Remaining Challenges for Operationalizing Japan’s Information Security Legislation

Foresight (March 22, 2024)

Remaining Challenges for Operationalizing Japan’s Information Security Legislation

Hirohito Ogi Senior Research Fellow

Japanese government submitted a bill on establishing the new security clearance legislation for protecting sensitive information related to economic security in February 2024. This was in response to the “Final Report” of the discussions at the expert panel meetings on this legislation, which had been submitted prior to the finalization of this bill. In February 2023, when the expert panel commenced consideration, I published a commentary on the website of the Institute of Geoeconomics, in an attempt to correct misconceptions about the related discussions and describe the issues. However, arguments based on misconceptions have persisted due to the highly technical nature of the system itself. In addition, even the direction of the legislation presented in the Final Report does not address some issues as to whether it can truly address the requirements that were originally discussed.

In this article, I summarize the focal points related to security clearance legislation, identify the remaining issues that the Final Report does not deal with, and expand the scope of future discussions.


The New Security Clearance Legislation Has Nothing to Do with the Defense Industry

A misconception that frequently arises in discussions about security clearance legislation is that the first enactment of such legislation in Japan, where such a system has never existed before, would promote defense industrial cooperation with allies and partners. This is a common and lingering misconception, especially in discussions and reports in think tanks and the media. Security clearance is a system of screening the eligibility of persons and facilities that handle what the government designates as classified information in order to ensure that it is properly secured. Discussions have been conducted based on the awareness that security clearance is required in some cases for Japanese companies to participate in international joint research projects and projects by foreign government procurement involving classified information, and that smooth international expansion of companies would be hampered without it.

However, as explicitly stated in the Final Report, Japan has had a security clearance system under the Act on the Protection of Specially Designated Secrets. Under this system, sensitive defense, diplomatic, terrorism, and counterintelligence information is designated as specially designated secrets (SDS). The act permits only those who meet the qualification requirements, including private-sector eligible contractors, to handle SDS after they undergo investigations and other procedures by the government. Regarding defense equipment, the company’s employees must also obtain security clearances when they handle the Defense Ministry’s confidetials based on the Self-Defense Forces Law – not only Self-Defense Forces personnel, which is subject to punishments under the Self-Defense Forces Law, but also employees (civilians) of businesses in contractual relationships (equipment secrets) are subject to punishments under the Act on Enhancing Defense Production and Technology Bases enacted in 2023 – and special defense secrets based on the Act on Protection of Secrets Incidental to the “Mutual Defense Assistance Agreement Between Japan and the United States of America” (in the case of US-made defense equipment).

On the other hand, the legislation this time is intended to cover “information related to the economic bases of our country which requires special protection for ensuring national security.” In other words, the purpose is to expand to the field of economic security the scope of the conventional security clearance system, which has been limited to information on defense, diplomacy, and other fields covered by the Act on the Protection of Specially Designated Secrets and other Acts mentioned above. Therefore, the statement that a security clearance system has never existed in Japan before is simply incorrect. In addition, the new law would not directly change anything from the perspective of employees of the contractors engaged in international joint development and other cooperation related to defense equipment.


Design of the New Legislation

Then, what exactly are the areas of classified information covered by the security clearance under the new legislation? The Final Report includes the following information as examples of “information to be protected: “cyber-related information (information related to cyber threats and countermeasures)”; “regulatory information (screening information related to examination and analysis)”; “survey, analysis, research and development-related information (information on industry/technology strategy, supply chain vulnerability, etc.)”; and “information related to international cooperation (information on international joint research and development).

To designate and control information in these economic fields as classified information in a hierarchical manner according to the degree of impact of information leaks, the Final Report advocates that the new legislation be handled seamlessly with the Act on the Protection of Specially Designated Secrets. This is based on the fact that the United States and other countries categorize classified information into multiple layers (top secrets, secrets, and confidential) depending on the importance of the information. In response to this suggestion, the bill submitted to the National Diet is designed to establish a system to protect confidential level information while “necessary measures would be taken, including consideration of a review of the implementation guidelines of the Act on the Protection of Specially Designated Secrets” (Prime Minister Fumio Kishida’s remark at the Council for the Promotion of Economic Security on January 30, 2024) to cover the secret and top secret level information related to economic security. The latter point may have been inspired by the fact that one member of the expert panel pointed out a problem that there is no track record of secret designation by the economic policy authorities even though there is room for information related to economic issues to be designated as a specially designated secret in the Act.

