Lawfare News

A Glimpse into Private-Sector Cybersecurity in Japan

Mihoko Matsubara
Tuesday, June 26, 2018, 1:47 PM

PDF Version

Review of Shinichi Yokohama’s “Keiei to Saiba Sekyuriti—Dejitalu Rejilienshi [Business Management and Cybersecurity - Digital Resiliency for Executives]” (Nikkei BP, 2018).

***

Published by The Lawfare Institute
in Cooperation With
Brookings

PDF Version

Review of Shinichi Yokohama’s “Keiei to Saiba Sekyuriti—Dejitalu Rejilienshi [Business Management and Cybersecurity - Digital Resiliency for Executives]” (Nikkei BP, 2018).

***

The traditional approach in Japan by the large-scale corporate sector to addressing national technology policies—such as cybersecurity requirements—that will inevitably affect wide swathes of industry has been to await instructions from government regulators. The approach of large American corporations, by contrast, has long been to engage proactively and publicly with government agencies, through their own corporate policy teams or industry-wide trade associations, with the aim of being part of policy and regulatory formation. Industry and particular corporate businesses bring their own agendas and goals to the American public policy conversation, to be sure. They also bring important technical and operational knowledge of the issues and policy choices—ever more so in a world dominated by increasingly complex technologies.

Thus it is rare, even today, for a Japanese company to have its own in-house public advocacy team. Although there are informal ways in which the corporate sector communicates its views, the formation of public policies that impact government itself; the Japanese public and society; and the worldwide consumers, clients, and business partners of Japanese companies remains largely in the hands of regulators. These regulators often lack the technical and operational knowledge that the private sector possesses, even as government policymakers make policy for society and the economy as a whole.

The social and economic downsides of this passivity on the part of Japanese industry, reports Shinichi Yokohama in his new book, “Business Management and Cybersecurity—Digital Resiliency for Executives,” are visible in the vital area of cybersecurity. Cybersecurity, of course, exemplifies the interconnectedness of, well, everything—but also the vulnerabilities that goes along with it. The book challenges the traditional passivity of Japanese industry and encourages business leadership to share technical and operational insights with the government—actively and affirmatively to contribute to policymaking around issues of cybersecurity.

Since 90 percent of information and communications technology (ICT) assets in Japan belong to industry (the remainder largely consumer or household devices), Yokohama believes that industry should take the initiative to ensure safety and security in cyberspace. Cyberspace is, in important respects, a matter of public goods. He further argues that Japan, its private sector and government agencies, should work together with other countries to create globally overarching policy and standards for addressing cybersecurity issues that run across national borders.

“Business Management and Cybersecurity” makes its case in six chapters. The first chapter explains what constitutes cybersecurity and what kind of impacts cyber incidents can pose to business operations. The second chapter explains why cybersecurity is a business management challenge. The third chapter compares the cybersecurity postures and policies of large Japanese, U.S., and European countries, and offers advice to Japanese C-suites on what to keep in mind in addressing cybersecurity. The fourth chapter encourages Japanese businesses (and by implication corporate actors in other countries) to seek industry-sector-based collaboration such as Information Sharing and Analysis Centers (ISACs), including for cross-border application. The fifth chapter describes how U.S., Southeast Asian, and European governments are able to work collaboratively on cybersecurity policy and public advocacy. The last chapter discusses how private industry can contribute to public-private partnerships in education and training as well as cyberthreat intelligence sharing.

It must be said that Japanese policy makers and C-suite executives would find all the chapters beneficial to identify what business leaders need to do for cybersecurity, sector-based collaboration, and public-private partnerships. Non-Japanese business audiences (reading the book in its English translation), on the other hand, would likely think the core message of the book (“cybersecurity is a business management challenge and industry needs to take the initiative to shape national cybersecurity policy and input practical insights to government”) is very far from being new or even interesting. This state of affairs, however, is noteworthy on its own terms—disturbing, in franker terms - because, as policy messages directed to corporate actors go, it is still new for Japan’s corporate executives.

The ambitious endeavor to publish a free English version of “Business Management and Cybersecurity” allows it to reach out to two different groups of language-speakers and two different expertise-level audiences. The book refers to cybersecurity developments outside Japan such as U.S. ISACs and the U.S. National Institute of Standards and Technology (NIST) Framework in order to compare the differences between Japan and elsewhere and in order to urge the book’s audience to think what cybersecurity approaches would work in Japan and how. While Japanese readers may find the information about non-Japanese countries useful to think about their next cybersecurity steps, the description itself is not insightful for non-Japanese readers. The introduction of the “Business Management and Cybersecurity” indicates that the author expects his audience to skip some pages and read only the ones relevant to their interests and background.

This does not mean the book offers no worthwhile insights to non-Japanese readers. This is, after all, the first comprehensive book to explain and compare specific cases about how Japan and other countries operate for cybersecurity policy, public-private partnerships, industry sector-based collaboration, and cyberthreat intelligence-sharing. Most Japanese books on cybersecurity, by contrast, focus on technical aspects of cyberattacks and defenses. Most documents and sources regarding Japan’s policy regime for cybersecurity are written in Japanese. Unfortunately, they are usually not translated into English (Japan’s national cybersecurity strategy documents are an exception). The language barrier makes it difficult for non-Japanese cybersecurity policy analysts and professionals to understand Japanese interests, concerns, challenges, and policy approaches. A virtue of “Business Management and Cybersecurity” is that it helps to open this “black box” for English-speaking thought leaders—at a moment when Japan is expanding and deepening its international cybersecurity collaboration in part to support the upcoming Tokyo Summer Olympic and Paralympic Games, but also looking beyond 2020.

