“API Geoeconomic Briefing” is a weekly analysis of significant geopolitical and geoeconomic developments that precede the post-pandemic world. The briefing is written by experts at Asia Pacific Initiative (API) and includes an assessment of burgeoning trends in international politics and economics and the possible impact on Japan’s national interests and strategic response. (Editor-in-chief: Dr. HOSOYA Yuichi, Research Director, API; Professor, Faculty of Law, Keio University; Visiting Fellow, Downing College, University of Cambridge)
This article was posted to the Japan Times on January 17, 2022:
API Geoeconomic Briefing
January 17, 2022
Why cyber defense in Japan is so unreliable
Dean, API Institute of Geoeconomic Studies; Senior Fellow, Asia Pacific Initiative (API);
Distinguished Professor, Keio University;
Co-Director, Keio University Cyber Civilization Research Center;
Special Advisor to the Cabinet
For the past two years, people have struggled with the coronavirus pandemic, and part of that has entailed experiencing the benefits and challenges of cyberspace.
In terms of challenges, we have experienced a great number of new incidents caused by the abuse and misuse of cyberspace. For one, ransomware attacks, created by combining conventional cyberattacks (malicious email attachments) with cryptocurrency, inflicted significant damage on vital infrastructure, including medical institutions hit by COVID-19 and energy suppliers.
The attacks proved extremely effective against lifeline infrastructure such as Colonial Pipeline Co., the operator of the largest fuel conduit system in the United States, and vaccine production.
New threats to cyberspace highlighted not only the vulnerability of spatial connections but also new weaknesses in the digitally connected industrial structure.
A geoeconomic approach to cyberspace is now being recognized as the core sphere of economic security policy.
According to the Global Cybersecurity Index 2020, released on June 28 by the Development Bureau of the International Telecommunication Union (ITU) — the United Nations agency for information and communication technologies — Japan ranked third in the Asia-Pacific region after South Korea and Singapore, which tied for first place, and Malaysia, and came seventh in the global ranking.
Meanwhile, Japan was recently ranked 40th in the National Cyber Security Index developed by e-Governance Academy — an Estonian nonprofit foundation that assists public sector institutions worldwide in digital transformation.
Given that Japan was ranked 10th in the ITU’s ICT Development Index and 16th in the World Economic Forum’s Networked Readiness Index, e-Governance Academy’s index shows the country still has further to go in the area of cybersecurity.
On June 28, the same day as the global cybersecurity index was released, the International Institute for Strategic Studies, a London-based think tank, released “Cyber Capabilities and National Power: A Net Assessment,” a report that provides the result of two years of study assessing 15 countries’ cyber power.
The studies have been conducted amid intensifying international confrontation in cyberspace in recent years, focusing on moves taken by the U.S., China and Russia from geoeconomic perspectives, and providing substantial evidence that cyber policies and capabilities have moved to center stage in international security.
In the report, Japan is classified in the tier 3 group — countries with strengths or potential strengths in some of the categories but significant weaknesses in others — along with India, Indonesia, Iran, Malaysia, North Korea and Vietnam.
The changing foundation of digital technology has quickly evolved into a big data and cloud system that collects data on locations where information is generated, information required by individuals and information sent out by individuals, analyzes this data and utilizes it for all kinds of purposes.
Moreover, thanks to the incredible amount of computational calculations conducted by the cloud system, artificial intelligence technology can be applied to all sorts of things to transform society.
We can look at the drastic technological changes that took place in the last two decades from a geoeconomic viewpoint.
Data held by individuals became the roots of digital technology, and America’s GAFA companies — Google, Amazon, Facebook and Apple — emerged as the driving force of the global economy by establishing a business model that relies on vast amounts of data as a marketing tool.
The European Union, threatened by the creation of a new U.S.-led global industrial structure, confronted the United States with concerns over protection of private information.
Major economic trends grew in proportion to the amount of private data in existence.
China, which has now become the country with the largest number of internet users, covered itself with firewalls that keep the online flow of private information moving in only one direction. And a domestic industry that is equivalent to GAFA developed quickly amid the country’s highly restricted internet.
