Japan-U.S. Cybersecurity

Introduction

Cybersecurity has long been regarded as a critical part of national security. The sophistication, complexity, and scale of cyberattacks have increased, with state-sponsored actors posing significant threats to nations and international cybercriminal groups conducting massive attacks globally. Meanwhile, the ongoing digitalization of society is expanding cyberspace, leading to the complicated and expanded interdependencies among infrastructures, services, and functions. It is, therefore, becoming more important to ensure the cybersecurity and resilience of critical infrastructures that people and nations rely on every day. This is considered a national priority in most countries and a global issue where international cooperation is essential.

With regard to the Japan-U.S. relationship, the alliance has become more important than ever in light of rising geopolitical tensions in the Indo-Pacific region, and cyberspace is playing a key role as a foundation for a robust alliance. Both countries are currently at a pivotal point in their national cybersecurity. In the United States, the National Cybersecurity Strategy (NCS), released in March 2023, represents a significant shift from previous policies. This includes further government involvement in the private sector, including regulatory approaches, and a shift of the cybersecurity burden away from end users to providers. In Japan, the National Security Strategy (NSS), released in December 2022, puts a strong emphasis on fundamentally enhancing the country’s cybersecurity posture, including the implementation of its own “active cyber defense” (ACD). Furthermore, the recent passage of key legislations enhancing Japan’s security clearance system and economic security will have a positive impact on cybersecurity. Taking these evolutions as an opportunity, it is the right time to reassess the current state of Japan-U.S. cybersecurity cooperation and explore ways forward for further collaboration.

Taking these evolutions as an opportunity, it is the right time to reassess the current state of Japan-U.S. cybersecurity cooperation and explore ways forward for further collaboration.

There are two key areas for consideration in promoting holistic and effective Japan-U.S. cybersecurity cooperation. First, both countries’ cybersecurity authorities, roles, and responsibilities are highly decentralized, making it challenging to gain a comprehensive overview of the subject. Second, while there are a number of high-level frameworks and agreements for cooperation between both governments, there is still a need for more specific and operational collaboration. To address these issues, this paper begins by providing a comprehensive overview of the cybersecurity postures in both countries, including the basic policies, organizational structures, and functions, with a focus on recent developments. It then reviews Japan-U.S. cooperation to date, discusses the current state of critical infrastructure cybersecurity and resilience in both countries, and offers recommendations for operationalizing cooperation in this area.

Fundamentals of Cybersecurity in the United States and Japan

The United States and Japan have highly decentralized and complicated cybersecurity structures and functions across their governments, which results in overlapping authorities, roles, and responsibilities. While several cybersecurity experts focus on specific areas of cooperation, there is a lack of comprehensive and accurate understanding of the cybersecurity postures in both countries. To pursue effective Japan-U.S. cooperation in specific areas, it would be essential, as a prerequisite, to have a clear understanding of these cybersecurity postures and to be able to map both countries’ policies, structures, functions, initiatives, and so on. The following provides an overview of cybersecurity postures in both countries, focusing on recent developments and future direction.

Cybersecurity in the United States

Basic Strategy and Policy

Cybersecurity policy in the United States is commonly believed to be relatively bipartisan. The two major political parties have been pursuing a similar direction in general, although they have minor differences. The U.S. government has historically strongly emphasized prioritizing and reinforcing voluntary public-private partnerships (PPPs) to enhance the national cybersecurity posture. However, recent significant cyber incidents, such as those at SolarWinds in 2020 and Colonial Pipeline in 2021, as well as growing geopolitical tensions, have resulted in a major change in this policy. Recognizing cybersecurity as a matter of national security, the Biden administration has made a significant shift in policy to strengthen government involvement in the private sector. This includes strengthening the federal government’s organizational structure by creating high-level government posts responsible for cybersecurity; introducing and updating laws and regulations; and expanding government-led initiatives.

Recognizing cybersecurity as a matter of national security, the Biden administration has made a significant shift in policy to strengthen government involvement in the private sector.

The Biden administration’s cybersecurity policies are largely based on the recommendations from the Cyberspace Solarium Commission (CSC), established under the National Defense Authorization Act (NDAA) for Fiscal Year 2019. In addition, Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, signed in May 2021, has served as the foundation for numerous federal cybersecurity initiatives to date. In March 2023, the NCS was released for the first time in four and a half years. The strategy is composed of five key pillars: (1) “defend critical infrastructure,” (2) “disrupt and dismantle threat actors,” (3) “shape market forces to drive security and resilience,” (4) “invest in a resilient future,” and (5) “forge international partnerships to pursue shared goals.” The NCS acknowledges the continued importance of voluntary PPPs, but also points out that this alone is not sufficient. It highlights the need for baseline requirements for critical infrastructure and the shift of accountability for cybersecurity away from end users to more capable manufacturers and providers. This demonstrates the administration’s clear intention to increase government involvement. The Office of the National Cyber Director (ONCD) publishes an annual National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and accountability for the implementation of the strategy. This plan outlines the specific implementation items, responsible agency, contributing entities, and deadlines for each strategic objective. The second edition, published in May 2024, is the most recent version of the plan. Federal cybersecurity measures are being implemented in accordance with the plan.

Organizational Structure

Figure 1 shows an overview of the cybersecurity organizational structure centered on the U.S. federal government. ONCD leads and coordinates federal cybersecurity strategy and policy in the White House. The deputy national security advisor for cyber and emerging technology in the National Security Council (NSC) serves as an adviser to the president on national security issues related to cyber. Although the Office of Management and Budget (OMB) is not a cybersecurity-focused organization, it issues specific instructions to government agencies to implement policies such as EOs and manages and oversees their processes of implementation, including budgetary aspects.

In the executive departments, the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security (DHS) plays a central role as the operational lead for federal cybersecurity and the national coordinator for critical infrastructure cybersecurity and resilience. The Federal Bureau of Investigation (FBI) in the Department of Justice (DOJ) serves as a law enforcement entity for cybercrimes. The National Security Agency (NSA) in the Department of Defense (DOD) is tasked with protecting U.S. national security systems, the DOD, and the defense industrial base. It is also one of the key agencies for cyber intelligence. The U.S. Cyber Command (USCYBERCOM) in the DOD is a military wing responsible for cyber operations to defend against and respond to cyberattacks on the nation. The Department of State (DOS) focuses on cyber diplomacy. The National Institute of Standards and Technology (NIST) in the Department of Commerce (DOC) plays a key role in developing cybersecurity resources such as standards, frameworks, guidance, and practices. The National Telecommunications and Information Administration (NTIA) serves as the principal adviser to the president on telecommunications and information policy, including cybersecurity. There are designated Sector Risk Management Agencies (SRMAs) that are responsible for managing critical infrastructure sectors. Further details can be found in Chapter 4. Independent regulatory entities, such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Securities and Exchange Commission (SEC), are also increasingly involved in the cybersecurity field, leveraging their respective existing authorities.

The U.S. federal government’s cybersecurity budget request for FY 2025 is $27.5 billion, with $13 billion allocated for civilian agencies and $14.5 billion for the DOD. The number of employees in CISA, the operational core of the federal government, was 3,161 as of August 2023.

▲ Figure 1: Cybersecurity Organizational Structure Centered on the U.S. Federal Government. Source: Author’s analysis.

Current State

• Defense

In September 2023, the DOD released the overview version of the Department of Defense Cyber Strategy for the first time since 2018. The strategy aligns with the priorities set out in the U.S. National Security Strategy (NSS) and the National Defense Strategy released in 2022, as well as the NCS. It includes four lines of effort: (1) “defend the nation,” (2) “prepare to fight and win the nation’s wars,” (3) “protect the cyber domain with allies and partners,” and (4) “build enduring advantages in cyberspace.” In March 2024, the new Office of the Assistant Secretary of Defense for Cyber Policy was established to enhance defense cyber policy.

USCYBERCOM is the primary entity responsible for cyber operations related to national defense. While its missions and activities are not necessarily all publicly available, one of its recent priorities has been to work with allies to respond to potential cyber activities from outside the country that pose a threat to the United States. This is represented by the concept “defend forward,” which defends against malicious cyber activities at their source. One form of this concept is the implementation of “hunt forward operations.” This initiative contributes to the cyber defense of the host country by monitoring and detecting malicious cyber activities on the host country’s network while also contributing to the defense of the United States against attacks from foreign adversaries. USCYBERCOM has shared leadership with the NSA since its establishment. The two organizations work together on cyber operations, with the NSA providing its own cyber intelligence insights and resources to support USCYBERCOM.

• Intelligence

The U.S. intelligence community is led by the Office of the Director of National Intelligence (ODNI), with the NSA playing a major role, particularly in the area of cybersecurity. The NSA collects foreign signals intelligence and provides it to U.S. policymakers and military forces. In the past, the NSA’s operations were less transparent and accessible to the public. However, in recent years, the NSA has been moving away from its historical secrecy and becoming more open to the public. It is actively promoting collaboration with the private sector as well as federal agencies, including strengthening its partnership with the defense industrial base through the Cybersecurity Collaboration Center (CCC) and developing and providing technical guidance in collaboration with CISA, the FBI, and other agencies. In recent years, the government has adopted a policy of sharing threat intelligence in a timely manner with a broad range of stakeholders by declassifying the information as much as possible. This has led to closer cooperation between government and critical infrastructure.

• Law Enforcement

The FBI is the lead federal agency investigating cybercrimes, working with other agencies such as CISA and the NSA, foreign partners and law enforcement entities, and the private sector. The National Cyber Investigative Joint Task Force (NCIJTF) is a government-wide initiative that integrates investigative efforts against cyber threats. The FBI is responsible for organizing and leading this, with the participation of over 30 agencies in the intelligence community and law enforcement. The Internet Crime Complaint Center is a resource for the general public to report internet crimes. The FBI has recently assigned cyber assistant legal attachés to embassies worldwide to work closely with international authorities.

In recent years, the FBI and DOJ have shifted their focus from traditional criminal investigations (e.g., establishing a case, arresting, prosecuting, convicting, and sending criminals to prison) to the disruption of cybercriminals. This shift could make it more challenging to prosecute crimes without sufficient evidence. However, the government has prioritized proactive measures, including the prevention of crimes, early detection, and the prevention of the spread of damage. The government has been implementing this policy aggressively, conducting a series of law enforcement operations. These include disrupting international ransomware groups such as ALPHV/BlackCat and LockBit, as well as the botnets used by state-sponsored actors such as Volt Typhoon, Flax Typhoon, and 911 S5. The case of LockBit is one of the largest coordinated operations in recent years, involving law enforcement agencies from around the world. The National Police Agency (NPA) of Japan also participated in the operation, along with the Five Eyes countries (an intelligence alliance composed of Australia, Canada, New Zealand, the United Kingdom, and the United States) and other international partners.

• Diplomacy

The DOS is responsible for coordinating diplomatic engagement on the security of international cyberspace in bilateral, multilateral, and regional forums. It also leads intergovernmental cyber dialogues with international partners, including Japan. The Biden administration has enhanced its system for promoting national and economic security in cyberspace and digital technology from a diplomatic perspective through the establishment of the Bureau of Cyberspace and Digital Policy in April 2022, the appointment of the first-ever ambassador-at-large for it in September of the same year, and other measures. Furthermore, in May 2024, the DOS published its first United States International Cyberspace and Digital Policy Strategy. The strategy outlines four key areas of action to build digital solidarity. These include promoting a secure and resilient digital ecosystem, aligning rights-respecting approaches with international partners, building coalitions and engaging partners to counter threats to cyberspace, and strengthening international partners’ digital and cyber capacity. There is also a plan to have trained cyber and digital officers in every U.S. embassy around the world by the end of 2024. The White House is also leading international cooperation on cybersecurity through initiatives such as the International Counter Ransomware Initiative (CRI). The current status of Japan-U.S. cybersecurity cooperation is outlined in Chapter 3.

• Government System Protection

The federal Chief Information Security Officer (CISO) oversees cybersecurity policy, planning, and implementation for the executive branch. OMB provides instructions on specific cybersecurity measures to be implemented by federal agencies with a deadline through the issuance of memoranda and other means. CISA serves as the operational lead for cybersecurity in the Federal Civilian Executive Branch (FCEB). The Federal Information Security Modernization Act (FISMA) of 2014 requires government agencies to include incident detection, reporting, and response procedures in their information security programs. FISMA also requires OMB to publish an annual report on the progress and state of implementation in federal agencies. EO 14028 of May 2021 is based on FISMA. One of the sections notes the modernization of federal government cybersecurity. It includes a number of directives for FCEB, such as the use of secure cloud services, transition to zero trust architecture, and deployment of multi-factor authentication and data encryption. CISA maintains and publishes a Known Exploited Vulnerabilities Catalog as part of its operational support to federal agencies. The Known Exploited Vulnerabilities Catalog includes recommended actions that agencies must take by specified dates, which serves as a binding operational directive. CISA also offers the Continuous Diagnostics and Mitigation Program, which provides cybersecurity tools, integration services, and dashboards to assist agencies in enhancing their security posture. Note that the NSA is primarily responsible for the protection of government agencies with respect to the national security system (NSS). While EO 14028 is a directive for the FECB, a separate National Security Memorandum (NSM), NSM-8, was issued in January 2022 that requires the NSS to meet equivalent or greater cybersecurity requirements than those defined in the EO.

