It has long been said that cyberspace is the “fifth battlefield” following land, sea, air, and space. Its importance only continues to increase.
In the case of Russia’s aggression against Ukraine, fake news has become a new bullet, flying around the internet and causing a “digital war” on a historically unprecedented scale. The screen of each person’s smartphone has become one of the main battlefields. “Cognitive warfare” that manipulates public opinion by pushing an extensive information war is unfolding. This “cognitive realm” is now called the “sixth battlefield.”
However, Japan’s efforts at shoring up cybersecurity appear to be far behind not only those of major countries in the West, but also similar efforts from China, North Korea, and Russia. For example, the Japan Self-Defense Forces (SDF) just launched a new Cyber Defense Command in March 2022 by combining the existing cyber-related units of the Ground SDF, Air SDF, and Maritime SDF, but the command has only 540 personnel.
As cyberattacks become more serious, what security measures should the government and Japanese companies take?
The Diplomat recently sat down with Major General Tanaka Tatsuhiro, a former commanding general of the Japan Ground Self-Defense Force’s Signal School and the current research principal at the National Security Institute of Fujitsu Systems Integration Laboratories in Tokyo.
Tanaka emphasized the need to establish a “cyber ministry” in order to eliminate the harmful effects of vertically divided ministries and agencies and build a more integrated cyber defense system nationwide.
Japan’s military capabilities are still sharply restricted by its post-war constitution, and debate continues as to how far it will defend itself in cyberspace. However, in the event of an emergency – a contingency in Taiwan, for example, which is becoming more likely – there is a risk that Japan will be targeted by cyberattacks. As Tanaka points out, if the cyber defense system is not strengthened, critical infrastructure such as electricity and telecommunications could easily become dysfunctional. His proposal for establishing a new cyber ministry deserves attention.
The interview was conducted in Japanese and has been translated into English.
Amid the current war in Ukraine, the importance of “cyberspace” and “cognitive warfare” was recognized again. What do you think of the situation?
The most important point is that the information age has arrived and digitization is progressing. First of all, we must be aware of what has changed with digitization.
For one thing, we can physically recognize a face as a face and a hand as a hand, but when we digitize them and place them on a device, they are all represented by ones and zeros. Any color can be processed artificially using the three primary light colors of red-green-blue.
In other words, what we see in the real world is not the same as a virtual or imaginary image created digitally. There is “cognition” in it. How you perceive and what you believe are important.
Second, as the information age evolves with digitization, all activities are relying on the internet space. If the cyber infrastructure is crushed, all activities will stop. We must defend the cyber infrastructure and the electricity that supports it. These two points became clear in the Ukraine War.
The number of cyberattacks targeting companies is increasing here and elsewhere. What is the biggest challenge for Japanese companies in promoting cybersecurity measures?
There is a problem of how to promote changes in the consciousness of businesspeople, including management. In the past, the idea was how to balance the strengthening of cybersecurity with the costs for it. However, if cybersecurity is viewed as a cost for business activities, security may be relaxed in order to keep costs down. If the company’s network infrastructure is damaged, it will not be possible to carry out activities.
One may want to reduce spending for cybersecurity, especially after there has been no accident for some time. But it would be better to come to think that there is additional value created by cybersecurity – having zero accidents will increase corporate value. So spending for cybersecurity is actually not a cost but an investment.
You have been advocating for the establishment of a cyber ministry to protect and strengthen cyber infrastructure nationwide, although Japan already has the Digital Agency. Why is that?
When we think about the advent of the information age and what the internet has brought us, there is a horizontal structuring of society. And all activity rests on that horizontal structure. This is a great change taking place on our planet.
However, administrative organizations and general social activities still inevitably follow old values, rules, and their own sensibilities. They strive to stick to their own positions. But we can have more synergistic effect by strengthening horizontal cooperation and then doing things faster. As it is now, we cannot easily create high added value.
We have to think more seriously about how to make infrastructure stronger. In this sense, we need to have strong cybersecurity infrastructure. And since the information space is full of various kinds of information, including big data, we can use it to look at the information of the entire country. This also includes efforts in dealing with the real and virtual images mentioned at the beginning and the response to information warfare.
This can only be done by a cyber ministry, not the Digital Agency. We have to strengthen the cyber infrastructure by making it an organization that is on par with other ministries. More ideally, given the current social structure, the cyber ministry should be at the top, with other bureaus attached to it.
The National center of Incident readiness and Strategy for Cybersecurity (NISC), located in the Cabinet Secretariat, is not a command center for cyber defense, but a coordination-based organization for responding to situations. Instead, we need an organization that maintains a solid infrastructure for crisis management. When a cyberattack brings down a power grid somewhere, or a service provider goes bust, what we need is not coordination but command and control that can take necessary measures. We should aim to establish a large ministry with large powers and responsibilities.
The SDF has the Cyber Defense Command, but it is aimed at protecting the Ministry of Defense’s and SDF’s systems from cyberattacks. It is not enough to defend the cyber infrastructure of the country as a whole, is that correct?
This issue is now being sorted out. Japan is a country of laws and regulations, so the mission must be defined in the law. We need to have the Diet thoroughly discuss what to do with the mission outside the territory of the Self-Defense Forces, and then assign the mission to the SDF within the law. Laws cannot be expanded at will.
The Japanese government has formulated a cybersecurity strategy and has indicated a policy of deterring malicious cyberattacks by imposing costs in a timely manner. Cyber retaliation is excluded because it would be a big controversy nationwide.
As a countermeasure, such cyber retaliation is supposed to make the opponent aware of the cost of an attack, so that the enemy concludes it is not worth it.
The United States has already clearly demonstrated the exercise of the right of self-defense in cyberspace. For example, the U.S. indicated that if a nuclear power plant were destroyed by a cyberattack, the nation would not hesitate to take physical retaliation. In Japan, the debate has not boiled over. We are eyeing the possibility of imposing economic sanctions. Overall, there is a notion that increasing resilience will serve as a deterrent.
Also, the National Defense Program Guidelines states that the SDF will fundamentally strengthen its cyber defense capability, including the capability to disrupt the opponent’s use of cyberspace for an attack against Japan in time of emergency. Currently, there is a debate as to what kind of specific abilities it will possess.