Prime Minister Fumio Kishida’s administration hopes to raise Japan’s poor cybersecurity performance to an acceptable level by requiring government contractors to meet US standards, according to local media reports. Repeated hacking of Japanese defense contractors and other companies and institutions has made this a top priority.
The US standards, known as NIST SP 800-171, apply to contractors supplying the US Department of Defense and other government agencies. They include access control, audit and accountability, security assessment, communications protection, supply chain risk management and incident response, among others.
They are defined and overseen by the National Institute of Standards and Technology, or NIST, of the US Department of Commerce. A revised draft of NIST SP 800-171 was published on May 10. Significant changes include more specific requirements to remove ambiguity, improve effectiveness and clarify the scope of assessment. Public comments are due by July 14.
The Japanese government’s Cybersecurity Strategic Headquarters will be in charge of the upgrade, raising the information security standards that external contractors must meet when working with either ministries or administrative agencies. Part of the Cabinet Office, it is led by the Chief Cabinet Secretary.
The new standards will reportedly be implemented by the end of the fiscal year to March 31, 2024. More than 1,000 contractors are likely to be affected.
Cybersecurity is a long-standing US-Japan issue. According to cybersecurity expert Paul Kallender, a senior researcher at the Keio Research Institute at Keio University’s Shonan-Fujisawa Campus (SFC) outside of Tokyo, “the security needs were initially driven by the US to safeguard weapons platforms, primarily Aegis ballistic missile defense,” but “all security is now a hybrid of commercial and military networks.”
Kallender points out that “All this dates back a quarter century when the US, out of concerns about information assurance (what is now called cybersecurity) as Japan and the US geared up towards co-developing and deploying Japan’s BMD [ballistic missile defense] systems, got Japan to sign the Memorandum of Understanding Concerning Cooperation Regarding Information Assurance and Computer Network Defence and then, in 2007, the US-Japan General Security of Military Information Agreement (GSOMIA). This latest announcement can be seen in many ways as the grandchild of efforts dating back to GSOMIA.”
In 2011, Japan’s largest defense contractor, Mitsubishi Heavy Industries (MHI), admitted that unidentified attackers had gained access to and installed malware in servers and computers in several of its offices, factories and R&D facilities. MHI’s missile, submarine and nuclear power plant technology were reportedly targeted.
“What happened to MHI,” says Kallender, “where it is speculated that technologies related to Japan’s work on an advanced version of the Aegis missile being co-developed with US contractors (as well as work on fighter and space technologies) revealed not only the vulnerability of Japan’s leading military contractors but also that industry and research across Japan engaged in strategic R&D was at risk to a concerted campaign of highly coordinated and state-sponsored advanced persistent threats.
“It also seemed to realize the worst fears of the US, and was a kind of year zero for Japan, which started to get to grips with the fact that someone in the government, namely the Prime Minister’s Cabinet Office, needed to take control and coordinate efforts across a sprawl of ministries and agencies, to come up with a joined-up national cyber security plan and coordination.”
In December 2021, the Asahi Shimbun reported that “A June 2019 cyberattack on Mitsubishi Electric Corp compromised data that constituted the first-ever publicly acknowledged leak of sensitive national security information in Japan, the Defense Ministry admitted.”
Company officials said they thought it was the work of Chinese hackers, but no evidence was ever provided. Mitsubishi Electric makes radar and other electronic systems for Japan’s Ground, Maritime and Air Self-Defense Forces.
In January 2020, NEC – Japan’s leading producer of telecom equipment and a contractor to both the Defense Ministry and the Japanese Aerospace Exploration Agency (JAXA), which leads the nation’s space program – revealed that it had been the victim of a cyberattack in December 2016 but had not detected it until June 2017.
When it was finally able to decrypt the messages involved in July 2018, NEC found that files had been stolen from its defense business. In 2021 and 2022, Fujitsu – Japan’s second largest producer of telecom equipment and a provider of computing and software services – was hacked. These cyberattacks compromised the cloud software-as-a-service provided to several government agencies.
There have also been an increasing number of cyberattacks on non-defense businesses and other organizations in Japan, with targets ranging from automakers to confectionary, national telecom carrier NTT, internet messaging service LINE, Yahoo Japan, Japan Airlines and many others. The number of ransomware attacks rose from 146 in 2021 to 230 in 2022, according to the National Policy Agency.
No wonder the US has been badgering Japan, which it defends under the Japan-US Security Treaty, where it maintains air force, navy and marine corp bases, and with which it builds fighter jets and other weapons systems, to up its cybersecurity game.
On January 6 this year, Japan’s Minister of Economy, Trade and Industry Yasutoshi Nishimura and US Secretary of Homeland Security Alejandro Mayorkas signed a Memorandum of Cooperation (MOC) on Cybersecurity in Washington.
The MOC covers operational collaboration to improve the security of industrial control systems, capacity building and harmonization of regulations and schemes. The goal is to establish equivalent levels of software security by identifying and reducing risks and vulnerabilities.
Japan and the US will also seek to expand their cooperation in cybersecurity to Australia and India, the other two members of the Quadrilateral Security Dialogue, or Quad, and other Indo-Pacific allies.
Follow this writer on Twitter: @ScottFo83517667