From: Council on Foreign Relations

Mihoko Matsubara is a cybersecurity analyst and a nonresident Sasakawa Peace Foundation fellow at Pacific Forum CSIS, Honolulu, Hawaii. The views expressed here are her own.

The Liberal Democratic Party (LDP) won a majority in the lower house election on December 16. This victory will make it easier for the next administration to reinforce cybersecurity as part of national security and improve technologies to deal with cyber attacks. Yet this will not be sufficient, and the new government must also enhance nontechnical aspects of cybersecurity policy, including international cooperation.

The LDP began preparing cybersecurity policy proposals from the viewpoint of national security since at least 2011, when the country suffered massive cyber espionage exploits against major defense contractors including Mitsubishi Heavy Industries, Ltd., and attacks against the Diet and other governmental organizations. In October 2011, three days after the media reported the attacks on the lower house, the Special Committee on IT Strategy under the LDP’s Policy Research Council presented sixteen action items for improving information security.

Now that the LDP is back in office, it may be able to make more progress on cybersecurity than the Democratic Party of Japan (DPJ) administration for two reasons. First, the DPJ undertook a budget-cutting process that discouraged the government from holding cybersecurity-related policymaking meetings. When they entered office in 2009, the administration rigorously screened governmental projects initiated by the LDP and abolished eighteen ministerial meetings during the first four months. The Information Security Policy Council, which was established by a prime ministerial order, did not hold any meetings for the first eight months of the new administration because it feared possible disbanding.

Second, the LDP is skilled in its use of both bureaucrats and private industry experts in policy-making, unlike the DPJ, which was heavily dependent on Diet members. As early as December 2011, the LDP’s Special Committee on IT Strategy solicited advice from major information technology and communications companies on cybersecurity policy.

In February 2012, the LPD submitted its “Proposal on Information Security,” which aims to overcome information technology vulnerabilities and push Japan to become a leader in information security by 2020. This policy proposal consists of three pillars: 1) designate cybersecurity as critical part of national security; 2) allocate budgets for cybersecurity research and develop Japanese technologies; and 3) invest to create an information security industry and one hundred thousand jobs. Given the increasing threat of cyber attacks, the LDP now says these goals should be accomplished in five years.

Despite the increased focus, it will not be easy going for the new administration. The ailing economy will reduce budgets and hinder private industry’s effort to develop domestic information security technologies. Furthermore, the rapid decrease in Japan’s working-age population will make it even more difficult to find and train technical expertise, which is in short supply globally.

As the new administration moves forward, it will need to energize the nontechnical aspects of cybersecurity strategy, including international cooperation. The LDP proposal focuses heavily on domestic policy and technological solutions. But it is important to remember that cybersecurity should entail a holistic approach based on a deep understanding of geopolitics, law, and technology. It is indispensable to appreciate the human aspects of cyber threats—what drives the adversary to stage cyberattacks and what and how attackers communicate each other. This type of comprehensive analysis is essential for future policy and decision-making.

The LDP has said that it wishes to revise the war contingency bills to include cyberattacks and enact a law to protect classified information, both of which could make cooperation with major partners such as the United States, the United Kingdom, and India easier. This September, Washington claimed that certain cyber operations would constitute “a use of force.” If Tokyo lifts the ban to execute the right of collective self-defense, it will have to decide what level of cyber attack constitutes a use of force that could trigger the right to self-defense and coordination with Washington.

New legislation to protect classified information is needed to assuage U.S. concerns about Japan’s weak information assurance system and will provide an opportunity for Japan to use information sharing to deepen cooperation with the United Kingdom and India. Sharing threat information on critical infrastructure could be a particulary fruitful area for Tokyo and Delhi to explore, since Japan is investing ¥1.2 trillion ($15 billion) in nineteen Indian infrastructure projects.

The LDP has been paving the way for better cybersecurity and defense technologies. Now, it is time for the party to walk the walk with both technical and nontechnical analysis and policymaking.