2 September 2020

Japan and cyber capabilities: how much is enough?


As it faces burgeoning cyber threats from China, North Korea and Russia, Japan is struggling to operationalise its defensive and offensive cyber capabilities. What are some of the financial, legal, and organisational barriers facing Tokyo as it tries to realise its growing aspirations in cyberspace?

Japan is increasing investment in its military cyber capabilities. In the near term, it will grow the personnel numbers of its Cyber Defence Group by one-third, with further restructuring to follow. Like other countries, however, Japan is grappling with the twin challenges of determining what constitutes adequate funding for its cyber aspirations, and clarifying the boundaries between the civil, military and inter-service spheres of cyber responsibilities and operations.

Japan’s cyber capabilities at a glance

The Japan Self-Defense Forces’ (JSDF) Cyber Defence Group (CDG), part of the JSDF’s Command, Control, Communication & Computers (C4) Systems Command, will increase its personnel from 220 to 290 by the end of March 2021. Spending on cyber more than doubled between 2018 and 2019 following the adoption of the 2018 defence strategy, rising from JP¥11 billion (US$100 million) to JP¥25.6bn (US$235m). However, this growth was from a very low base: the 2019 spending figure was less than half a percent of the country’s defence budget. Whether this level of expenditure is sufficient to provide the cyber capabilities Japan seeks is open to question.


The CDG coordinates cyber defence for the Ground Self-Defense Force (GSDF), Maritime Self-Defense Force (MSDF) and Air Self-Defense Force (ASDF), and is charged with protecting the defence ministry’s critical-information infrastructure. It is also tasked with defending against external state-level cyber attacks that target the defence ministry, as well as military networks and information systems.

Each branch of the JSDF also has a cyber-defence unit tasked with the defence of network and information systems. The GSDF has the System Protection Unit, the MSDF the Communication Security Group, and the ASDF the Computer Security Evaluation Squadron. However, the principal focus of these units is internal threats to the JSDF’s critical-information infrastructure. In March 2019, the JSDF also set up the first regional cyber-defence unit as part of the GSDF’s Western Army, consisting of some 60 personnel. The unit, the first of a number of similar regional formations to be stood up in the coming years, is specifically tasked with defending and protecting JSDF systems and networks, including those of the newly established amphibious rapid-deployment brigade, on the remote islands and islets of the Ryukyu Arc of southwestern Japan.
Further challenges

In addition to the small size of its cyber force and its limited funding, there are other challenges Japan must negotiate in responding to cyber threats.

Under Japanese law, cyber attacks are initially investigated as ‘crimes’ by the Metropolitan Police Agency; they are not investigated as ‘armed attacks’ until they are attributed to the military forces of another state. Moreover, Article 21 of the Japanese Constitution limits the ability of government authorities to collect signals intelligence (SIGINT). Given that cyber-reconnaissance operations are viewed as a subset of SIGINT, this would be a further constraint on cyber units’ ability to respond quickly and effectively to incoming threats.

Furthermore, JSDF plans to move towards a limited offensive cyber posture in the event of an ‘armed attack’ would require a revision to Japan’s Self-Defense Forces Law to clarify whether cyber responses fall under the category of ‘use of force’ or ‘use of weapons’ for a defence operation, or for a public security operation. Without revision, Japan would face legal difficulties in using some of the capabilities included in the new defence strategy.
Cyber capabilities and multi-domain operations

Japan’s nascent cyber capabilities are one aspect of its plans to build a Multi-Domain Defense Force, as outlined in the National Defense Program Guidelines and Medium-Term Defense Program (MTDP), approved by the government in December 2018. This approach is modelled on the United States’ notion of multi-domain operations, given that Washington is Tokyo’s closest military ally.

Central to the notion of multi-domain operations is the capacity to synchronise in near-real time across all operation domains and platforms to generate combat power. The 2018 MTDP recognised the importance of command, control, communications, computers and information (C4I) to achieve this, noting the need to ‘strengthen and protect [C4I] capabilities that effectively connect capabilities in all domains’. However, there is as yet no information in the public domain to suggest that the JSDF is pursuing an integrated command-and-control battle-management system that would support the multi-domain goal.

Tokyo also faces organisational challenges in integrating the different domains. For the JSDF to synchronise operations between different domains, Japan would likely need to set up a joint operations command or a permanent joint task force (JTF). This would require changes to existing laws. Under Article 22 of the Self-Defense Forces Law, Japan is only allowed to establish JTFs for a specific mission, for example, for ballistic-missile defence missions. (The GSDF has also established a Cross-Domain Operations Task Force.) A change of law would be required to allow the JSDF to set up a permanent joint-operations headquarters or a JTF to more effectively coordinate cross-service multi-domain operations.

Tokyo is far from alone in struggling with the implications, demands and uncertainties of defensive and offensive cyber capabilities and operations. Its situation, however, is among the most pressing given the burgeoning offensive cyber capabilities of China, North Korea and Russia.

No comments: