Last November, chilling news made headlines nationwide — the internal communications network of the Defense Ministry and Self-Defense Forces had been hacked in September, possibly by another nation.
According to Kyodo News, the Defense Information Infrastructure, the high-speed, high-capacity communications network linking SDF bases and camps, was compromised.
Following the report, Defense Minister Tomomi Inada declined to confirm whether the hacking took place but quickly denied that information had been stolen. An official knowledgeable about government cybersecurity matters, however, admitted there had been a breach.
Was it just one of countless cyberattacks the ministry detects daily, or a sign that another nation is silently waging war against Japan?
Tokyo seems to be downplaying the incident. The official said the ministry was dismissive of the incident and said the breach only penetrated “administrative information” rather than classified material.
But what’s more alarming was that the official, who was not authorized to speak on record due to the sensitive nature of the issue, admitted the government’s computer systems get hacked quite often, giving intruders access to internal data.
“This is just the tip of the iceberg. Hackers could further launch cyberattacks by using the information they gained,” he said, adding that the U.S. is getting more concerned about the state of cybersecurity in Japan.
Toshio Nawa, an executive at CyberDefense, a security firm, said the government should worry more about the fact that the hackers were able to penetrate the system and could paralyze or destroy military operations, rather than fret over information.
“Cyberattacks against the SDF system could severely impact SDF operations,” said Nawa, who was in charge of security message coding and transmission at the Air Self-Defense Force. “Major damage could impact the SDF’s ability to protect the lives and assets of the Japanese people, while a data leak does not directly threaten lives.”
Amid increasing concerns, Japan revised the Basic Cybersecurity Law last year, giving greater roles to the National Center of Incident Readiness and Strategy for Cybersecurity, dubbed “NISC,” which is in charge of developing Japan’s fundamental cybersecurity strategies. The revision was in response to cyberattacks against the Japan Pension Service that caused 1.25 million cases of potential data leakage.
Before the revision, NISC was only in charge of overseeing cyberattacks against ministries and agencies, but now it can investigate cyberattacks against government-linked administrative organizations such as the Japan Pension Service.
The Defense Ministry set up a Cyber Defense Unit the same year to specifically address cyberattacks on its systems.
The government says “Japan can defend itself” if a cyberattack launched by a foreign government constitutes use of force or a military strike against Japan. But the relationship between self-defense and cybersecurity is tricky, and this bureaucratic jargon provides wide latitude for interpretation. It is also unclear what kind of countermeasures Japan can take because the Constitution restricts the use of force to self-defense. The government’s recent reinterpretation of the Constitution, however, apparently allows Japan to circumvent that restriction in cases of collective self-defense.
“Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force,” Harold Hongju Koh, legal adviser to the U.S. State Department, said in September 2012. As examples, he listed operations to trigger nuclear power plant meltdowns, open dams to flood populated areas or disable air traffic control systems to cause plane crashes.
Even if Japan could prove another state launched a cyberattack, it might not use force if it deems the attack wasn’t “part of the use of force” by an intruder.
In addition, Japan has been vague on whether it can actually strike back with force, merely saying it depends on the case. There are no internationally accepted rules of engagement when it comes to cyberwarfare.
Cyberattacks are becoming a serious threat around the world. A U.S. report compiled earlier this month that said Russian President Vladimir Putin ordered the hacking of the Democratic National Committee to help Donald Trump win the U.S. presidential election is another reminder that cyberattacks can influence a country’s democracy.
The report said the Kremlin will “apply lessons learned from its Putin-ordered campaign, including against U.S. allies and their election processes,” meaning Japan could also be a target.
But the difficult part is to actually identify the perpetrator — whether it be an individual, group or state. CyberDefense’s Nawa claims that, unlike the U.S., which singled out Russia as the perpetrator of the DNC hack, Japan lacks strong intelligence-gathering capabilities and experts who can identify hackers because the process is very difficult and costly.
