Though I can only say I’ve been an avid reader for a year now, I have gone through the Japanese Ministry of Defense’s Defense of Japan white papers from 2009-2011 in the past and enjoyed them thoroughly. Though Japan may only be de facto locked to 1% of GDP as defense spending, the size of its economy still places it as the sixth largest military by expenditure (per SIPRI 2012). Certainly there is enough substance to pay attention to defense affairs in Japan, and something caught my eye in the just-released Defense of Japan 2012. Besides including a quite thorough backgrounder section related to cyber threats and the cyber capabilities of allies, Chapter 3 of the report outlines a new and very concise list of measures the MoD will be taking to ensure its security. Here are those measures with my italicized comments.

1. Obligation introduced to submit a report to the Ministry of Defense immediately, in the event that a server or computer on which information that should be protected is stored becomes infected with a virus, etc. or is subject to unauthorized access, or if a server/computer connected to the same network as that server/computer is infected with a virus, etc.

This does well to address the persistent problem of non-reporting. Though it will not dissuade those that would hide security breaches out of shame for responsibility, properly implemented it could increase both identification and documentation of attacks for immediate response and post-attack analysis.

2. Compilation of a communication diagram that clarifies those in charge and those who should be contacted

Japan has been busy establishing a myriad of new cybersecurity organizations, not least of which is one to be established within the MoD itself. In such an environment, and despite the preeminence of the National Information Security Center (NISC) as an organ of the cabinet office, authority is somewhat confused and there is not a clear hierarchy which would otherwise allow for information regarding attacks to flow in the most responsive channels.

3. Implementation of a full scan by anti-virus software at least once a week

I’m a bit skeptical about this one. It is definitely a good psychological tool to convince employees to perform regular virus scans, but those are best at picking up the widely distributed viruses that one might contract by browsing .ru or .cn domains. MoD employees tend to be a bit more savvy, or at least composed, than to delve into the dangerous corners of the internet on computers networked to those with sensitive information. Moreover, the sophisticated nature of a highly tailored attack virus would potentially not be picked up by the scan. Mandatory scans are a useful tool, but definitely not the panacea that is needed.

4. 24/7 year-round monitoring to ensure that no information that should be protected is leaked outside the company

We can take this as a given, but the concept of constant monitoring – highlighted in NISC’s own 2012 guidelines – is one that needs to represent a complete shift of consciousness.

5. Preservation for at least three months of records of access to information that should be protected

I can’t really wrap my head around the logistics of how this might happen, but something tells me that these logs could be used against the MoD if released, if only to track behavior and access patterns. At the least they will serve to identify weak links – whether due to lack of training or being on a compromised machine.

6. Strengthening of encryption measures

Japan still lacks encryption standards, though it is getting there. NISC has tried to standardize the encryption algorithms used, but without them being mandatory to any degree, it is hard to regulate, especially when the strongest language towards persuading use is to “encourage.”

7. Audits of the status of education and training of staff

It is legendarily hard to fire someone in Japan and as a result it should come as no surprise that entrenched employees are resistant to new training. Time and generational shift may alter things, but with Japan’s ageing population that point may be moot. We can expect to see continued ineptitude in basic security measures and any concrete effort (as we can only hope this one to be) towards training and education is a worthwhile one indeed.

There is no mention, unfortunately, of the MoD cybersecurity entity whose creation NISC alluded to. Certainly this may still be in the pipeline, but the MoD does begin to step outside of its strict domain when it discusses the need for public-private partnerships in cybersecurity. As the Mitsubishi Heavy Industries hacking showed, it is as necessary to regulate contractors as it is the government entities themselves. The MoD positions itself as an entity that can contribute to external security, as well as one that can receive input from the computer security incident response teams (CSIRTs) that NISC and others can provide.

The 2010 National Defense Program Guidelines, the JSDF’s current guiding document, establishes the SDF as a component of the national response to cyber-attacks, with the resources put towards the SDF C4 (Command, Control, Communication & Computers) systems command being used to protect the public alongside an independent NISC. The 2012 White Paper further commits the SDF to the study, analysis and training related to cybersecurity. What is a new addition since 2011 is the endorsement of the Japan-U.S. Strategic Policy Dialogue and others as a venue for information sharing pursuant to security. Indeed, this year has been a golden one for bilateral partnerships and that the MoD is endorsing them is a great boon.

All in all, it is nice to see the Ministry of Defense include cyber in its ambitions. With the direction many Asian governments are headed in cybersecurity, it may be the year of the dragon, but it might as well be the year of the gigabyte.