Why Japan and the US Need Cyber and Data Security Cooperation for Their Economic Security

Ms. Mihoko Matsubara
Chief Cybersecurity Strategist, NTT Corporation


*This paper is derived from a presentation the author gave at a NEXT Alliance Conference workshop on November 5-6, 2022, in Annapolis, MD.

Introduction: Why cybersecurity is crucial for economic security

As the world becomes more reliant on digitization, cybersecurity plays an increasingly important role in ensuring that business and government activities continue without any disruption from cyber sabotage and in protecting intellectual property information from cyber espionage. An ever-growing number of information technology (IT) assets makes it more challenging for organizations to defend all systems from malicious actors.

Cybersecurity and incident response planning are also indispensable to ensure robust supply chain risk management. For example, ransomware attacks on the Colonial Pipeline[1] in the United States in May 2021 caused the company to suspend fuel deliveries for five days.[2] This incident demonstrated that a financially motivated cybercrime incident affecting one key supplier can cause an economic and national security crisis affecting all upstream companies dependent on this supply chain.

The damage caused by Colonial Pipeline’s insufficient cyber defense consequently spread to other business sectors and trade partners throughout the global supply chain. For example, the fuel shortage caused American Airlines to change flight routes, to adjust to reduced refueling options.[3] Furthermore, the incident rendered thousands of gas stations dry and led to higher gasoline prices throughout the United States.[4]

This is why both the Japanese and US governments have publicly acknowledged that cybersecurity is imperative for economic security. The Biden Administration acknowledged that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security”[5] in mid-May 2021, immediately after the Colonial Pipeline hack. Japanese Economic Security Minister Sanae Takaichi expressed the Japanese government’s commitments in October 2022 to move forward with cybersecurity policy and economic security as an interdependent package.[6]

Disruptive or destructive cyberattack risks

Major cyber threats to economic security include cyber espionage and disruption or destruction of public and private critical infrastructure. Cyber espionage involves state-sponsored actors or cyber criminals stealing information or intellectual property, causing a victim company to lose its market and diminishing its brand and reputation. Ransomware or “wiper” attackers suspend a victim’s business operations by encrypting critical data or deleting critical data from IT systems. Ransomware criminals then use their ill-gotten ransoms to fund the targeting of their next victims.

There are concerns that Russia might launch disruptive cyberattacks on the critical infrastructure of companies, not only in Ukraine but also among its allies, given a historic example in 2017.[7] When the NotPetya wiper attack first hit Ukraine in June 2017, the infection spread and affected at least 65 countries including Germany and the United States.[8] The estimated total damage amounted to more than $10 billion worldwide.[9] Since the Russian-led invasion of Ukraine in February 2022, at least seven new families of wiper have been used.[10] Furthermore, a Russia-based threat actor started ransomware attacks on the logistics and transportation industry in Ukraine and Poland in October 2022.[11] Microsoft warned that this could be a precursor to disruptive Russian cyberattacks on countries and companies that provide Ukraine with military or non-military aid.[12]

In addition to the risk of wiper attacks, ransomware attacks stifle economic activities and innovation. The average downtime caused by ransomware attacks was 24 days in the second quarter of 2022.[13] Financial impacts are also grave: in a recent survey conducted by the security company Cybereason, 67 percent of organizations that indicated they suffered losses from ransomware attacks said that their combined losses range between $1 million and $10 million.[14] Proofpoint revealed that 72 percent of surveyed organizations infected by ransomware are in the United States, and 64 percent paid a ransom in 2021. Fifty percent of Japanese organizations were hit by ransomware and 20 percent paid in that same year.[15]

It is also worrisome that small and medium-sized businesses (SMBs) are hit frequently by ransomware attacks, given that they play important roles in supporting the global supply chain. US Secretary of Homeland Security Alejandro Mayorkas cautioned business leaders during his speech in May 2021 that 50 to 70 percent of ransomware attack victims are SMBs.[16] The trend is similar in Japan. While Japanese companies defended themselves better from ransomware attacks last year, the Japanese National Police Agency warns that 52 percent of the victims were small and medium-sized enterprises in the first half of 2022.[17]

Cyber-enabled intellectual property theft risks

Although economic espionage by cyber means can easily go unnoticed and can be much more difficult to detect than ransomware attacks, intellectual property theft often leads to losing market competitiveness or even bankruptcy.[18] That is why the US government has repeatedly called for ending cyber espionage that targets intellectual property. After his summit meeting with President Xi Jinping in September 2015, President Barack Obama announced that the two countries agreed neither government will “conduct or knowingly support cyber-enabled theft of intellectual property.”[19]

