[The following is NIKKEI Business Daily’s interview on cyberattacks with Masatoshi Sato, director of the National Security Laboratory at LAC Co.]
Question: What kinds of state-sponsored cyberattacks are launched against Japan?
Masatoshi Sato: In the past, we saw many attacks attempting to directly harm government organizations. Examples include a case in which the websites of many government ministries and agencies were hacked and defaced in 2000 and a distributed denial of service (DDoS) attack carried out in 2012 on the anniversary of the Liutiaohu Incident (which triggered the Manchurian Incident). But in recent years, it seems there is an increasing number of advanced persistent threat (APT) attacks believed to be targeting information held by government agencies and defense-related companies.
In a targeted-email attack in 2017 in which the attacker posed as a staff member of the Ministry of Defense and another attack in 2018 in which the attacker posed as a Cabinet Office member, the texts of the emails were written in an extremely skillful manner. Previously, emails were written in unnatural Japanese, so we could easily identify them as cyberattacks. But recently the emails are written in natural Japanese, so it is difficult to determine whether they are cyberattacks or not.
Q: Are these attacks state-sponsored?
Sato: Many countries have cyber units established in a government agency or the military, so they are suspected of being involved in intelligence gathering activities and attacks on other countries. Some countries are believed to closely cooperate with private hacker groups known as “cyber militias,” so the boundaries between the state and the private sector are becoming blurred. Recently, attackers are not only launching direct attacks but also using a wide range of methods, such as manipulating public opinion and information on the Internet.
Q: What kinds of corporate information are targeted?
Sato: Take China, for example. In 2015, the Chinese government posted on its website the strategic goal of “revolutionary development of 10 key sectors.” The areas include next-generation communications technology, [numerically] controlled machine tools, and biological medicine. Companies should be aware that it is not just the defense industry that is targeted. A wide range of corporate information, including that on technologies and specifications related to national strategies, is a potential target.
Q: What kinds of measures should the Japanese government take?
Sato: If a company with critical infrastructure were damaged by an attack, it would first be reported to government agencies controlled by the economy ministry and the land ministry. Then the information would be shared with the foreign ministry, the defense ministry, and the National Police Agency via the National center of Incident readiness and Strategy for Cybersecurity (NISC). This setup causes a small delay in the initial response. The key point is whether the government can swiftly respond to a major attack. In the case of a cyberattack, assessing damage, removing vulnerabilities, and preserving evidence become more and more difficult as time passes.
Such domestic legislation as the Act on the Prohibition of Unauthorized Computer Access and the penalty on computer virus creation may restrict the government’s defense, investigation, and information gathering. The Self-Defense Forces’ cyber unit is expected to add more staff members, but the unit can operate only within the scope of investigation and research unless the situation is recognized as an emergency.
Currently, Japan primarily engages in passive defense, such as the confirmation of damage. But this approach makes it difficult to ensure cybersecurity. Japan should advance discussions on the introduction of a system that allows “active defense,” including the collection of information on attackers, and it should establish a system where it can protect companies as a nation.
(Interview conducted by Akinobu Iwasawa)