Japan’s Cybersecurity Minister Yoshitaka Sakurada grabbed global headlines after admitting he doesn’t use computers. He later conceded he also doesn’t know much about cybersecurity at a legislative meeting revising Japan’s cybersecurity structure.
It may come as little surprise then that the Japanese government will look to enlist the private sector to help fight against cyber threats during the upcoming Tokyo Olympics, beginning in July 2020.
Earlier this month, Japan’s National Diet, the country’s legislative body, passed a law that allows more public and private sector stakeholder collaboration and information sharing regarding cybersecurity. Shinsuke Yakura, a partner at Orrick, Herrington & Sutcliffe’s Tokyo office, said a formal council of the public and private cybersecurity sector wasn’t available before.
“So far, there’s no unified entity that can oversee such activity of many stakeholders,” Yakura said.
Kenji Uesugi, senior fellow of the Tokyo-based think tank Japan Cybersecurity Innovation Committee, said the heightened probability of cyberattacks during the Olympics have pushed the Japanese government to act.
“It is obvious that the Tokyo 2020 Olympics would be targeted by the cyberattackers,” Uesugi said. “The worst scenario might be serious damage to the games by cyber or physical terrorists. What is needed for Japan’s anti-cyber-terrorism [to deal] with incidents by flexibly collaborating with the public and the private sectors.”
D.C.-based Paul Hastings partner Robert Silvers, who also worked in the Obama administration and negotiated cybersecurity priorities with Japan and other countries, said Japan’s cybersecurity concerns with North Korea are still particularly fresh in that country’s mind.
In 2014, North Korean government hackers breached Japanese-owned Sony Pictures Entertainment’s employee computers and leaked numerous company emails, documents and some unreleased movies, including a comedy parodying North Korea leader Kim Jong Un.
“Obviously, Japan has a tense relationship with North Korea, and we have seen North Korea is one of the menacing actors in cybersecurity,” Silvers said. “North Korea’s threats are on everyone’s minds over there.”
Silvers said he expected forthcoming regulations in Japan to focus closely on internet of things and cybersecurity. He also noted it would be interesting to see if the Japanese government tightens its rules around data breach notifications.
“Traditionally I don’t think there’s been a strong enforcement. … It’ll be interesting to see if regulators or legislators look to strengthen enforcement authorities,” Silvers added.
There are, however, some data security laws on the books in Japan. Uesugi, for instance, cited the Act on the Protection of Personal Information and the Basic Cybersecurity Act as key Japanese cybersecurity regulations companies should know.
The Act on the Protection of Personal Information concerns data privacy issues. The law also established the Personal Information Protection Commission, an independent agency whose primary responsibilities including protecting personal information and confirming compliance.
On the other hand, the Basic Cybersecurity Act describes the cybersecurity duties of state and local authorities and “critical infrastructure operators,” including information and communications technologies, finance, government and credit card services.