the British think tank IISS. Out of 15 countries analyzed, the Middle Kingdom is at the top of the ranking, just behind the United States, ex aequo with France and Great Britain, while Japan is relegated to the last third, alongside India, Indonesia, Iran, North Korea, and Vietnam…
In view of the first lessons learned by Europeans from the war in Ukraine, nothing is lost for Tokyo, which has built its cybersecurity strategy based on the French model in particular, and now seems to want to bet on the development of cooperation with the Western camp to consolidate its defense. “Despite the fact that more than 1,000 cyber attacks of Russian origin were recorded on Ukrainian networks and infrastructures during the first months of the war,” emphasized researcher Nicolas Mazzuchi during a recent exchange with Kazuto Suzuki at the FRS, “the impact proved to be weak, except for the one that affected the Via Sat space system on the eve of February 24.
For the director of research at the Navy’s Center for Strategic Studies, Russia has not been overestimated, but the damage its hackers inflicted on Ukraine before the war led Kiev to put its foot down to defend itself. And the result shows that it made the right choices: acting on both the technical and informational layers, betting on cooperation with the United States and the European Union; in 2021, Brussels is committed to supporting Kiev in case of a major attack.
The good news is that the free trade zone for digital data that Japan is calling for to counterbalance China’s influence is making further progress in the West. After the entry into force of the GDPR, the first real effective text to protect private data, then the adoption of the DMA (to limit market monopolies) and DSA (which makes online content platforms responsible) directives, Brussels and Washington agreed, at the end of October, on a “transparent” framework for exchanging personal data. As a result of a compromise, this agreement “marks a turning point for the ambition to create a common space for sharing digital data,” says Nicolas Mazzuchi