• Critical Infrastructure Protection

The Biden administration considers critical infrastructure cybersecurity and resilience a national security priority. The national framework for critical infrastructure protection has long been based on the 2013 Presidential Policy Directive (PPD-21). However, the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), the first revision in 11 years, was signed by the president in April 2024. NSM-22 designates 16 critical infrastructure sectors, which is the same as PPD-21. CISA, as the national coordinator, is responsible for the cybersecurity and resilience of the nation’s critical infrastructure. Each sector is overseen by a designated SRMA, which is the competent agency related to that industry and responsible for risk management and mitigation in the sector.

Given that the majority of critical infrastructure is owned and operated by the private sector, it is the responsibility of these entities to ensure their own cybersecurity. The government also plays a supporting role in these efforts. The specifics of PPPs vary by sector. In general, critical infrastructure owners and operators cooperate with the SRMA of the sector. In addition, the Sector Coordinating Council (SCC), which comprises critical infrastructure owners and operators, trade associations, and other entities within the sector, serves as a forum for discussing sector-specific strategies, policies, and plans. SCC also works closely with the Government Coordinating Council (GCC), which is the corresponding government entity for the sector. Technical and operational activities are typically managed through Information Sharing and Analysis Centers (ISACs), which are established in each industry. The National Council of ISACs (NCI) facilitates cross-sector operational coordination among ISACs. In addition, there are several specific initiatives related to critical infrastructure protection. One of the most notable initiatives to date is the Joint Cyber Defense Collaborative (JCDC), which was launched in August 2021. It is a framework of cross-sector collaboration between selected private-sector entities and key government agencies, including CISA, the NSA, and the FBI.

The United States has long relied on voluntary PPPs as a primary policy approach. However, there has been a notable increase in legislative and regulatory approaches under the Biden administration. In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed, requiring critical infrastructure owners and operators to report significant incidents and ransomware payments to the government. The rule-making process is currently underway. In addition, as indicated in the NCS and NSM-22, further cybersecurity requirements and regulations are being considered for each sector. Further details on critical infrastructure protection can be found in Chapter 4 and beyond.

• Small- and Medium-sized Businesses Protection

In general, small- and medium-sized businesses (SMBs) often have smaller budgets, fewer employees, and less cybersecurity expertise than large corporations. These companies are often part of key supply chains, large corporate groups, or critical infrastructure and have been increasingly targeted by attackers as the weakest link. The government has identified the need to enhance the cybersecurity posture of SMBs as a critical issue. CISA assists SMBs in reducing their cyber risks by providing guidance tailored to their needs and free services and tools. NIST also plays an important role in this effort. It has launched a website, Small Business Cybersecurity Corner, which provides a centralized collection of cybersecurity guidance, training, and other resources for SMBs, including NIST IR 7621. Additionally, the Small Business Cybersecurity Community of Interest was established to facilitate the exchange of information and resources. To date, over 1,000 small businesses have participated in this initiative.

• Consumers and the General Public

It is important to raise cybersecurity awareness among the general public in order to build nationwide cybersecurity capabilities. In the United States, CISA has taken a leading role in working with the federal government; state, local, tribal, and territorial governments; and the private sector to disseminate information and conduct campaigns to ensure that the public is aware of cyber threats and can safely use the digital space. October has been designated as National Cybersecurity Awareness Month since 2004. In 2023, the initiative celebrated its 20th anniversary, and CISA launched a new permanent cybersecurity awareness program, Secure Our World. The program is focused on four key actions: use strong passwords, enable multi-factor authentication, recognize and report phishing, and update software. These actions are designed to encourage behavioral change throughout the year.

• Technologies, Products, and Services

The security of technologies, products, and services is a broad topic. This paper does not cover all aspects of the topic, but one of the Biden administration’s key interests is the promotion of secure by design and secure by default. This is the concept of ensuring that products and services are secure from the design phase and that security features are built in by default for the products and services. This aligns with the NCS’s primary objective of shifting cybersecurity accountability to manufacturers and providers. CISA, in collaboration with federal agencies and international partners, including Japan, has been actively promoting the adoption of these principles. In May 2024, 68 of the world’s leading software manufacturers made a voluntary commitment to CISA’s Secure by Design Pledge, pledging to design products with better security built in. Furthermore, CISA is advancing this principle, shifting the concept of secure by design to secure by demand, to ensure that customers understand the necessity of the security and safety of the products and push vendors to improve their products. In March 2024, CISA and OMB released a Secure Software Development Attestation Form, which requires producers of software used by the federal government to attest to the adoption of secure development practices aligned with NIST’s Secure Software Development Framework. Subsequently, in August 2024, CISA released a software acquisition guide for federal agencies, which can be used by a broader range of stakeholders, including the private sector. The guide provides recommendations for software assurance in the cybersecurity supply chain risk management life cycle, focusing on the secure by demand concept. In a related effort, CISA has been facilitating community discussions to promote the use of the Software Bill of Materials (SBOM) to increase software transparency. The government has also been calling for the use of memory-safe languages for secure software development. Additionally, as indicated in the NCS, a legal framework for holding software producers accountable is also being considered. Regarding consumer devices, the White House announced a plan for an internet of things (IoT) labeling program in July 2023. The objective is to make secure IoT devices widely available through a voluntary approach that leverages market forces. The program is currently being prepared under the leadership of the FCC with the aim of becoming operational by the end of 2024. Several government initiatives are being developed under the common concept of secure by design.

Another key issue is the safety and security of artificial intelligence (AI), which is considered a foundation of the use of AI in EO 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, signed in October 2023. The EO addresses a wide range of issues, including risk assessment and mitigation for the use of AI in critical infrastructure, the security of the foundation models, and the detection and labeling of synthetic content. These tasks have been assigned to CISA, NIST, and other government agencies.

• Workforce

A shortage of cybersecurity professionals is a common challenge for both the public and private sectors globally. In July 2023, the United States published the National Cyber Workforce and Education Strategy (NCWES), which focuses on four pillars: (1) “equip every American with foundational cyber skills,” (2) “transform cyber education,” (3) “expand and enhance America’s cyber workforce,” and (4) “strengthen the federal cyber workforce.” In releasing the strategy, government agencies, industry, academia, and nonprofit organizations have committed to working together to implement the strategy through training, apprenticeship programs, and partnerships. ONCD is leading this national initiative. In June 2024, ONCD released a report outlining its progress to date and future work plans for implementing NCWES.

Cybersecurity in Japan

Basic Strategy and Policy

The Japanese political system has been relatively stable and consistent in terms of the parliamentary cabinet system, with the Liberal Democratic Party having been in power for a long time, except for a few periods. With regard to cybersecurity policy, there are some similarities with the United States in terms of a decentralized government organizational structure and the basis of voluntary PPPs.

The current cybersecurity policy is based on the Cybersecurity Basic Act, which went into full effect in January 2015. The act outlines the fundamental principles and responsibilities of the nation in advancing cybersecurity policies. It also establishes the framework for developing a national cybersecurity strategy and other policy initiatives. In January 2015, the Cybersecurity Strategic Headquarters was established in the cabinet under the act, and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in the Cabinet Secretariat as the national cybersecurity center. The national Cybersecurity Strategy has been updated approximately once every three years since its initial version in 2013, with the latest version released in September 2021. The latest strategy sets “Cybersecurity for All” as its main theme and outlines three key directions: (1) “advancing digital transformation (DX) and cybersecurity simultaneously,” (2) “ensuring the overall safety and security of cyberspace as it becomes increasingly public, interconnected and interrelated,” and (3) “enhancing initiatives from the perspective of Japan’s national security.” The strategy reflects the current geopolitical landscape, naming China, Russia, and North Korea as countries of concern for the first time. It also indicates the importance of international cooperation with the United States, the Quad (a strategic security grouping that includes Australia, India, Japan, and the United States), the Association of Southeast Asian Nations (ASEAN), and other like-minded countries, as well as the importance of economic security and supply chains. Additionally, the government releases an annual report that serves as both a review of the previous fiscal year and a plan for the current year, outlining the key achievements and implementation plan based on the strategy.

Japan’s cybersecurity is now at a pivotal point. Most recently, the NSS of Japan, released in December 2022, outlined a strategy to fundamentally enhance the nation’s cybersecurity posture. While the ACD in general includes a wide range of proactive cyber operations, the strategy focuses on three key areas as its own ACD: enhanced PPPs, detection of attack sources using information provided by telecommunication service providers, and government operations against attack sources. It also includes the strengthening of the government’s organizational structure, including the restructuring of NISC and a significant increase in government staff for cyber. The implementation of the strategy, including the introduction of legislation, is currently underway. Furthermore, the position of minister of state for economic security was established in the cabinet in October 2021, and the Economic Security Promotion Act was passed in May 2022. In May 2024, a new regulation based on the act came into effect to ensure the safety and reliability of essential infrastructure. In the same month, a bill on a new security clearance system was passed. This will include cybersecurity information in the protected information and greatly expand the scope of clearance to the nondefense private sector. These developments will have a positive impact on further enhancing the nation’s cybersecurity.

Japan’s cybersecurity is now at a pivotal point. Most recently, the NSS of Japan, released in December 2022, outlined a strategy to fundamentally enhance the nation’s cybersecurity posture.

Organizational Structure

Figure 2 provides an overview of the organizational structure of cybersecurity centered on the Japanese government. The Cybersecurity Strategic Headquarters in the cabinet is the highest decisionmaking body for national cybersecurity. The headquarters comprises the chief cabinet secretary, the ministers related to cybersecurity, and external experts. The headquarters works closely with the National Security Council (NSC) in the cabinet. NISC serves as the secretariat for the headquarters and plays a coordinating role for government agencies involved in cybersecurity and critical infrastructure.

The NPA is a law enforcement agency responsible for investigating cybercrimes. The Ministry of Defense (MOD) is responsible for cybersecurity in the field of national defense, and the Japan Self-Defense Force (JSDF) is in charge of cyber defense for its own organization, including MOD. The Ministry of Internal Affairs and Communications (MIC) is responsible for cybersecurity policy related to information and communications networks. It also serves as a regulatory body for the communications industry. The National Institute of Information and Communications Technology (NICT), which is under the jurisdiction of MIC, conducts research and development (R&D) for cybersecurity in the information and communications technology (ICT) field. The Ministry of Economy, Trade and Industry (METI) develops cybersecurity policies for private companies across a range of industries. The Information-technology Promotion Agency (IPA), which is under the jurisdiction of METI, maintains a national certification system of information security and conducts studies and research in the field to support the national information technology strategy from a technical and human resources perspective. The Ministry of Foreign Affairs (MOFA) is responsible for managing diplomatic relations in the cyber domain. The Digital Agency is a relatively new agency, established in September 2021 to promote the digitalization of national and local government. It is also involved in cybersecurity from the perspective of DX. Moreover, as in the United States, critical infrastructure sectors are overseen by designated government agencies. Further details can be found in Chapter 4.

The Japanese government’s cybersecurity-related budget for FY 2024 is ¥212.86 billion, with approximately ¥152 billion allocated to MOD and the remainder distributed among non-MOD agencies. This represents an increase of approximately 54 percent from the FY 2023 initial budget. It should be noted that the cybersecurity-related budgets released by governments cannot be directly compared due to differences in the definition and scope of cybersecurity. While the exact number of NISC employees is not made public, as of FY 2023, it is made up of approximately 100 government officials and employees with specialized expertise from the private sector. Additionally, NISC plans to double the number of staff in FY 2024. Further expansion is anticipated in the coming years through organizational restructuring based on the NSS of Japan.

While it is not easy to precisely map out the roles and responsibilities of cybersecurity-related government agencies in the United States and Japan, a rough relationship may be expressed as in Figure 3. Please note that this simplified mapping does not necessarily define a complete and exhaustive relationship between the two.

▲ Figure 2: Cybersecurity Organizational Structure Centered on the Japanese Government. Source: Author’s analysis; and National Center of Incident Readiness and Strategy for Cybersecurity (NISC), Japan’s Cybersecurity Strategy 2021 (overview) (Tokyo: NISC, September 28, 2021), 8.

▲ Figure 3: Mapping of Cybersecurity-Related Government Agencies in Japan and the United States. Source: Author’s analysis.

Current State

• Defense

As highlighted in the NSS of Japan, Japan’s national cyber defense is undergoing a significant transformation. To date, the scope of JSDF defenses has been limited primarily to MOD and JSDF network systems, but the strategy will expand this to include critical infrastructure. Japan’s ACD, a key focus of the strategy, also includes relatively offensive-leaning cyber operations, such as “to penetrate and neutralize attacker’s servers.” While the strategy is still in the process of implementation, it is anticipated that JSDF, NPA, or equivalent organizations will play a key role in conducting such operations. To enable the government to fulfill this role, it is essential to expand and strengthen the government’s cyber staff. JSDF has already initiated this process in advance of the strategy. As of the end of FY 2022, the number of cyber professionals was approximately 890. The goal is to increase this number to 4,000 by the end of FY 2027. In addition, the number of operators for cyber-related systems in the Ground, Maritime, and Air Self-Defense Forces is planned to be expanded to 20,000. To support this plan, the educational system of the JSDF is being enhanced, including through the reorganization of Japan’s Ground Self-Defense Force (JGSDF) Signal School into the System & Signal/Cyber School with a new cyber department, introduction of a cyber course at the JGSDF High Technical School, and establishment of a cyber specialized department at the National Defense Academy. Additionally, a new system for hiring private-sector professionals for a limited period has been implemented. Furthermore, Japan has been engaged in the activities of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) since 2019 and has participated in the cyber defense exercises (Locked Shields) hosted by the CCDCOE. Japan is expanding its international cooperation in cyber defense operations.

