Photo/IllutrationLAC Co.’s Japan Security Operation Center provides corporate clients with around-the-clock monitoring of cyber-attacks. (Asahi Shimbun file photo)

Japan plans to significantly bolster its defense against cyber-attacks, but the nation’s legal frameworks present hurdles in terms of staging counterattacks and pursuing the offenders.

The extent of Japan’s cybersecurity policy will likely be known in the National Defense Program Guidelines that will be revised in December.

The Defense Ministry and Self-Defense Forces are often targeted by hackers, with more than 1 million incidents reported annually.

Some attacks have very cleverly used the identities of real government officials to entice e-mail recipients to open attached documents that unleash computer viruses.

From late 2017, an e-mail purportedly originating from a member of the Cabinet Office secretariat handling comprehensive maritime policy was sent to retired Defense Ministry officials and others related to the issue.

An analysis by Tokyo-based LAC Co., an Internet security company, led to the judgment the e-mail was the work of Chinese hackers. A virus was hidden in the e-mail apparently to gather information about the maritime basic plan that was being compiled.

The Defense Ministry in 2014 set up a cyber defense unit within the SDF to respond to the large number of cyber-attacks.

In its budget request for fiscal 2019, the ministry is seeking funds to add 70 members to the unit for an overall strength of 220.

Plans have been floated to use a seven-grade ranking system in developing unit members with skills to counter advanced cyber-attacks.

Outside experts commonly known as “white hackers” or “top guns” will be hired to bolster the cyber defense unit.

The Defense Ministry will employ such experts for five years, and each individual could earn as much as 20 million yen ($177,000) a year, equivalent to the salary of the vice defense minister, the top bureaucrat in the ministry.

In May, the ruling Liberal Democratic Party submitted a proposal to the central government, calling on it to consider possessing cyber-attack capabilities to include such a goal in the guidelines.

However, Masatoshi Sato, who was the first commander of the SDF cyber defense unit, said many issues must be dealt with before Japan could possess such capabilities.

He said SDF members could end up violating various laws if the cyber defense unit tries to identify the hackers attacking the SDF's computer system, let alone conducts a counterattack.

Under the government’s interpretation, if Japan is the target of a cyber-attack as part of a military operation, the country could theoretically use cyber weapons as part of its self-defense.

However, problems would emerge if cyber-attacks occurred on a scale smaller than an all-out war and it was unclear if the hacker was an individual or an enemy nation.

Simply blocking a cyber-attack would not pose any legal problems, but there are legal hurdles that prevent counterattacking, or even pursuing and identifying hackers, during times of peace.

Article 21 of the Constitution states the secrecy of all forms of communication should not be violated. And the Criminal Law stipulates penalties against creators of computer viruses, including defenders who design programs for counterattacks against hackers.

Despite such hurdles, the Defense Ministry has decided there was a need for an outlet to allow SDF members to familiarize themselves with cyber-attack methods to improve their defensive skills.

In the request submitted for the fiscal 2019 budget, the ministry is seeking funds for exercise sessions in a special “cyber training area” between SDF members divided into attack and defense teams.

Keiko Kono, a fellow at the National Institute for Defense Studies who is knowledgeable about international law, said discussions have stalled even in the United Nations over the relationship between cyber- and military attacks.

“Western nations believe it is possible to employ self-defense as a reason to respond to cyber-attacks, but Russia and China do not agree,” she said.

In such a situation it might be difficult for Japan to enact its own standards and laws to deal with cyber-attacks.

“Although wording (in the defense guidelines) might leave open the possibility for some form of attack, it will likely be very difficult to clearly state an objective of possessing attack capabilities,” a high-ranking Defense Ministry official said.