Japan | Shift to a more offensive cyber posture in 2023

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 21 December 2022.

• Japan has set out a strategy to shift towards a more offensive cyber posture amid wider efforts to adopt a more assertive military defence posture
• Any offensive cyber operations would probably be preemptive and seek to disrupt the network infrastructure of its adversary hacker groups and states, particularly China
• For this reason, we do not anticipate that the already-negligible threat of hostile cyber activity against organisations by Japan will increase in 2023 and beyond

As part of its new national security strategy, the government is advancing efforts to monitor foreign cyber attackers and preempt attacks by hacking their systems. This would be a significant change in Japan’s largely defensive cyber posture thus far. Any offensive cyber operations would be likely to target adversary hacker groups and their network infrastructure, particularly in China. And so these would probably not raise the threat of hostile cyber activity to organisations globally.

A strategic shift

The new strategy by Japan is its most significant move so far to bolster its defence and deterrence capabilities in cyberspace. It has advanced international cyber cooperation and collaboration in recent years; Japan joined NATO’s Cooperative Cyber Defence Centre of Excellence in November, and it has worked with its ‘Quad’ partners – Australia, India and the US – to bolster the cyber security of critical infrastructure. According to the new strategy published by the government, some of the measures that it aims to advance efforts on include:

• Bolstering information sharing with the private sector in the event of a ‘cyberattack’, including against critical infrastructure, and helping coordinate and support incident response measures for the private sector
• Detecting servers that Japan suspects are used by cyber attackers, by utilising information on communication services provided by domestic telecom firms
• Providing the ‘necessary authorities’ the ability to penetrate and neutralise the servers of an attacker in anticipation of ‘serious cyberattacks’ that pose security concerns to the government and Japan’s critical infrastructure

Worsening geopolitical tensions in the Indo-Pacific in recent years have almost certainly accelerated Japan’s plans to develop its defence capabilities, including in cyberspace. In its national security strategy, Japan highlighted China, North Korea and Russia as contributing to tensions in the region. It also said that for the first time it will obtain ‘counter-strike capabilities’ and boost annual military expenditure to around 2% of GDP. The Financial Times has also reported that Japan will form a 20,000-person team within its Self-Defense Force to ‘prevent cyber attacks before they occur’.

On the front foot

Based on the national security strategy and constitutional restraints on Japan using force, any offensive cyber operations would likely be preemptive against the systems or networks of its adversaries. And although the government has not clarified what would constitute a ‘serious cyberattack’ that would prompt it to pursue preemptive offensive cyber operations (probably to ensure strategic ambiguity), this would probably be prompted by any specific intelligence of foreign hackers preparing disruptive cyberattacks on critical infrastructure.

A former UK national cyber security source told us last week that although they were unaware whether Japan would be ‘actively attacking in order to gain intelligence’, it would ‘be one way in which intelligence agencies get one step ahead of their attackers’. This would be similar to how other Western powers, such as the UK and US, appear to have conducted such operations in the past. The latter, for example, has said it conducted cyber operations to identify and disrupt foreign adversary network infrastructure to secure recent midterm elections.

Preemptive or retaliatory cyber operations by Japan would most likely target the network infrastructure, such as servers, of adversary hacker groups. These are particularly likely against groups in China, North Korea and Russia, which all pose strategic threats to Japan. These states sponsor cyber groups capable of infiltrating and disrupting critical network infrastructure or conducting pervasive intelligence collection. The Japanese authorities in 2021 accused hackers linked to the Chinese military of a cyberespionage campaign that had breached more than 200 Japanese companies and organisations since 2016.

Even if geopolitical and military tensions in the Indo-Pacific significantly worsen over the coming years, we doubt that Japan would seek to engage in tit-for-tat disruptive cyber operations on the critical infrastructure of its adversaries. This has often been the case between countries such as Iran and Israel in recent years. The wording of the national security strategy suggests that any offensive cyber operations would be specifically targeted against the network infrastructure of adversary hacker groups, rather than to cause wider disruption on the critical infrastructure of its adversaries outside of wartime.

Any offensive operations by Japan would be unlikely to raise the exposure of organisations to cyber threats. The country does not appear intent on pursuing a campaign of cyber espionage or intellectual property theft against organisations to gain a competitive advantage in key industries, much like China has done. In Japan itself, the finance, defence, education and media industries are likely to remain attractive targets for cyber operations by hostile nation states and cybercriminal groups over the coming years.

Image: Japan’s Prime Minister, Fumio Kishida, attends a press conference in Tokyo on December 16, 2022. Photo by David Mareuil via Getty Images.