Indeed, the guidelines of the Act on the Protection of Specially Designated Secrets list in detail the defense, diplomatic, terrorism, and other items in the appendix of the Act as items that can be designated as specially designated secrets. In the list, it refers to economic-related information such as the import/export of goods and the transfer of assets. Thus, it could be an option to revise the implementation guidelines to make it easier to designate economic security-related information. Nevertheless, there is a limitation in revising this because there is no item in the main body of the act’s appendix that directly refers to information on advanced civilian technology. Therefore, the government may continue to discuss the extent to which the new law should cover.

In any case, it is appropriate to seamlessly implement the security clearance-related laws by carefully reconciling the coverage of the two laws to avoid conflicts between them, rather than adding on the Act on the Protection of Specially Designated Secret – which already has an established clearance system – the new one without clear demarcation.


The Most Important Issue is How to Handle Privately Generated Information

However, three major issues still remain. All of them are related to the fact that it is not clear whether the needs for the security clearance system can really be met as originally proposed.

The needs originally expressed were to facilitate the overseas businesses of Japanese companies by establishing an eligibility system for handling sensitive information in international joint research and other projects beyond defense equipment contracts.

The first issue is the nature of the information to be designated as classified. Based on the policy of the secretariat of the expert panel (the government) as indicated in the discussions at the expert panel meetings, the Final Report decided that “information in the government’s possession” would be subject to classification designation under the new legislation. Although the legislation would not preclude the government from adding analysis and other value to the information provided by the private sector and designating it as classified, the private sector information owned by private entities would not be subject to classification designation. In other words, the effect of the designation of information provided by the private sector to the government does not extend to and bind the original generator of the information in the private sector. This implementation criterion is in a sense consistent with that of the Act on the Protection of Specially Designated Secrets.

Yet, what would it appear when taking into account the realities of manufacturing, research, and development? The Act on the Protection of Specially Designated Secrets stipulates the methods of manufacturing, inspection, and repair of defense equipment as matters that can be designated as secrets. In this regard, the original holder of specially designated secrets would be the government when it has eligible contractors (defense companies) manufacturing defense equipment by providing those secrets in its possession based on a contract. However, because the government lacks both the function of manufacturing the product by itself and the necessary information for manufacturing and inspection, it would need to have the company develop and manufacture the product through contracted research or contracted manufacturing of prototypes at the development stage. In the process, sensitive information about the government’s needs would be added to the privately generated manufacturing technology. The actual implementation would be for the government to designate the whole information combining government requirements with technical data as specially designated secrets, and then provide it to the company under a contract for manufacturing. In addition, the designation itself is adequately implementable enough since the technical data obtained in the process of research and development would in principle belong to the government in the case of a prototype contract for research and development of defense equipment.

Therefore, the structure of the Act on the Protection of Specially Designated Secrets is not in itself problematic. However, there are cases in which this way of designation would be difficult to carry out when this law is applied to technologies of economic security importance that are not related to the manufacture of defense equipment. When the government provides secret information to the private sector, it may contract with the private sector and have them manufacture some products or perform some services (e.g., research or analysis) based on a contract. However, there would not be many cases where government procurement other than defense procurement would include advanced critical technologies. If so, there would be little opportunity left to protect privately generated critical technology information in such cases.

Exceptions to this may be the areas of cyber security. Those areas were mentioned as examples in the expert panel discussions and can be considered as cases of designation under the new legislation since there are government procurement projects other than defense equipment including developing government data communication systems. On the other hand, in other areas such as AI, unmanned, and quantum, which are targeted by the Key and Advanced Technology R&D through Cross-Community Collaboration Program (K Program) under the Economic Security Promotion Act, it is unlikely that the government will directly procure products or technologies while the government grants private institutions funding for advanced research and development. Plus, in the case of the government providing value-added sensitive information to the private sector originally acquired from a private sector source as exemplified in the discussions at the expert panel meetings, it is not clear what services the government intends to entrust to the private sector by providing such information.

In this regard, the United States has established an exceptional procedure to designate such information as classified, assuming that contractors and researchers who receive government funds may generate classified information on their own. Executive Order 13526 stipulates that, when a recipient of government funds believes that it has generated information requiring classification designation, it should notify the government agency with jurisdiction over the information. Upon receiving such a notification, the government would decide whether to designate the information as classified or not. Although the actual implementation of this provision by each government agency is yet to be examined, it can be said that the existence of this provision actually guarantees the designation of “scientific, technological, or economic matters related to national security,” which Executive Order 13526 includes in the scope of classification designation.