• Intelligence

The Cabinet Intelligence and Research Office (CIRO) is an intelligence agency directly under the Prime Minister’s Office responsible for collecting, consolidating, and analyzing information on important cabinet policies. The government intelligence community includes the CIRO, MOD, NPA, MOFA, and the Public Security Intelligence Agency, which work closely together in intelligence collection and analysis.

Japan operates a security clearance system based on the Specially Designated Secrets Act, which designates the four fields (defense, diplomacy, reconnaissance, and terrorism) as classified national security information. The current system has subjected primarily government officials and a smaller number of private-sector employees engaged in defense fields to eligibility screening. A new security clearance legislation, passed in May 2024, significantly expands the scope of the existing system. The new system will expand the scope of information to be protected to a wider range of economic security information, including cybersecurity. It will also greatly expand the scope of eligibility screening to the private sector. The government is currently developing detailed operational rules for implementation in 2025. The new system will also have a significant impact on the cybersecurity field, further promoting classified information sharing with like-minded countries and stricter management of it.

• Law Enforcement

In April 2022, NPA established the Cyber Affairs Bureau to streamline and reinforce cybersecurity roles and responsibilities distributed across various sections within the organization. The new bureau is responsible for developing and implementing cyber policies within NPA in a centralized manner. In addition, the National Cyber Unit was established as a centralized national investigative agency to address cyber cases that have a significant impact, are highly technical, and involve international criminal groups. It also serves as a central point of contact for international law enforcement agencies. In line with these developments, the number of public attributions has been increasing in recent years. These are conducted solely by Japan and in cooperation with like-minded countries, including the United States. Furthermore, Japan has conducted disruptive operations against cybercrime infrastructure in coordination with international law enforcement agencies, including the United States. NPA played an important role in providing technical expertise in the international coordinated operation against LockBit, one of the world’s largest ransomware groups, in February 2024. It developed and provided ransomware decryption tools, which were used by over 6 million victims.

Furthermore, the Japan Cybercrime Control Center (JC3), a nonprofit PPP, facilitates the sharing and analysis of threat and crime information among industry, academia, and law enforcement entities to identify and reduce risks related to cybercrime. In addition to NPA, major companies across sectors participate in the center and collaborate closely under confidentiality agreements. The organization also collaborates with the National Cyber-Forensics and Training Alliance of the United States.

• Diplomacy

MOFA’s approach to cyber diplomacy is based on three pillars: the promotion of the rule of law in cyberspace, the promotion of confidence-building measures, and capacity-building support. Japan, along with the United States and other like-minded countries, takes the position that conventional international law applies in cyberspace. It is actively engaged in international discussions through participation in government expert meetings at the United Nations, among other venues. Additionally, as the first Asian member of the Convention on Cybercrime, Japan is actively engaged in discussions to expand the number of signatory countries to this convention.

The Japanese government has been conducting intergovernmental cyber dialogues with countries and regions, including the United States, the United Kingdom, the European Union, and ASEAN. On capacity building, MOFA has coordinated initiatives to provide cooperation and support in a number of key areas, including awareness-raising, critical infrastructure protection, incident response, and cybercrime countermeasures, with a particular focus on ASEAN. Furthermore, MOFA has long had the post of ambassador for cyber policy, which oversees consultations with foreign governments and the government-wide cyber foreign policy. For further information on existing Japan-U.S. cooperation in this area, please refer to Chapter 3.

• Government System Protection

NISC, which leads the defense of government agencies, includes the Government Security Operation Coordination (GSOC) team. GSOC centrally monitors information collected from sensors installed in each agency 24/7. It also collects and analyzes data on cyberattacks and threats and shares that information with agencies to help improve the government’s overall response capabilities.

The government has established the Common Standards for Cybersecurity Measures for Government Agencies and Related Agencies as a common framework to enhance the cybersecurity posture of government agencies. The standards are reviewed regularly, with the latest version released in July 2023. The document specifies a common baseline that all agencies must meet and additional optional measures to ensure a higher level of security. This allows risk-based measures to be implemented continuously in accordance with each agency’s specific situation. The latest version includes a new requirement for government contractors to implement measures in accordance with NIST SP 800-171 for managing cybersecurity risk in the supply chain.

While each agency has had a CISO for many years, starting in FY 2016, a deputy director general for cybersecurity and information technology has been assigned to each organization as a full-time position to assist the CISO. The agencies are coordinated with one another through interagency CISO meetings.

• Critical Infrastructure Protection

There are similarities in the organizational framework for critical infrastructure protection in Japan and the United States. The basic policy and framework are defined in the Cybersecurity Policy for Critical Infrastructure Protection (CPCIP), which is approved by the Cybersecurity Strategy Headquarters and published by NISC. The initial version was released in 2005, and subsequent regular updates have led to the most recent edition, released in March 2024. The latest version added the ports and harbors industry as a new 15th critical infrastructure sector in response to the cyberattack on the Port of Nagoya in 2023. NISC, as the national coordinator, is responsible for critical infrastructure cybersecurity and resilience across the nation. In line with the NSS of Japan, NISC plans to double its staff in FY 2024, strengthening its structure in preparation for future restructuring into a new national cybersecurity agency. Five government agencies have been designated responsible organizations for overseeing respective industries and managing and mitigating risks specific to their sectors.

In Japan, as in other countries, the majority of critical infrastructure is owned and operated by the private sector. It is, therefore, essential to foster PPPs to enhance the nation’s collective cyber defense capabilities. In general, critical infrastructure owners and operators share information directly with the agencies responsible for the sector as well as with NISC. There is also an organization called Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR), which represents each sector and subsector. Major sectors, such as ICT, finance, power, and transportation, have ISACs in place to facilitate technical and operational cooperation within their respective sector. NISC leads an annual cross-sector exercise program to enhance collective response capabilities across sectors. Most recently, in April 2019, the Cybersecurity Council was established with the cross-sector participation of government agencies and selected private companies related to critical infrastructure and cybersecurity. The objective of this council is to facilitate rapid information sharing and analysis between the public and private sectors.

In May 2024, a new regulation was initiated based on the Economic Security Promotion Act. This requires the government to conduct a prior review of the installation and outsourced operation of critical facilities of designated essential infrastructure owners and operators. The objective is to ensure the safety and reliability of critical infrastructure services against threats posed by foreign adversaries. Currently, there is no law similar to CIRCIA mandating incident reporting across all sectors. However, the potential advantages of implementing such a measure are being discussed at a panel of experts hosted by the Japanese government. In addition, sector-specific reporting requirements are currently in place as regulations and other means. Further details on critical infrastructure protection can be found in Chapter 4.

• SMBs’ Protection

Cybersecurity for SMBs is a major concern in Japan as well. METI and IPA have been leading initiatives in this area. IPA has established a website to provide SMBs with a centralized access point for resources, tools, and services of information security. In addition, it has published guidelines for SMBs, outlining the actions that both senior management and operational managers should take from their respective perspectives. It also introduced a comprehensive support package for SMBs at a low cost, offering a range of services, including consultation, anomaly monitoring, emergency response support, cyber insurance, and more. In addition, a self-declaration program has been implemented, enabling organizations to self-declare their cybersecurity actions taken according to their maturity level. This is also used as a prerequisite for applying for the government’s IT subsidy program.

Furthermore, in November 2020, the Supply-Chain Cybersecurity Consortium (SC3) was established as an industry-led initiative to promote cybersecurity measures for the entire supply chain, including SMBs, with the industry stakeholders working together. Cybersecurity for SMBs is a key area of focus discussed in a working group of the consortium.

• Consumers and the General Public

NISC is leading awareness-raising initiatives in cooperation with other government agencies. Since 2010, February has been designated as Cybersecurity Month, with the objective of promoting public awareness and understanding of cybersecurity. NISC has created a dedicated website for public awareness, which provides a centralized set of resources. These include a handbook for safe and secure use of the internet, FAQs on cybersecurity-related laws and regulations, and educational video content.

• Technologies, Products, and Services

Japan has a long history of implementing robust IoT security measures. In 2019, the government-led NOTICE project, which scans IoT devices connected to the internet in Japan to identify vulnerable devices and report them to users for remediation, launched in cooperation with the private sector. In addition, in 2020, the technical standard for devices connected to the internet was revised to mandate minimum security requirements for devices. Security measures are being implemented for both devices before introduction to the market and those already deployed. Most recently, METI has led discussions to introduce an IoT-labeling scheme similar to that in the United States. The program is expected to be partially launched during FY 2024. A working group will be established between the governments of the United States and Japan to develop an action plan for the mutual recognition of schemes.

Secure by design and secure by default is also a key theme in Japan. The Japanese government is a cosignatory to the joint guidance on secure by design issued in October 2023 by international partners, including CISA. In the area of SBOM, METI has developed guidance on SBOM implementation based on the results of a multiyear testing project. MIC is also studying the use of SBOM in the communications sector, conducting a pilot project to install SBOM in selected facilities of communications carriers to evaluate its effectiveness and identify any issues that may arise.

Regarding AI, the Hiroshima AI Process, a Group of Seven (G7)-led initiative to develop international rules for the use of AI, was launched at the G7 Hiroshima Summit in May 2023. Japan, as the chairing country, led the discussion. In December 2023, the Hiroshima AI Process Comprehensive Policy Framework, Hiroshima Process International Guiding Principles for All AI Actors, and Hiroshima Process International Code of Conduct for Organizations Developing Advanced AI Systems were developed as deliverables of the Hiroshima AI Process. Within the government, there is a growing focus on the use of AI with safety and security. In February 2024, the Japan AI Safety Institute (AISI) was established. In April 2024, the AI Guidelines for Business was published, consolidating AI-related guidance previously dispersed across multiple agencies. The Japan AISI and NIST have completed a mapping of the AI Guidelines for Business and the NIST AI Risk Management Framework to ensure consistency with international discussions and to promote interoperability of AI policy frameworks between the United States and Japan.

• Workforce

The 2021 national Cybersecurity Strategy highlights the need for a more robust cybersecurity workforce in terms of both quality and quantity through cooperation between the public and private sectors. This is one of the cross-cutting measures in the strategy to secure and train human resources. Cybersecurity-related agencies are implementing specific measures. For instance, MIC/NICT has operated the National Cyber Training Center since 2017. The center offers a range of training programs, including hands-on practical exercises for government agencies, local governments, and critical infrastructure owners and operators, as well as technical R&D programs to train young people and practical defense exercises intended for national events such as the Olympics and World Expo. In 2017, METI and IPA established the Industrial Cyber Security Center of Excellence, which offers a one-year program to train IT and operational technology professionals with technology, management, and business perspectives. The lecturers are world-leading experts in control system security.

Regarding industry-led initiatives, a cross-industry cybersecurity study group has been active since 2015, with participation from companies in the critical infrastructure sectors. It has been engaged in discussions on how to strengthen the human resources ecosystem through collaboration between industry, academia, and government. The group has developed a reference defining human resources that aligns with NIST SP800-181, while taking into account the organizational structure and business practices of Japanese companies.

Current Status of Japan-U.S. Cooperation

Japan as a Trusted Partner

The United States is an important ally of Japan, and both countries have had a long-standing alliance built on mutual trust and cooperation for many years. While the alliance covers a wide range of areas, including national and economic security, many of today’s cooperative activities rely on cyberspace as their foundation. For instance, the digital infrastructure that serves as the foundation for intelligence and information sharing; Japan’s critical infrastructure, which U.S. military bases in Japan depend on; the supply chain that broadly covers both countries, including the defense industry; and the international business environment are all closely related to cyberspace. It is, therefore, essential to ensure the security and resilience of cyberspace if the two countries are to facilitate effective cooperation.

The recent rise in geopolitical tensions in the Indo-Pacific region and the increasing cyber threats posed by state-sponsored actors make Japan’s position in cybersecurity increasingly important. It is also important to note that a robust cybersecurity partnership between the United States and Japan, like-minded countries that share the common values of the Free and Open Indo-Pacific, serves as deterrence against these foreign adversaries.

The recent rise in geopolitical tensions in the Indo-Pacific region and the increasing cyber threats posed by state-sponsored actors make Japan’s position in cybersecurity increasingly important.

There are multiple public reports that assess Japan’s national cybersecurity capabilities, and each has a different methodology for its assessment. It is, therefore, important to have an in-depth understanding of the assessment methodologies when citing these reports. The author views Japan’s national cybersecurity capabilities as being on par with those of other like-minded countries. For example, the National Cyber Power Index 2022 assesses countries based on a range of indicators, including malicious activities such as external destructive attacks, reconnaissance, and financial crimes. Japan, with a low score in such indicators, is ranked 16th among all 30 countries. The report’s overall evaluation is based on two major elements: the cyber capabilities of a nation and its intentions to exercise those capabilities, including misuse. Japan is categorized as a nation with high capabilities and low intentions. In particular, Japan’s capabilities in the area of commercial cybersecurity technology and R&D, which is one of the evaluation indicators, are rated highly. Similarly, in Cyber Capabilities and National Power, Japan is not ranked in the top category, but it is still evaluated as “a world leader in cyberspace technologies.” This indicates that cybersecurity technology and capabilities in the private sector are highly regarded. A security firm’s survey found that only 32 percent of organizations in Japan paid a ransom in 2023 after being infected with ransomware. The average rate across 15 countries, including the United States and Japan, was 54 percent, with the United States at 77 percent. The report indicates that Japan’s relatively low rate may be due to the nature of Japan as a disaster-prone country and the implementation of advanced backup measures to mitigate such risks. This could be another example of the advanced technological capabilities of Japanese companies, with their thorough preparedness in normal times and ability to quickly respond to and recover from incidents.

