Kaori Kaneko, Tim Kelly and John Geddie, Associated Press
As the United States faces security threats across the globe, its close ally Japan has committed to stepping up as a trusted defence partner — but Tokyo’s cyber and information security vulnerabilities remain a concern, officials and experts say. Japanese Prime Minister Fumio Kishida, who is overseeing a once-unthinkable military build-up, told the US Congress this month that Tokyo was committed to helping its partner counter challenges ranging from Russia’s war in Ukraine to an increasingly assertive China. That came as the allies announced new areas of military cooperation, including tapping Japan’s industrial capacity to bolster defence production and possibly developing new technologies with AUKUS security partners Australia and Britain. But Tokyo has suffered high-profile hacks in recent years that have shut down its biggest port, breached servers at its leading defence contractor, Mitsubishi Heavy Industries , and even infiltrated the government’s own cybersecurity centre. Although Japan is not alone in being targeted by such attacks, they have elevated long-held concerns over whether Tokyo can fully support its security partners.
“It’s really been an Achilles heel for Japan and the U.S,” said Mark Manantan, director of cybersecurity and critical technologies at the Pacific Forum think tank in Hawaii. Japan faces an uphill battle in creating the systems and finding the people it needs to plug these vulnerabilities, officials and experts say. Dennis Blair, the former US director of national intelligence, travelled to Tokyo in 2022 to address lawmakers and journalists, telling them Japan’s weak cyber defences were the biggest liability in the countries’ security alliance. Later that year, Japan announced plans to recruit more personnel for its cyber capabilities. But the pace of recruitment seems set to slow, according to the latest defence ministry figures, amid fierce competition for such workers and high private-sector salaries. A U.S. State Department spokesperson said Japan’s “ability to adequately protect sensitive data and information” would be considered when identifying collaboration opportunities. Asked whether Washington had raised such concerns with Tokyo, Japan’s defence and foreign ministries said they had been communicating closely on the matter but declined to elaborate on the discussions.
In 2022, Kishida unveiled a historic plan to double defence spending over five years, including moves to quadruple its core cyber defence force to about 4,000 people, backed up by 16,000 support staff. Kazuhisa Shimada, a former vice defence minister and one of the key architects of that plan, told Reuters the recruitment target would be tough to hit within that time frame. “When we came up with the number, our cybersecurity officials were cautious,” he said. “Japan as a whole lacks cybersecurity human resources.” The defence ministry said in April it had recruited 2,230 core members so far and expects to add another 180 by March 2025, but was still aiming to hit its target. It did not say how many support staff were in place. Defence Minister Minoru Kihara has proposed easing physical fitness requirements and offering salaries up to 23 million yen ($149,108), the same as a top bureaucrat, for cyber recruits. But that is only half of what a senior industry expert can earn, according to Itsuro Nishimoto, chief executive of Japanese cybersecurity firm LAC Co., and unlike private firms the government must hire only Japanese nationals.Japan also said in 2022 it wants to pre-emptively hunt down and neutralise potential cyber threats, many of which originate beyond its borders, a tactic commonly used by its allies. But the government has yet to submit the legal amendments to parliament that would allow such strikes — controversial given the country’s pacifist constitutional constraints. Akihisa Nagashima, a ruling party lawmaker and former deputy defence minister, said those amendments may not reach parliament until next year, which was disappointing given “Japan is getting cyber attacks on a daily basis”. Japan’s National Police Agency said the daily average number of cases of suspicious internet access, a broad measure that includes cyberattacks, hit a record of 9,144 last year, up from a previous record of 7,708 in 2022.
Expectations that Japan can step up international collaboration on defence projects have been bolstered by Tokyo recently relaxing rules on defence exports. The country can now ship Patriot air defence missiles it builds under licence back to the United States, for example, and will let Britain and Italy export an advanced jet fighter they are developing together. Although it would be a leap for Japan to supply arms to a country at war, the rule changes have opened the door for overseas arms manufacturers to tap industrial capacity that was once off limits. Even that may be tangled in bureaucracy, however. Because Japan does not have a system for companies to handle classified information comparable to those of the US and its other allies, projects such as the fighter jet are done under burdensome bespoke frameworks, said Jeffrey Hornung, an expert in Japanese security policy at the Rand Corporation.