The cyber attacks on Japan’s Upper House, which occurred soon after attacks on the Lower House and Mitsubishi Heavy Industries last year, have brought increased attention to Japan’s susceptibility in cyber space. Media reports suggest that Japan will be left behind in terms of preparedness against internet-based attacks if it does not solve two problems quickly: (i) the lack of lawmakers’ understanding of cyber threats and (ii) the legal problems limiting the use of Japanese capabilities to defend against cyber attacks.

The lack of government attention makes it easy to understand why Japan is so vulnerable in cyberspace. In 2010, only three of Japan’s eleven political parties included statements about cyber security issues in their manifestoes for the Upper House election. In addition, one poll shows that only 45 percent of Lower House members changed their online passwords after the attack in 2011. Moreover, government-led cyber-attack drills conducted between October and December 2011 found that approximately 10 percent of government employees opened fake virus attachments. This evidence demonstrates that Japanese lawmakers lack awareness on the seriousness of this issue.

Furthermore, Japanese experts in cyber security argue that the current legal system could deadlock government cyber-defense projects. Unlike many other developed countries, Japan has not officially acknowledged cyber attacks as an emerging security threat. Therefore, there are no effective countermeasures against internet-based attacks under the existing constitution and Japanese law. In the beginning of this year, the Defense Ministry unveiled a project to develop mechanisms to trace and counterattack foreign hackers. Nonetheless, the government officials who have engaged in the project are concerned that uses of these mechanisms would be impossible without support from the legal system. The Criminal Code and/or Article 9 of the constitution could be interpreted to mean that cyber weapons are in violation of the anti-PC virus clause (which bans creating and distributing computer viruses to other individual’s computer), or constitute a “war potential,” respectively.  This interpretation may prevent the Self-Defense Forces from utilizing the cyber weapons to react to future cyber threats.

Although a revision of the constitution is not realistic, Japan must understand that cyber security is not only a domestic issue. Information stolen from major defense contractors and the Cabinet will drastically change the security map.  Future discussions should focus on how to incorporate cyber security as an emerging issue and adjust Japan’s current legal framework accordingly. A public-private partnership for the cyber defense is another effective approach. Effective action by Japan is necessary for the protection of the nation and its allies in cyberspace.

AEI