Japan patches cybersecurity gaps with new laws, overseas tie-ups
Active cyberdefence law, training of security experts and cooperation with Lithuania among efforts under new strategy to shore up capabilities

Japan is scrambling to shore up its cybersecurity capabilities through new legislation, international partnerships and training schemes – moves observers say are long overdue as threats from hostile states and criminal groups escalate.
In the latest push, Defence Minister Gen Nakatani met his Lithuanian counterpart Dovile Sakaliene in Tokyo on Wednesday and agreed to deepen cooperation in cybersecurity.
A Japanese defence ministry expert will be dispatched to Lithuania in June to learn from the Baltic nation’s cybersecurity specialists, who are widely regarded as among the best in the world for their experience countering persistent Russian digital threats.
The agreement comes after Tokyo announced earlier this month that it intended to increase the number of specialist cybersecurity technicians from 24,000 at present to at least 50,000 by 2030. The government unveiled the plan after an industry ministry panel indicated that the nation requires a force of about 110,000 skilled cybersecurity experts.
Demand is expected to continue to grow as new regulations mean that from 2026, the government will inspect private companies’ cybersecurity measures and potentially withhold state subsidies from firms that do not meet the required standards.

On May 16, the Diet passed legislation that introduces the concept of active cyberdefence, permitting the government to gather communications data to defend against digital attacks. The new law allows authorities to monitor the internet, collect and analyse communication information, and target servers that are launching cyberattacks. The law applies even if the nation is not at war.
Opponents of the legislation said it would enable the government to use data in criminal investigations and was a breach of privacy. The government dismissed the accusation, adding that a new panel would be created to provide oversight.
Ryo Hinata-Yamaguchi, associate professor in Tokyo International University’s Institute for International Strategy, said the challenges posed by increasingly sophisticated cyberattacks from both state actors and criminal groups had “been overlooked for too long”.
“These measures have already been taken in other countries, even in quite liberal places like Europe, but the Japanese government has always said it would be hard to do for privacy and other reasons,” he told This Week in Asia.
“But that has meant that Japan’s cyber infrastructure has a lot of vulnerabilities. We just did not pay enough attention to this before, there have not been enough laws and now there are not enough people with the necessary skills and experience,” he said. “And that goes for the private sector as well as government agencies.”
The consequences were already serious, he said.

In 2011, Mitsubishi Heavy Industries (MHI), the country’s largest weapons manufacturer, said its servers had been hacked by ransomware after more than 80 servers and computers were confirmed to have been infected with viruses.
MHI’s Nagoya plant, where the company designs and builds guidance and propulsion systems for missiles, was apparently a particular target. The firm’s Nagasaki shipyard and a facility in Kobe where it builds submarines and components for nuclear power plants were also compromised.
The defence ministry insisted at the time that the hackers had not been able to access any important information, but did not identify the source of the attack. Reports have suggested that Chinese language was identified during an investigation of the malware script.
In 2013, data on 22 million Yahoo Japan users was leaked through unauthorised access, while a year later, Japan Airlines suffered the loss of data on 190,000 of its frequent flyer programme members.
In 2018, hackers had access to the internal system of Japanese cryptocurrency platform Coincheck for more than eight hours, enabling them to steal an estimated 58 billion yen (US$443.2 million). Law enforcement agencies in Japan and the US later concluded that the hack – the largest single cryptocurrency heist until that point – was carried out by North Korean operatives.

Tokyo’s decision is also likely to have been encouraged by a number of high-profile incidents linked to North Korea and China, such as hackers accessing SK Telecom’s internal systems in June 2022 – although the hack was not identified until this April. The attack has been blamed on Chinese hackers who were able to obtain 9 gigabytes of sensitive personal data from about 25 million subscribers.
“These attacks can affect any sector but the [Japanese] government’s primary concern is defence, the police, public infrastructure and so on,” Hinata-Yamaguchi said.
“This is not something that can be blamed entirely on North Korea and China, as there are criminal groups and domestic hackers in Japan as well. But that just goes to show that the threats can come from anywhere, and Japan does not at present have the manpower to fight this. It should have been done before, but now it is overdue and absolutely necessary.”