TOKYO – Japan plans to add “active cyber defense” to its national security policy mix with new operational emphasis on surveillance, prevention and response, preemptive neutralization and even counterattacks.
The move towards stronger, more institutionalized cybersecurity measures will please those on the Japanese right worried about China, North Korea and Russia’s cyber threats and concern those on the left who foresee a possible coming erosion of online freedoms for the sake of security.
Cybersecurity expert Paul Kallender, a senior researcher at the Keio Research Institute at Keio University’s Shonan-Fujisawa Campus (SFC) outside of Tokyo, recently shared his thoughts on the move in a wide-ranging email interview with Asia Times.
Due to the technical nature of the subject, the interview is presented as a mix of direct quotes and edited excerpts.
More than six years ago, you and Professor Christopher Hughes of the University of Warwick in the UK wrote that:
“Japan has been overlooked as a ‘cyber power’ but is now becoming a serious player in this new strategic domain. Japanese policy-makers have forged a consensus to move cybersecurity to the very core of national security policy, to create more centralized frameworks for cybersecurity, and for Japan’s military institutions to build dynamic cyber defense capabilities.”
That was a prescient observation. Now it’s front-page news. What do you have to say about that?
Narratively, of course, the news comes on top of the just-announced plan that Japan’s Ministry of Defense is going to bring its battalion-strength Cyber Defense Command, established last March and currently with a staff of around 900, to full division scale of 20,000 by 2027, including boosting its numbers to 4,000 next year alone.
In this context, the recent announcement that Japan will be able to conduct “pre-emptive measures” is the latest piece in a jigsaw puzzle to give the Ministry of Defense and Self-Defense Forces (Japan’s army, navy and air force, commonly referred to as the SDF) truly operational capabilities.
This has three aspects: digits on keyboards, the disentanglement of the SDF from legal restrictions so it can take meaningful actions and the use of cyberspace as a force multiplier in modern cross-domain warfare and joint operations in service of the US-Japan alliance.
First, digits on keyboards are increasingly replacing boots on the ground in terms of effectiveness. When the SDF set up its first Cyber Defense Unit with a couple of platoons of staff cobbled together from the three services a decade ago, it compared unfavorably to around 175,000 cyber defense personnel in China, 6,000 to 7,000 in North Korea, and about 1,000 in Russia.
Now, besides the brigade-size of 4,000 Cyber Defense Command members, the training of around 16,000 personnel as cyber-samurai clearly shows a huge new institutional commitment, backed by a new cyber education school at the Ground Self-Defense Force’s Signal School in Yokosuka.
Second, the Cyber Defense Command will become more operationally relevant. Until now, it has only officially been capable of what has been called a “passive defense” of monitoring and taking actions to minimize damage rather than an “active defense” that involves some degree of preemption, let alone a counterattack, meaning that the SDF has been rather like a boxer on the ropes absorbing the punches and hoping that not too many get through, clearly a ludicrous state of affairs since such a strategy does little to deter attacks.
It sounds half-baked. What contradictory factors brought Japan to this impasse?
The main reasons for this, as have been reported, are that such measures could violate Article 21 of the Constitution, which puts into question the legality of cyber “probing” – an act short of penetrating the defense of an adversary – for the purpose of target surveillance.
Article 21 prohibits censorship and the disclosure of telecommunications secrecy, which is upheld in Article 4 of the Telecommunications Business Law, which also protects the secrecy of communications.
Also directly pertinent has been the SDF Law, which allows the Japanese military to conduct self-defensive kinetic attacks against armed forces when a certain threshold of armed attack is crossed, but does not stipulate whether or not cyber responses fall under the category of a “use of force” or “use of weapons” for a defensive operation.
While in Article 74 the prime minister is authorized to order the SDF to be deployed to deal with an imminent threat, that threat has still been interpreted as kinetic, not digital, and no part of the SDF Law explicitly empowers the SDF to conduct active cyber defense or describes conditions under which it would be employed to counter cyber-attacks.
Last but not least, no part of the SDF Law has empowered the Cyber Defense Group to defend networks outside the Ministry of Defense, including critical infrastructure.
Now that we understand the background, exactly how is the situation likely to change?
Under the proposed changes, if a possible cyberattack is detected, the government is considering giving the SDF the right to infiltrate the potential attacker’s system or server and neutralize the prospective attack, or even launch counterattacks, removing significant brakes on the SDF’s cyber operations.
This move toward meaningful operational capability is long overdue, especially since current restrictions on the SDF have become contradictory even within government practice elsewhere in Japan. Largely unnoticed by non-specialist media is the fact that Japan has actually been quietly prosecuting active defense measures since 2012, when the Japanese government outsourced the development of offensive cyber capability to Fujitsu and other IT vendors to seek and destroy malware.
So they’ve actually been at it for a long time, just not officially, with legal questions left unanswered. Rather like building one of the world’s largest armed forces (No. 5 in the GlobalFirepower 2022 Military Strength Ranking) despite Article 9 of the pacifist Constitution.
You could say that.
Since 2013, Japan’s Ministry of Internal Affairs and Communications has run its Advanced Cyber Threats response InitiatiVE (ACTIVE) program that, at the very least, set up honeypots and other measures to attract and destroy threats. Further, in 2019, the Sankei Shimbun [a Japanese newspaper] reported that Japan had started developing its own counterattacking virus programs and malware.