Furthermore, Japan has achieved remarkable success in cyber operations, with no significant incidents during national events that can often be attractive targets for global attackers. These include the Tokyo 2020 Summer Olympics and Paralympic Games, the 2019 Rugby World Cup, the 2019 G20 Summit, and the 2023 G7 Summit. In particular, more than 450 million attack events were observed during the Tokyo 2020 Summer Olympics, which was more than twice the number observed during the London 2012 Summer Olympics, but through the implementation of appropriate measures, the games were able to conclude without any major incidents. This success was made possible by the significant contribution of Japanese companies with advanced technological capabilities as well as the close PPPs. Furthermore, in January 2023, NTT, a major Japanese telecommunications operator, became the first Asian member of JCDC in the United States. This could be further evidence of the high level of capability and international credibility of Japanese companies.

The NSS of Japan demonstrates the government’s strong intention to fundamentally enhance national cybersecurity capabilities with sufficient authorities and resources. This is not only a strategic goal for Japan but also a strong commitment to the international community, especially like-minded countries. The implementation of this strategy is expected to facilitate robust and operational public-private bidirectional cooperation by further enhancing government capabilities and deepening the engagement of the private sector for national cybersecurity. This nationwide evolution will significantly enhance Japan-U.S. cybersecurity cooperation.

Existing Framework

Cybersecurity has been identified as a key area of cooperation for the Japan-U.S. alliance. At the summit level, cybersecurity cooperation is regarded as a foundation for expanding and deepening security and defense cooperation. The joint statement issued in April 2024 highlighted the two countries’ commitment to strengthening cooperation in the areas of information and cybersecurity, as well as critical infrastructure protection. The U.S.-Japan Competitiveness and Resilience (CoRe) Partnership, a collaborative framework between the two countries agreed at the Japan-U.S. Summit in April 2021, identifies cybersecurity and critical infrastructure resilience as key areas of cooperation, along with the digital economy and economic security. Similarly, at the Japan-U.S. Security Consultative Committee (“2+2”) held in July 2024, the two countries reaffirmed “the foundational importance of cyber and information security for the Alliance,” as well as “the importance of enhancing the cybersecurity of critical infrastructure.”

There are several government-wide bilateral dialogue frameworks in place. The Japan-U.S. Cyber Dialogue has been in place since 2013, with Japan’s MOFA and the U.S. DOS leading discussions on a wide range of topics, including situational awareness, cyber policy, cooperation in international fora, and capacity building. These discussions are attended by representatives from multiple government agencies with cybersecurity responsibilities from both countries. The U.S.-Japan Dialogue on the Digital Economy, formerly the U.S.-Japan Policy Cooperation Dialogue on the Internet Economy, has been held on a regular basis since 2010. The dialogue addresses a wide range of policy issues related to the digital economy, including cybersecurity. The dialogue, led by MIC and the DOS, is composed of two parts: an intergovernmental meeting and a public-private meeting. This meeting is also designed to serve as a framework to promote the CoRe Partnership. Furthermore, the U.S.-Japan Cyber Defense Policy Working Group, an intergovernmental cyber dialogue focused on defense policy, has been held since 2014 between MOD and the DOD. Other interagency dialogues and cooperative efforts are also underway, such as the memorandum of cooperation on cybersecurity signed between DHS and METI in January 2023.

Regarding the multilateral framework, the Quad has established a cooperation agenda in cybersecurity, focusing on four key areas: critical infrastructure cybersecurity, supply chain risk management, software security, and human resource development and training. This is known as the Quad Cybersecurity Partnership: Joint Principles. The topics have been regularly discussed among senior government cyber officials through the Quad Senior Cyber Group. At the Quad Foreign Ministers’ Meeting held in Tokyo in July 2024, the four member countries announced the establishment of the Quad Cyber Ambassadors Meeting to discuss the cyber capacity-building projects in the Indo-Pacific region and responsible state behavior in cyberspace. Furthermore, the United States, Japan, and South Korea have been working together through the Trilateral Diplomacy Working Group for Foreign Ministry Cooperation on North Korea’s Cyber Threats since December 2023. The NCS of the United States also emphasizes the importance of international cooperation, leveraging frameworks such as the Quad and the Indo-Pacific Economic Framework for Prosperity. At the G7, it has been confirmed that the seven countries should pursue four key approaches through the Cyber Working Group: (1) “promoting responsible state behavior,” (2) “improving cybersecurity, including in the private sector,” (3) “developing and using tools to deter and respond to malicious (state) behavior” and disrupt the attacker’s infrastructure, and (4) “strengthening our partners’ cyber security capacity.” The group has also agreed to work on countering ransomware, developing critical infrastructure cybersecurity and resilience, mutual recognition of schemes for secure IoT devices, and secure by design. At the United Nations, both the United States and Japan have taken the position that existing international law applies to cyberspace and have engaged in discussions to reinforce cyber norms of responsible state behavior. In recent years, following Japan’s official membership in the NATO CCDCOE, there has been an increase in the level of cooperation between the United States and Japan in multilateral cyber exercises. At the NATO Summit in Washington, D.C., in July 2024, NATO and its Indo-Pacific partner countries, including Japan, confirmed their intention to enhance practical cooperation in four key areas, including cyber defense. In the White House-led CRI, Japan, as an original member, has also contributed to international initiatives to counter ransomware.

With regard to cooperation in industry, for example, ICT-ISAC Japan and Communications ISAC/IT-ISAC in the United States have been cooperating since 2016. The ISAC members have been exchanging threat information and best practices, as well as discussing operational collaboration, through regularly scheduled workshops. In 2019, a memorandum of cooperation was also signed between ICT-ISAC Japan and IT-ISAC to further strengthen cooperation. Furthermore, other collaborative efforts between ISACs in both countries are in place in key sectors such as finance and electricity.

While there are several policy cooperation initiatives between Japan and the United States at various levels and entities, there is still room for improvement in the actual implementation of these items. In recent years, there has been an increase in practical cooperation between both governments, including the release of joint guidance and advisories, law enforcement coordination, and capacity-building support in third countries. While this is a positive development, the number of such efforts would not necessarily be as large as that of the various cooperation agendas described above. There is still much to be done. To achieve deeper collaboration between the two countries, it is essential to operationalize and accelerate these agendas with greater involvement of the private sector.

To achieve deeper collaboration between the two countries, it is essential to operationalize and accelerate these agendas with greater involvement of the private sector.

Cooperation on Critical Infrastructure Cybersecurity and Resilience

Global Challenges

This and subsequent chapters shift the focus of discussions to critical infrastructure cybersecurity and resilience, which is one of the priority areas for Japan-U.S. cooperation. In light of the growing threats to critical infrastructure, it has become increasingly important for nations to ensure the cybersecurity and resilience of critical infrastructure, which people and nations rely on every day. This is a universal challenge for governments worldwide, requiring cooperation with a wide range of domestic and international stakeholders.

The majority of infrastructure is owned and operated by private companies, and they are primarily responsible for protecting their own organizations. At the same time, the government plays a key role in empowering them through various means, including its own intelligence, law enforcement authorities, international coordination, policy tools (e.g., grants, incentives), and regulations, as infrastructure cybersecurity is a matter of national defense. Private companies also cooperate with the government in providing technical and operational expertise with their unique threat and risk information, as well as cybersecurity products and services. This is a shared responsibility among a diverse range of stakeholders.

Furthermore, international cooperation is also essential, given the global nature of cyberspace. The fundamental principle is, of course, that nations should cooperate to reinforce international cyber norms of responsible state behavior. However, in practice, this approach alone cannot address all issues. There are a number of other considerations that leave room for international cooperation, including infrastructure interdependencies, global supply chains, regulatory harmonization, and the resilience of like-minded countries as a whole. These are still developing areas of discussion. No country is yet perfect, and all are still developing through a process of trial and error. Given the global nature of these challenges, it is imperative that countries work together to address them.

Opportunity for Japan-U.S. Alliance

As previously stated, the Japan-U.S. alliance is founded on cyberspace, with critical infrastructure being a central element of this. For instance, there are interdependencies in critical infrastructure between the two countries. The failure of essential national functions, such as power, communications, and transportation, directly impacts information and intelligence sharing between the two countries, as well as the transportation of goods and personnel for defense. In addition, globally interconnected infrastructures such as the internet can rapidly propagate the effects of a failure in one country to others. Both countries have world-class internet service providers (ISPs), which account for approximately half of the world’s Tier 1 carriers. These companies have a significant impact on the global network infrastructure.

Today, the United States and Japan are facing a common significant threat to their critical infrastructure. In January 2024, the heads of ONCD, CISA, the FBI, and USCYBERCOM testified at a hearing of the House Select Committee on the Chinese Communist Party, warning of the threat posed by suspected Chinese-sponsored actors known as Volt Typhoon. The group has been targeting U.S. critical infrastructure, with a particular focus on the nation’s essential sectors, including communications, energy, transportation, and water. This is being done through tactics known as “living off the land,” where the attacker gains access to infrastructure and remains undetected for an extended period of time to pre-position itself to immediately trigger a destructive action in the event of an emergency. This is not only a threat to the United States but also to Japan, a U.S. ally in the Indo-Pacific region. This is an extremely deep-rooted problem, with such activities expected to continue for at least five years. Even the United States, which is at the center of the problem, has not yet been able to fully “uncover and eradicate” the threat. In light of this common threat posed by advanced state-sponsored actors, it is imperative that allied countries leverage their respective information and expertise to jointly analyze the threat and risk and develop countermeasures. It is also crucial to ensure that Japan and the United States can collectively respond to such activities in order to maintain the resilience of their alliance as a whole in the event of an attack.

It is also crucial to ensure that Japan and the United States can collectively respond to such activities in order to maintain the resilience of their alliance as a whole in the event of an attack.

Both governments recognize the importance of Japan-U.S. cooperation in the field of critical infrastructure and have made it a high priority on the agendas of the Japan-U.S. Summit, bilateral cyber dialogue, and the Quad. However, both countries’ efforts tend to focus on domestic issues, and concrete and tangible operational collaboration between the two countries is not necessarily sufficient. As previously stated, Japan and the United States have recently been implementing more practical cooperation initiatives, but there is still a need for both countries to further expand these efforts and operationalize them with speed and scale while ensuring greater involvement of critical infrastructure owners and operators in both countries.

Recent Developments

This section outlines frameworks and efforts related to critical infrastructure cybersecurity and resilience in the United States and Japan, with a focus on recent developments.

THE UNITED STATES

• Basic Strategy and Policy

The fundamental policy framework for critical infrastructure protection is based on NSM-22. This memorandum replaced PPD-21 of 2013, making the first update to the framework in 11 years. The document is also intended to formalize the efforts made by the U.S. government during this period. This includes defining the role and responsibilities of CISA as the national coordinator for critical infrastructure protection, which did not exist at the time, as well as defining the role and responsibilities of the SRMAs. This requires SRMAs to conduct sector-specific risk assessments and develop sector-specific risk management plans every two years. CISA/DHS is required to conduct cross-sector risk assessments based on input from the SRMAs and develop a National Infrastructure Risk Management Plan (NIRMP) every two years. It is assumed that the National Infrastructure Protection Plan (NIPP) 2013, developed under PPD-21, will remain effective until the release of NIRMP, which is due by April 2025. NSM-22 also requires the development of minimum cybersecurity and resilience requirements for critical infrastructure and the implementation of these requirements using regulatory and other authorities. In addition, it requires the government to understand critical infrastructure interdependencies, analyze systemic risk, identify systemically important entities (SIEs), and enhance collaboration with the intelligence community, including the timely sharing of declassified information.

In June 2024, DHS released the Strategic Guidance and National Priorities for U.S. Critical Infrastructure Security and Resilience. This guidance aligns with NSM-22 and identifies risk areas that the nation should prioritize over the next two years to build secure and resilient critical infrastructure. The priority areas include addressing cyber threats posed by China, managing the evolving risks presented by AI, and identifying and mitigating supply chain vulnerabilities. The document then outlines the priorities for mitigating those risks, including adopting baseline requirements, incentivizing service providers to reduce risk, and identifying SIEs.

The National Cyber Incident Response Plan (NCIRP) was developed in 2016 as a document outlining a national approach to addressing large-scale cyber incidents. In accordance with the NCS, CISA is currently leading the revision of this plan, which is scheduled for release by the end of 2024. The U.S. critical infrastructure protection effort is in the midst of a major renewal, with anticipated developments over the next year.

• Sectors

NSM-22 defines 16 critical infrastructure sectors and SRMAs for the sectors (Figure 4). While there has been discussion about whether cloud infrastructure, on which all sectors depend, and space systems, which have become more strategic for both commercial and military use, should be added as new sectors, NSM-22 does not change the sector designation of the previous directive. However, NSM-22 requires DHS to develop recommendations for the president regarding the list of critical infrastructure sectors and subsectors, leaving the potential for future designation.

There is a wide range of sector types, from those with strict cybersecurity regulations to those with few such regulations, and the maturity of cybersecurity varies from sector to sector. Even within a sector, there is a large gap in maturity between large and small companies. The government has identified water, healthcare, and K-12 educational institutions as sectors that are particularly vulnerable to attack and under-resourced. It is, therefore, providing support through the provision of sector-specific guidance and shared services. The significant cyber incident at Change Healthcare in February 2024, which reportedly affected the patient records of one in three Americans and had a broad impact on the entire sector, was a clear example of the urgent need to elevate the cybersecurity posture of these sectors. This has led to accelerated discussions on the development of minimum cybersecurity requirements and legislation in the healthcare sector. The Department of Health and Human Services (HHS), as the SRMA, has also published a sector-specific strategy that includes setting sector-specific performance goals, encouraging best practices, and providing financial support and incentives to strengthen sector-wide cybersecurity. The water sector has also been engaged in discussions on developing cybersecurity requirements and regulations in light of the widespread cyberattacks by Iranian-supported actors as well as growing concerns about being a potential target of Volt Typhoon.