Given this, it is highly likely that there will be extremely few actual cases of classification designation if Japan’s new legislation does not include similar provisions and strictly follows the procedure of implementing the Act on the Protection of Specially Designated Secrets. This is because the scope of designation is limited only to government-possessed information while the bill broadly defines the fields of information that can be designated as classified. This makes it unclear what exactly is the government action (contracts on procurement, research, analysis, etc.) that would trigger such designation.

Considering that the original need was to create an eligibility system for handling classified information that could be internationally accepted in the field of economic security, very few putative cases of classification designation will be a major issue. This is because, of course, there is no clearance given to information that is not designated as classified. The number of private persons holding security clearances will not increase if the scope of information subject to designation remains narrow.

As of October 2023, one of the experts had put such exceptional provisions on the discussion table at the expert panel meeting. Earlier, however, at the corporate hearing stage (March 2023), one company invited to the panel’s hearing claimed that privately held sensitive technical information was CUI (controlled unclassified information, i.e., sensitive but unclassified information), expressing a cautious attitude toward the classification designation of such information. This seems to have unintentionally set the direction of the subsequent debates. In the subsequent discussion, it was decided that only government-possessed information, even if of private origin, is subject to classification designation and that CUI – which was referred to as private sensitive information at this time – might need to be controlled outside the framework of the security clearance system.

Such an overall concept of controlling sensitive information beyond the classification designation system itself should be credited. However, given that the original corporate need was to establish an eligibility system for handling sensitive information not related to defense procurement, such a measure would not adequately meet that need. This is because security clearances are granted for handling classified information, and cannot be replaced by eligibilities for handling information that are not classified. Naturally, such “eligibility”, even if it is created, would not be applicable as an eligibility for handling classified information in the United States or other foreign countries either. It is also questionable whether it would contribute to facilitating the overseas businesses of Japanese companies.

The burden/costs of strictly controlling information designated as classified and acquiring the eligibility to handle it and the international business opportunities gained from it are two sides of the same coin. It is impossible to choose only the benefits side. In legislating a new system, the government should consider its effectiveness by referring to the US exception provisions mentioned above to be reminded of the original needs while cautiously paying attention to the perspective of free and open development of science and technology.

Merely creating a system does not automatically result in the establishment of criteria for designating advanced civilian technologies as classified. However, the above-mentioned exception provisions in the United States do not provide a framework for the government to unilaterally designate civilian technology as classified. At the expert panel meetings, the companies that were invited also stated that they do not completely deny the possibility of sensitive corporate information being subject to classification designation and that the government should proceed with caution while closely consulting with the companies. The only way to do this would be to share views with the companies, research institutes, and other groups that generated advanced technologies.


To Whom Is the Information Whose Rights Are Attributed?

The second issue is the question of how to deal with the attribution of intellectual property if a procedure similar to the exception provisions in Executive Order 13526 is to be introduced. Specifically, it is necessary to consider attributing sensitive technologies (intellectual property rights) among government-funded research results to the government.

Currently, many government-funded R&D projects, with the exception of those in the field of defense, are thought to be conducted by companies or research institutes to which intellectual property rights as research outcomes are attributed. This is based on the Japanese version of the Bayh-Dole Act, which was introduced under the Industrial Technology Enhancement Act to strengthen the industrial competitiveness of the private sector. The terms of contract research agreements of research and development public entities such as the Japan Science and Technology Agency (JST) and the New Energy and Industrial Technology Development Organization (NEDO) provide for such a measure to be possible.

Changing this would go against some of the past practices. However, at least for sensitive research results that could be designated as classified, consideration should be given to making them the intellectual property of the government. Rather, it would be inconsistent to place restrictions only on the use of such IP through a system of classification designation while the rights remain with the private sector. On the other hand, the notion proposed by the secretariat of the expert panel – that only “value-added information” becomes classified, and that the original holders of the information in the private sector are not affected – may not be realistic even if it were conceptually possible. This is because technology is inherently intangible. In addition, there is a further issue regarding R&D-related information. That is, the Act on the Protection of Specially Designated Secrets does not cover information acquired by incorporated administrative agencies. Furthermore, these agencies do not have the authority to designate specially designated secrets. In the process of formulating the Act on the Protection of Specially Designated Secrets, an expert panel report during the Democratic Party of Japan’s administration proposed that information acquired and held not only by national administrative organs but also by incorporated administrative agencies and universities be included in the law. However, the proposal was not incorporated when the Act on the Protection of Specially Designated Secrets was formulated after the change of government.

