A June 24 media report says that Japan’s National Police Agency will create a cybersecurity bureau and a cyber investigation team under the bureau in the next fiscal year to address cyberattacks. The enhancement of cybersecurity bodies is obviously welcome but there remain some concerns.
Defective mechanism to respond to cyberattacks
While the National Police Agency plans to reorganize and expand its cybersecurity bodies as reported, I doubt if Japan has any sufficient mechanism to organically coordinate and supervise various bodies and cybersecurity teams including those of other Japanese government agencies. In general terms, the National Center of Incident Readiness and Strategy for Cybersecurity, known as NISC, is assigned such task. But NISC, as a part of Cabinet Secretariat, is put under great constraints and has no power to give orders to central government agencies or other organizations.
Japan enacted the Basic Act on Cybersecurity, including Article 19 (Action for matters which may critically affect the country's safety) that calls for “providing measures to clarify the division of roles“ among relevant bodies. In the past eight years during which the act itself was revised, I doubt if the division of roles among relevant bodies has been clarified. How are the roles divided in case of an unidentified but apparent foreign government’s or military organization’s cyberattack on key Japanese infrastructure? Would the Self-Defense Forces be responsible for responding to such attack? Under existing law, however, the SDF have no mission to defend citizens’ lives or assets from foreign cyberattacks. The SDF cyber units are assigned to defend computer systems of the Ministry of Defense and SDF.
How about in the U.S.? When I served as an SDF cyberwarfare unit commander, I asked a question to a U.S. cybersecurity unit officer. “What organization would respond to an enemy’s large-scale cyberattack on the United States and how?” The answer was that the Department of Homeland Security would combine government agencies to make a unified response, with the military doing what it should.
Unlike the U.S., Japan has lacked any powerful government organization to make a unified, effective response to a large-scale foreign cyberattack and failed to clarify the division of roles or how relevant government bodies would cooperate.
Increase trainers to develop relevant human resources
There is another concern. Have sufficient human resources been provided to the increasing number of cybersecurity organizations? If the private and public sectors are competing to get excellent human resources, it would be problematic.
Human resources should be cultivated to cultivate human resources for cybersecurity. At present, excellent cybersecurity experts are cultivating cybersecurity human resources. However, I doubt if there is any established methodology for such cultivation. Probably, cultivation may be largely depending on personal methods. A long time has passed since cybersecurity human resources shortages were emphasized. Japan apparently lacks a viewpoint to increase trainers to systematically cultivate cybersecurity human resources.
We may have to rack our brains more and cooperate to resolve these problems.
Hiroshi Ito is a guest researcher of the Japan Institute for National Fundamentals and a former commander (the first commander) of a cyberwarfare unit of the Japan Ground Self-Defense Forces.