Cyberspace has become a new battlefield in “warfare” today. In the United States and Europe, politicians are joining hands across party lines to make efforts to create a cyberdefense system suited to the times. In contrast, Japan’s Diet has not been active in debating the issue.
The data bears this out. Looking through the minutes of 800 meetings during the ordinary Diet session this year reveals that the terms “cyberattack” or “cyberdefense” was mentioned one or more times at only 57 of the meetings held by the Upper and Lower Houses. Of these, 17 were meetings of the houses’ committees of foreign affairs and security and 14 were meetings of the houses’ committees on the Cabinet.
The terms were mentioned at six meetings of the houses’ general affairs committees, which oversee communications, whereas they were used at only two meetings of the houses’ Commissions on the Constitution. Even the Lower House Committee on Security and the Upper House Foreign Affairs and Defense Committee rarely engaged in in-depth discussion of the need for legislation and the relationship between cyberdefense and the right of self-defense.
In the past as well, the Diet has not taken up cyberdefense issues. Over the past decade, the words “cyberattack” or “cyberdefense” were used at only seven meetings of the houses’ Commissions on the Constitution. There was no in-depth discussion of the relationship between cyberdefense and the Constitution and under what circumstances the Self-Defense Forces should be allowed to act and what scope of action would be permitted.
The U.S. monitors cyberspace in peacetime
In peacetime, the United States monitors and infiltrates the networks of potential adversaries. If it detects an attack in advance, it will take action to quash it. Japan cannot do such things under its current legal system. Article 21 of the Constitution, Article 4 of the Telecommunications Business Act, and the Act on Prohibition of Unauthorized Computer Access, which stipulate the “secrecy of communications,” do not permit such actions.
Since cyberattacks have become a kind of “war” in the international community, the question of exercising the right of self-defense needs to be sorted out.
In the United States, there is bipartisan cooperation in the legislative branch [on these issues]. In 2018, the Cybersecurity and Infrastructure Security Agency Act was passed, authorizing the launch of an agency responsible for promoting public-private coordination in protecting government agencies and critical infrastructure. In 2019, a bipartisan group was formed, and it has been actively making recommendations to the government.
The agency also invites private companies to attend congressional deliberations, and it investigates the origins of cyberattacks. The top executives of such companies as Microsoft testified at committee hearings in February after several government agencies were compromised by a cyberattack. In June, executives at a pipeline company also testified at government committee hearings about the damage [they suffered in a cyberattack].
According to Japan’s House of Representatives, the Diet has never invited a private company hit by a cyberattack to speak at a meeting.
“The United States has a tradition of discussing sensitive information and security across party lines,” said Kawaguchi Takahisa, a Tokio Marine dR senior researcher familiar with cybersecurity issues. In Japan, “there is the belief that cyberdefense discussions will not win votes. Developing legislation requires political will,” he says.
In the United States and Europe, there are cases where cyberattacks have obstructed the activities of parliament as well as election campaigns. This is one of the reasons why political parties and parliamentarians have a sense of involvement in the issue.
“No agency assigned to handle cyberattacks”
Former Minister of Internal Affairs and Communications Takaichi Sanae of the Liberal Democratic Party complains that “Japan neither has a law that allows for political retaliation, such as financial sanctions or counterattacks in cyberspace, nor an agency assigned to handle cyberattacks.” She has called for the establishment of a “Ministry of Information and Communications” and says that a “Cybersecurity Agency” under that ministry should spearhead cyberattack response.
In Japan, a wide range of government bodies are involved in addressing cyberattacks, including the Ministry of Defense, the Ministry of Internal Affairs and Communications, and the National Police Agency, making it difficult to stage an integrated response. In the United States and the United Kingdom, the government agencies that deal with cyberattacks are centralized.
Takaichi emphasizes that “if the Diet and the government do not address the matter, it will put Japanese lives at risk.” In 2019, she submitted a proposal that stressed the importance of developing legislation and expanding the framework for handling cyberattacks, but discussions stagnated.
Shinohara Go, chairman of the Constitutional Democratic Party of Japan’s research council on foreign affairs, security, and sovereignty, explains that “cooperation with the United States and the international community is also important.” He argues that “Japan should also discuss developing an environment that would be a prerequisite for such cooperation, including creating a security clearance system.”
Watanabe Tsuneo, a senior fellow at the Sasakawa Peace Foundation, points out that “many Japanese, including politicians, fail to recognize that defense in cyberspace is vitally important for Japan’s survival.” “Japan remains unprotected even though it is located geopolitically on the cyber warfare front lines of the United States, China and Russia,” he says.
It is up to the prime minister to decide whether Japan should retaliate in the event of a massive cyberattack that delivers a severe blow to Japan’s economic and social activities.
How should Japan prepare for the silent contingency of a “cyber war”? The ruling and opposition parties should take the opportunity of this fall’s House of Representatives election to debate this matter as the core of their security policy.