All chapters but one analyze differences and similarities between Japan and other countries with regards to cybersecurity issues. One point of these exercises in comparison and contrast is to allow the analysis to drill down what will and will not work in Japan. As both the Japanese government and companies are looking at the NIST Framework for their cybersecurity guidelines and practices, Japan is trying to catch up with the rest of the technologically-advanced world and align its cybersecurity posture with other leading countries. “Business Management and Cybersecurity” aims to allow the world’s cybersecurity policymakers and analysts worldwide to understand what messages both the Japanese government and industry seek to convey as Japan reaches out to engage in creating national cybersecurity policies and postures.

In this regard, Chapter 4 compares ISACs in the U.S. and Japan. Japan currently has five ISACs (Finance, ICT, Automotive, Electricity, and Trading) but their information has not been made fully available in English yet. Moreover, even the available Japanese-language has not specified what kind of information each Japanese ISAC shares. This chapter would thus be useful for non-Japanese audience, especially those who are involved in non-Japanese ISACs, to learn what kind of potential collaboration they can seek with their Japanese counterparts in the future.

Non-Japanese cybersecurity professionals would also find the Cross-Sector Forum on Cybersecurity Human Resources Development case study of value (also in Chapter 4). The Cross-Sector Forum consists of blue-chip companies in Japan working together with the aim of establishing a positive social “ecosystem” to educate, recruit, train, and retain cybersecurity professionals in cooperation with government and academia.

While U.S. and European companies focus more on skillsets of individual employees that will complement each other and thus create a successful corporate team, Japanese companies prefer generalist individuals—thus focusing relatively more on the skillsets of the organization as a whole. Japanese companies rotate employees every few years as part of this broad corporate approach, and while it has its advantages, one negative effect is that cybersecurity career paths are underdeveloped. Although the book does not go into details, it is still intriguing to read of the efforts of the Cross-Sector Forum in developing a list of the distinct skill sets and workers Japanese companies require and will increasingly require. The Cross-Sector Forum is now making a database of cybersecurity training and education programs publicly available.

Another example of the value of the book’s comparative approach is its description of the different expectations the chief information-security officer (CISO) role in corporations in Japan and overseas. Only 63 percent of Japanese companies assign a CISO, whereas the ratio is 95 and 85 percent in the U.S. and Europe respectively. While CISOs are “dual-hat” positions in 35 percent of Japanese companies, the ratio is only 17 percent in the U.S. and 18 percent in Europe. Since Japan does not have many long-term cybersecurity professionals as the U.S., and since Japanese business culture does not usually recruit C-suite executives externally, “Business Management and Cybersecurity” expresses doubt that an American or European approach of hiring and assigning a CISO would work in Japan. Instead, the book suggests that cybersecurity team building would be more effective given Japan business culture and patterns of Japanese corporate governance.

The author of “Business Management and Cybersecurity,” Shinichi Yokohama, is a leading cybersecurity professional in Japan—he headed the office of Cyber Security Integration of the Japanese multinational NTT and becomes its CISO at the end of June 2018. The book reveals his passion to reach out to global audience because he understands that the fact of cyber interconnectedness means that all the technologically important players need each other. Cybersecurity covers a wide range of expertise from technical to business management, law, and national security. As the WannaCry ransomware attacks in 2017 demonstrated, the consequences of a cyberattack are not necessarily contained within one organization, sector, or country. It is crucial to be aware of both the gap and commonality in terms of business practices and culture to facilitate policy and regulatory dialogues.

Yokohama has had an unusual career in both government and industry, one that allows him to serve as a bridge between government and industry as well as between Japan and other countries. He has worked for the Japanese trade ministry, for the global consulting firm McKinsey, and for NTT, a major Japanese corporation. It is important to understand how atypical this kind of career path is in Japan, but also the very special cross-cutting skills that this path has given Yokohama. It is typical, of course, for U.S. tech industry people to switch to a new company every couple of years for promotion and a better compensation, or for a corporation to bring in former government officials to staff offices in government relations. Career paths in Japan, even today, are not as fluid as in the U.S. Surveys show that 87.9 percent of Japanese people continue to prefer lifetime employment as of 2016. Employment in Japan is more stable in the U.S., but it makes it more difficult for Japanese companies and government to draw in new blood and new ideas.

Many Japanese government agencies and corporate actors are discovering the importance of cybersecurity as a set of national policies (the selection of Tokyo for the 2020 Olympics has been an impetus). But Japan’s role in the global economy means that government, business, policy, and academic actors outside of Japan need to understand the current policy stances and policy processes for their own economy and cybersecurity. “Business Management and Cybersecurity” provides an excellent entry into Japan’s changing understandings and its roles in global cybersecurity.


Topics:
Mihoko Matsubara is Chief Cybersecurity Strategist, NTT Corporation, Tokyo, being responsible for cybersecurity thought leadership. She previously worked at the Japanese Ministry of Defense before her MA at the Johns Hopkins School of Advanced International Studies in Washington DC on Fulbright. She served on the Japanese government’s cybersecurity R&D policy committee between 2014 and 2018. Mihoko published a book on cybersecurity, attackers, defenders, and cyber threat intelligence in Japanese from the Shinchosha Publishing Co., Ltd in 2019. She is Adjunct Fellow at the Pacific Forum, Honolulu, and Associate Fellow at the Henry Jackson Society, London.

Subscribe to Lawfare