In the early hours of May 13, news spread that a malicious hacking virus was causing havoc across the world. Tomoo Yamauchi, a Cabinet Secretariat counsellor who handled the situation on the front lines at the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), was busy gathering information on his smartphone and computer. Throughout the weekend, he was constantly contacting senior NISC officials by phone and email to check for possible disruptions of core infrastructure.
But overall, the government was slow to respond to this emergency. As of May 13, there was no clear sign that ministries and agencies concerned, such as the Ministry of Internal Affairs and Communications, the Ministry of Defense, the Ministry of Economy, Trade and Industry and the National Police Agency, had taken unified action. The NISC issued a warning through Twitter, but didn’t instruct all ministries and agencies to respond to the attack until the morning of May 14. Though it explained that “no damage within government agencies has been confirmed,” there was a delay in its initial action.
On the evening of May 14, Junichi Eguchi, head of IT Security Center at the Information-Technology Promotion Agency (IPA), a METI-controlled independent administrative agency, held a press conference to warn businesses of the attack as they were scheduled to resume operations on the following day. But at that point the IPA had yet to pinpoint the actual “ransomware” virus. He was not able to field a spate of questions from the media, saying that “there are many things that we are still unsure about.”
In Japan, only Hitachi and a few other firms fell prey to the global cyberattack. Disruptions were limited. However, a METI official said, “It was the first time for us to suffer such a widespread attack.” The incident underscored the government’s lack of experience. So how should the government put this lesson to good use?
An internal official document shows that the government envisages the consolidation of information on key infrastructure in 12 fields, such as finance, medicine and petroleum. There is growing concern that “it is important to step up efforts for the collection and sharing of information to address cybersecurity threats.”
The government is calling on companies to report on the damage when they undergo a cyberattack, but this is not mandatory. Companies tend to fear that if they release such information, their stock prices will tumble or they will lose customers. “We want to consider establishing legislation that will make it possible to automatically collect information,” said Takuya Hirai, chairman of Liberal Democratic Party’s special committee on IT strategy.
In major industrialized economies, government organizations share information to deal with cyberattacks. Japan, meanwhile, will host the Tokyo Olympic and Paralympic Games in 2020. On May 23, Toshiaki Endo, chairman of a LDP parliamentarian league on the promotion of cybersecurity measures, presented to the Prime Minister’s Office (Kantei) a set of proposals calling for the establishment of a command center. Although the government has begun considering countermeasures against cyberattacks, there is not much time left. (Abridged)