This week the Financial Times reported that Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) had been hacked. The story raises some interesting points about cyber policy and strategy, both about how difficult it is to improve cyber security whilst under the persistent threat of penetration by adversaries, and about the challenge of how to interpret the intention behind such breaches. This post explains some of that context and links to several reports and articles I’ve found useful in understanding the background to this story.
The NISC hack reportedly began in late 2022 and apparently went undetected until June 2023. That’s an uncomfortably long dwell time. The story reports attribution claims that point to China. Reportedly, the original breach was caused by email compromise and an official investigation “had concluded that only information on its email system was compromised.” If true, the incident could certainly have been much worse, but it’s clearly bad enough – and there’s insufficient information available publicly to be confident that it won’t subsequently be revealed to have been worse.
There are a few wider points that I think are worth drawing out about this story.
Geopolitical context
First, there is an obvious geopolitical context for a story about Chinese cyber espionage against Japan. It’s been widely reported that, to counter China (or, if you prefer to express basically the same point more diplomatically, to pursue ‘a free and open Indo-Pacific and a peaceful and prosperous world’), Japan is in the process of addressing several gaps: in diplomatic capacity, militarily, and in reinvigorating its alliances and partnerships. In that context, the simple fact of either state spying on the other shouldn’t surprise anyone. Espionage is to be guarded against, remediated when discovered and perhaps called out (though sometimes not), but it is absolutely to be expected as an inevitable component of statecraft.
Improving national cyber security is hard
Second, this particular report appears to be a case of ‘bad news likes company.’ Remember this Washington Post report from earlier this month that Chinese hackers had penetrated Japan’s defence network in a previous long-running hack? This should have primed readers to expect other, similar stories. If sensitive defence networks were compromised, why not those of Japan’s premier cyber security agency? It shouldn’t really be surprising that, relatively soon after such a serious breach, severe cyber security problems remained in Japan’s defence and security apparatus. It is still clearly bad, and it shows both why Japan would benefit from the closer collaboration it has sought with allies and partners, and why some reassurance about sensitive cooperation will be needed. It’s also worth framing this story as the latest in a longer-running series of stories about national (governmental and corporate) shortcomings in Japan’s approach to cyber security, in the context of which Japan appears to have made essentially reactive efforts to intensify cyber defence reforms: reforms that had a longer pedigree but which, for structural reasons, had a slower and smaller impact than was desirable.
The silver lining, such as it is, is that these serious breaches – and the attendant publicity from the news coverage – should act as a driver (yet another cyber security ‘wake up call’) for persistent improvements over time. The grey cloud inside the silver lining (sorry for that, but you know what I mean), is that achieving improvements will be difficult – particularly so, in the light of the last decade of history and if Japan’s government faces an uphill battle to recruit cyber defence experts, which, according to the FT story, it does. If there are further negative stories still to be reported, that won’t be a surprise, but nor should it necessarily be taken to mean that Japan hasn’t started to turn the page. It could simply be that overturning this very problematic legacy is a slow road – one that Japan has been on for some time (see here and here), but arguably without the necessary momentum. Incidents like those reported this month are important data points, but need to be seen in the broader context of Japan’s cyber security experience a decade since its first cyber strategy.
Responding to attribution allegations: why would you think it was us?
A third point worth highlighting is the apparent script followed by the Chinese foreign ministry’s reported response to the story. It’s interesting that the Chinese government’s denial brings up past allegations about US espionage targeting Japan. This isn’t just going through the motions (of course, it is that, to some extent); it’s also simply an obvious point for China to make, and for any other state publicly accused of espionage to make, given the allegations long in the public domain from Snowden, Wikileaks, etc. It’s the gift that keeps on giving, though presumably with diminishing impact over time. Clearly, it isn’t going to confuse the Japanese investigation of this incident, or its ultimate attribution judgement, for a second, but that’s hardly the point of the Chinese statement, which is presumably aimed squarely at different, possibly more receptive audiences within the global public sphere.
Divining intention: signalling vs. helping your adversary?
The final point I thought was interesting in the FT story was a curious passage regarding debates about attribution: “In July, the port of Nagoya was temporarily closed down in what was believed to be a Russian ransomware attack. But concerns have been raised at the highest levels in Tokyo over whether the incident was part of an attempt by state actors such as China to test Japan’s defences.”
This is interesting because it suggests potential obfuscation by the threat actor responsible for the breach – a Chinese state actor disguising its operation as that of a cybercriminal group out to extract a ransom payment? It would be interesting to know whether this is pure speculation or based on some more specific information revealed during the incident investigation and response.
But aside from that, this detail also introduces the question of what purpose would have been served by a Chinese cyber operation targeting civilian infrastructure in Japan. What intention (or intentions) might have led to such an operation, and how carefully would the institution responsible for approving it have considered the implications of its being discovered? Espionage preparatory to a possible future disruptive or destructive attack would seem to violate norms against attacking civilian infrastructure. But breaching a system to signal that you had the capability to achieve destructive effect is an operation with a different intended message, even if it is difficult to conceive beforehand how the victim is likely to interpret and respond to this message.
I made this connection on reading another FT story this week, in which an unnamed US defence official is quoted as saying that the US has benefited from ‘deterrence as defence’: that is, from deterring more serious cyber attacks because its adversaries are aware that the US is present on their own infrastructure and could therefore respond in kind. So, if that logic was motivating some Chinese cyber operations, then a breach of its adversaries’ civilian infrastructure, just to prove it could, wouldn’t seem all that surprising.
That said, although this kind of signalling appears to play a part in some states’ calculations about how to use cyber operations, it runs counter to another line of thinking – expressed recently by the UK National Cyber Force (NCF). The NCF suggested that: ‘As a general rule we cannot and do not avow cyber operations, as to do so undermines the benefits of ambiguity and risks enabling adversaries to develop better defences.’ The dilemma here is that, by making it known to adversaries that they suffer from exploitable vulnerabilities, you are essentially offering free advice to help them to improve their cyber security (making it difficult for you to achieve the same or similar effects in future).
In Japan’s case at least, if any of the cyber operations it has suffered in recent years was motivated by this signalling intention, then Japan’s response (to embark earnestly on what should be a significant national improvement over time) can reasonably be read as exactly this kind of foreseeable consequence. To my mind, that is a costly consequence for the attacker, and it arguably makes a different interpretation of infrastructure-targeting more plausible: testing defences without being seen, and exploring where vulnerabilities might be exploited if and when necessary in future.
Conclusion
To conclude, this week’s story highlights once again that Japan is on a slow and difficult cyber security journey. It highlights the many challenges facing states as they develop and implement cyber policy and strategy. For Japan, this isn’t the first and won’t be the last breach (either reported or unreported). But there is some evidence that, over time, Japan’s approach has shifted and exhibits a greater sense of urgency. Whether subsequent efforts will be more fit for purpose than previous periods of reform is hopefully a question that those involved in implementing the current strategy reflect on carefully.