▲ Figure 4: Critical Infrastructure Sectors in the United States. Source: Author’s compilation based on “National Security Memorandum on Critical Infrastructure Security and Resilience,” White House, April 30, 2024.

• Structure of Information Sharing and Incident Response

Figure 5 shows the nationwide information-sharing and incident response structure, including both public and private sectors, in relation to critical infrastructure. Please note that this figure is created based on publicly available information, including NCIRP, and has been generalized to provide a comprehensive overview rather than specific details. Therefore, it should be noted that the information provided may not be entirely precise or applicable to all cases.

CISA serves as the national coordinator for critical infrastructure protection. The National Cybersecurity and Communications Integration Center (NCCIC) within CISA serves as the operational center for critical infrastructure protection, coordinating and sharing information on vulnerabilities, incidents, risk mitigations, and others in cooperation with public and private organizations. The National Coordinating Center for Communications (NCC), under the NCCIC, monitors events affecting telecommunications services and infrastructure and leads incident response in cooperation with the United States Computer Emergency Readiness Team (US-CERT)/the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), government agencies, and private operators, mainly in the communications sector. Unlike other ISACs established independently in the private sector, the Communications ISAC is an operational function of NCC. It facilitates information sharing and analysis in the private sector while operating within the government. The Office of the National Coordinator, which serves as a single coordination point for SRMAs, will be established within CISA under the direction of NSM-22. The Cyber Threat Intelligence Integration Center (CTIIC) is operated by ODNI and serves as the central hub for cyber threat intelligence, integrating and analyzing information collected from intelligence communities such as the Central Intelligence Agency and the NSA to support incident response. NCIJTF is hosted by the FBI and serves as the primary coordinating body for law enforcement operations, including cybercriminal investigations and prosecutions. In the event of significant incidents, the Cyber Unified Coordination Group (UCG) is formed to facilitate the coordination of incident response among NCCIC, CTIIC, NCIJTF, and other relevant agencies. The Cyber Response Group, which is organized under the NSC, coordinates the incident response at the policy level. Sector-specific coordination is conducted through SRMAs.

Each sector has a self-organized and self-governed SCC. It comprises critical infrastructure owners and operators, trade associations, and other relevant entities. SCC serves as the primary coordinating body within the sector, facilitating information sharing and the discussions of sector-specific strategies and risks. It also serves as a point of contact for the corresponding GCC and SRMA within the government. Cross-sector cooperation among SCCs is facilitated by the Critical Infrastructure Cross-Sector Council (CICSC). The Critical Infrastructure Partnership Advisory Council (CIPAC) serves as a framework for cross-sector cooperation between the public and private sectors (both SCCs and GCCs). Additionally, ISACs have been established in the private sector as industry-led organizations for day-to-day operational cooperation. There are more than 20 ISACs in the United States. While they are not necessarily mapped with sectors on a one-to-one basis, there is an ISAC that covers each sector, such as the Communications ISAC, Financial Services ISAC (FS-ISAC), Electricity ISAC (E-ISAC), and so on. NCI facilitates cross-sector operational cooperation among ISACs. These ISACs also cooperate with CISA and SRMAs at the operational level. Moreover, several cross-sector initiatives exist, such as JCDC, where major companies and government agencies engage in operational cooperation on specific issues. As outlined above, collaboration between critical infrastructure owners and operators and government agencies is being implemented at various levels, from strategic and planning aspects to operational aspects through various channels, including SCC and ISAC, as well as direct communication with CISA and SRMAs.

▲ Figure 5: Information-Sharing and Incident Response Structure in the United States. Source: Author’s analysis based on U.S. Department of Homeland Security, National Cyber Incident Response Plan (Washington, D.C.: DHS, December 2016).

• Public and Private Initiatives

The United States has a long history of close PPPs in critical infrastructure protection, with a variety of collaborative initiatives currently in place. JCDC, one of the most notable initiatives in recent years, is a cross-sector, operational collaborative framework composed of key government agencies and selected private-sector companies. This enables members to share and analyze unique threat intelligence and information from both the government and the private sector, as well as jointly develop countermeasures in a timely manner. The initiative was launched in 2021 with the participation of approximately 10 companies, primarily in the IT, communications, and cybersecurity industries. The number of participating companies has since expanded to other sectors, and there are now over 300 members, including NTT, a major telecommunications carrier in Japan, as the first member in the Asian region. As indicated in the NCS, one of the current focuses is to enhance the speed and scale of operations. This would need to include cooperation with major foreign companies to address growing global-scale threats posed by state-sponsored actors. Other sector-based operational cooperation includes the Department of Energy’s Energy Threat Analysis Center, the DOD’s Defense Industrial Base Collaborative Information Sharing Environment, and the NSA’S CCC. The government plans to further strengthen and integrate these individual efforts into a federal cybersecurity center.

Another key initiative is the ICT Supply Chain Risk Management (SCRM) Task Force, which was launched in 2018. It is a PPP program that identifies challenges and develops solutions to enhance the resilience of the global ICT supply chain. The group is primarily composed of private companies in the communications and IT sectors, as well as CISA, and works on specific topics such as AI, SMBs, and software, providing guidance and other deliverables to the public.

• Laws and Regulations

As previously stated, the Biden administration has acknowledged the importance of long-lasting voluntary PPPs. However, it has also recognized that this alone is not sufficient and has taken a major step in strengthening laws, regulations, and requirements for critical infrastructure.

CIRCIA is one of the examples that highlights this approach. This is the first cross-sector legislation requiring critical infrastructure owners and operators to report significant cyber incidents to the government within 72 hours and ransomware payments within 24 hours. The Notice of Proposed Rule Making was released in April 2024, and the final rule is expected to take effect in 2025. In addition, the White House is currently leading a review and reinforcement of sector-specific cybersecurity requirements as part of existing regulations. The pipeline, rail, and airline industries have made notable progress in recent years in enhancing and refining their cybersecurity requirements, overseen by the Transportation Security Administration. Furthermore, in February 2024, an EO was issued to reinforce cybersecurity in the ports industry, with requirements currently under development. In the healthcare sector, the NDAA of FY 2023 included enhanced security requirements for medical devices, and further requirements and regulations for organizations are also under discussion. In the communications sector, FCC is exploring the potential use of its existing regulatory authority over communications carriers to establish and expand cybersecurity rules. Congress is also considering a legislative approach for certain sectors, such as the water sector, where regulators have limited authority to build additional cybersecurity requirements on existing regulations. The variation from highly regulated to largely unregulated sectors is a significant concern, and the NCS and NSM-22 have emphasized the need to develop common baseline requirements for entire sectors. Moreover, as a broader regulation beyond critical infrastructure, SEC’s updated rule of December 2023 requires listed companies to disclose material incidents within four business days and to annually disclose the cybersecurity posture of their organizations. As previously stated, there are a number of regulations across sectors, and some of these are said to be duplicative and inefficient, leading to unnecessary burdens for companies. ONCD is now taking the lead in studying ways to harmonize these regulations.

• Other Policy Approaches

There are several ways to encourage companies to meet cybersecurity requirements, including not only regulations but also various policy approaches, such as the use of government procurement power and grants. This is a strategic objective included in pillar 3 of the NCS, as well as a policy objective incorporated into NSM-22. For instance, while not necessarily limited to critical infrastructure, the proposed revisions to the Federal Acquisition Regulation include relatively strong requirements for federal contractors to report cyber incidents within eight hours, provide SBOM information for systems involved in contracted services, and allow government agencies access to their network systems in the event of an incident. For cloud services, the Federal Risk and Authorization Management Program (FedRAMP) is in operation as a federal procurement requirement. This requires cloud providers to comply with cybersecurity requirements based on NIST SP 800-53 and obtain certification. In the defense industry, the Cybersecurity Maturity Model Certification 2.0 is being developed to certify the cybersecurity maturity of contractors based on NIST SP 800-171. Moreover, it has become more common in recent years for certain cybersecurity requirements to be incorporated into the application process for federal grant programs.

• Voluntary Framework and Guidance

Government agencies frequently publish cybersecurity frameworks, guidance, best practices, and other resources, with NIST playing a central role. The NIST Cybersecurity Framework (CSF) would be the most central document of them all. The CSF 1.0 was initially developed in 2013 for critical infrastructure, and the CSF 2.0, the latest version, was released in February 2024. The CSF has been widely adopted internationally as a common framework that can be used by a wide variety of organizations, regardless of size or industry. The CSF 2.0 is a voluntary, risk-based, and global consensus-based framework that was developed through a two-year revision process, incorporating stakeholders’ comments and feedback. Japanese companies have been actively involved in the revision process, providing comments, participating in workshops, and engaging in individual discussions. In addition, the framework concept has recently gained recognition even in the regulatory environment. In regulatory discussions, there is a clear need for a risk-based approach rather than prescriptive checklist-based requirements. There is also a need for a common framework that all industries can rely on to help avoid duplicative requirements, as well as a common language that facilitates communication with stakeholders at all levels. The CSFs are increasingly being brought up as a potential solution to the needs. Furthermore, CISA has developed voluntary Cross-Sector Cybersecurity Performance Goals (CPGs), which are based on the CSF and summarize the minimum practices that should be implemented by critical infrastructure owners and operators in all sectors. Moreover, sector-specific goals are being developed based on these CPGs under the leadership of CISA and SRMAs.

CISA and SRMAs provide sector-specific guidance and best practices, such as for the water and healthcare sectors. CISA, NIST, ICT SCRM Task Force, and other entities also provide resources to support SMBs that lack the resources to implement cybersecurity measures. In addition, industry-led guidance is also being developed in each sector. For instance, the Cyber Risk Institute in the financial sector provides resources to assist financial organizations in implementing risk management aligned with the CSF, which takes into account sector-specific risk and regulatory environments.

In addition, technical and operational advisories and guidance, including those for significant threats such as severe vulnerabilities and large-scale attacks by state-sponsored actors, are being published by major government agencies such as CISA, the FBI, and the NSA, in cooperation with international partners. The partners are primarily Five Eyes countries, with some EU countries, but there have been cases where the United States and Japan have collaborated on the release of advisories, such as the joint advisory on BlackTech in September 2023.

• Plan and Preparedness

As part of the NIPP, a Sector-Specific Plan is developed in each sector, which outlines the sector-specific environment and risks, along with goals and priorities for addressing those risks. Going forward, SRMAs will conduct sector-specific risk assessments in accordance with NSM-22 guidance. The assessments will identify major risks within a sector, taking into account any interdependencies with other sectors. The Sector Specific Risk Management Plan will be updated based on the assessment every two years. CISA will also conduct a cross-sector risk assessment based on each sector’s risk assessment and input from the intelligence community and identify cross-sector critical risks. The NIRMP will then be developed every two years based on the work completed. These plans will serve as the foundation for risk management across the entire critical infrastructure.

In an advanced effort, the National Risk Management Center (NRMC) under CISA has developed the National Critical Functions (NCFs), which analyze critical infrastructure in terms of functions essential to national operations rather than sectors or companies. The NCFs have a set of 55 functions in four categories: “connect,” “distribute,” “manage,” and “supply.” The NCFs are designed to assist CISA in examining interdependencies and systemic risk among critical infrastructure entities as functions. The NCF Risk Architecture is being developed under the leadership of NRMC to structure dependencies between sub-functions, systems, and assets and components by decomposing the NCFs. The results will be used for more advanced risk analysis, such as identifying the critical elements and entities on which the NCFs depend. The initial set of NCFs was released in 2019, but subsequent studies, such as the development of the NCF Risk Architecture, have taken time due to the complexity of the task. The NCFs can be utilized as a tool for advanced risk analysis of critical infrastructure. However, at this point, there is still a need to increase awareness of NCFs among stakeholders and ensure that they are being fully utilized in actual operations. Another related concept is the one proposed by the CSC, which is to identify and support systemically important entities among a wide range of critical infrastructure owners and operators in exchange for higher-security requirements. Although several attempts to legislate this idea have failed, the administration is currently pursuing the work to identify and prioritize these entities as SIEs. This effort is also formalized in NSM-22. While the list will not be publicly available, it is expected to be used for a variety of purposes, including national incident response, prioritization of government efforts, and consideration of the applicability of regulatory requirements.

Regarding national-level cyber exercises, the Cyber Storm initiative, hosted by CISA, has been conducted every other year since 2006. This cross-sector, public-private, operational-based functional exercise brings together over 2,000 participants, including federal agencies, local governments, multi-sectoral critical infrastructure owners and operators, ISACs, and international partners. The exercise simulates responses to significant cyber incident scenarios in critical infrastructure. While this exercise is primarily for public and private-sector participants in the United States, Japan participates in the information-sharing and incident response coordination exercise as a member of the International Watch and Warning Network with like-minded countries. Another industry-led initiative is the tri-sector exercise, which brings together owners and operators in the financial, power, and communications sectors. Participants are divided into attack and defense teams. Previously, the lessons learned from the exercise were shared with the government after the event, but government officials have directly participated in the exercise since the third event held in March 2024.

