This post is authored by Angela McKay, Director of Cybersecurity Policy.
Earlier this year, my team and I had the great privilege and pleasure of spending several days in Japan, participating in the Information Technology Promotion Agency (IPA) Symposium. We also met with industry colleagues to discuss global cybersecurity trends and opportunities to engage in public policy, and met with Japanese government partners to examine the question of cloud security.
Even just a few days in Tokyo demonstrated that the focus on the importance of cybersecurity is growing in Japan and across the Asia-Pacific region, within both government and industry. The understanding that concrete action is now needed is also growing.
Japan is well positioned for regional leadership in this space. The size of the IPA symposium, the seniority of both attendees and speakers, and the maturity of the conversation underscored this. In Japan, cybersecurity is clearly evolving from an issue of interest solely to technically inclined geeks, to one that is a major concern for the government, businesses, and consumers. The policy debate is shifting from conceptual discussions to more practical consideration, such as the development of security practices and requirements, particularly for critical infrastructure and government.
What is particularly praise-worthy and unique in the Japanese approach, is the iterative way the government is tackling challenges in this space, dynamically reprioritizing and emphasizing different areas based on changes in technology and risks, and the effectiveness of its various efforts. For example, while the Basic Cybersecurity Law and National Cybersecurity Strategy were adopted more than two years ago, the government has since repeatedly consulted and reexamined areas where outcomes have proven to be difficult to attain, for example cross-government cooperation on cybersecurity.
Japan is not alone in grappling with how to govern cybersecurity; however, it is one of the few governments which understands that cybersecurity is not an area that can be looked at once and then ignored for the next decade. It is using the impetus behind the 2020 Olympics and Paralympics to increase cyber resilience, examining how new technologies, such as cloud computing, can increase security of the government, critical infrastructures, and for the Internet of Things (IoT). It actively seeks to assess progress with 2020 in mind, for example by considering whether and how cybersecurity information sharing is increasing the security of the Games and key sectors of the economy. It does this not just through forming ISACs but by partnering with the private sector to ensure that 1) sharing is focused on risk management outcomes and 2) cultural and structural obstacles that might be particular to Japan are understood and addressed.
A similar approach is being pursued when it comes to encouraging critical infrastructure sectors to adopt risk management practices. The government has been consulting on its guide, as they are realizing that while the voluntary nature of their cybersecurity efforts remains pivotal, many of the private sector enterprises are looking for more specific guidance on how to move forward in this area. In our response, Microsoft therefore suggested developing a model similar to the one put forward by NIST with its Cybersecurity Framework, where the government and private sector collaborated to develop guidance that built on proven standards and best practices within an overarching framework that is meaningful to executives.
Beyond this pragmatic approach, Japan also continues to drive thought leadership in important new areas. Japan recently announced a new partnership with Germany to establish an Internet of Things (IoT) standard for commercial and industrial organizations, as well as proposals on how to best secure this new area of innovation. This has given Japan a unique opportunity, perhaps even a responsibility as a genuine world leader in this space, to start articulating the security concerns that should be addressed by players in IoT services (with a link to our NTIA response for more detail). Their solutions, including the use of incentives to drive behaviors, will be looked at by other governments, not just regionally but across the globe.
In the era of digitalization, every government and organization should look to and incorporate and codify effective initiatives and programs, such as Japan’s, into their policies and operations. Microsoft is excited to work alongside Japan and other Asia-Pacific countries to build a global culture of strong cybersecurity principles that create a trustworthy high-tech world. It will require the leadership of countries such as Japan and the commitment of industry leaders such as ourselves to ensure the safety and security in the digital space.