Simply speaking, China and India are currently holding the strongest position. Having cutting edge hardware technology and data and software technology — namely the power of AI — will have a great impact on the economy and national security.
Thinking how to explore the future with such issues in mind will be the key to economic security and the mission of the geoeconomic domain.
Cybersecurity and economic security
There are three historical factors that may explain why Japan is evaluated low in cybersecurity rankings.
First, the country has relied too much on the private sector.
The government’s economic policy of shifting the operations of key infrastructure from the public sector to the private sector was effective in terms of boosting the economy.
The telecommunications sector was at the starting point of such a policy focusing on the initiative of the private sector, as the public-corporation-run telegraph and telephone infrastructure had to be shifted to the internet that had been under development after emerging through academic research.
Because the deregulation of the telecommunications market in the 1980s, which allowed the entry of newcomers, didn’t work as the government had planned, the government this time adopted an extremely strong principle of private sector-led development with the aim of developing the market in a way similar to the U.S.
However, the policy of letting the private sector lead the development gradually expanded to leaving everything to private companies.
Deregulation in domestic and international telecommunications resulted in the private sector being left to establish all the strategies for international submarine cable systems.
The development of telecommunications services — which shifted to the internet — was completely separated from the nation’s policies for the semiconductor and electronics industry. Japan’s telecommunication devices industry, which had been the global frontrunner in the era before the privatization of Nippon Telegraph and Telephone Corp., has disappeared.
Now that all industrial sectors, including energy companies and other infrastructure industries, utilize digital information in cyberspace, the negative impact of leaving everything related to cyberspace to the private sector is becoming more serious.
Second, there is the issue of Japan’s information systems being developed separately at different administrative levels, such as ministries, the central government, regional governments and municipalities.
The moves to adopt office automation in business systems that started in the 1980s appear to have slowed down along with the hesitancy to shift to the internet.
More than 1,700 administrative organs independently built their own information systems, and the processing and management of people’s private information was done within the constraints of those systems, resulting in a delay in digital transformation, administrative services being vertically segmented and a slow launch of services to cope with the COVID-19 pandemic.
The legal and cultural reasons behind such a situation include the principle of autonomy for local governments, as well as legal restrictions and the public’s psychological resistance to the central government accessing private information.
The government is yet to establish a system that completely fuses divisions in charge of domestic and international security to realize “Society 5.0,” in which problems are solved by a system that highly integrates cyberspace and physical space.
Third, there is no doctrine regarding security in cyberspace.
I have been proposing that the government adopt a theory of space as an indispensable and fundamental concept to address cybersecurity.
Cybersecurity means assuring safety in cyberspace, the sole global space on earth.
If any country is involved in an attack in cyberspace, it becomes a cyber defense issue which needs to be solved in international space.
As cybercrime can threaten the safety of the domestic space, there should be rules and ways to solve it in the domestic space.
For instance, the issue of attribution — identifying the source of cyberattacks and cybercrime — should be solved with a complete grasp of the situation in the global cyberspace.
In order to do so, all entities responsible for dealing with cyber defense and cybercrime must fully coordinate under an established doctrine that integrates all issues related to cybersecurity.
Japan unveiled a new digital policy in 2021. It is a policy to create a new Japanese society based on digital technology, with all individuals in the public and private sectors, as well as stakeholders in the central and local governments, working together instead of leaving everything to the private sector.
Japan is recognized in the global community as one of the world’s safest countries — one that has maintained peace since World War II.
We should have confidence in building a high-quality cybersecurity system, a nation different from the one ranked so low in the cybersecurity index.
The cybersecurity strategy headquarters, set up under the Cabinet in 2015, adopted a new cybersecurity strategy in September to strengthen cyber defense capabilities. The Digital Agency was launched in September, and the National Police Agency plans to create a cyber department in fiscal 2022.
Japan’s new mission is to establish a control center that can make all of these bodies work in a coordinated manner so that the country can bear the international responsibility to achieve free and reliable international data distribution in the new data-driven cyberspace.
Disclaimer: The views expressed in this API Geoeconomic Briefing do not necessarily reflect those of the API, the API Institute of Geoeconomic Studies or any other organizations to which the author belongs.