In the year since a sophisticated cyber attack on Japan's largest military contractor unleashed a flood of revelations about the vulnerability of the country's most sensitive technical data, cybersecurity has vaulted onto the country's national security agenda.
In August 2011, Mitsubishi Heavy Industries discovered viruses on its systems in 11 locations across Japan, including in plants that build many of the nation's missiles, military helicopters, fighter jets, rockets, submarines and nuclear power reactors. Some 45 servers and 38 PCs were infected by at least eight types of viruses when employees unwittingly opened emails containing malware. The company, also Japan's lead contractor for the SM-3 Block IIA missile being built with the U.S. and for 38 of Japan's F-35s, sat on the news. When local media brought the attacks to light the following month, the Ministry of Defense rebuked Mitsubishi for failing to immediately inform the ministry of any security breach.
Yet the Mitsubishi stories were just the start of a stunning wave of revelations about similar attacks on other leading companies and institutions. IHI Corp. and Kawasaki Heavy Industries, both major space and military contractors, soon confirmed they had been targeted. In late October, Chief Cabinet Secretary Osamu Fujimura admitted the foreign ministry and several Japanese embassies had been under attack since June. Just after that, it was revealed that computers and servers used by three members of Japan's Lower House had been hacked.
The bad news has continued into 2012. In April, Nissan reported malware and data breaches in its global network; in June, the group known as Anonymous hacked the finance and transport ministries' Web pages, forcing the finance ministry to reveal that 123 of its desktop computers had been infected with a remote-access Trojan in 2010 and 2011.
The attacks have been getting more sophisticated, said Motohiro Tsuchiya, a professor at Keio University and member of the Information Security Policy Council, Japan's top-level government cybersecurity advisory body.
“The recent tactic has been attacking peripheral institutions with lower security and then getting in behind the lower barriers — for example, by attacking think tanks. When this … started, everyone knew something was wrong,” Tsuchiya said.
Instead of brute-force denial-of-service and similar techniques, attacks against the Japanese government and the defense industry increasingly take the form of sophisticated targeted email messages carrying malware.
“In 2010-11, we saw emails mimicking legitimate email addresses, and the attachment files are no longer just [executable] files but also PDFs,” said Masahiro Uemura, who directs the office of IT security policy at the Ministry of Economy, Trade and Industry, known as METI.
In 2011, such attacks accounted for one-third of all recorded attacks, a record, Uemura said. Worse, he said, attackers appear to be focusing on Japan's infrastructure, especially control systems such as those used in power plants and the manufacturing industry. He said nearly 37 percent of infrastructure-related control systems are connected to the outside, and the vast majority has only perimeter security measures, Uemura said.
The flood of attacks has galvanized government action on cybersecurity policy domestically and internationally.
In October 2011, METI set up the Initiative for Cyber Security Information Sharing Partnership of Japan, which brings the country's strategic sectors together to share information on cyber attacks and policy. Nine of the country's top defense companies are members.
“Our minister personally asked us last fall to set up this initiative to protect our most critical industries. The attack on Mitsubishi was the trigger,” Uemura said.
Tsuchiya said the attacks jolted the Information Security Policy Council, which had rarely met since the Democratic Party of Japan came to power in 2009 with little policy focus on cybersecurity. This summer, the senior advisory board released Information Security 2012, which describes how the government might work with the private sector to protect critical infrastructure. The report suggested setting up large-scale attack drills with operators from nuclear plants, the gas distribution network and telecommunications; urging defense contractors to better ward off attacks and share information with the government; and implement measures to protect smartphones from viruses.
Meanwhile, the prime minister's Cabinet Secretariat is now coordinating government policy much more actively. After the Anonymous attacks, for example, the Cabinet Secretariat set up an emergency support team to make better preparations against cyber attacks on government organizations.
The attacks also jump-started Japanese efforts to reach out to the U.S. and other foreign partners. In February, the Ministry of Foreign Affairs replaced a lower-level body with a Cyber Task Force under the control of Ambassador Tamotsu Shinotsuka. Ministry documents show the new group has five policy units: international rule-making, cyber crime, system security and protection, economic issues and national cybersecurity.
