TOKYO — While security analysts hailed the upcoming establishment of Japan’s first combined Cyber Defense Unit (CDU), they say the newly minted corps’ funding and expertise are inadequate to meet the country’s broader cybersecurity needs.
In April, Japan’s Ministry of Defense announced it would set up the CDU by March 2014 as it reorganized the ministry’s hitherto disparate cybersecurity teams that had controlled the land, air and marine forces under a communications command force. The new combined command unit, with a budget of ¥14.1 billion (US $141.9 million) compared with last year’s ¥9.1 billion for its cyber teams, will provide integrated 24-hour cybersecurity monitoring, inspection and analysis, defense, cleansing and training functions for the entire military, or Self Defense Forces (SDF), according to MoD documents.
The move comes after several years of Finance Ministry reluctance to boost investment in the MoD’s cyber defense capabilities, according to Motohiro Tsuchiya, a professor at Keio University and a member of the National Information Security Center (NISC), Japan’s top government advisory panel on cybersecurity issues.
Tsuchiya said the CDU’s establishment marks an important first step by NISC to establish a stronger basis for cybersecurity for Japan. The August 2011 hacking of Japan’s largest military contractor, Mitsubishi Heavy Industries, sounded a wake-up call that focused the political establishment’s attention on the fact that Japan is not isolated from the menace of advanced cyber espionage, he said.
In its most recent policy proposals published in June, NISC has recommended that Japan begin widespread monitoring of Internet-based communications and set up a Cyber Security Center, an equivalent to the US National Security Agency. The center would counter so-called advanced persistent threats, which are sophisticated, long-term, strategically motivated cyber espionage and sabotage programs thought to be directly or indirectly state-sponsored.
While Tsuchiya characterized the setting up of the CDU as an important first step, the unit is tasked only with protecting the SDF. The next step, he said, is to introduce legislation broadening its field of action.
“For [the unit] to be effective, we need it to be allowed to defend our public infrastructure. We must fundamentally change its role,” Tsuchiya said.
Hiroshi Itoh, managing director of the Cyber Security Laboratory at LAC, an IT security company based here, said he agreed the CDU is an important first step, but argued that several critical weaknesses must be remedied to effectively protect the SDF. These include insufficient staffing, inadequate skills and the doctrinal immaturity of network operations, he said.
Itoh said the CDU will have only 100 dedicated cybersecurity officers, a smaller number compared with South Korea, which is ramping up its cyber protection force from 500 to 1,000 troops. And because the CDU’s staff is recruited internally, the civil servants seconded to the unit will probably lack sufficient specialized skills to play cat-and-mouse with the hackers they will encounter.
“The CDU has too few cybersecurity officers, they are insufficiently trained, and [it] is more like a civil servant police force; they don’t have a strong cyber warrior mentality,” he said.
Itoh is an intelligence specialist and retired colonel who served for 27 years in the Ground Self-Defense Forces and set up its initial cyber defense unit seven years ago. To be effective, he said, the CDU needs 2,000 to 3,000 dedicated cyber warriors, with at least a portion of them “white hat” hackers recruited from the private sector.
But this would require new civil service and confidentiality laws, in addition to a fundamental change of culture within the MoD to accommodate them, Itoh said. And even if the law were changed to allow these hackers to be employed as civil servants, there is no precedent for paying them at the necessary market rate for their skills, he said, which is probably several times that of government pay scales for civil servants.
“It is not only the case of lacking a legal basis for employing white hat hackers, but also the ability to pay them,” he said.
And MoD doctrine governing the CDU’s network operations is still only partially formed. The MoD’s latest policy document, “Toward [the] Stable and Effective Use of Cyberspace,” issued in September, made relatively huge strides in recognizing cyberspace as a domain along with land, sea, air and space, Itoh said. But it effectively limits the CDU’s operational parameters to a defensive role designed only to “counter” and “suppress” cyberattacks, “deny” an opponent the use of cyberspace during an attack and enable the SDF to “quickly recover” from such attacks.
Itoh said the policy is unclear on what actions the CDU can take to pre-empt an attack or the operational role it could play, for example, during a pre-emptive conventional (or kinetic) attack.
Ryusuke Masuoka, a cybersecurity expert and senior fellow at the Center for International Public Policy Studies, agreed the CDU is grossly understaffed and underfunded, especially compared with other countries.
“Having said that, I believe it is a quite important step,” he said. “It would have been extremely difficult to add a new SDF unit a few years ago; now, it is very likely this will happen.
“To make this new unit practical and effective, the first step would be to state clearly that SDF can protect civilian critical infrastructures in case of an emergency,” Masuoka said.
Legal barriers that restrict the MoD’s cyber defense role in protecting SDF’s facilities and information technology infrastructure, which includes all of the MoD’s bases, buildings and weapon systems, could be cleared “fairly easily,” he said.
Article 94 of the SDF Law, which covers disaster recovery by the SDF and mentions specific cases, such as nuclear disasters and transporting Japanese people in foreign countries, could be extended to cover cyber incidents.
One route, Masuoka said, could be to add a cyberattack sub-article to the law.
A tougher issue is counterattacks and pre-emptive operations, he said.
“Without at least pre-emptive network operations, the effectiveness of the new MoD Cyber Defense Unit would be significantly limited,” Masuoka said. “But I predict that this would remain a controversial issue for [a] ‘Self-Defense’ Force.”