Japan’s government recently launched an outline of its next cybersecurity strategy (in Japanese). The document is meant to both signal Japan’s cybersecurity priorities and solicit feedback from industry and civil society prior to the strategy’s release this summer. The government has updated its strategy every few years since the first one was released in 2013. The new strategy aims to improve the cybersecurity of Japanese critical infrastructure and encourage Japanese business to pursue cybersecurity best practices, both of which will help Japan’s economic growth and innovation.
A focus on improving cybersecurity in the private sector is central to the new strategy. Japanese industry lags behind its U.S. and European counterparts. According to government statistics, only 55 percent of Japanese companies conduct cybersecurity risk assessments, compared to roughly 80 percent in the United States and 65 percent in Europe. Similarly, only 27 percent of Japanese companies have a chief information security officer (CISO), a critical position that generally oversees a company’s cybersecurity efforts. By comparison, 78 percent of U.S. companies and 67 percent of European companies have CISOs. Japanese companies are ill prepared to confront cyber threats if just under half assess their risk and less than a quarter employ an advocate whose job it is to defend a company’s assets and identify security priorities.
Unlike in the United States, integrating cybersecurity into corporate governance is a relatively new concept in Japan. A 2017 report from Japan’s National Center of Incident Readiness and Strategy for Cybersecurity indicates that Japanese companies view cybersecurity as a corporate social responsibility practice rather than as an asset that can improve their competitiveness. For example, only 21 percent of companies include cybersecurity in their corporate governance report, whereas 63 percent feature it in their corporate social responsibility report.
Cybersecurity’s absence in corporate governance reports stems from the fact that there is a significant divide between Japanese executives and cybersecurity professionals. In general, Japanese business leaders lack the technical savvy and experience necessary to make good cybersecurity decisions. Meanwhile, cybersecurity professionals are busy with day-to-day tactical challenges. As of 2017, 63 percent of Japanese business leaders viewed cybersecurity as a cost whereas only 18 percent saw it as an investment opportunity. Moreover, cybersecurity budgets are often fragmented between the information security, risk management, and operations departments in a company.
Japanese business has had to become savvier about cybersecurity, but that is more the result of reacting to incidents than of being proactive. According to a 2017 survey (in Japanese), 46 percent of Japanese companies took measures to improve their cybersecurity primarily because they had experienced an incident. The WannaCry ransomware attack in May 2017 is a case in point. It infected 2,000 computers at 600 organizations in Japan and disrupted their business operations. The incident was a wake-up call, and it prompted some Japanese companies to review their organizational structure to allow for quick and critical decision-making in emergencies. The few organizations in Japan that have a CISO, for example, created new structures so that the CISO reports directly to the chief executive officer rather than the chief information officer.
To address these challenges, Japan’s new cybersecurity strategy will encourage industry to invest more in cybersecurity for business operations, risk management, and innovation. The strategy proposes that companies seek to establish a company-wide cybersecurity budget that covers all of their operations. To encourage better cybersecurity practices, Tokyo will also reduce companies’ corporate tax if they can prove that their IT investments, including efforts to automate and introduce new internet of things tools, will improve their productivity and include cybersecurity measures.
The new strategy will also contain best practices that will help companies better communicate with their C-suite to incorporate cybersecurity throughout their operations, as well as tools companies can use to identify their cybersecurity risks. Although the outline does not specify what kind of best practices and tools the new strategy will offer, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework is likely to be featured. The Cybersecurity Guidelines for Business Leadership already use the NIST Framework as a baseline. Similar to the Framework, the guidelines urge Japanese business leaders to prioritize assets in order to protect them from cyberattacks and to conduct cyber risk assessments to identify whether companies should reduce or transfer those risks.
Unlike the Japan of the 1980s, which was the archetype of government-led industrial policy, Japanese cybersecurity policy relies more on prodding industry and offering tax incentives than on government direction or regulation. This can be largely explained by the lack of consensus in the country that cybersecurity is an integral part of its economic prosperity. Government officials and industry should meet more frequently to learn which Japanese companies take cybersecurity seriously and how their successes could be replicated elsewhere. Venues built for this purpose in the United States that allow for a frank exchange of views, such as the National Council of Information Sharing and Analysis Centers, do not exist in Japan.
The coming 2018 Cybersecurity Strategy encourages business leaders to raise awareness and invest more in cybersecurity, but Japan needs more than just tax incentives. More frequent and frank interactions between government and industry would go a long way to improve the country’s efforts to create cybersecurity teams, consolidate budgets, and up its game to compete with the rest of the world.