Unfortunately, the spirit of this agreement has not been met even as of today. Director of US Counterintelligence William Evanina explained in October 2019 that cyber economic espionage causes the US economy to lose approximately $400 billion a year.[20]

Furthermore, geopolitical developments after Russia’s invasion of Ukraine may have increased the risk of cyber-enabled IP theft, as Russia seeks to substitute foreign technologies that the ongoing sanctions prevent Russia from accessing. In fact, the Russian Ministry of Trade and Industry admitted in September 2022 that the country is reliant on foreign technologies and factories.[21]

When Russian President Vladimir Putin gave a speech to the Russian Foreign Intelligence Service (SVR) in June 2022, he emphasized that one of their priority missions is to assist Russia’s industrial and technological development especially when sanctions are imposed on the country. His remarks have set off alarm bells among cybersecurity professionals.[22]

The Finnish Security and Intelligence Service, or SUPO, shares similar concerns. SUPO warned about growing threats of cyber economic espionage by Russia in September 2022, urging the industry to enhance its data security. In its National Security Overview 2022, SUPO pointed out, “Russia feels the need to begin substituting manufacturing of cutting-edge technology.”[23]

First policy recommendation: cyber threat intelligence sharing

Based on the cyber threat landscape, this paper proposes the following two policy recommendations to the Japanese and US governments: to establish a mutual warning mechanism and to conduct joint cyber exercises. First, the two countries should establish a mutual warning mechanism to share classified and unclassified cyber threat intelligence and alert both the governments and industry in a timely manner so that organizations can take measures for robust defense and resilience.

US governmental organizations such as the Departments of Energy, Homeland Security, and the Treasury have been offering classified and unclassified briefings to critical infrastructure companies at least since the fall of 2021.[24] Yet, only security clearance holders can access classified cyber threat intelligence, and some skilled engineers may not be able to participate in critical cyber defense efforts prompted by such classified warnings.

Global critical infrastructure companies in fields such as energy and finance employ people from multiple countries, and some of those employees will not have an American or Japanese security clearance, even though they may have cybersecurity responsibilities. Thus, it is crucial to avoid over-classification and to sanitize classified cyber threat intelligence by deleting information on methods and sources quickly rather than taking months or years. This will allow business executives and engineers to make strategic and/or tactical decisions to protect their intellectual property from cyber espionage or critical infrastructure and supply chains from disruption.

Still, some intelligence needs to remain classified, given the sensitivity. Some contextual feeds can be only provided through classified cyber threat intelligence reports or briefings for critical infrastructure companies, allowing them to decide on appropriate actions.[25]

That is why some argue that Japan needs to expand its security clearance system to cover not only central government officials and defense contractors but also other industry workers, based on the need-to-know and need-to-share principles.[26] While the Japanese Economic Security Promotion Act[27] currently does not cover the topic of security clearances, the Japanese government is aware of the need.[28]

Once Japan establishes a robust security clearance system, it would be easier for the country to share sensitive information not only with the United States but also with other like-minded countries. This is important, given that Japan’s supply chain expands beyond the two countries. The Quad leaders from Japan, Australia, India, and the United States agreed to start a Quad Cybersecurity Partnership to “share threat information between our governments and with industry partners” in May 2022.[29] To share sensitive intelligence internationally, strong encryption including post-quantum cryptography would also be required for data security.

Second policy recommendation: joint cyber exercises

Second, Japan and the United States should hold a cyber exercise inviting both government officials and critical infrastructure company specialists to test their capabilities to respond to a disruptive supply chain attack affecting multiple critical infrastructure sectors. This could include electricity, energy, medical services, telecommunication, and transportation, because these critical infrastructure sectors have overlapping inter-dependencies. A supply chain attack can have cascading effects on an entire country or even a region similar to the ransomware attack on Colonial Pipeline in May 2021.

The Japanese government has been holding such exercises on two fronts. The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) has been annually hosting a joint cyber exercise since 2006, inviting government ministries and critical infrastructure companies.[30] The latest exercise in December 2021 invited approximately 4,800 people to simulate their responses to a ransomware attack.[31] However, the past exercises have never included Japan’s Ministry of Defense (MOD) or Self-Defense Forces (SDF), probably because these exercises focus on the 14 critical infrastructure sectors but do not include the defense sector.[32]

However, it should be noted that an economic security crisis can evolve into a national security crisis, because Japan’s armed forces are largely dependent on civilian critical infrastructure, particularly energy. A shutdown of companies providing critical infrastructure can negatively impact military operations and degrade national security capabilities. It would be helpful for both the Japanese government and industry to include the MOD and SDF in the exercise series, so that they can learn how to communicate with other ministries and critical infrastructure companies and support each other during a crisis.

