The Japanese National Information Security Center (NISC)’s annual policy document “Information Security 2011” (IS2011) opens its executive summary with the line “A global, open network is a key to promote innovation for developing the economy and improving people’s lives” (p.8). Such a phrase could easily come from any of the technologically advanced, liberal democracies from which the fruit of digital innovation often springs, yet in Japan’s context it represents a principled stand against the draconian, authoritarian measures that might otherwise solve its recent problems with cybersecurity. Information Security 2011 lays out some concrete measures towards security that do not significantly impact the freedoms that the internet bestows upon its unencumbered users.

Broadly, the 2011 document can be broken down into four new areas of focus: cloud computing, smartphones, disaster resistance and cooperation. In the foremost case, cloud computing represents a transition on both the consumer and the corporate level towards entrusting data to the World Wide Web. Yielding the security of intranets for their extroverted partner may seem a dangerous step for a country already facing a litany of attacks, but it also makes for gains in efficiency as practices such as telecommuting can reduce the costs and footprint of workers on Japanese society. IS2011 calls for participation in multilateral discussions to set standards for cloud computing while going so far as to recommend a common recognition format for assurance criteria between user and service provider. The government itself is in the process of creating a “common government platform” cloud which will be based on IPv6 and may prove the critical bulwark of governmental cybersecurity.

As for phones, Japan may only have 6% penetration in the smartphone market, yet its longer history of data-enabled phones has seen it further integrated with the features provided by smartphones. Whether an iPhone or one of AU’s staple flip phones, the deficit compared to US penetration (est. 31%) is made up for by Japan’s global lead in video sharing, web access and search usage. The chart below does well to illustrate the nuanced role smartphones play in Japan (credit to infographiclabs.com).

Obviously, smartphones are ahead in certain respects in Japan, and this lead is in sectors which find themselves particularly vulnerable to security breaches. Phone security cannot begin to approach system security in terms of both user responsibility and platform vulnerabilities. Unfortunately, apart from putting the onus of security on the user, IS2011 does little more than promote the dissemination of security information and call for further study. It does, however, consider smart appliances to be a frontier in security technology.

The March 11th, 2011 Tohoku earthquake and tsunami had a profound effect on the Japanese public and government, spurring long-stagnant and dramatic reform in governance, corporate accountability and nuclear power oversight. The disruption of critical infrastructure, such that phone networks were cut down to essential services only (emergency calls, no person-to-person calls), put a new focus on digital resources as loved ones reached out to one another through e-mail and text message. IS2011 speaks about creating a “disaster resistant infrastructure,” something in line with what JR and NTT have been calling for. The telecommunications bubble is easily popped in a time of crisis, and the Great Earthquake did well to awaken Japan to the need to create an ITC foundation that can adapt to periods of overwhelming use in a crisis.

Cooperation is a broader topic which merits its own consideration. IS2011 calls for cooperation at the government and police level, yet more broadly it is necessary to delineate between international and domestic cooperation. Domestically, the government is trying to extend itself down to the local level, providing support, resources, training and websites to assist local government in attempting to keep pace with the challenges they face. Police, too, are to receive further support and training from NISC and the cabinet office. Meanwhile, the paper puts special emphasis on public-private partnerships, meant to extend the security resources of the national government to those agencies which safeguard industry and national secrets.

Internationally, IS2011 endorses bilateral dialogues such as those held with the United Kingdom and the United States while making specific provisions for the ASEAN-Japan Information Security Policy meeting. The Ministry of Foreign Affairs has even planned a Convention on Cybercrime, approved July 4, 2012 and to be held from November 1, 2012.

Many other changes are planned. All government activities are to be monitored by the Government Security Operation Coordination Team (GSOC) 24 hours a day. The Ministry of Defense and the Self Defense Forces are to create internal organizations to oversee cybersecurity. More stringent encryption standards are to be promoted, though not mandated. At the center of all this would be NISC, with the authority of the cabinet office allowing it to extend into all branches of government.

Broadly speaking, the action items of IS2011 are to be achieved through human resource development, analysis and research, and dynamic partnerships. Human resource development extends down from the cabinet office through constituent agencies in the form of training and web resources that can assist potential victims, things like the National Police Agency’s “@police” site, or Japan’s “Anti-Phishing Council.” Analysis and research is to be conducted from a “test bed” to be created by NISC: a sandbox in which threats can be evaluated. Finally, partnerships with other countries, multilaterals, or even the Korea Internet and Security Agency (KISA) flesh out what is an otherwise impressive security portfolio.

One year on, it has been a mixed bag as to which of these have been achieved, and it would seem that these provisions represent more of a guiding ideology than anything with a concrete timeline.

There are areas, too, that the document does not address, and some whose necessities it fails to rise to. That encryption is suggested and not mandated means that it will not be used in the majority of cases. Though the document does well to center operations on NISC, it does not give it or request any specific power to override noncompliant agencies. Whereas Japan has traditionally led the world in its support of private sector cybersecurity, IS2011 does surprisingly little in terms of public-private support, not that this would make Japan any less of a leader in this respect. IS2011 shines in its specific provisions for cooperation etc., yet as it is applied to the geopolitical stage, where states become antagonistic actors in cyber, its main reinforcement is against network saturation born of disaster, not of the safeguards which prevent cyber attacks in the first place. Emphasis on training is critical, and IS2011 has some of that, but it must be all the more comprehensive if the government intends to move its resources into the cloud.

Stay tuned for analysis of Information Security 2012 as a provisional translation becomes available….