In recent years, global dependence on cyberspace has deepened dramatically. At the same time, cyber attacks are increasing around the world, and cyber attacks on critical infrastructure such as electricity, gas, water, telecommunications, transportation, and finance are of particular concern.
Cyber attacks on critical infrastructure occur across the spectrum from daily life to inter-state conflicts. Recent full-spectrum examples include the SolarWinds incident in 2020, the Colonial Pipeline incident in 2021 which remains fresh in our minds, and Russia’s wide array of cyberattacks against Ukraine during its invasion of Crimea in 2014 and early in its ongoing 2022 invasion of Ukraine. Cyber attacks on critical infrastructure are now one of the key means of inter-state attack, and their impact is immeasurable.
In the Indo-Pacific, the next crisis is likely to be the Taiwan issue. In that case, U.S. military forces in Japan undoubtedly will take the lead in response to any effort by China to invade Taiwan or Okinawa. China will conduct cyber attacks to gain a head start in the early stages of war. Cyber military operations are conducted in parallel with kinetic military operations. It is therefore necessary to establish a complementary, if not common, operational base from which joint U.S.-Japanese cyber operations can be conducted. Protection of Japan's critical infrastructure will be an important security partnership issue.
The Importance of U.S.-Japan Cooperation in Cyber and Critical Infrastructure Protection
Cyber has become one of the leading areas of cooperation in U.S.-Japan relations. On February 11, 2022, The Biden Administration published its "Indo-Pacific Strategy," which expressed concern about the intensifying struggle for supremacy in the Indo-Pacific region with China. The strategy expresses a sense of urgency to deepen and extend strategic partnerships across the region that compete with Beijing. It states that the United States will work with partner countries to develop common initiatives on emerging technologies, the Internet, and cyberspace. Cyberspace is a prominent area for deepened partnerships and collective interaction in the face of Chinese efforts to disrupt.
As the great power competition between the U.S., China and Russia intensifies, it is increasingly likely that cyber attacks will grow as a means of hybrid warfare in the future. In the Indo-Pacific, this means that once China moves from a competitive to a confrontational footing, Beijing can be expected to engage with offensive cyber capabilities. All regional states, and especially Japan, take note of this risk. Should China take military action to annex Taiwan, Japan will undoubtedly become involved. China also continues to assert territorial rights over Japan's Senkaku Islands. If China were to take full-scale military action against Taiwan or Japan’s Senkakus, it is highly likely that Beijing would combine cyber attacks with military strikes to disrupt U.S. and Japanese operations, command and control, and logistics functions. The U.S. Army, Navy, Air Force and Marines stationed in Japan, the largest U.S. military force permanently deployed in Asia, depend on Japanese infrastructure including electricity, water, telecommunications, ports and airports. Taking from and even extending the Russian cyber playbook for Ukraine, a most likely target of the cyber component of a hybrid Chinese attack would be the critical infrastructure of both Japan and the USA. Neither homeland would be spared. Japan and the United States thus have much to jointly consider about ways to mitigate their collective cyber vulnerabilities.
Comparison of U.S. and Japanese Cyber Capabilities and Challenges
What is required for proper strategic U.S.-Japan cyber cooperation? Today there are significant differences between U.S. and Japanese cyber capabilities and systems. These differences exist in both civilian and military cyber elements.
Civilian cyber side differences are manifest in the asymmetric development of federal agencies to manage cyber and infrastructure security. The American national cyber defense oversight system has been strengthened by three successive administrations -- Bush 43, Obama, and Trump. In the U.S., cybersecurity and infrastructure protection is a responsibility shared among the Department of Homeland Security (DHS), the Department of Defense, the Department of Justice (DoJ), and other agencies. DHS has been made responsible for overall protection of the consolidated national government cyber-network, coordination of major infrastructure protection, and coordination between the public and private sectors in cyberspace. In November 2018, the government's cyber-related organizations, which had been divided among the various agencies, were reorganized. The Office of National Protection Programs (NPPD), under the DHS was significantly expanded and redesignated as the Cybersecurity and Infrastructure Security Agency (CISA). Contemporary U.S. cyber policy concentrates clear authority and dedicated personnel in CISA and establishes a cyber defense structure that specifies cooperation among related agencies.
In Japan, National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015 as a secretariat of the Cybersecurity Strategy Headquarters in collaboration with the public and private sectors on a variety of activities to create a "free, fair and secure cyberspace." NISC plays its leading role as a focal point in coordinating intra-government collaboration and promoting partnerships between industry, academia, and public and private sectors. NISC is a counterpart to CISA because both agencies are responsible for civilian side cyber security. However, the major difference between CISA and NISC is that NISC does not have strong authority over ministries and the private sector. Moreover, NISC is composed of staff seconded from related ministries and private companies, so that members are replaced after a few years.
