Japan Cyber Security Recap: Top Five Issues Of 2015

Japan to Concentrate on Cyber Security in 2016 and Beyond

Download our exclusive cyber security report for in-depth information

2015 was a busy year for cyber security in Japan, with a series of high-profile incidents causing widespread anxiety about Japan’s cyber readiness. After years of complacency, it seems like the country is finally waking up to the gravity of the cyber threat and the need for all strata of society to gear up and prepare for the challenges to come. The following five elements were particularly important for Japan in 2015, and will remain key issues in 2016 and beyond:

  1. The National Pension Fund Hack
  2. The “My Number” Social Security and Tax Number System
  3. The Shortage of Cyber Security Professionals
  4. The Tokyo 2020 Olympic and Paralympic Games
  5. The National Cyber Security Strategy v2.0

Japan National Pension Fund Hack

The cyber security narrative in Japan has been dominated in 2015 by the June revelation that the National Pension Fund had been hacked, leading to the leakage of personal data from approximately 1.25 million people. Although smaller in scale than other high-profile data breaches, such as the 2014 breach at Benesse Corporation (22.6 million people’s data) or the 2011 hack on Sony’s Playstation Network (77 million people), the Pension Fund hack has arguably had a greater impact, becoming a tipping point in public consciousness about the cyber threat.

Investigations by the National Pension Fund itself and NISC (the National centre of Incident readiness and Strategy for Cybersecurity) have found that the breach succeeded in large part due to poor data protection and incident response procedures within the organisation, rather than highly sophisticated new malware. In other words, it was people more than technology. The attack itself consisted of a targeted e-mail campaign using at least 124 e-mails that were disguised to look work-related. Three of these e-mails were eventually opened, but where the timely application of appropriate incident response procedures could have prevented most if not all of the damage, the Pension Fund lacked clear rules, and where there were rules, many were not followed. For example, while internal rules stated that some sets of data had to be password-protected, these data lacked passwords, and where some devices were supposed to remain off the network, they were connected to the internet. Several opportunities for nipping the problem in the bud were missed, resulting in a breach that ended up being much bigger than it needed to be.

The National Pension Fund hack has become a watershed moment in Japanese public consciousness of both the cyber threat and the nation’s readiness to deal with the threat. The incident has gone a long way towards convincing people across all levels of society that cyber security is a matter that concerns everybody, that everybody is a target, and that eventually, attacks will always come through. It has shifted the dialogue from one centred on prevention (primarily via technical means) to one that accepts that there are many pieces to the puzzle, such as training and awareness, governance, monitoring, analysis, and timely reporting. Furthermore, the incident has moved cyber security to the front page of the newspapers, bringing significantly more attention to the issue. While the added news coverage has had its positive effects in the increased attention and awareness, it has also added an element of anxiety bordering on panic. This is related in part to concerns over the next big thing looming on the horizon, namely the new social security and tax number system, nicknamed “My Number”.

The My Number System

Until now, the tax, social security, financial and healthcare information of each resident of Japan was stored and handled separately. The My Number Law seeks to streamline government administration by assigning each person a single, unique, 12-digit registration number that will be tied to their tax and social security information. From October to the end of November 2015, each resident of Japan should have received a notification card assigning them a number that will go into effect in January 2016. Initially the numbers will only be used for tax and social security purposes, with plans to expand the scope to cover bank accounts and health information over the next few years.

Coming so soon after the National Pension Fund hack, there is much anxiety over the government’s ability to safeguard the personal information of its citizens, especially as more and more information gets linked to a single number. There are several channels for My Number data to be leaked, as companies must manage the data of their employees, local governments have to manage the data of their residents, and social service providers have to do the same. Already at the end of November 2015 – a full month before the system actually went online – police had received 168 reports of attempted scams using the My Number system. Although these scam attempts could not really be classified as “cyber attacks” (having mostly come via telephone calls or in-person visits), it is clear to everybody that a cyber attack to the system could have dire consequence. The proper protection and management of My Number data will surely be a key issue in the years to come.

Shortage of Cyber Security Professionals

According to a much-publicised report issued by the Information-technology Promotion Agency (IPA), Japan had 265,069 cyber security professionals in 2014, which was 81,590 less than it needs. In addition, of the 265,069 cyber security professionals already in the workforce, roughly 60% (159,041) were underskilled and require more training. The government has identified the shortage of qualified cyber security professionals as one of its key challenges, making repeated references to it in the nation’s new Cyber Security Strategy.