Intriguingly, the MOD and SDF have invited Japanese civilian agencies and critical infrastructure companies to the global cyber exercise, LOCKED SHIELDS, twice. Since 2010, the North Atlantic Treaty Organization Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) in Tallinn, Estonia, has been hosting an annual joint cyber exercise called LOCKED SHIELDS, which focuses on simulating like-minded countries’ responses to disinformation campaigns during a concurrent simulation of thousands of disruptive cyberattacks on different types of critical infrastructure sectors. This exercise series tests strategic and tactical decision-making, technical cyber defenses, legal understanding, communications/reporting, and international public-private cooperation.[33] More than 2,000 participants from 32 countries participated in April 2022.[34]

The MOD and SDF teamed with the US Indo-Pacific Command during LOCKED SHIELDS 2021 and with the UK Ministry of Defence and the British Armed Forces in 2022, as the exercise requires two countries to make a team. While neither the US nor the UK government has included other civilian governmental organizations or critical infrastructure companies, the Japanese side did invite other ministries such as NISC and some critical infrastructure companies.[35] This means that the Japanese MOD and SDF see the value of international public-private partnerships for resilience and supply chain risk management, and are willing to share their expertise with domestic and international partners.

Japan already has some experience in hosting and participating in joint exercises addressing inter-dependency issues of critical infrastructure. This is the time for Japan to take the lead to create an international joint cyber exercise with governmental and industry players from the US and other like-minded countries including the Quad members. Once Japanese critical infrastructure companies put more security clearance holders in place, such cyber exercises can also serve as a conduit to share classified insights to help cyber defenders more broadly.

Conclusion

Cyber-enabled IP theft and cyber disruptions by wiper or ransomware attacks cast a dark shadow over Japanese and US economic security. To ensure the resilience of industry and to protect the global supply chain, it would not be enough simply to rely on government-to-government cyber threat intelligence sharing. Critical infrastructure companies must be involved in information sharing and cyber exercises, and some of their employees should have access to actionable cyber threat intelligence gathered by government and industry sources.

Japan has begun taking some important initiatives such as the Economic Security Promotion Act and the LOCKED SHIELDS exercise to deepen and expand domestic and international public-private partnerships for robust supply chain risk management and cyber defenses. The country is moving in the right direction for economic security, and now needs to accelerate its efforts in collaboration with the United States and other like-minded countries to keep up with the fast and ever-evolving cyber threat environment.

Ms. Mihoko Matsubara wrote in her own personal capacity. The views and interpretations expressed by the author are solely her own.

The US-Japan NEXT Alliance Initiative is a forum for bilateral dialogue, networking, and the development of joint recommendations involving a wide range of policy and technical specialists (in and out of government) to stimulate new alliance connections across foreign, security, and technology policy areas. Established by Sasakawa Peace Foundation USA with support from the Nippon Foundation, the goal is to help improve the alliance and how it serves shared interests, preparing it for emerging challenges within an increasingly complex and dynamic geostrategic environment. Launched in 2021, the Initiative includes two overlapping lines of effort: 1) Foreign & Security Policy, and 2) Technology & Innovation Connections. The Initiative is led by Sr. Director James Schoff.

[1] Colonial Pipeline provides 45% of U.S. East Coast’s fuel supplies. See David E. Sanger, Clifford Krauss, and Nicole Perlroth, “Cyberattack Forces a Shutdown of a Top U.S. Pipeline,” The New York Times, May 8, 2021, https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html.

[2] Derek Brower and Myles McCormick, “Colonial pipeline resumes operations following ransomware attack,” The Financial Times, May 13, 2021, https://www.ft.com/content/b6ac99ea-d7c6-49dd-b7d7-1284ce2e85c0.

[3] Emma Korynta, “Colonial Pipeline hack impacting some long-haul flights,” WCNC Charlotte, updated May 11, 2021, https://www.wcnc.com/article/travel/colonial-pipeline-hack-long-haul-flights/275-6f0b116c-3b54-4975-bd6b-63f2a787f1c5.

[4] Clifford Krauss, Niraj Chokshi, and David E. Sanger, “Gas Pipeline Hack Leads to Panic Buying in the Southeast,” The New York Times, May 12, 2021, https://www.nytimes.com/2021/05/11/business/colonial-pipeline-shutdown-latest-news.html.

