Photo/Illutration Computers at the Osaka General Medical Center in Osaka, which was hit by a cyberattack in 2022. (Asahi Shimbun file photo)

Japan plans to give the United States data obtained from private-sector telecommunications carriers under the proposed active cyberdefense framework, sources within the two governments said. 

The policy is expected to be stipulated in upcoming legislation for an active cyberdefense, which aims to prevent cyberattacks on the nation’s critical infrastructure, the sources said.

The government has already informed the United States of its plan, the sources said.

Data sharing will be in the background as the Japanese and U.S. foreign and defense ministers meet in Tokyo at the end of this month.

They are expected to pledge strengthened cooperation against cyberthreats at the meeting.

An active cyberdefense calls for government monitoring of computer networks even in peacetime by analyzing communications data provided by private-sector telecommunications carriers.

It can also entail, when necessary, the infiltration of an attacker’s computer to render it harmless.

By providing communications information to the United States, the government expects reciprocity, the sources said.

Information from the U.S. side could alert Japan to new cyberattacks that it is unaware of.

The information might also include details of how to respond.

The government hopes to enhance the accuracy of its analysis and improve its response capabilities based on such information, the sources said.

The United States has been urging Japan to institute an active cyberdefense. The government’s decision to provide communications intelligence to the U.S. side is also a response to its request.

An active cyberdefense was included in the National Security Strategy, a 2022 document that spelled out new approaches to defense.

The document states that “the government will continue to work for the enhancement of information gathering and analysis … in a coordinated manner with its ally, like-minded countries and others.”

The government proposes requiring telecommunications carriers to release communications data with a new law. It plans to submit a bill to an extraordinary Diet session in the autumn at the earliest.

The new law is expected to specify that the information to be collected will be limited, in principle, to metadata, or a set of data that does not include the content of emails, their subjects or similar personal information.

However, an active cyberdefense restricts the protection of the secrecy of communication, which is guaranteed under Article 21 of the Constitution, within the scope of “public welfare.”

Concerns remain about the government’s information-gathering activities, and whether these violate privacy or amount to surveillance of citizens. Another concern is the risk of data leaks.

In addition, many issues need to be addressed before information is shared with the United States, even if it is only metadata. These include the scope of the information, the risk of individuals being identified and ensuring that the data is handled properly.

More fundamentally, the validity of providing communications information to the United States itself may be questioned from the perspective of data sovereignty, which calls for a country to manage its information within its borders.

(This article was written by Tamiyuki Kihara and Taketsugu Sato, a senior staff writer.)

Related News