Japan’s New Cybersecurity Strategy: Security Without Thwarting Economic Growth

Mihoko Matsubara is a cyber security policy director at Intel K.K.

In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years.

Unlike the previous strategy, this new one was approved by Japan’s cabinet. This additional step highlights the importance of cybersecurity to senior Japanese leaders. It also comes a year after the Japanese parliament passed a law formalizing the role of the National Center of Incident Readiness and Strategy for Cybersecurity (NISC). The Japanese Prime Minister had originally established the NISC ten years ago but the lack of legal authorization meant that it held little sway over other ministries and agencies. Thanks to the new law, NISC is responsible for developing national strategy and policy, ensuring the cybersecurity of ministries and agencies, and serving as a focal point for international cooperation.

There are four important takeaways in the 2015 strategy. First, it highlights the positive and negative aspects of cyberspace—it’s both the source of innovation and threats—unlike the 2013 strategy, which only focused on risks and mitigation measures. By focusing on innovation, the 2015 strategy recognizes that the Japanese government won’t have all of the answers to cybersecurity challenges and that all stakeholders—users, civil society, critical infrastructure companies, and business—should contribute to the safety and security of cyberspace, through measures like two-way and real-time information sharing. It also makes clear that security measures shouldn’t hamper Japan’s ability to innovate given the important role that cyber-enabled technologies will play in driving economic growth.

Second, the Internet of things is described as an enabler to create new business opportunities and improve existing ones. The strategy, however, doesn’t provide any insight into how the Japanese government and industry will approach the security challenges associated with the Internet of things or set milestones as it becomes integrated in business operations. We are at the beginning of the Internet of things era, and government regulation or guidance would be somewhat premature. Now is the time for industry—both in Japan and around the world—to work with the government to begin addressing the security of Internet of things devices in a scalable and globally harmonized manner.

Third, the 2015 strategy reiterates the Japanese government’s concern over the recent series of massive personal information leaks, such as the Japan Pension Service (JPS) incident of May 2015. The NISC plans to revise Japan’s basic cybersecurity law, first passed in 2014, allowing it to monitor and audit special government-affiliated organizations such as the JPS, similar to its existing authorities with respect to government ministries and agencies. The change is expected to improve the cybersecurity practices of state organizations as they would have government auditors looking over their shoulders. This is particularly important as Japan rolls out My Number, a twelve-digit identification number for Japanese residents to access the country’s social security and tax systems, akin to the U.S. Social Security number. To alleviate worries over potential massive leaks of personal information tied to My Number, industry needs to engage customers and the government to explain the security mechanisms that already exist to keep My Number data safe. Japan will struggle to grow and innovate if its population doesn’t trust new technology designed to improve access to government and private sector services.

Finally, the strategy provides an overview of Japan’s international cyber efforts to date, noting its capacity building contributions in the Association of Southeast Asian Nations, South America and Africa and bilateral dialogues, including with the United States and the European Union. The strategy makes clear that Japan is keen to deepen existing dialogues, expand confidence building activities, and participate in the ever-increasing number of cyber-related conferences to convey its interests and cyber security posture to international audiences. Details as to how Japan would actually achieve this, however, are sparse.

Overall, the new strategy strikes the right balance in emphasizing the government’s role in Japan’s cybersecurity without limiting the growth of the technology market—especially Internet of things—that will drive innovation.