Still, Tsuchiya said, “The foreign affairs ministry hadn't really been focused on cybersecurity, but this changed this year when [Minister of Foreign Affairs Koichiro] Gemba showed up at the June ISPC meeting. It was the first time any foreign minister had attended.”
Now, he said, international cooperation, especially with the U.S., is high on the agenda. Cooperation is now written into the U.S.-Japan security alliance. In April, a joint statement by the U.S.-Japan Security Consultative Committee announced Tokyo's intention to join the Convention of Cybercrime and to strengthen bilateral cooperation, critical infrastructure, system-security control, incident management and operational cooperation.
Most importantly for Uemura, he said his department now meets regularly with counterparts in the U.S. Department of Homeland Security to discuss coordination and address U.S. concerns on defense product issues. The partners are working toward an information-sharing security framework that may be announced in the coming months.
The ministry's main policy is to promote international rule-making and norms setting in line with U.S. and European policies, according to one ministry official. The official cited U.K. Foreign Secretary William Hague's February 2011 “Seven Principles” speech at the Munich Security Conference as one of the key references for Japanese policy and said Japan supports the promotion of the Budapest Convention on Cyber Crime.
Tsuchiya said the foreign ministry is working to promote international rules in line with U.S. and European policy to form international norms of behavior at the International Conference on Cyberspace in Budapest in October.
Significantly, Gemba has laid out a tentative Japanese policy on the right of self-defense against cyber attacks, an interpretation that theoretically paves the way for Japan to take defensive action. While it does not go as far as the U.S. Defense Department's 2011 announcement that the U.S. may treat cyber attacks as “acts of war,” the Japanese government for the first time has recognized cyberspace as a national security domain, just like land, sea, air and outer space.
Meanwhile, the Ministry of Defense is beefing up its capabilities. The ministry, which created its first cybersecurity unit in 2000 and added the C4 Systems Command to protect its Defense Information Infrastructure data network, has about 380 people devoted to cybersecurity, said Koji Yoshino, the principal deputy director of the ministry's Defense Programming and Planning Division.
The ministry's baseline for cybersecurity and information exchange with the U.S. is based on an April 2006 memorandum of understanding that asks both sides to increase their capability against cyber attacks. After a CD-ROM containing classified Aegis radar data went missing in 2007, a new agreement was made leading to a bilateral agreement requiring Japan to tighten its military information security policies.
The focus on information security has been deepened further by the two countries' cooperation on ballistic missile defense, which requires sharing information from Aegis ships, Patriot missile batteries and other sensors.
In the past two years, Yoshino said, the ministry has added a cyber planning coordinator to the Joint Staff Office, worked to drill people on responding to attacks, and begun developing tools to gather and analyze information about the latest attacks. It has also improved cyber analysis at Japan's signals intelligence agency, called Defense Intelligence Headquarters and modeled after the U.S. Defense Intelligence Agency, he said.
This year, the C4SC added tools to improve information collection and dynamic and static analysis, particularly of malware, said Keiichi Sakashita, who directs the Information Assurance Office.
In September, the ministry's cyber defense strategy took two steps forward. First, the ministry requested 21.2 billion yen ($270 million) to set up a new cyber defense force with about 100 people, which will combine the ministry's previous efforts to create its own version of a Japanese Cyber Command, along with 13.3 billion yen to reinforce cyber defense of the ministry's core Defense Information Infrastructure.
Tsuchiya applauded the move.
“The MoD has been trying for two years to set up the unit, but the attempts were refused by the finance ministry,” he said.
Second, the ministry is now writing doctrine on responding to a cyber attack, said Tetsuya Ito, who directs the strategic planning office of the ministry's Defense Policy Division.
In September, a ministry panel released new guidelines for dealing with cyber attacks and affirming Japan's right to respond.
“If a cyber attack takes place as part of a military attack, this can be considered to fulfill the first condition for invoking the right of self-defense,” said a report issued by the panel.