[5] White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[6] The Nihon Keizai Shimbun, “Takaichi Keizai Anpo Sho ‘saiba seisaku to Keizai anpo, ittai de kakuho’ [Economic Security Minister Takaichi is committed to ensuring economic security with cybersecurity policy embedded],” October 3, 2022, https://www.nikkei.com/article/DGXZQOUC204I20Q2A920C2000000/.

[7] Michael Hill, “UK organizations, Ukraine’s allies warned of potential “massive” cyberattacks by Russia,” CSO, September 28, 2022, https://www.csoonline.com/article/3674871/ncsc-chief-warns-uk-organizations-ukraine-s-allies-of-possible-massive-cyberattacks-by-russia.html.

[8] NPR, “’Petya’ Ransomware Hits At Least 65 Countries; Microsoft Traces It To Tax Software,” June 28, 2017, https://www.npr.org/sections/thetwo-way/2017/06/28/534679950/petya-ransomware-hits-at-least-65-countries-microsoft-traces-it-to-tax-software.

[9] FBI Director Christopher Wray, “FBI Partnering with the Private Sector to Counter the Cyber Threat,” Federal Bureau of Investigation, March 22, 2022, https://www.fbi.gov/news/speeches/fbi-partnering-with-private-sector-to-counter-the-cyber-threat-032222.

[10] Kevin Poireault, “NSA Cybersecurity Director’s Six Takeaways From the War in Ukraine,” Infosecurity Magazine, October 19, 2022, https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/.

[11] Microsoft Security Threat Intelligence, “New “Prestige” ransomware impacts organizations in Ukraine and Poland,” October 14, 2022, https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/.

[12] Clint Watts, “Preparing for a Russian cyber offensive against Ukraine this winter,” Microsoft, December 3, 2022, https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/.

[13] Coveware, “Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022,” July 28, 2022, https://www.coveware.com/blog/2022/7/27/fewer-ransomware-victims-pay-as-medium-ransom-falls-in-q2-2022.

[14] Cybereason, “Ransomware: The True Cost to Business 2022,” June 2022, https://www.cybereason.com/ransomware-the-true-cost-to-business-2022, p.8.

[15] Proofpoint, “Proofpoint, phishing kogeki no genjo wo akiraka ni shita nenji repoto ‘2022 State of the Phish’ wo happyo [Proofpoint published an annual report called ‘2022 State of the Phish’ to update phishing attacks],” April 11, 2022, https://www.proofpoint.com/jp/newsroom/press-releases/proofpoints-2022-state-phish-report-reveals-email-based-attacks-dominated.

[16] Doug Olenick, “DHS Secretary: Small Businesses Hard-Hit by Ransomware,” BankInfoSecurity, May 6, 2021, https://www.bankinfosecurity.com/dhs-secretary-small-businesses-hard-hit-by-ransomware-a-16529.

[17] National Police Agency, “Reiwa 4 nen kamihanki ni okeru saiba kukan wo meguru kyoi no josei to ni tsuite [Cyber threat trends in the first half of 2022],” September 15, 2022, https://www.npa.go.jp/publications/statistics/cybersecurity/data/R04_kami_cyber_jousei.pdf, p. 2-3.

[18] European Commission and PwC, “Study on the Scale and Impact of Industrial Espionage and Theft of Trade Secrets through Cyber,” December 2018, https://op.europa.eu/en/publication-detail/-/publication/4eae21b2-4547-11e9-a8ed-01aa75ed71a1/language-en, p. 28.

[19] The White House, “Remarks by President Obama and President Xi of the People’s Republic of China in Joint Press Conference,” September 25, 2015, https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/remarks-president-obama-and-president-xi-peoples-republic-china-joint.

[20] Vice, “The Economic Toll of China’s Cyber Espionage,” July 27, 2016, https://video.vice.com/en_us/video/the-economic-toll-of-chinas-cyber-espionage-scene/579780624bfe8ab01eafb1ec.

[21] Kommersant, “Электронику начнут с чистого нуля [Electronics starts from scratch],” September 13, 2022, https://www.kommersant.ru/doc/5558844.

[22] Kremlin, “Владимир Путин поздравил сотрудников и ветеранов СВР со столетием нелегальной разведки [Vladimir Putin congratulated employees and veterans of the Foreign Intelligence Service on the centenary of illegal intelligence],” June 30, 2022, http://kremlin.ru/events/president/news/68790, and Alexander Martin, “Fears grow of Russian spies turning to industrial espionage,” The Record by Recorded Future, September 14, 2022, https://therecord.media/fears-grow-of-russian-spies-turning-to-industrial-espionage/.

