From: Defense News

TOKYO — While security analysts hailed the upcoming establishment of Japan’s first  combined Cyber Defense Unit (CDU), they say the newly minted corps’ funding and expertise is inadequate to meet the country’s broader cybersecurity needs.

In April, Japan’s Ministry of Defense announced it would set up the CDU by March 2014 as it reorganized the ministry’s hitherto disparate cybersecurity teams that had controlled the land, air and marine forces under a communications command force. The new combined command unit, with a budget of ¥14.1 billion (US $141.9 million) compared with last year’s ¥9.1 billion for its cyber teams, will provide integrated 24-hour cybersecurity monitoring, inspection and analysis, defense, cleansing and training functions for the entire military, or Self Defense Forces (SDF), according to MoD documents.

The move comes after several years of Finance Ministry reluctance to boost investment in the MoD’s cyber defense capabilities, according to Motohiro Tsuchiya, a professor at Keio University and a member of the National Information Security Center (NISC), Japan’s top government advisory panel on cybersecurity issues.

Tsuchiya said the CDU’s establishment marks an important first step by NISC to establish a stronger basis for cybersecurity for Japan. The August 2011 hacking of Japan’s largest military contractor, Mitsubishi Heavy Industries, sounded a wake-up call that focused the political establishment’s attention on the fact that Japan is not isolated from the menace of advanced cyber espionage, he said.

In its most recent policy proposals published in June, NISC has recommended that Japan begin widespread monitoring of Internet-based communications and set up a Cyber Security Center, an equivalent to the US National Security Agency. The center would counter so-called advanced persistent threats, which are sophisticated, long-term, strategically motivated cyber espionage and sabotage programs thought to be directly or indirectly state-sponsored.

While Tsuchiya characterized the setting up of the CDU as an important first step, the unit is tasked only with protecting the SDF. The next step, he said, is to introduce legislation broadening its field of action.

“For [the unit] to be effective, we need it to be allowed to defend our public infrastructure. We must fundamentally change its role,” Tsuchiya said.

Hiroshi Itoh, managing director of the Cyber Security Laboratory at LAC, an IT security company based here, said he agreed the CDU is an important first step, but argued that several critical weaknesses must be remedied to effectively protect the SDF. These include insufficient staffing, inadequate skills and the doctrinal immaturity of network operations, he said.

Itoh said the CDU will have only 100 dedicated cybersecurity officers, a smaller number compared with South Korea, which is ramping up its cyber protection force from 500 to 1,000 troops. And because the CDU’s staff is recruited internally, the civil servants seconded to the unit will probably lack sufficient specialized skills to play cat-and-mouse with the hackers they will encounter.

“The CDU has too few cybersecurity officers, they are insufficiently trained, and [it] is more like a civil servant police force; they don’t have a strong cyber warrior mentality,” he said.

Itoh is an intelligence specialist and retired colonel who served for 27 years in the Ground Self-Defense Forces and set up its initial cyber defense unit seven years ago. To be effective, he said, the CDU needs 2,000 to 3,000 dedicated cyber warriors, with at least a portion of them “white hat” hackers recruited from the private sector.

Read Complete Article