August 10, 2023 | The Messenger

Japan’s Cyber Resilience: Key to US Security in the Pacific

Japan, like many developed states, is facing an unprecedented surge in cyberattacks, and Tokyo finds itself inadequately equipped to defend against this growing threat. A historic lack of investment in cybersecurity and Japan’s constitutional constraints against the use of force have limited Tokyo’s ability to respond to the attacks, leaving critical infrastructure vulnerable.

As Japan remains the cornerstone of the U.S. alliance structure and force posture in the Pacific, vulnerabilities in Japan’s critical infrastructure weaken stability in the region and jeopardize U.S. military mobility and readiness. Japanese cyber resilience is essential to U.S. national security, and Washington should strengthen its cybersecurity cooperation with its ally.

Japan’s critical infrastructure, industries, and government agencies have all seen an increase in cyberattacks. Earlier this month, Japan’s largest port was the victim of a ransomware attack carried out by the Russian hacker group known as “LockBit,” delaying shipping operations for two days. Japan also experienced a surge in distributed denial-of-service (DDoS) attacks ahead of the G7 Summit in April, targeting local governments, government websites, and the rail sector.

Most dramatically, it has recently been reported that Japan’s intelligence and defense agencies were subject to extensive hacking and penetration by Chinese perpetrators in 2020. This included Chinese military threat actors breaching Japan’s classified defense networks. This is just one of several cyberattacks the Chinese military has launched against Japan in the last few years.

Japan historically has lagged behind its U.S. and European counterparts when it comes to cybersecurity defenses, and this deficiency starts with a lack of cyber awareness in Japanese corporate governance. According to Mihoko Matsubara of the Pacific Forum, business executives in Japan “lack the technical savvy and experience necessary to make good cybersecurity decisions,” creating a divide between business leaders and cybersecurity professionals.

In Trend Micro’s cyber awareness report published in 2021, Japan scores lower than any other country in terms of “IT security budgeting” and “CEO and executives involvement in IT security.” The report also shows that Japan has a lower risk awareness of ransomware compared to other regions, potentially contributing to the lower investment in cybersecurity technologies.

Another barrier to cyber resilience stems from Japan’s pacifist constitution, which constrains the use of military force and has prevented Japan from developing offensive cyber capabilities. This constraint has hindered research and public debate on developing a sophisticated cyber defense strategy.

However, Japan has worked to overcome these hurdles in recent years. In March 2022, Japan’s Self-Defense Force (SDF) established a cyber-defense unit dedicated to responding to cyberattacks. Last December, Tokyo announced that it would establish a legal framework to develop an active cyber defense. This gives the SDF the authority to launch preemptive cyberattacks on threat actors planning an imminent cyberattack.

In addition, the Ministry of Defense reportedly is planning to increase the personnel responsible for cyber defense from just over 800 today to around 4,000 by 2027. Japan has also assumed a greater role in raising cyber awareness in the region. This includes the establishment of the ASEAN-Japan Cybersecurity Capacity Building Center (AJCCBC), which is dedicated to facilitating the cyber training of security personnel of ASEAN countries.

The United States recognizes that supporting Japan’s cybersecurity efforts is necessary to strengthen the alliance’s resilience against cyber threats and has already taken steps to strengthen U.S.-Japanese collaboration. Last January, Washington and Tokyo signed an updated memorandum of cooperation in cybersecurity, pledging that both nations would establish the same security standards for government-procured software. This measure aims to reduce the risk of system disruptions and leakage of confidential data from cyberattacks while also facilitating coordination and improving incident response.

Both countries also stay committed to their ongoing efforts of cyber-defense cooperation through the U.S.-Japan Cyber-Defense Policy Working Group (CDPWG), an open dialogue first started in 2013 that helps facilitate information-sharing and policy reforms in the realm of cyberspace.

In the effort to push for further improvements in Japan’s cyber resilience, the United States must continue to invest in this bilateral cyber cooperation framework, including improving cyber threat intelligence and information sharing through working groups and agreements that put Japanese access at levels similar to Australia, Canada, New Zealand, the United Kingdom and the United States. This will require increased Japanese efforts to improve both the physical and cyber security of networks and the personnel who operate them. Likewise, Washington should offer Japan increased access to joint cyber training events, conduct exercises similar to those performed with Israel, and provide guidance on force generation and employment of offensive cyber teams. The United States can also cooperate with Japan in areas outside the military and intelligence, sharing guidance on strategy and policy development, incident response planning, cyber forensics, and numerous technical areas.

In addition to supporting Japan’s domestic and national cybersecurity programs, the United States should expand its support for Japan’s regional cyber capacity building efforts to enhance Southeast Asian cyber resilience. In its bilateral committee meeting last January, Washington unveiled its plan to provide cybersecurity training resources for the ASEAN-Japan Cybersecurity Capacity Building Centre. While this is a step in the right direction for the U.S.-Japan alliance, the effort must accelerate to achieve the desired outcomes and goals.

The U.S.-Japan alliance is the backbone of the U.S. strategic approach in the Pacific. The resilience of Japanese critical infrastructure against adversarial cyberattacks is critical both in Japan’s role as a stabilizing power and in U.S. force posture in the region. Small investments in the cyber aspects of this partnership can have big payoffs, but a failure to work together to secure these networks can lead to great vulnerabilities.

Rear Adm. (Ret.) Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), a Washington, D.C.-based, nonpartisan research institute focused on national security and foreign policy. Sae Furukawa and Cole Knie contributed to this article and are both interns at FDD. Follow Adm. Montgomery on Twitter @MarkCMontgomery. Follow FDD on Twitter @FDD.