Military cyber differences are even more pronounced, and with significant implications for bilateral cooperation between allies. Over the past decade, the U.S. military's role in cyberspace has been substantially strengthened. In 2010 a U.S. Cyber Command (USCYBERCOM), previously two sub-unified joint task forces under US Strategic Command (USSTRATCOM), was designated a unified four-star command and combined under the Director, National Security Agency (NSA) and focused on support of global networked cyber operations planned and executed by and through the US Combatant Commands. In 2018, USCYBERCOM was upgraded to a Unified Combatant Command. Still joined with NSA under a single 4-star commander, USCYBERCOM now has the responsibility for developing cyber-unique, global operations planned and conducted with the support of other US military commands. In this role, USCYBERCOM focuses on intelligence gathering, deterrence, and counterattack in cyberspace. As of 2019, USCYBERCOM consists of 133 teams and 6,200 personnel, including the Cyber National Mission Force (CNMF) which is tasked with deterring cyber attacks from China, Russia, Iran, and North Korea.
In Japan, the Cyber Defense Group (CDG) was established in March 2014 as a joint unit with about 100 personnel under the SDF C4 Systems Command. The CDG has been tasked to protect the systems of the MoD and the SDF in addition to detailing personnel to the NSIC and providing defense relevant information. Just this March – March 2022 - the CDG was expanded to more than 500 personnel and positioned as an integrated Defense Cyber Unit under the direct control of the Minister of Defense. Cyber intelligence is conducted by several ministries and agencies, including the Ministry of Defense, National Police Agency, Cabinet Intelligence and Research Office, and NISC, respectively.
USCYBERCOM has an integrated role in protecting critical national infrastructure, combining selected cyber offensive operation authorities with broad cyber defense proponency for DoD networks, and several critical infrastructure categories including defense industries. On the other hand, the SDF has focused on defending its own systems and networks, thus lacks aptitude or experience in critical infrastructure protection. As a legal issue, the Constitution of Japan and national laws on communications strictly stipulate the protection of "secrecy of communications." As a result, it is difficult for the SDF (or other agencies) to hack or create cyber tools necessary to counter a cyber aggressor. SDF’s counterattacks are only possible when a cyber attack is carried out as part of a military attack. Compared to CYBERCOM, the SDF's negligible experience in critical infrastructure protection and vague legal basis make it difficult to conduct active cyber defense of defense cyber networks or critical Japanese national infrastructure. So as cyber cooperation between the U.S. and Japan moves forward, it is essential to understand just how far apart these allies are in terms of truly joint cyber operations or their respective frameworks for the protection of critical national infrastructure.
Future Directions for U.S.-Japan Cyber Security Cooperation
On April 19, 2019, the Japan-U.S. Security Consultative Committee affirmed that international law applies in cyberspace and that a cyber attack could, in certain circumstances, constitute an armed attack for the purposes of Article V of the Japan-U.S. Security Treaty. Recently some Japanese politicians and government agencies are beginning to call for a shift to “active cyber defense.” They argue that Japan should change its passive cyber defense policy and aim for a deterrent effect through active cyber counterattacks. The U.S. has also stated it would promote greater cyber cooperation with Japan. How might this work? It will work best if the U.S. and Japan focus on respective roles to meet the two most critical near-term cyber cooperation opportunities: enhanced joint military cyber operations and more closely coordinated protection of Japanese critical infrastructure
For its part, the U.S. needs to understand the differences between the U.S. and Japanese cyber defense regimes. Washington should clearly indicate to Japan what is needed to protect the critical infrastructure on which forward-deployed U.S. military forces depend, and on the kinds of changes needed for Japan-U.S. joint cyber operations. The U.S. should identify specific issues through expanded joint exercises and dialogue with Japan and prioritize necessary cooperation.
Simultaneously, Japan must study its own technical, institutional, and legal weaknesses, moving forward while conducting constructive cyber exercises and collaborative dialogue with the US. Leaving critical infrastructure protection to private sectors alone is problematic from the standpoint of resilience. It is time for Japan to seriously consider the involvement of SDF cyber unit in critical infrastructure protection upon which the SDF and U.S. forces in Japan depend. The timeframe for a cyber attack is very short, and the damage could be unmanageable while Japan is still struggling to prepare for a counterattack. Japan should develop a legal basis for cyber operations by the SDF and allow the SDF to be involved in some areas of critical infrastructure protection.
The contemporary Indo-Pacific security environment is very challenging. It is complicated by the Taiwan issue, China's territorial friction with Japan, Philippines and India, North Korea's nuclear and missile development, and Russia's increased military activity. Critical infrastructure to support U.S. forces in Japan and joint operations between the Japan Self-Defense Forces and the American military are essential for the U.S. to deal capably with these and other pressing regional security issues. Japan must ensure its own resilience and improve its cyber capabilities, not just rely on the United States. The success or failure of cyber cooperation with Japan will undoubtedly be key to the realization of the U.S. Indo-Pacific strategy.
Mr. Kiesuke Mizuhiro is a Visiting Research Fellow at the Institute of National Strategic Studies (INSS) of National Defense University (NDU). Mr. Mizuhiro is on detail from the Japanese Ministry of Defense (JMoD). The analysis and recommendations of this article are based upon his own research, and do not necessarily represent the positions or policies of JMOD, NDU-INSS, the U.S. Department of Defense or the U.S. government. Mr. Mizuhiro wishes to thank Dr. Thomas Lynch and Dr. Jaclyn Kerr of NDU-INSS for their contributions to his research and this article.