[23] SUPO, “National Security Overview 2022,” https://supo.fi/en/national-security-overview, and “Foreign intelligence and influence operations,” https://supo.fi/en/intelligence-and-influence-operations, and “National Security Overview: Russian intelligence changes approach,” September 29, 2022, https://supo.fi/en/-/national-security-overview-russian-intelligence-changes-approach.

[24] The White House, “Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022,” March 21, 2022, https://www.whitehouse.gov/briefing-room/press-briefings/2022/03/21/press-briefing-by-press-secretary-jen-psaki-and-deputy-nsa-for-cyber-and-emerging-technologies-anne-neuberger-march-21-2022/.

[25] Kevin Poireault, “NSA Cybersecurity Director’s Six Takeaways From the War in Ukraine,” Infosecurity Magazine, October 19, 2022, https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/.

[26] Shigeji Kakinuma, “Gijutsu ryushutu boshi saku to shite no sekyuriti kuriaransu – Keizai Anzen Hosho Suishin Ho no kaisei ni yoru seido donyu ni mukete – [Security clearance to prevent technology thefts – points to discuss to revise the Economic Security Promotion Act],” Keizai no Prisumu (Economic Prism), No. 217, October 2022, https://www.sangiin.go.jp/japanese/annai/chousa/keizai_prism/backnumber/r04pdf/202221701.pdf, p. 1-2.

[27] The full text of the Economic Security Promotion Act is available in Japanese here: https://elaws.e-gov.go.jp/document?lawid=504AC0000000043_20230517_000000000000000.

[28] Kyodo News, “Japan’s economic security law takes effect amid regional tensions,” August 1, 2022, https://english.kyodonews.net/news/2022/08/18a4fe0f5512-japans-economic-security-law-takes-effect-amid-regional-tensions.html, and The Office to Prepare for Economic Security Promotion Legislation under the Cabinet Secretariat, “Keizai Anzen Hosho Suishin-ho no shingi – Kongo no kadai to ni tsuite [Issues to discuss on the Economic Security Promotion Legislation],” July 25, 2022, https://www.cas.go.jp/jp/seisaku/keizai_anzen_hosyohousei/r4_dai1/siryou3.pdf, p. 2, 5.

[29] Japanese Ministry of Foreign Affairs, “Quad Cybersecurity Partnership: Joint Principles,” May 24, 2022, https://www.mofa.go.jp/files/100347801.pdf, p. 1.

[30] NISC, “Bunya odan teki enshu ni tsuite [Cross-sector exercises],” October 29, 2018, https://www.nisc.go.jp/pdf/council/cs/ciip/dai16/16shiryou06.pdf, p. 1.

[31] NISC, “Juyo inhura 14 bunya wo taisho ni sabisu shogai taio no tame no saiba enshu wo jisshi – 2021 nendo ‘bunya odanteki enshu’ [Hosted JFY 2021 cross-sector cyber exercise with critical infrastructure companies from the 14 sectors to simulate service disruptions],” December 9, 2021, https://www.nisc.go.jp/pdf/policy/infra/bunya_enshu20211208.pdf.

[32] NISC, “Juyo inhura gurupu [Critical Infrastructure Group],” Accessed on October 23, 2022, https://www.nisc.go.jp/policy/group/infra/index.html. As of today, the Japanese stewardship ministries and agencies are the Financial Services Agency (finance), Ministry of Internal Affairs and Communications (telecommunication and local government services), Ministry of Health, Labour and Welfare (medical services and water), Ministry of Economy, Trade and Industry (electricity, gas, chemical, credit, and petroleum), and Ministry of Land, Infrastructure, Transport and Tourism (airlines, airports, railways, and logistics).

[33] CCD COE, “Locked Shields,” Accessed October 24, 2022, https://ccdcoe.org/exercises/locked-shields/.

[34] CCD COE, “Over 2000 Cyber Experts from 32 nations at the Locked Shields Exercise,” Accessed October 24, 2022, https://ccdcoe.org/news/2022/over-2000-cyber-experts-from-32-nations-at-the-locked-shields-exercise/.

[35] Ministry of Defense, “NATO saiba boei kyoryoku senta ni yoru saiba boei enshu ‘Locked Shields 2021’ heno sanka ni tsuite [Participation in Locked Shields 2021 cyber exercise hosted by the NATO CCD COE],” April 13, 2021, https://www.mod.go.jp/j/press/news/2021/04/13b.pdf, and “NATO saiba boei kyoryoku senta ni yoru saiba boei enshu ‘Locked Shields 2022’ heno sanka ni tsuite [Participation in Locked Shields 2022 cyber exercise hosted by the NATO CCD COE],” April 19, 2022, https://www.mod.go.jp/j/press/news/2022/04/19e.html.