• Technologies, Products, and Services

The critical infrastructure is based on a diverse range of technologies, products, and services. While this paper does not cover all topics in detail, it does briefly address two recent developments of note: AI and internet routing security.

A number of AI-related initiatives are being undertaken in line with EO 14110, which places the safety and security of AI at the forefront of all considerations. One of the key areas of the EO is to manage AI risks in critical infrastructure. A cross-sector and sector-specific risk assessment related to the use of AI in critical infrastructure was conducted, and based on the results, guidelines on AI safety and security for critical infrastructure owners and operators were developed in April 2024. Furthermore, the EO directs federal agencies to utilize these guidelines to consider mandating certain guidance for critical infrastructure. In April 2024, DHS established the AI Safety and Security Board, which brings together AI experts from industry, academia, and government based on the EO’s direction. The board will provide recommendations to DHS and SRMAs on security, resilience, and incident response related to the use of AI in critical infrastructure.

Another area of growing government concern in recent years is internet routing security. The security challenges associated with internet technologies have been well known for many years. However, with the recent increase in threats posed by state-sponsored actors, security issues on Border Gateway Protocol and the potential attacks, such as route hijacking, are now considered part of the national security problem. The NCS has identified this as an area for improvement. Furthermore, FCC is considering implementing regulations that would encourage ISPs to adopt Resource Public Key Infrastructure (RPKI) as a technical measure. ONCD released a roadmap outlining measures for both the public and private sectors to enhance internet routing security. Given the nature of the internet, this issue cannot be resolved by U.S. carriers alone. It is essential to coordinate with a broader range of stakeholders involved in internet routing.

JAPAN

• Basic Strategy and Policy

The basic policy framework for critical infrastructure protection in Japan is based on the CPCIP. The document outlines the designation of critical infrastructure sectors, the roles and responsibilities of government agencies and critical infrastructure owners and operators, and the basic framework for public-private information sharing and incident response. The CPCIP is reviewed every few years to reflect changes in the threat landscape and cyber environment. The latest version was released in March 2024. It puts a strong emphasis on cybersecurity as a business management issue, organizational governance, risk-based management tailored to specific organizations and sectors, and comprehensive measures throughout the supply chain, including critical infrastructure owners and operators.

• Sectors

The CPCIP designates 15 critical infrastructure sectors and government agencies responsible for overseeing sectors (Figure 6). In response to the cyber incident caused by suspected state-sponsored actors in the Port of Nagoya in 2023, the government elevated ports and harbors as the fifteenth sector, previously part of the logistics sector. The sector designation is subject to ongoing review, with the policy document revised in light of the evolving threat landscape. This has resulted in an expansion from the original 10 sectors in 2005 to 13 sectors in 2014, 14 sectors in 2018, and 15 sectors in 2024. There is a discussion about whether cloud infrastructure should be included in the list of sectors due to other sectors’ high degree of dependence on it for a digital infrastructure. While the space system is not currently included in the sector, due to its importance, discussions on space cybersecurity are ongoing, led by METI, including the release of voluntary guidelines to encourage commercial space operators to take measures.

In Japan, as in the United States, cybersecurity requirements and regulations for critical infrastructure vary by sector, and there are variations in maturity levels across sectors and among companies of different sizes within the same sector. For example, ransomware attacks on healthcare organizations have been a particular challenge in recent years.

Figure 7 provides the mapping of the critical infrastructure sectors in the United States and Japan. Note, however, that this is a simplified overview and that the industries and services included in the sectors in the two countries may not be identical or perfectly aligned.

▲ Figure 6: Critical Infrastructure Sectors in Japan. Source: Author’s compilation based on National Center of Incident Readiness and Strategy for Cybersecurity (NISC), The Cybersecurity Policy for Critical Infrastructure Protection (Tokyo: Cybersecurity Strategic Headquarters, Government of Japan, March 8, 2024), 55.

▲ Figure 7: Mapping of Critical Infrastructure Sectors in Japan and the United States. Source: Author’s analysis.

• Structure of Information Sharing and Incident Response

Figure 8 shows the nationwide information-sharing and incident response structure, including both public and private sectors, in relation to critical infrastructure. Please note that this figure is created based on publicly available sources, including CPCIP, and has been generalized to provide a comprehensive overview rather than specific details. Therefore, it should be noted that the information provided may not be entirely precise or applicable to all cases.

NISC is the national coordinator for critical infrastructure protection, acting as a counterpart to CISA. NISC serves as a government Computer Security Incident Response Team (CSIRT) as well as the national CSIRT, which is operated jointly with the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) that coordinates with the private sector. NISC leads the coordination and sharing of information on vulnerabilities, incidents, and risk mitigation in cooperation with private-sector and government agencies, including NPA, MOD, MOFA, MIC, METI, Digital Agency, and agencies responsible for sector risk management, crisis management, and disaster prevention. Sector-specific coordination is conducted through relevant agencies, which is similar to SRMAs in the United States. NISC is more focused on coordination, and the substantive measures are being developed and implemented primarily by agencies responsible for cybersecurity and critical infrastructure protection.

Each sector and subsector has an organization called CEPTOAR, which comprises critical infrastructure owners and operators and trade associations (e.g., general incorporated associations) as a point of contact for NISC. The CEPTOAR Council is a cross-sector council comprising representatives of CEPTOAR in each sector. In Japan, as in the United States, ISACs exist as industry-led organizations for day-to-day operational cooperation. In contrast to the United States, ISACs in Japan are not necessarily established in all sectors, but there are ISACs in major sectors such as ICT, finance, power, and transportation. The ICT-ISAC Japan, previously known as the Telecom-ISAC Japan, is the oldest ISAC in Japan, established in 2002. Additionally, there are ISACs that focus on specific industries, including software, automotive, and trade. In recent years, there has been a growing movement to establish new ISACs in other sectors, including the medical sector. While there is no formal organization like NCI in the United States, regular inter-ISAC meetings are held to facilitate cooperation among ISACs to address cross-sector issues.

Furthermore, there are several initiatives, such as the Cybersecurity Council, where selected major companies and government agencies gather across sectors to share information, conduct analysis, and develop countermeasures. The collaboration between critical infrastructure owners and operators and government agencies, which is similar to that in the United States in terms of organizational structure, is conducted through various channels, including ISAC, as well as direct communications with NISC and agencies responsible for the sector.

▲ Figure 8: Information-Sharing and Incident Response Structure in Japan. Source: Author’s analysis based on National Center of Incident Readiness and Strategy for Cybersecurity (NISC), The Cybersecurity Policy for Critical Infrastructure Protection (Tokyo: Cybersecurity Strategic Headquarters, Government of Japan, March 8, 2024), 62–64.

• Public and Private Initiatives

Japan’s approach to critical infrastructure protection is also based on a voluntary PPP, as outlined in the CPCIP. While there have been several information-sharing frameworks, including the Initiative for Cyber Security Information Sharing Partnership of Japan (J-CSIP) and JC3, in 2019, the Cybersecurity Council was established to further strengthen public-private information sharing. The council is composed of three tiers of memberships: Category 1, Category 2, and General. Its objective is to facilitate the sharing and analysis of threat information and the development of countermeasures in a timely manner while establishing nondisclosure agreements within a membership tier. Category 1 members bring predictive, undetermined, or undisclosed threat information under a strong obligation of confidentiality with legal penalties for noncompliance. The members then analyze the information, provide feedback to each other, and develop countermeasures. NISC serves as the secretariat, while JPCERT/CC serves as the operational coordinator. Finally, developed countermeasures are shared with the entire council if there is a high degree of certainty. If this is not the case, only Category 2 members receive the information in advance of the general members under a strong obligation of confidentiality and provide their own feedback, thereby contributing to improving the degree of accuracy of the information. The council started with 91 members and has since grown to over 300.

Another major initiative, SC3, has been in place since 2020, aiming to enhance cybersecurity throughout the supply chain, including critical infrastructure. This is an industry-led consortium comprising private companies of all sizes across various sectors. It is structured around several working groups, each focusing on a specific topic related to supply chain cybersecurity, including SMBs, attack trends and countermeasures, industry-academia-government collaboration, and international collaboration. Furthermore, the Cyber Risk Intelligence Center-Cross Sectors Forum (CRIC CSF), established in 2015, is another industry-led cross-sector initiative comprising companies primarily in the critical infrastructure sector. The forum is focused on specific themes related to cross-sector issues in the industry, including the definition of cybersecurity human resources, cybersecurity as business management, laws and regulations, and cybersecurity in DX. In Japan, there are a number of examples, such as SC3 and CRIC CSF, where private companies in the critical infrastructure sectors have taken the initiative to lead discussions on national-level cybersecurity issues. This would indicate a high degree of industry independence and the maturity of mutual aid. This may be a distinctive feature of Japan, in contrast to Western countries where the government typically plays a more prominent role.

• Laws and Regulations

Currently, Japan does not have a legal requirement for sector-wide incident reporting like CIRCIA in the United States, although the necessity of such a mandate is being discussed. Some sectors have sector-specific regulations in place to maintain critical infrastructure services that require incident reporting to the relevant agencies. For instance, in the case of the information and telecommunications sector, carriers are obliged to report both the physical failure and cyber incident to MIC if the impact exceeds the threshold defined in the Telecommunications Business Act.

Furthermore, the Economic Security Promotion Act introduced a new rule in May 2024 to ensure the safety and reliability of essential infrastructure. The government designates essential infrastructure sectors and operators within these sectors based on specific criteria. Prior to the introduction of designated critical facilities and the outsourcing of their maintenance to third parties, covered operators are required to submit plans to the government for screening. Although there is not a one-to-one correspondence between the 15 essential infrastructure sectors and the 15 critical infrastructure sectors, there is a large overlap between them. Currently, over 200 companies have been designated based on criteria such as service scale, coverage, and number of customers. The plans that covered operators submit must include an outline of the facilities (e.g., function, purpose, and location); information on all contractors, including cascaded subcontractors, involved in the equipment or outsourced maintenance (e.g., country of establishment, nationality of board members, country of manufacture, business relationship with foreign governments); and a risk management plan, including cybersecurity measures. If the government determines that there is a significant risk that the facilities may be used as a means of disruptive attacks by foreign adversaries, it may recommend or order the operators to take necessary preventive measures. The rule is risk-based, with covered operators and facilities limited based on criteria from an economic security standpoint. However, it could have a broad impact on major critical infrastructure owners and operators across sectors.

• Other Policy Approaches

The government is implementing enhanced cybersecurity requirements for both government agencies and contractors. The Common Standards for Cybersecurity Measures for Government Agencies and Related Agencies, issued by NISC, outlines the cybersecurity standards that government agencies must meet. The July 2023 revision reinforced the standards required for contractors based on NIST SP 800-171 to address supply chain risks. In the defense industry, the Acquisition, Technology & Logistics Agency under the DOD introduced a new cybersecurity standard for defense contractors in 2023 that incorporates the requirements of NIST SP 800-171, aligning it with the U.S. standards for the defense industry. Regarding cloud services, the Information system Security Management and Assessment Program (ISMAP), a program similar to the FedRAMP of the United States, has been operational since 2020. Furthermore, government funding programs include cybersecurity requirements, such as IT implementation subsidies, in their application requirements. Additionally, there is discussion on a potential tax incentive program for companies in the defense industry that meet certain cybersecurity requirements.

• Voluntary Framework and Guidance

NISC publishes the guidelines for establishing safety principles for ensuring the cybersecurity of critical infrastructure as a document based on the CPCIP, which outlines common cybersecurity measures required for all sectors. Based on this document, agencies responsible for the sectors and industry develop their own cybersecurity standards and guidelines, taking into account sector-specific features. It is the responsibility of critical infrastructure owners and operators to ensure the cybersecurity of their infrastructure by utilizing these standards and guidelines, or in some cases, complying with them in accordance with relevant regulations. NISC’s guidelines are reviewed on a regular basis, and the latest version, released in July 2023, have focused on strengthening organizational governance and supply chain risk management in cybersecurity as well as clarifying the minimum baseline standards to be implemented and additional ones as recommended options.

Regarding the NIST CSF, IPA has been providing Japanese translations since the initial release. NISC’s guidelines and their supplementary documents also reflect the CSF concept as the basis for the risk-based approach. In addition, the Cybersecurity Management Guidelines for Japanese Enterprise Executives, published by METI, also reflect the basic concepts of the CSF. As previously noted, Japan has been engaged in the CSF revision process, providing comments and participating in workshops. The CSF has been increasingly adopted in Japanese industry, particularly among multinational companies, as a way to ensure consistent and aligned risk management with international stakeholders.

In addition to sector-specific guidance and best practices developed by government agencies and industry associations, METI, IPA, MIC, and others also provide guidance that can be used by a wide range of companies, including critical infrastructure owners and operators across sectors, including those focusing on industrial control systems, cloud infrastructure, corporate management, and SMBs. IPA is also working with NIST and CISA to disseminate key frameworks and guidance from the United States. This includes publishing Japanese translations of CISA’s CPGs and other NIST publications, in addition to the CSF.

With regard to the government’s releases of technical and operational advisories and guidance on critical threats, it is likely that the frequency of release and level of detail would be lower than in the United States, although it is not easy to make comparisons given that not all information is necessarily publicly available. The government is expected to expand its operational staff in the coming years along with the restructuring of NISC. This will enable the government to release more detailed, actionable guidance with technical and operational aspects in a timelier manner. It is also encouraging to note that the United States and Japan are increasingly issuing advisories in cooperation, as in the case of the joint advisories issued in September 2023 and July 2024.

