print PRINT

SECURITY > Cybersecurity

Japan urgently needs to develop legal framework for cyberwarfare

  • August 2, 2022
  • , Wedge , pp. 43–45
  • JMH Translation

By Sato Ken and Osawa Jun

 

Russia’s war in Ukraine is truly a “hybrid” war.

 

In this “hybrid war,” an “information war” was launched to incite social divisions, social turmoil, and the loss of the government’s credibility from the days prior to the outbreak of hostilities. “Information warfare” and “cyber warfare” during peacetime prior to the destruction of military targets with weapons have come to be deemed important because such warfare chips away at the enemy’s will to fight. Information warfare causes social confusion, and cyber warfare causes paralysis in the functioning of critical infrastructure and government institutions.

 

Since Feb. 24 when Russia’s military invasion of Ukraine began, Russia has intermittently engaged in electromagnetic attacks aimed at confusing the Ukraine military and in cyberattacks aimed at paralyzing telecommunications, electricity, and other critical infrastructure. From the days prior to the war, the West supported Ukraine in psychological warfare and the cyber domain and successfully neutralized Russia’s hybrid war to a considerable degree.

 

Cyberwar is unique in that it is hard to distinguish whether it should be classified as peacetime, gray zone, or armed attack and, vexingly, it can shift categories in an instant. Moreover, it is hard to distinguish whether a system malfunction or other grave situation is a national security situation caused by cyberwarfare or just an accident in the private sector.

 

In May 2021, an oil pipeline in the United States was halted due to a ransomware cyberattack. The U.S. government, under the leadership of the National Safety Council, handled it as a security situation from the start.

 

In Japan, companies and other entities hit by a data-breach cyberattack tend to think no damage has occurred if “no data leaks to outside have been confirmed.” The fact is, however, that companies do not keep a communications log because they have no communications monitoring system in place. There is a chance that information related to national security or confidential information regarding the company’s management is being leaked

 

In the current context, seamless handling of security is required from peacetime when armed conflict has not broken out. In the cyber domain in particular, it is extremely important to discern as quickly as possible whether it is a cyberattack or not, who is implementing the attack, and what their aim is.

 

Japan lags behind in the cyber domain

 

In Japan, individual companies and organizations handle security in the cyber domain. The Basic Act on Cybersecurity enacted in 2014 states that the national government is responsible for formulating and implementing comprehensive cybersecurity policies, and business entities and the people are to endeavor to ensure cybersecurity.

 

The role of the Cabinet Secretariat’s National center of Incident readiness and Strategy for Cybersecurity (NISC) is limited to formulating overall policy, monitoring administrative system security, and cybersecurity information sharing and advising. The Self-Defense Forces handle cyberattacks equivalent to an armed attack made during a contingency. The SDF exercises Japan’s right to self-defense in this case. In peacetime or in cases where the cyberattack is not equivalent to an armed attack, the government is not in charge of protecting systems unless they are SDF assets.

 

The hybrid war between Russia and Ukraine clearly shows that addressing cyberattacks that are not equivalent to an armed conflict is critical in cybersecurity. To address such attacks during peacetime, Japan needs to make possible (1) monitoring for attacks, (2) determining the attacker (attribution), and (3) taking countermeasures against attacks. Thinking about the form that warfare will take in the future, it is clear that equipment in the “new domains” of space, cyberspace, and electromagnetic spectrum will decide who will be victor on the battlefield. Therefore, Japan must urgently construct capabilities and put in place frameworks in the cyber domain.

 

Japan lags behind other nations because of its legal system. Monitoring to detect cyberattacks requires looking for signs of a cyberattack by intercepting and recording communications in the cyber domain.  Moreover, if a cyberattack occurs, records of past communications need to be scoured. If it were in the physical domain, it would be the national government’s responsibility to have in place a monitoring system to detect incursions from foreign countries. An example of this would be Japan’s monitoring of its territorial airspace for incursions. In the cyber domain, however, the national government is not permitted to intercept transboundary communications from foreign nations. In Japan, “secrecy of communications” is applied to all communications.

 

Regarding “secrecy of communications,” Article 21 of the Constitution states “the secrecy of any means of communication shall not be violated.” Based on this, Article 4 of the Telecommunications Business Act stipulates “The secrecy of communications handled by a telecommunications carrier must not be violated.” In other countries, secrecy of communications is a right of the people; however, limitations are generally placed on that right in the case of the “public interest,” including national security, criminal investigations, and cybersecurity.

