Japan Must Boost its Defenses Against Cyberattacks; Aggressive ‘Hybrid Warfare’ Seen as a Growing Threat

The Yomiuri Shimbun
Prime Minister Fumio Kishida speaks at the first meeting of an expert panel on active cyber defense at the Prime Minister’s Office on June 7.

One evening, the power supply from multiple substations suddenly stops, and the power supply control center suffers an unexplained system failure. It’s a cyberattack, causing a blackout across almost the entire southern part of Okinawa Island.

This all-too-plausible scenario was the basis of a May 27 exercise in which members of the ruling and opposition parties, including former Justice Minister Yoshihisa Furukawa of the Liberal Democratic Party, examined Japan’s response to a potential crisis in Taiwan.

“It’s no longer possible to deal with this at Okinawa Electric Power.”

“We have to send a team of experts from Tokyo.”

Comments like these flew around the room, which was arranged to resemble the Prime Minister’s Office, highlighting the difficulty of dealing with a situation in which the attacker and their intentions are unknown. A senior official from the Cabinet Secretariat expressed his sense of crisis, saying, “If the power supply is cut off, transportation and logistics will become dysfunctional, and the Self-Defense Forces and U.S. military bases will be hobbled.”

“Hybrid warfare” is becoming the norm in modern conflicts, combining armed attacks with cyberattacks on critical infrastructure such as power plants. The Japanese government’s decision to introduce an active cyber defense system capable of preemptive actions against cyberattacks in the National Security Strategy, which was revised in December 2022, was largely due to the threat demonstrated by Russia’s invasion of Ukraine.

Russia began its physical invasion in February 2022, but it is believed that more than a year before that, it had infiltrated the systems of Ukrainian government agencies, as well as power and telecommunications facilities, and was preparing to carry out sabotage. About a month before the invasion, the cyberattacks intensified, and on Feb. 23, the eve of the invasion, the number of systems targeted by the attacks reached about 300. On Feb. 24, when the invasion began, the satellite communication network was disrupted.

The Japanese government believes that China will use the same methods before launching a landing operation in Taiwan.

In May of last year, Microsoft announced that the hacker group Volt Typhoon, which receives support from China, was working to infiltrate the systems of telecommunications and transportation facilities on the U.S. mainland and in the U.S. territory of Guam.

Okinawa has been pointed to as the most likely target of such a cyberattack in Japan . Like Guam, it is home to some of the U.S. military’s most important bases in the Indo-Pacific region.

The U.S. military and the Self-Defense Forces in Okinawa rely on local utilities for electricity and water. An official from Okinawa Electric Power Company confided: “Cyber technology is advancing day by day. So, even if it’s fine today, you never know what might happen tomorrow, so we need to strengthen our ability to respond.”

The Okinawa Prefectural Government Bureau of Waterworks, which is in charge of the water supply business, is stepping up its vigilance with a “central monitoring and control” system that manages the amount of disinfectant added to the water. In 2019, a water purification plant in the U.S. state of Florida suffered unauthorized access, and the concentration of sodium hydroxide was set to approximately 100 times the normal level. An Okinawa prefectural official said, “We must exercise the utmost caution when updating the system.”

In the case of Volt Typhoon, the U.S. government identified the infected network equipment and removed the malware after obtaining court permission. If Japan also establishes a system for active cyber defense, it will be possible to detect attacks and take measures to prevent or neutralize them.

Damage to infrastructure from cyberattacks is becoming more serious in Japan. In July last year, the container management system at Nagoya Port was infected with a virus, causing such harm as the suspension of the loading and unloading of containers.

In May this year, there was also a problem with JR East’s Mobile Suica service, which prevented users from adding money to their electronic money accounts. A spokesperson for the company recalled that “we saw a large number of unusual accesses.”

It is said that the Chinese military may attempt to forcibly take control of Taiwan by 2027. A senior Japanese government official emphasized: “The more digitized Japan becomes, the more vulnerable it is to cyberattacks. We only have a few more years to strengthen our countermeasures.”

A government expert panel chaired by Kenichiro Sasae, a former ambassador to the United States, began discussing active cyber defense in June. The biggest focus of the system design is how to reconcile it with the secrecy of communications guaranteed by the Constitution. This is because the government would need to analyze the communications information of service providers even during normal times in order to spot the signs of cyberattacks.

The scope of the secrecy of communications includes not only the content of communications, but also a wide range of related information such as messages’ time, date and destination. However, this is not unlimited. At a meeting of the House of Representatives Budget Committee in February this year, Masaharu Kondo, director general of the Cabinet Legislation Bureau, stated, “From the perspective of public welfare, there are cases where certain restrictions should be imposed to the extent that they are necessary and unavoidable.”

The government is carefully coordinating with the Cabinet Legislation Bureau and other organizations to determine a limited scope of communications information that can be used for active cyber defense, while respecting the confidentiality of communications to the greatest extent possible and helping to detect attacks.

In the United States, the United Kingdom and Germany, the acquisition of communications information by the state is governed by legislation based on requirements such as the intelligence and security needs of those countries, and independent supervisory bodies check whether there are any violations of rights. In Japan, a similarly detailed legal system is required to balance the Constitution and cyber security.

Such a system should be set up soon — before half of Okinawa Island goes dark.

Political Pulse appears every Saturday.


Shuhei Kuromi

Shuhei Kuromi is a deputy editor in the Political News Department of The Yomiuri Shimbun.