• Plan and Preparedness

As previously stated, based on the guidelines published by NISC, agencies responsible for the sectors and industry have developed sector-specific standards and guidelines on which organizations implement and maintain their cybersecurity posture. With regard to further study on critical infrastructure protection, the Japanese government is aware of the need to address the increasingly complex interdependencies among infrastructures. The CPCIP indicates that the Cabinet Secretariat plans to conduct interdependency analysis, which will help it identify systemic risks of infrastructure, including both physical and cyber aspects. The designation of essential infrastructure owners and operators and critical facilities under the new rule based on the Economic Security Promotion Act may have certain similarities with the concept of NCFs and SIEs in terms of identifying especially important entities and functions across sectors.

Regarding national-level cyber exercises, a cross-sector exercise hosted by NISC has been held annually since 2006. This exercise involves over 6,000 participants from critical infrastructure owners and operators, government agencies, and commercial cybersecurity companies across all sectors and verifies the effectiveness of cross-sector incident response processes through tabletop exercises. In addition, sector-specific cyber exercises are conducted by ISACs, such as those in the ICT sector and the electric power sector, as well as by government agencies, such as those in the financial sector.

• Technologies, Products, and Services

While Japan has not received as much policy attention for internet routing security as the United States, the implementation of RPKI, a key technology to address the issue, is progressing. As of September 2024, approximately 48 percent of routes in Japan have been implemented with Route Origin Authorization, a key technical component of RPKI, compared to approximately 40 percent in the United States.

▲ Figure 9: Mapping of Critical Infrastructure Protection Framework between Japan and the United States. Source: Author’s analysis.

With regard to IoT security, Japan has a long history of proactive and advanced efforts focused on protecting its communications infrastructure. As previously stated, since 2019, the country has been implementing the NOTICE project, which extensively scans IoT devices connected to the internet in Japan, identifies devices with weak passwords, and encourages users to correct their settings. This has been made possible by the amendment of the law to authorize NICT to conduct the scan, and ICT-ISAC and over 80 domestic ISPs are cooperating to identify and notify the owners of vulnerable devices. This is a truly nationwide initiative to mitigate botnet risks through public-private cooperation. Additionally, NICT monitors communications flowing into the domestic darknet. By analyzing communications that are presumed to originate from botnet devices, NICT identifies infected IoT devices, followed by the same process as NOTICE. Furthermore, in 2020, the technical standards for IoT devices connected to the internet were revised to require devices to meet minimum cybersecurity requirements, such as prohibiting default passwords and implementing access control functions. METI is also developing a voluntary conformity assessment program for a broader range of IoT devices, with the aim of launching the program during FY 2024. A dialogue has been initiated with the U.S. government to establish mutual recognition with the U.S. labeling scheme.

Japan is at the forefront of the commercial 5G network deployment using the Open Radio Access Network (O-RAN). NTT DOCOMO started the world’s first nationwide deployment of 5G commercial services using O-RAN in 2020. One of the key concerns in the international deployment of secure and reliable 5G networks is the security of O-RAN. In May 2023, a report on O-RAN security was published by a Quad working group. The study found that O-RAN-specific security risks in 5G networks are only 4 percent of the total, and do not fundamentally alter the security environment of wireless communication networks compared to conventional networks. Recently, through the NTIA grant program, testing projects have been conducted by international partners, including operators from Japan, the United States, and India, to evaluate interoperability and security. Furthermore, a joint effort between companies in both countries has been made to conduct interoperability testing using test beds provided by NTT DOCOMO and other companies.

Figure 9 provides a simplified mapping of the critical infrastructure protection frameworks of the United States and Japan. It should be noted that this mapping is intended to provide a comprehensive overview and does not necessarily represent a complete one-to-one relationship in terms of roles and responsibilities, scale, and operational maturities.

Recommendations for Japan-U.S. Cooperation on Critical Infrastructure Cybersecurity and Resilience

Based on the discussions so far, this chapter outlines recommendations for Japan-U.S. cybersecurity cooperation in the areas of critical infrastructure cybersecurity and resilience. The recommendations are divided into two main categories: basic prerequisites for enhancing operational collaboration and specific areas of collaboration based on these prerequisites.

Prerequisites for Operational Collaboration

Obtain a comprehensive overview of national cybersecurity posture in both countries and comparatively map the postures

A comprehensive cybersecurity strategy requires a unified approach across the entire society. As previously discussed, the organizations and functions of national cybersecurity in the United States and Japan are highly decentralized and complex, with multiple stakeholders interacting with each other. All those involved in cybersecurity cooperation between the two countries should first have a comprehensive common understanding of the overall picture, including how cybersecurity is structured and functions in both countries, as well as what is taking place in the nation as a whole. This should be a prerequisite to pursuing specific areas of cooperation. It helps everyone understand how each specific area of cooperation fits into the broader picture and how it relates to other areas and stakeholders. It also facilitates whole-optimal and effective national-level cooperation, avoiding the creation of silos. Then, all stakeholders should have a shared understanding of mapping counterparts in both countries at the respective levels of the public and private sectors and establish the appropriate channels for structured collaboration. Regardless of the form of relationship (e.g., one-to-one, one-to-many, or many-to-many), it is important to eliminate as much duplication as possible in each channel.

In particular, Japan is currently in the process of reinforcing its government cybersecurity posture. This is being done through a review of its organizational structure and authorities, roles, and responsibilities, including the establishment of a new cybersecurity agency and the enhancement of JSDF’s capabilities. In the United States, the government structure and functions have evolved over the past several years, including the establishment of ONCD. Taking these changes as great opportunity, it is worthwhile to undertake a comprehensive review of the relationship between the two countries’ systems at all levels, including the public and private sectors, as well as policies and initiatives. The information presented in this paper would help all stakeholders obtain these aspects and serves as a first step in implementing the following recommendations.

Expand and operationalize the interoperable mechanism for classified and unclassified cyber information sharing

Now that cybersecurity has become a matter of national security, it is becoming increasingly important to establish a secure and efficient mechanism for sharing sensitive or classified cybersecurity information between Japan and the United States. While a framework for sharing classified information between the two countries already exists, it is limited in terms of the types of information protected and the level of classification and has not necessarily been sufficient in the area of cybersecurity. The recently passed security clearance legislation in Japan will greatly expand the scope of the existing system by extending the scope of information to include cybersecurity, the level of classified classification, and the scope of clearance to a broader private sector, which had previously been focused on government officials. This would be a major step forward in the exchange of classified information in the cybersecurity field. The government is currently developing operational standards in preparation for the launch of the system in 2025. This preparation should include ensuring interoperability with like-minded countries, including the United States, as a key area of focus. Looking ahead, it would be beneficial for both governments to engage in specific discussions on how to expand and operationalize the existing interoperable mechanism to cover the cyber domain. While Japan is not necessarily required to join the Five Eyes alliance, it is important to establish a trusted framework with the new clearance system defining procedures and protocols for cyber intelligence sharing. It is also necessary for the Japanese and U.S. governments to clearly define and agree on a centralized point of contact between them so that cyber intelligence sharing can be conducted through a single channel.

At the same time, it is important to note that today’s cybersecurity information sharing has been focused more on providing useful information in a timely manner and as broadly as possible through declassification. There are multiple ways for information sharing, including the security clearance system and the Traffic Light Protocol, for instance. It is, therefore, important for Japan and the United States to identify and clarify the various means of information exchange tailored to the specific type of information to be handled.

Japan to take further steps to enhance government cybersecurity posture through implementation of the NSS

In the NSS of Japan, Japan has committed to fundamentally enhance the government’s cybersecurity capabilities, including the implementation of proactive cyber operations. This can be achieved by enhancing both the operational authorities and capabilities of the government.

Japan is currently focusing on potential amendments to existing laws, including the Telecommunications Business Act and the Unauthorized Computer Access Prohibition Act, to grant operational authorities. While some of the legislative issues are complex, given their constitutional implications, it is essential for Japanese policymakers to accelerate the discussion to clarify the government’s strategic objectives at the operational level and identify the means to achieve them in reality. The strategy primarily outlines the government’s intended actions. However, it also assumes that telecommunication carriers and other private companies will be positioned to indirectly support government operations by providing information on communications and threat intelligence as well as analysis expertise. It is, therefore, important, in legislative discussions, to define the roles and responsibilities of private companies in national cyber defense, legal protection, and financial support for the cost of facilities, people, and operations.

Furthermore, a new cybersecurity agency, built on NISC, should become the primary entity for coordinating, operating, and enforcing national cyber resilience. It should also serve as a centralized point of contact for international cooperation. As the government’s technical and operational activities increase in this evolution, the new agency, as a national CSIRT, needs to secure additional cyber professionals. While the government’s cyber workforce is being expanded at NISC, NPA, JSDF, and other agencies, further expansion should be considered for the new agency to be fully operational. This could be done through hiring professionals from the private sector as well as leveraging capacity-building programs offered by the private sector.

The strategy is already in place and further implementation would enhance the government’s cybersecurity capabilities, which in turn will stimulate more bidirectional operational cooperation between the public and private sectors than ever before. This would further reinforce Japan’s overall cybersecurity posture and facilitate international collaboration and coordination. While the strategy is currently being implemented, it would be beneficial for Japan and the United States to proceed now with discussions on potential ways for to enhance cooperation built on the implementation.

Collaboration on Plans, Preparedness, and Operations

Engage in national-level advanced risk analysis focusing on critical infrastructures of both countries

The cybersecurity and resilience of critical infrastructure is a matter of national concern, affecting not just one organization or sector but the entire nation, as a failure in one organization can have cascading effects on that sector, other sectors, and the entire nation. It is, therefore, becoming increasingly important to conduct a national-level risk analysis that focuses on understanding the interdependencies of critical infrastructure sectors and functions, analyzing their systemic risks, and identifying the most critical entities and functions with a risk-based approach. The United States has been working in this area for several years, beginning with the development of NCFs, while Japan is currently in the early stages of conducting interdependency analysis. However, neither has necessarily focused on the international perspective but rather on the domestic one. In reality, however, the interdependencies and systemic risks have an international reach. These interconnectivities are particularly strong between nations that are allied as well as economically tied to each other.

It would, therefore, be beneficial to pursue cooperation in the area of national-level risk analysis, including critical infrastructures for which both countries rely on each other. This could include mapping out the interdependencies of both countries’ infrastructures as a whole, including, but not limited to, communications and digital infrastructure as a foundation for intelligence and information sharing; communications, power, water, and transportation infrastructure on which U.S. military bases in Japan depend; and financial and logistics infrastructure that is key to their economic activities. This would also include analyzing their systemic risks, taking into account the timescale of impacts, and identifying the sectors, operators, and functions that are particularly important. This will greatly assist both countries in responding collectively to national-scale incidents and ensuring the resilience of the alliance as a whole.

In today’s digitally interconnected world, interdependencies have become so complex that even a domestic-focused analysis is challenging. Even in the United States, which is a leader in this field, the study has not yet been fully completed. Bringing together the analytical methodologies and practices of both countries can add value to existing studies in both countries. For instance, the NCFs in the United States could be leveraged in Japan’s interdependency analysis while the concept of designating essential infrastructure owners and operators and critical facilities in Japan’s new regulation could provide insights for the study of SIEs in the United States. From this perspective as well, it would be mutually beneficial for the two countries to collaborate on risk analysis at the national level.

While this initiative should be led by key government agencies responsible for national security and critical infrastructure protection (NSC and CISA of the United States and the National Security Secretariat and NISC of Japan), it is crucial to expand the involvement of critical infrastructure owners and operators more than ever. It is clear that the owners and operators have the most accurate understanding of the functions and services on which they depend, and they are responsible for managing their own risks, including interdependencies. To be more effective, the study would need to include at least the major operators in each sector in both countries.

Regularly conduct cross-sector public-private joint cyber exercises

In the event of a significant cyber incident that could affect national security, all stakeholders across the public and private sectors, including international partners, must work together to respond. It is essential to prioritize preparedness and exercises in peacetime. While both countries have conducted cross-sector public-private cyber exercises, they have not necessarily focused primarily on collaboration with international partners, as seen in joint exercises between defense authorities.

As a first step toward conducting a joint large-scale cyber exercise, both countries, led by CISA and NISC, should work together to develop national response plans and exercise scenarios at both the national and alliance levels, with a particular focus on cross-border considerations, to enable a coordinated collective response. The plan should include the incident response procedure, its prioritization, the counterparts of each entity, and communication channels based on the national-level risk analysis. The scenario could involve a cyberattack impacting multiple critical infrastructure sectors simultaneously, assuming a significant national-level threat from state-sponsored actors. This will verify how both countries and their respective entities can collectively respond to incidents. This may be a too large-scale, near-worst-case scenario exercise, but as previously mentioned, the United States and Japan have been facing a common geopolitical threat, and the risk of both countries’ critical infrastructure being affected strategically at the same time can no longer be ignored.

It is recommended that such an exercise be conducted on an annual basis to review and reinforce the plan in response to evolving threats and to ensure its continued effectiveness. It is essential that all entities involved in the developed scenario, from both the public and private sectors, are included as participants.