Organisations in both the public and private sectors have mobilised to tackle this problem. This summer, the Ministry of Internal Communications requested budget to train 50,000 cyber security professionals in time for the 2020 Tokyo Olympic and Paralympic Games, and telecommunications giant NTT announced its intention to quadruple its cyber security force to 10,000 by 2020. NTT has also partnered with Waseda University to offer a cyber security course, which began in April 2015. How effective these initiatives will be in alleviating Japan’s shortage of skilled and qualified cyber security staff remains to be seen, but increasing the size and skills of the cyber workforce will remain a hot topic for the years to come, especially as the nation heads towards the Tokyo Olympics.

Tokyo 2020 Olympic and Paralympic Games

Anyone new to Japan might be surprised at how frequently the Tokyo 2020 Olympic and Paralympic Games are mentioned in conjunction with cyber security. The Tokyo Games have served as a catalyst for Japan to reinforce its cyber readiness by drawing a clear deadline by when everything must be safe and secure. This is an especially pressing issue considering the expected expansion of the IoT (Internet of Things) market and the increasing reliance on IT for everything from trains and buses to ticketing systems. IT outages during the Games would be a major embarrassment at the least, and a danger to life, limb and property at worst.

Unfortunately for Games organisers, the attacks have already started, with the Tokyo 2020 website being rendered inaccessible for twelve hours on November 4 due to a suspected DDoS attack. Although this attack was relatively harmless, there are concerns about potential cyber terrorism, especially from organisations such as ISIS.

Securing the networks and devices at Tokyo 2020 will remain a key issue for the next five years, with ample opportunities for collaboration between Japanese and foreign governments and companies. British companies that have experience with securing not only London 2012, but also the 2015 Rugby World Cup will have much to offer in the way of knowhow and experience.

It may still take some time for business to fully develop, as Olympic organisers and government stakeholders are still in the process of clarifying which organisations are responsible for what aspects of security. In addition, anecdotal evidence suggests that many eyes from both government and industry are currently directed towards the 2016 Olympic and Paralympic Games in Rio de Janeiro to “see what happens” before making major decisions for Tokyo 2020. Nevertheless, for UK companies aiming to capture Olympics-related business, it is never too early to initiate engagement with Japanese stakeholders. Companies that get their foot in the door early will be better placed to take advantage of business opportunities as they materialise.

Japan Cyber Security Strategy v 2.0

Following the passage of the Basic Act on Cybersecurity in November 2014, the government of Japan moved to update its cyber security strategy. Originally scheduled to be adopted in June 2015, the new Cyber Security Strategy was delayed due to the National Pension Fund hack, but was eventually approved on September 4, 2015. It lays out Japan’s strategy through the end of 2018 with an eye towards the Tokyo Olympics and beyond. Its objective is: “To create and develop a free, fair and safe cyberspace that will contribute to increased economic vigour and sustainable growth, the development of a safe society for Japan, and the guarantee of peace and stability for both Japan and the international community.”

The 2020 Tokyo Olympic/Paralympic Games feature especially prominently in the new Strategy and give a strong sense of urgency to the overall document. The Japanese government recognises that in order to deliver a successful Games, Japan must strengthen its cyber security, especially around IoT services, critical infrastructure and public networks. The Strategy goes on to lay out a series of specific measures it intends to implement in order to achieve its objectives. These include awareness-raising, recruiting and training more cyber professionals, promoting R&D and PPP in a range of fields, and increasing international cooperation. Finally, the Strategy emphasises the need for the government to break down silos and adopt a cross-government approach to cyber security.

Looking towards 2016

Even as Japan heads into 2016, many of the headline issues of 2015 will continue to be of high importance. Although more than half a year has already passed since the National Pension Fund hack, it remains a pertinent topic in cyber conversations. The My Number system, meanwhile, is only just getting started. It will also take a long time before Japan manages to train all of the cyber security professionals it needs, and preparations for the 2020 Olympic and Paralympic Games will truly kick into gear as soon as Rio 2016 has finished.

There are of course other issues that will capture headlines in 2016. Hacktivism by the likes of Anonymous (which appears to have launched an attack on Prime Minister Abe’s home page on December 10 2015), the threat of cyber terrorism from groups like ISIS, and increasing concerns around ransomware will certainly gather attention from the public and media alike.

Whatever issues end up capturing the most limelight in 2016, the key takeaway is that cyber security will only increase in importance in Japan, not only for the government, but also for business and the general public. For any UK cyber security companies eager to tap into this £4.8 billion market, now is the time to start your engagement.


Send us your enquiry to learn your potential in the Japanese market.

Contact Daniel directly if you are a UK company in the cyber security sector.

Download our in-depth cyber security report to learn about the opportunities in this market.


Article by Daniel Bjornstrom, January 2016.