In terms of domestic policy, the move then does much to tie up some obvious, glaring loose ends. First, it will remove the SDF’s outlier status in terms of cybersecurity capability as regards key national security strategy policy in the shape of the 2018 Cybersecurity Strategy that stated that Japan would “proactively” strengthen its “capabilities of defense, deterrence, [Kallender’s italics and underline] and situational awareness.” Well, it’s started that.
Second, it should at last bring the SDF in line with its current National Defense Program Guidelines doctrine, established in 2018, that seeks to promote the integration of technologies and capabilities in the space, cyber and electromagnetic domains so that they can be used intraoperatively within the Ground Self-Defense Force, the Maritime Self-Defense Force and the Air Self-Defense Force.
The current National Defense Program Guidelines already explicitly and prominently identify space, cyberspace and the electromagnetic spectrum as new domains where Japan must attain (or maintain) superiority.
Indeed, under the 2018 Mid-Term Defense Plan, Japan has effectively regarded the three domains as de facto warfighting domains in which the SDF must be “capable of sustained conduct of flexible and strategic activities.”
As such, the 2018 National Defense Program Guidelines and Mid-Term Defense Plan asked the SDF not only to defend against cyberattacks but to possess the capability to disrupt, during attack against Japan, an adversary’s use of cyberspace in the attack. This implied that the SDF has already been edging towards elements of preemption against cyberattacks, which happen in real-time in nano- and milliseconds.
Is it, then, simply a matter of official policy catching up with reality?
This is the reality of prosecuting any military action in which Japan’s air, maritime and ground forces are expected to work together under the Multi-Domain Defense Force doctrine, meaning that without seeking to actively deny cyberattacks, which will be launched in real-time by adversaries, the SDF’s cyber forces will be – well, let’s just go back to the image of the boxer on the ropes.
On the other hand, if such functionality can be employed, for example pre-empting attacks, then they can at least make sure that the more active force multiplier functions of joint actions between the three services can operate, hopefully synergistically, as envisaged.
By the way, a force-multiplier function is when different weapons and systems work together better, or synergistically. For example, if you have a defensive missile system and a radar, it can do what it can do, within the limitations of that system.
If it is plugged into a network of radars and systems that cooperate and coordinate together, then it may well be more effective. The role of cyber defense means that a military’s networks are able to work together as a kind of infrastructure, and not get knocked out (blank screens) via cyber attacks.
Finally, domestically, the moves form the logical extension of laying the cyber groundwork for Japan’s upcoming formalization of its decision to deploy counterattack capabilities in the upcoming revised National Security Strategy and new five-year National Defense Program Guidelines.
Could you explain how this relates to Japan-US security cooperation?
The much more important impact of operationally useful cyber-forces is their utility to the real force multiplier in town, or in the region, which is working with US forces.
The SDF’s doctrine of passive defense had, arguably, been a neutral factor framework of the Japan-US Security Consultative Committee, the nexus of working out who does what between the allies militarily, until about 2015, when things started changing with the US gradually asking more of its local partner.
This is when the Committee issued a joint declaration on cyberspace cooperation that saw the allies share information of threats and capabilities, which was a start by the US into making Japan’s cyber defense unit more useful.
Things then moved on rapidly. The 2016 revised US-Japan Defense Guidelines mandated a major overhaul of the interoperability of the SDF and US military, calling for a seamless interoperability, without which Japan’s moves towards collective self-defense would be little more than an exercise in one hand clapping.
While the revised Guidelines did not specifically indicate cyberspace as an area of collective self-defense, the implications seemed quite obvious that – follow that vector – cyberspace at some point would have to become an area for de facto collective self-defense.
And so it is proving. In 2019, the Japan-US Security Consultative Committee affirmed that a cyberattack could, in certain circumstances, constitute an armed attack for the purposes of Article 5 of the US-Japan Security Treaty, extending cooperation in cyber-defense into a mutual defense obligation.
In March 2021, the Committee confirmed that extending cooperation was now a major agenda, and the January 2022 meeting confirmed that the US and Japan regard integrating land, maritime, air, missile defense and the electromagnetic domain as essential for jointed operations(the ability to work together effectively).
The meaning of all this is practicalities. Realistically, even if the SDF could only in theory hold its hands up in pitiful shock and dismay as hoards of Chinese hackers dismantled the Maritime Self-Defense Force’s Aegis missile defense, the two sides have de facto agreed that Uncle Sam would be obliged to step in, with cyber defense playing the classic role of “shield” to the US “spear.”
That sounds like the same old dependency relationship decried by Japanese left-wingers and right-wing nationalists alike.
Not quite, or perhaps not anymore. The relationship has moved on to codependency – no, not the struggles that aging marriages face, although like any long-term partnership, the US-Japan relationship has of course had its ups and downs – a different kind.
Twenty years ago, if a Japanese destroyer got taken out in a conflict, quite frankly, it wouldn’t have meant much to the US Seventh Fleet (headquartered in Yokosuka), at least not militarily.
The advent of Cooperative Engagement Capability (the necessary ability to share target information between ships in real-time) and the integration and interoperability of systems in today’s high-end long-range strike combat scenarios has changed all this.
Recent news indicates that for the sake of simple operational realities, the SDF is indeed stepping off the ropes.
Kallender’s latest work, “From Basic Law to the Multi-Domain Defense Force: Ten Years of Transformation in Japan’s Space Program,” a chapter in the Handbook on Japanese Security (ed. Leszek Buszynski, Amsterdam: Amsterdam University Press) is forthcoming in 2023.
Follow this writer on Twitter: @ScottFo83517