Expand overarching public-private operational collaboration in the United States and Japan

It is recommended that both countries establish a centralized framework for cross-sector operational collaboration that includes key private companies and government agencies responsible for critical infrastructure protection. While both countries have public-private cooperation frameworks in place at the domestic level, as well as operational cooperation between the two countries locally or partially in certain areas, there is an opportunity to further expand and integrate these initiatives into an environment where all necessary players can come together and cooperate in a flexible and timely manner. For instance, while NTT is involved in JCDC from Japan, there are several other companies in Japan with a high level of technical and operational expertise. Furthermore, U.S.-based companies are individually engaged in collaborative efforts with Japan. For example, Microsoft has partnered with the Japanese government, while Google has established a cybersecurity research center in Tokyo. By incorporating some of these into a larger Japan-U.S. PPP framework, the level of operational collaboration could be further enhanced. The centralized framework would enable the public and private sectors of both countries to enhance activities such as threat intelligence and information sharing, joint analysis, and the development of countermeasures. While not all information handled in operational collaboration is necessarily classified, the passage of Japan’s security clearance legislation would also greatly facilitate collaboration. This would consequently assist both countries in issuing joint attribution and advisories with greater frequency than ever before, which would contribute to reinforcing international deterrence as well as providing actionable cybersecurity measures to the public at large.

In cross-border public-private operational collaboration, it is crucial to build trust among members. It is advisable to begin with a small, limited number of the most capable companies that can interact with each other with sufficient trust and agility. This can then be expanded gradually. While the private sector plays an important role in collaboration, the role of CISA and NISC as lead agencies is also crucial to effectively promote top-down nationwide cooperation. It is essential to maintain a robust channel of collaboration between the two. One potential step would be to assign liaisons with cybersecurity expertise in CISA and NISC to each other. This would clarify the point of contact as well as build trust between the two organizations, promoting closer collaboration on a daily basis. CISA’s liaison office in the United Kingdom and the JSDF’s liaison officers at the Pentagon may be suitable models for consideration.

Deepen sector-to-sector collaboration

The United States and Japan face similar challenges in sectors that are vulnerable to being targeted by state-sponsored actors, such as the electricity, communications, transportation, and water sectors, as well as sectors that are vulnerable to ransomware attacks, such as the healthcare sector. It is, therefore, recommended that the two countries deepen direct sector-to-sector collaboration to address sector-specific cyber and physical security and resilience. In addition to the common cybersecurity standards and requirements across sectors, each sector requires sector-specific risk management and resilience that takes into account its unique ecosystems with supply chains, business practices, systems, facilities, and other specific components. This requires different expertise in different industries and sectors. Fortunately, the sector designations in both countries are similar and can be relatively easily mapped. It would be beneficial to collaborate on developing and sharing guidance, best practices, and tools between sectors in both countries to enhance sector-specific capabilities. This would also be beneficial for under-resourced sectors to optimize their limited cyber resources. Moreover, establishing an environment where sector-specific threats and vulnerabilities are directly shared between the sectors would be a significant operational benefit.

In the context of sector-to-sector collaboration, Japan and the United States can focus more on industry-specific characteristics beyond cybersecurity, including physical security and disaster management. Since the interdependency extends beyond cyberspace, it is important to consider physical security when identifying systemic risk. Japan has a long history of experiencing several national-scale disasters, including typhoons, earthquakes, and tsunamis. As a result, the country has developed a wealth of experience and expertise in dealing with such events, ensuring cyber and physical resilience. In particular, Japan’s major companies, which provide essential infrastructure services that support the functioning of the nation, are well-versed in integrated resilience measures specific to their industry. This is the source of Japan’s ability to provide infrastructure services with a high degree of stability and accuracy, and its practices can be highly beneficial for improving resilience and ensuring business continuity in sectors with similar characteristics in the United States.

Specific forms of cooperation could include operational collaboration between ISACs. While cooperation between government agencies is essential, it is also crucial to involve private companies, which own and operate the majority of critical infrastructure. It is, therefore, beneficial to facilitate direct collaboration between major companies representing sectors in both countries. One potential approach to advance this is to exchange a few selected cybersecurity staff from major companies in each sector in both countries for a certain period. Such an initiative would not only facilitate the exchange of valuable insights between the two sectors; it would also lay the foundation for the trust needed to facilitate operational collaboration.

Enhance coordinated operations to disrupt threat actors

As the number of borderless cyberattacks targeting critical infrastructure continues to grow, it is becoming increasingly clear that international law enforcement agencies must take a more coordinated approach to countermeasures, including the takedown of botnets, shutdown of cryptocurrency infrastructures, recovery of ransom, and assistance to victims. The United States and Japan have a collaborative relationship in this area, with a particularly strong partnership in recent years, including in the coordinated response to the LockBit ransomware group. However, the number of such operations is smaller than that of the United States and European countries, and there is still room to expand cooperation in this area. As NPA demonstrated its high technical capabilities with the LockBit operation, Japan can make a further contribution with these capabilities. Furthermore, with the growing geopolitical tensions, Japan’s strategic location at the center of the Indo-Pacific region presents an opportunity for Japan to contribute to criminal investigations with the unique information it gathers in the region. Japan can also serve as a hub state for cooperation with other countries in the region, working with the United States.

The FBI and NPA are responsible for the enforcement of countermeasures. However, since the cloud, networks, and cryptocurrency infrastructure utilized by attackers are tied to private providers internationally, it is necessary for companies in both countries to cooperate with law enforcement agencies within the legal framework. Further collaboration between law enforcement agencies and increased opportunities for coordinated operations involving private organizations in both countries would reinforce deterrence and demonstrate Japan-U.S. solidarity against foreign adversaries.

Additional Areas of Collaboration

Harmonize rules, standards, and framework

One key objective of Japan-U.S. collaboration is to harmonize the various cybersecurity processes in both countries. While there is a wide range of approaches to cybersecurity, from mandatory requirements to voluntary standards and frameworks, it is important to harmonize these internationally to streamline processes and ensure consistency. This is of particular importance for allied countries to ensure the interoperability of rules and frameworks, reduce the burden on multinational companies located in both countries, and ensure the same levels of cybersecurity.

There is currently a growing discussion in Japan on the potential requirement for critical infrastructure owners and operators across sectors to report significant cyber incidents. As this discussion continues, it will be necessary for Japan to investigate and analyze similar regulations in other countries, including the U.S. CIRCIA, to achieve greater effectiveness and alignment. Furthermore, as a voluntary guideline for critical infrastructure, it would be beneficial to crosswalk and map between a series of Japan’s guidelines and the U.S. CSF and CPGs. It would also be beneficial for both countries to develop and standardize basic principles with international partners, such as minimum baseline requirements that may be developed in the United States in the near future, as baseline requirements should not differ significantly across nations. It is also recommended that government procurement and certification requirements be standardized to reduce the administrative burden on companies in both countries. For example, although FedRAMP and ISMAP, certification programs for cloud services, are said to be equivalent to some extent, providers need to obtain certification separately from each. There is an opportunity to explore the possibility of mutual recognition.

It would also be beneficial for both countries to further promote the adoption of the NIST CSF as a risk-based, standards-based, flexible, technology-neutral, and global consensus-based framework. Japan has a long history of international partners engaging in CSF development and implementation. The release of CSF 2.0 is an opportunity for the private sector to take the lead in the transition to the new version, the development of supplementary resources, the sharing of use cases and lessons learned, and the expansion of application to a wide range of organizations, including SMBs. These should continue to be promoted through cooperation with NIST and the National Cybersecurity Center of Excellence (NCCoE) community. The use of a common framework for cybersecurity risk management enables organizations in both countries to visualize risks and their management plans and communicate in a common language, facilitating discussions on operational collaboration. Furthermore, in recent years, the CSF has been frequently brought up in regulatory discussions, with a growing consensus that it should serve as a common foundation for all involved. Thus, the adoption of the CSF has become a crucial step in facilitating international regulatory harmonization as well.

Cooperate on specific technologies and services

The United States and Japan have world-leading technological capabilities and much to gain from cooperating in specific technological areas. This paper does not address all of them, as its focus is on critical infrastructure protection, but briefly outlines some of the potential areas of cooperation.

• Internet routing security

The internet is an inherently open and internationally interconnected infrastructure. In particular, routing security, which is currently a key area of focus, requires a collaborative approach involving multiple stakeholders internationally. The United States and Japan have a number of global leading providers of telecommunications, data centers, and cloud services. Many of these entities may have already implemented RPKI and other routing security measures in their infrastructure, but they could further influence the entire internet ecosystem, including SMBs and customer networks, by advocating their practices through the international community of internet operations. As the United States shifts its focus to a domestic regulatory approach, it would be highly beneficial for U.S. and Japanese operators to spearhead industry-led initiatives as a model for the community and to promote international stakeholder approaches.

• 5G/O-RAN security

The United States and Japan are in relatively similar positions with regard to the development and deployment of 5G networks using O-RAN, as there are no traditional wireless communications equipment vendors with a significant global market share, such as Nokia and Ericsson in Europe. In the international deployment of secure and reliable 5G networks, O-RAN security is a key area of focus and an opportunity for mutually beneficial collaboration between the United States and Japan. The O-RAN security report published by Quad states that networks using O-RAN do not fundamentally alter the security environment of wireless communication networks compared to conventional networks. Moving forward, it would be beneficial for the two countries to showcase their achievements in building secure networks by conducting joint tests focusing on cybersecurity in a phase closer to commercial implementation. This can be achieved through NTIA grant programs in which both Japanese and U.S. carriers participate, as well as test beds provided by carriers.

• Vulnerability scanning

The NOTICE project, which has been in operation in Japan for over five years, extensively scans vulnerabilities in internet-facing IoT devices in Japan and encourages users to take corrective action. Meanwhile, CISA has been providing a Cyber Hygiene Vulnerability Scanning service since 2022 that scans vulnerabilities in internet-facing devices owned by registered companies and issues reports and alerts. There are similarities between the two programs. Through cooperation, both programs could provide insights on how to enhance their programs from various perspectives, including technical implementations and user outreach methods. Moreover, there could be an opportunity for collaboration in sharing services, tools, and resources of the programs.

• Space system security

While space systems have not been designated as critical infrastructure in either country, it is clear that space has already become a strategic domain for both commercial and military use. While there is a growing concern about the cybersecurity of space systems, including from a national security perspective, both countries are still in the early stages of addressing the specific risk. In the United States, CISA, the NSC, and the National Space Council are taking the lead in studying minimum cybersecurity requirements for space systems. CISA, in cooperation with the private sector, recently released a paper outlining recommendations for space system operators. In Japan, METI has published cybersecurity guidelines for commercial space systems. As this is a new and evolving area, there may be an opportunity for the two countries to cooperate in assessing space-specific threats and risks and developing a risk management plan. In January 2023, the United States and Japan signed a framework agreement on comprehensive space cooperation. It would be worthwhile for both countries to prioritize cybersecurity as a key area of cooperation in anticipation of the potential designation of space systems as critical infrastructure in the future.

• Post-quantum cryptography

Cryptography is a foundational technology for ensuring the confidentiality and integrity of data. It is a critical element of cybersecurity. The release of post-quantum cryptography (PQC) standards by NIST this year further accelerates global efforts around PQC migration. In the United States, the goal is to complete the migration in federal agencies by 2035, as outlined in NSM-10 and a subsequent OMB directive. During the long-term transition, it is essential to ensure connectivity and interoperability between organizations and systems, as there will be a mixed environment of systems with both existing and PQC algorithms. This is also true for the Japan-U.S. alliance. There is an opportunity for both governments to collaborate on coordinating migration road maps for government agencies and critical infrastructure and aligning their efforts on deployment to ensure cybersecurity and interoperability of the digital infrastructure and operational environment on which both countries depend. Moreover, Japanese companies could further contribute to the advancement of international PQC migration initiatives by actively engaging with relevant communities, such as the NCCoE’s project, where they can share best practices and develop guidance on PQC migration.

Conclusion

The Japan-U.S. alliance is more important than ever in light of the growing geopolitical tensions in the Indo-Pacific region. Much of today’s alliance activities are based on cyberspace, with critical infrastructure for which both countries rely on each other being a central element. Given the shared significant threat to critical infrastructure posed by state-sponsored actors, it is imperative for the two countries to cooperate in critical infrastructure protection to ensure the cybersecurity and resilience of the alliance as a whole and demonstrate their robust solidarity against foreign adversaries.

While there are a number of policy cooperation agendas between the two countries at various levels and entities, including critical infrastructure protection, there is still room for improvement in implementing concrete and tangible operational collaboration. It is crucial for both countries to further expand and operationalize these efforts with speed and scale while ensuring further involvement of critical infrastructure owners and operators. There are several potential avenues for collaboration, including engaging in national and alliance-level risk analysis, conducting cross-sector public-private joint cyber exercises, expanding the public-private operational collaboration environment, deepening sector-to-sector collaboration, enhancing coordinated operations to disrupt threat actors, harmonizing cybersecurity processes, and cooperating in specific technologies and services. To facilitate these specific operational collaborations efficiently, it is also important for all parties involved in Japan-U.S. cybersecurity cooperation to have a comprehensive understanding of both countries’ highly decentralized and complicated cybersecurity structures and their roles, responsibilities, and authorities.

Japan and the United States are currently at a pivotal point in their national cybersecurity policies, with key national security and cybersecurity strategies and legislation being implemented. Taking these evolutions as an opportunity, it is the right time to reassess the current state of Japan-U.S. cybersecurity cooperation and explore ways forward for further collaboration.

Taro Hashimoto is a visiting fellow with the Japan Chair at the Center for Strategic and International Studies in Washington, D.C. He has been with Nippon Telegraph and Telephone (NTT) Group for over 15 years, where he has held various roles in cybersecurity and telecommunication businesses, including service planning, development and operation, research and development, corporate risk management, and human resource development from both technology and management perspectives.