Facing Cyber Attacks, the Japanese Experience
On March 13, Institut Montaigne hosted Professor HASHIMOTO Yasuaki, director of the Policy Studies Department at Japan’s National Institute for Defense Studies, for a roundtable discussion comparing French and Japanese vulnerabilities and responses to cyberattacks. He was joined by Gerome BILLOIS, cybersecurity publication rapporteur at Institut Montaigne and partner with Wavestone, and Dr. Alix DESFORGES, researcher with Geode.
1. Society 5.0 creates new vulnerabilities
The number of cyberattacks recorded in Japan increased 50 times between 2005 and 2017, and as the use of IoT devices increases rapidly, the digital society will be more exposed to attacks. IoT systems need greater security. The Japanese government sees the 2020 Tokyo Olympics as an important cybersecurity challenge, having learned the lessons of the 2016 London Olympics. The French experience shows the importance of addressing online propaganda and election influence as part of our thinking on cyber issues, given the activism of terrorist organizations and state-sponsored advocates of authoritarian rule. State responses to challenges in cyberspace raise issues of privacy that need to be addressed adequately.
2. Cybersecurity is an investment, not a cost
It has taken a long time in Japan for cybersecurity to be perceived as an investment and no longer as a cost. This paradigm shift has now largely taken place in government as well as among corporate actors. However, as Institut Montaigne’s cybersecurity report showed in the case of France, the vulnerability of small and medium enterprises remains a major question. This is an issue of national interest given that an attack on a weak spot in an interconnected network can spread rapidly.
3. There is a challenge with human resources
Cybersecurity personnel are in high demand. The Japanese government estimates that 200,000 engineers will be needed by 2020, a target that the demographic situation will make difficult to meet with only Japanese nationals. Cybersecurity has a military dimension, and all defense ministries are building cyber units. Japan’s cyber defense unit is expanding from 120 people to 500 in 2023. In France, the National Cybersecurity Agency ANSSI is also expanding. Beyond the state, the lack of human resources is a major question for small and medium corporate actors. Increasing awareness at the CEO level and expert mobility (inter-company and inter-state) are essential.
4. States and corporate actors should place more emphasis on building resilience
Situational awareness and deterrence are essential to cybersecurity risk management, but so is resilience. A better balance should be found between focusing on prevention and planning how to react to an actual large-scale attack. This is true at the level of companies and at the level of states, and it also applies to connected objects such as cars and planes.
5. Looking ahead: the international agenda
Japan engages in outreach and capacity building in the area of cybersecurity, with efforts concentrated in Southeast Asia. Japan is also one of only two Asian countries that have joined the Budapest International Crime Convention. In Europe, NATO plays a role in boosting the capacities of weaker member states. The multilateral agenda shows little sign of progress. Two different approaches are being pursued at the UN, one led by Russia that stresses stronger sovereignty and one led by the United States that emphasizes a free but secure internet. Japan and Europe need to strengthen their reflection on how to respond to cyber intrusions and attacks by authoritarian states.