Tokyo’s budget for cybersecurity remained a little south of ¥50 billion for fiscal 2016, while the U.S. earmarked $14 billion (about ¥1.7 trillion) for 2016.
“The gap between the U.S. and Japan on what they can do is like a college student and a kindergartner,” said Nawa, who advises the government and Japanese companies.
While fatal cyberattacks have been elusive to date, government systems are not the only way to severely damage a country and its people. Hackers can launch what former U.S. Defense Secretary Leon Panetta termed a “cyber Pearl Harbor” by shutting down a power grid or cutting communications networks.
The first major cyberattack on a utility happened in December 2015, when a power outage in Ukraine caused by a malicious hack left 225,000 people without electricity in the middle of winter.
Last year, U.S. authorities said that Iran-based hackers gained unauthorized remote access to a computer that controls the Bowman Avenue Dam in Rye, New York, in 2013, although no damage was caused.
Japanese firms that manage critical infrastructure also have been targeted. Earlier this year, Taiyo Nippon Sanso Corp., Japan’s biggest industrial gas producer, said a hack compromised 11,000 email addresses belonging to its employees and those of its affiliates. It declined to discuss whether the hackers penetrated its network deep enough to gain control of gas production but said they got in by stealing administrative credentials.
But a cyberattack doesn’t have to target infrastructure to cause harm. Last year, a subsidiary of JTB Corp., Japan’s biggest travel agency, was hacked, exposing the personal data of 7.93 million clients, including passport records. In 2014, Sony Pictures Entertainment became a victim of a devastating cyberattack that resulted in the theft of 10 terabytes of sensitive data, including films such as “The Interview,” a controversial comedy about a plot to assassinate North Korean leader Kim Jong Un. In 2011, Sony’s PlayStation network was attacked, providing access to some 77 million accounts, while Mitsubishi Heavy Industries, Japan’s biggest defense contractor, was also hit by a cyberattack.
According to the National Police Agency, cyberattack cases involving email totaled 1,951 in the first half of 2016, down 405 from the same period the previous year. Yet experts say the actual number is much higher because some companies don’t report the attacks.
The harsh reality, experts say, is that the hackers currently have the upper hand.
Governments and firms can’t entirely prevent cyberattacks when technological advances have pushed down the cost of targeted attacks and hackers have become more adept at social engineering, a hacker term for human deception.
For example, the emails sent to penetrate JTB reportedly had “E-TKT,” which stands for “e ticket,” in the subject line to mimic the messages sent to JTB’s clients. According to the NPA, 81 percent of targeted attacks are launched against email addresses that are not publicly available. This highlights the fact that hackers are very knowledgeable about the entities they are targeting.
Many firms meanwhile remain reluctant to spend greatly on cybersecurity as they are unsure whether they will ever be targeted. According to a 2013 report compiled by major auditor KPMG, only 52 percent of Japanese firms believe cybersecurity should be discussed at the executive level, compared with 88 percent of all companies worldwide, highlighting the lack of corporate awareness in Japan.
One does not even have to be an IT genius to launch a cyberattack.
Kaoru Hayashi, cyberthreat intelligence analyst at cybersecurity firm Palo Alto Networks, says there are underground markets that sell malware, including ransomware, for $3,000 to $4,000. Ransomware is software used to deny access to a computer system until ransom is paid. “It depends on how you look at the return on investment,” said Hayashi, adding that generally speaking, “Those who launch the attacks win.”
Another challenge has been that some companies are reluctant to reveal their systems have been compromised even though divulging such information could help defend against further attacks in their industry.
According to auditor PricewaterhouseCoopers, only 30.4 percent of Japanese firms share such information, compared with 64.7 percent globally.
“Japanese companies have this culture of shame. They do not want to let others know about disgraceful facts, and they hate being chastised for it,” said Mihoko Matsubara, chief security officer for Japan at Palo Alto Networks. “Information-sharing is an impending agenda for 2017.”