With increasingly more significant developments and dependence on computers in sectors such as finance, healthcare, and media, it is critical that Japan continue improving its cyber security measures qualitatively and quantitatively.
The question is: Who is responsible for introducing and (more importantly) implementing these cyber security measures?
Japan’s National Information Security Center (NISC) plays a central role in overseeing cyber security measures. NISC was established in 2005 under the Cabinet Secretariat, and is responsible for addressing information security issues and drafting national cyber security plans.
Although NISC is one of the central organizations for cyber security, it has struggled to carry out its functions effectively due to structural issues. NISC is mostly composed of officials and authorities “borrowed” from other ministries and the National Police Agency (NPA) for two to three year terms. On top of this, the roles of the multiple organizations tasked with overseeing and managing cyber security in Japan are not well defined. This includes organizations such as Information Security Policy Council (ISPC), Ministry of Economy, Trade and Industry (METI), Ministry of Internal Affairs and Communications (MIC). Authority and roles amongst these groups are not properly defined, and as a result several roles often overlap.
No law gives NISC and its operational unit, the Government Security Operation Co-ordination team (GSOC), authority to deal with threats in a timely manner due to the sectionalism among Japanese ministries. To strengthen the foundation of Japan’s ICT framework, Japanese lawmakers are preparing a bill that will provide NISC with legal authority to lead cyber security policy and specific roles would be assigned to the national body. The bill is scheduled to be submitted to the Diet in autumn of 2014. Enhancing the legal authority of NISC would is necessary for Japan to build confidence and share information more freely.
Along with the structural problems, Japan lacks qualified professional software engineers. According to the 2013 Cyber Security strategy, released by NISC, there are 265,000 information security engineers in Japan, which are about 80,000 less than needed. The strategy also states that among the engineers employed, about 60 percent do not have the adequate skills to counter a new computer virus.
The 2013 Cyber Security strategy also states that NISC would address its lack of manpower in 2015, and halve its shortage of staff by 2020. The shortage is not static, and will keep changing progressively. Therefore, Japan needs to prioritise manpower issues and deal with them periodically. NISC also needs to address the absence of permanently assigned personnel to tackle the scarcity of experts and engineers.
Major decisions and amendments have to be made over the span of the next few years in order for Japan to be able to achieve the goals set in its own Cyber Security strategy. The steps taken by the government to improve the overall cyber security framework are encouraging, but in the case of a potential cyber attack, is smooth communication ensured between the bodies of the Japanese government?
In order to remove the sectionalism and confusion among its ministries, NISC must become the central agency responsible for Japan’s cyber space.