 

In the United States, the United Kingdom, France, and other major countries, communications among citizens are protected, but the inspection and interception of transboundary communications are permitted from the perspective of national security. In other words, the right to secrecy of communications is not guaranteed among people of different nations. Moreover, a safety net is in place in Western nations and independent commissions and courts of law check for excessive interception of communications by the executive branch.

 

To determine the attacker (attribution) requires identifying the sender by not only analyzing recent communications records but also looking back through past communications retroactively. To search for this requires intruding into third-party servers and looking at past communications records until the origin of the attack is determined (i.e., tracing and reverse-intrusion).

 

To determine the attacker requires reverse intruding into the networks and computers from which the attack originated. Such activities may violate Japan’s Act on Prohibition of Unauthorized Computer Access; provisions on “unauthorized creation of electronic or magnetic records” in Article 161 of the Penal Code; and provisions governing “making of electronic or magnetic records containing unauthorized commands” in Article 168 of the Penal Code. In other words, in Japan, there are prohibitions against such activities.

 

As was the case with the censorship or interception of transboundary communications, governments overseas are permitted to engage in tracing and reverse-intrusion to determine the attacker if it is for the public interest (i.e., for the interest of national security and intelligence). These kinds of acts are permitted under Executive Order 12333 and the Foreign Intelligence Surveillance Act (FISA) in the United States, the Investigatory Powers Act of 2016 in the United Kingdom, and the Code of Internal Security in France.

 

Let’s now look at countermeasures against the attack. In the case of a cyber incident that has serious implications for national security, countermeasures must be taken that cost the attacker and make them stop the attack and never initiate another attack again. Technological countermeasures should include destruction of the attacker’s assets or halting of its systems.

 

Such measures are hard to implement in Japan because they may violate provisions on the “obstruction of business by damaging a computer” in Article 234 of the Penal Code or stipulations on “damage to property” in Article 261 of the Penal Code. Countries overseas, however, have developed their legal systems and frameworks, considering this indispensable for active cyber defense (ACD).

 

In France, for example, the National Cybersecurity Agency of France (ANSSI) implements ACD, as the agency in charge of the national military and cybersecurity under the Code of Internal Security. In the United States, ACD is implemented through Department of Homeland Security (DHS) measures based on Executive Order 13636 and through military measures based on U.S. Code Title 50 and the National Defense Authorization Act.

 

Japan cannot resolve this issue with a patchwork approach

 

Other countries are moving forward with building systems and implementing measures needed to ensure security in the cyber domain, including ACD to prevent attacks and espionage activities through reverse intrusion.

 

The Tallinn Manual 2.0 permits peacetime cyber espionage, and countermeasures against cyberattacks from overseas are admitted under international law. Japan’s legal framework, however, is a list of negatives and “must-not-dos“ for those seeking to detect and deter cyberattacks. This makes it is hard to take agile measures to protect the cyber domain.

 

Japan is clearly lagging behind in terms of its legal framework and countermeasures for cyberattacks. The Russia-Ukraine war has shown that the cyber domain is very important for national security and by extension the existence of the nation. Japan clearly needs to urgently update its framework. Security in the cyber domain has many unique characteristics that differ from the physical domain, and the understanding and cooperation of the people are indispensable.

 

Taking a patchwork approach of amending the Penal Code and other individual laws will leave Japan completely unable to respond to cyberattacks, which will surely occur in the future. Japan is just sitting on its hands and waiting for the nation to be toppled. Japan’s space development and use have moved forward greatly with the enactment of the Basic Space Act, but Japan needs to enact a Cybersecurity Basic Law (provisional name), which sets out in one place basic matters, including national policy and the role, authorities, and responsibilities of the state.

 

Profiles of the authors

 

Sato Ken is adviser to the Nakasone Peace Institute

After graduating from the Faculty of Law at the University of Tokyo, Sato joined the Ministry of Finance. He served as Director-General of the Bureau of Defense at the Defense Agency as well as Administrative Vice Minister of Defense and advisor to the Defense Agency. He was President of the Institute for International Policy Studies before taking up his current position. He was a member of the consultative committee on security matters in the Koizumi, Abe (first), Fukuda, Aso, and Abe (second) cabinets.

 

Osawa Jun is Senior Research Fellow at the Nakasone Peace Institute

Osawa received his BA and MA from Keio University. He was an advisor at the Policy Planning Division of the Foreign Policy Bureau at the Ministry of Foreign Affairs; visiting fellow at the Brookings Institution; a staff member of the National Security Secretariat; and senior fellow there. Concurrently, he serves as a board member of the Kajima Peace Institute. He specializes in international politics (strategic assessment and cybersecurity).

  • Ambassador
  • Ukraine
  • OPINION POLLS
  • COVID-19
  • Trending Japan