Nevertheless, it is the national research and development agencies as a type of incorporated administrative agency (e.g., the Japan Aerospace Exploration Agency (JAXA) – the main body for space development – and JST and NEDO – the implementation agencies for the K Program) that lead national research and development. Under the current legislation, there is no means to directly designate information acquired or held by them as specially designated secrets. Given that these agencies are the main contracting parties for government-funded research contracts, it is necessary to review this deficiency in the new legislation and enable it to include the information of these agencies in the scope of designation.


The Obstacle Arising from the Issue of International Equivalency

The third issue, as pointed out in a previous article as well, is that a security clearance system in Japan is not directly applicable overseas even if it is successfully established. For example, in the United States, security clearance holders are basically limited to US citizens only. This point is not necessarily an inherent issue in the new bill. Yet, it needs to be addressed properly in addition to domestic legislation.

The exchange of secret information between Japan and the United States, including private contractors, is conducted under the Japan-US General Security of Military Information Agreement (GSOMIA). GSOMIA provides “protection substantially equivalent” to that afforded by the other country to each side’s classified information. It also requires that the individual who has access to classified military information must have a “personnel security clearance” when the information is provided to a contractor and that classified military information must be transmitted “through Government-to-Government channels.” Therefore, corporations and civilians on both sides can only share classified military information through their respective intergovernmental channels upon fulfillment of conditions such as possession of a clearance.

Therefore, in the case of joint R&D or joint procurement between the Japanese and US defense authorities, Japanese companies can participate in the project through the government channel. On the other hand, to the best of the author’s knowledge, there is currently no way for Japanese companies to directly participate in US government procurement or joint projects with US companies that involve classified information without going through the Japanese government. Here, too, the same problem of non-defense advanced technology fields that the government is not expected to procure as mentioned in the previous section arises. In other words, there is no route for Japanese companies to access projects in the United States and other foreign countries that contain classified information in these advanced technology fields where the Japanese government is not involved.

In this regard, the United States has concluded supplemental industrial security agreements (ISA) with the United Kingdom and other countries. Those agreements may provide more flexible procedures for handling classified information including that of companies. However, it is necessary to consult with the US government in parallel with the consideration of the establishment of a new system since the contents of such agreements are not disclosed to the public. In addition, in any case, amending the Japan-US GSOMIA or concluding supplemental agreements/arrangements will be essential to cover the exchange of sensitive economic security-related technologies that are not directly related to defense since the agreement only covers “classified military information.”

It should be noted that the core of the security clearance system is the eligibility for handling defense-related information. In the United States, the Department of Defense plays a major role in the design and implementation of the system. And it is undeniable that the US defense procurement and defense industry have more or less a closed nature. Therefore, in cases where the US defense industry or the Department of Defense was involved in a project or meeting and refused to provide information allegedly due to its security clearance, it is possible that they did so just because only US companies or those from the Five Eyes (United Kingdom, Canada, Australia, and New Zealand, all of which have close relationships with the US government) are perceived as potential cooperation partners in projects involving sensitive information. If this is the case, it can be said that the problem lies not only in the situation in Japan regarding the security clearance system but also in the policy of the US government.

If so, this is an issue that runs through both the economic security and defense fields. In January 2024, the US Department of Defense released its first “Defense Industrial Strategy” and called for the need for a robust defense supply chain and flexible procurement. Measures to strengthen the supply chain include the enhancement of defense production cooperation with allies and partners. If the Pentagon considers this a truly necessary strategy, then the necessary measures for its implementation must also be taken at the same time. This is even more so if Japan is explicitly identified as a place for friend-shoring. One way to do this is to provide Japanese companies with broader opportunities to participate in projects involving classified information while ensuring strict control. The Japanese government should also make the most of this opportunity to encourage the US government to promote Japan-US industrial cooperation. It should also make similar efforts with partner countries other than the United States.

The creation of the new security clearance system will be an extremely significant effort to improve the credibility of such claims, but at the same time, we should not assume that simply having new legislation will be a silver bullet.

The creation of the new system is timely as the boundary between defense and civilian technologies has become blurred and as the security of sensitive information in the economic and civilian technology fields must be taken into account to ensure national security. The government’s efforts to vigorously promote information security are worthy of recognition.

Nevertheless, exactly because this is the case, the legislation must be operable in practice. From this perspective, it is hard to deny that the current direction of the debate is a bit of a small package probably because the government is paying too much attention to take precautions to mitigate public concern. A bold institutional design that is tightly connected to the original needs is necessary.