A top Japanese government panel has recommended the country begin widespread monitoring of Internet-based communications, establish a Cyber Defense Corps within Japan’s Defense Ministry to protect infrastructure, and ultimately set up a Cyber Security Center, a Japanese equivalent of the US National Security Agency (NSA), according to a member of the panel.
The June 10 report, “Cyber Security 2013,” by the National Information Security Center (NISC), Japan’s top government advisory panel on Cyber security issues, which is chaired by Prime Minister Shinzo Abe, recommended legislation to introduce monitoring and to strengthen laws to combat cyber espionage, although these could prove the most controversial, according to NISC panel member Motohiro Tsuchiya.
A first priority is to extend the competency of the Cyber Defense Corps, which is being set up in Japan’s Ministry of Defense (MoD), beyond protection of Japan’s armed forces, called the Self Defense Forces (SDF), he said.
“The MoD is thinking they cannot protect outside systems. They are focusing on protecting the SDF, since Cyber attacks do not typically involve obvious physical damage. We have proposed that the MoD must change its strategy,” Tsuchiya said.
A second step proposed by NISC is to introduce legislation to allow the Japanese government, probably through the establishment of a new agency, to monitor Internet-based communications, which is forbidden under both Article 21 of the Japanese Constitution and Article 4 of Japan’s Telecommunications Business Law.
“Under Article 21 and Article 4, the government is strictly prohibited from monitoring and wiretapping, for example. These restrictions are very strict and absolute. This is very extreme [in the context of international practice by other governments],” Tsuchiya said.
Under the NISC’s proposals, the new agency, provisionally called the Cyber Security Center, would be able to conduct limited monitoring of communications, targeting malware or suspicious communications, by setting up facilities at fiber-optic trunk communications landing points.
Tsuchiya said that Japan badly needed an equivalent of the NSA or the UK’s Government Communications Headquarters to combat a wave of increasingly serious Cyber espionage attacks on Japan.
“We might start monitoring communications. Japan is an island nation, and connected through submarine cables via landing stations. We can tap into these to watch malicious communications. We are not proposing deep packet inspection, for example. The ability to monitor headers and to use lists to stop distributed denial of service attacks might be sufficient,” he said.
Local media has reported that the new Cyber Security Center could be set up by 2015. But Tsuchiya disputed this because setting up such a body would require intensive negotiations among several turf-conscious ministries and agencies anxious not to lose budget or power. The National Police Agency, which is Japan’s primary domestic intelligence agency, has the most to lose in any reshuffle.
“At the moment, the Cyber Security Center is just a proposal on paper. But it’s a significant step forward just by the fact that it has been written,” Tsuchiya said.
NISC also recommends Japan introduce updated, focused legislation to define and punish Cyber espionage and Cyber crime.
At the moment, data protection laws cover only civil servants, and even those impose only relatively light punishments, for example, fines of ¥500,000 ($5,000) or a year in jail. The laws are wholly inadequate, lack scope and are badly dated, Tsuchiya said.
“The government’s main priority so far has been setting up the National Security Council. The Abe administration may try to draw up legislation in the summer. After that, there could be a lot of opposition, as many remember the bad experiences of the war,” he said.
The NISC’s proposals will be rolled into a final report early in July that will include an implementation roadmap, Tsuchiya said.