Japan Its Own Enemy in Push to Improve Cybersecurity

Apart from rogue hackers, criminal organizations or even state-backed cyberwarfare units, Japan’s businesses and government agencies are facing a unique cybersecurity foe: themselves.
Japan Its Own Enemy in Push to Improve Cybersecurity
A man walks out from the headquarters of Sony Corp. in Tokyo on Dec. 18, 2014. Improving cybersecurity practices has emerged as a top national priority for Japan, stung in recent years by embarrassing leaks at Sony Pictures, the national pension fund and its biggest defense contractor, Mitsubishi Heavy Industries, which possibly suffered the theft of submarine and missile designs. AP Photo/Eugene Hoshiko
|Updated:

OKINAWA, Japan—Apart from rogue hackers, criminal organizations or even state-backed cyberwarfare units, Japan’s businesses and government agencies are facing a unique cybersecurity foe: themselves.

Even with the frequency and severity of cyberattacks booming worldwide, efforts by the world’s No. 3 economic power to improve its data security are being hobbled by a widespread corporate culture that views security breaches as a loss of face, leading to poor disclosure of incidents or information sharing at critical moments, Japanese experts and government officials say.

Improving cybersecurity practices has emerged as a top national priority for Japan, stung in recent years by embarrassing leaks at Sony Pictures, the national pension fund and its biggest defense contractor, Mitsubishi Heavy Industries, which possibly suffered the theft of submarine and missile designs.

Toshio Nawa, a top Japanese security consultant who is advising the Tokyo 2020 Olympics organizers, said he encountered a telling instance this summer when he was called to investigate a breach at a major Japanese government agency.

Nawa found that five different cybersecurity contractors employed by the agency had discovered the breach—but that not one reported or shared their findings.

With evidence from the contractors pooled together, Nawa matched the digital fingerprints to a Mexican group that he believes was responsible for a previous attack on Japanese diplomatic servers. The breach was patched, but Nawa walked away flustered.

“In the U.S., if they find a problem, they have to report,” he said. “The Japanese engineer feels he fails his duty if he escalates a report. They feel ashamed.”

To be sure, the cybersecurity industry around the world, not just in Japan, frequently echoes the call for greater transparency within and among organizations. The U.S. Senate last month passed the Cybersecurity Information Sharing Act to ease data sharing between private companies and the government for security purposes, although civil liberties advocates warned it posed a threat to privacy.

But the problem may be particularly acute for Japan’s private sector behemoths and government ministries—sprawling bureaucracies wrapped in a “negative culture that cuts against wanting to communicate quickly,” said William H. Saito, the top cybersecurity adviser to Prime Minister Shinzo Abe.