I am in Japan and Korea this week, doing some interviews on cybersecurity issues. You can get a pretty good overview of current Japanese policy in this document from the National Information Security Center (NISC), which is supposed to act as a central coordinator for any response to a cyberattack--think Howard Schmidt, the cyber czar.
I only have one day of interviews under my belt, so any big conclusions are still to come. But here are some initial impressions/interesting points:
Coordination is not easy anywhere: the cabinet secretariat heads the NISC and there are real questions about how effective it can be. One researcher thought it would hold much less sway than Schmidt because he was at least seen to have the ear of the White House. The government sets security standards, but it is, like in the United States, up to individual companies to meet those standards. And as the same researcher put it, "it is my impression that Japanese industry is not that interested."
Cyber still a relatively low priority: while there have been some significant hacking events--attacks on government websites and the theft of data--the public (and politicians), so far, have not been clamoring for better security. The mention of cyber operations in the 2010 Quadrennial Defense Review did however have a big impact on the Ministry of Defense, which is thinking about many of the legal and political issues involved in defending military and civilian networks. At least two people said that cyber would only become a major public issue after a prominent Japanese firm suffered a "Google-like" attack.
Another angle to the Google story: it’s bad for Google’s business in Japan too. Before Google announced that it had been attacked, most Japanese firms were reluctant to work with Baidu. The Chinese search engine was not well-known to Japanese companies, and those that did know it were suspicious about it. Once the story broke, Japanese firms began to realize how big it was. It became clear that if they wanted to do anything in the Chinese market, they could not do it offshore through Google. They would have to be in China. And as one academic put it, "In the United States, companies took the attack as a sign that they needed to think about modifying their China strategies. In Japan, companies took it as a sign that there was no alternative to working with the Chinese state."
One more day in Tokyo, then I am off to Seoul and will post more from Korea.