Japan’s immediate security environment is a global cyberthreat hotspot, with three adversaries possessing some of the world’s most advanced state-sponsored cyber capabilities and frequently engaging in large-scale cyber espionage: the Democratic People’s Republic of Korea, the People’s Republic of China and the Russian Federation. These direct cyberthreats, which often materialized in the form of massive industrial and governmental data theft incidents, combined with pressures from its primary security ally, the United States, prompted the Government of Japan to adopt various measures to strengthen the cybersecurity of vital domestic infrastructures, including critical civil and military space assets. In addition, the risks brought by the congestion of useful orbital regimes have led the government to strengthen the national space safety and sustainability regulatory framework. By reviewing the efforts made by the Government of Japan concerning cybersecurity, space sustainability and their areas of intersection, this essay demonstrates that the current approach, while going in the right direction, requires further depth in various dimensions, such as the conduct of a comprehensive assessment of both cyber and space safety risks against critical space infrastructures, a deeper integration of civil and military capabilities and knowledge in these matters, and a stronger reliance on expertise from the commercial sector.
The Need to Ensure Cybersecurity and Safety of Vital Japanese Space Infrastructures
Like other advanced space powers, Japan is strongly reliant on space technology applications for the functioning of numerous governmental and industrial sectors: timing services are necessary for the synchronization of financial (for example, stock exchange, retail banking, automated teller machines) and communication infrastructures; meteorological and positioning services are vital to ensure public safety in a country as prone to natural disasters as Japan; and satellite-based intelligence is critical to monitor suspicious activities in the country’s vicinity and so forth. To fulfill these multi-faceted needs while ensuring a certain level of national autonomy, Japan has developed an important space infrastructure composed of civil, military and commercial space-based assets. The most critical elements of Japan’s domestic space infrastructures include the Quasi-Zenith Satellite System, operated by the Cabinet Office to provide the country and its regional partners with an alternative to the GPS’s positioning, navigation and timing services; the Cabinet Satellite Intelligence Center’s Information-Gathering Satellite multi-purpose satellite program, initiated in the early 2000s in response to repeated ballistic missiles launched from North Korea but also covering disaster management functions; and the Himawari series of meteorological satellites, which is critical to properly forecast the various hydrometeorological disasters facing Japan every year. On the defence front, although the national space infrastructure remains very limited with only two Kirameki communications satellites, national defence-planning documents outline the launch of advanced satellites for various purposes, such as space-based space situational awareness (SSA) and hypersonic glide vehicle detection.
Despite Japan being highly integrated with US space infrastructure, allowing some mission assurance for Japan’s space-reliant services, cyber operations aimed at any of the major Japanese space assets mentioned above could have far-reaching consequences for national safety and security. Cyberattacks against space infrastructures are targeting “the data itself and the systems that use, transmit, and control the flow of data” (Harrison et al. 2022, 4), including on-orbit assets and any relevant ground infrastructure. In the context of heightened tensions in outer space and the identification of cyber capabilities as one of the most significant sources of counterspace threats (Weeden and Samson 2022, 13-02), it is critical for Japan to review and address the potential cyber vulnerabilities of its primary space infrastructures. From 2016 to 2018, about 200 mostly aerospace-related companies and research institutions — including the Japan Aerospace Exploration Agency — were the targets of massive cyberattacks suspected to be linked to the Chinese military (Nikkei Asia 2021).
Beyond security considerations, cyberattacks leading to the seizure of control, disabling or destruction of on-orbit assets can also have wide-ranging consequences for the safety and sustainability of space operations. A fortiori, with the progressive deployment of large constellations of satellites requiring a high-level of automation for normal operations and hazard management (for example, collision avoidance), any disruption caused by the exploitation of cyber vulnerabilities could lead to a rapid and durable degradation of extensive orbital regimes. In fact, various Japanese entities are engaging in constellation development and operations: the government has identified satellite constellations as a priority development area in the latest revision of its national Basic Space Plan, and a few Japanese start-up companies have raised important private funding and obtained government subsidies for that purpose.
To protect vital infrastructure sectors, including key governmental and commercial space assets, the Government of Japan has developed laws, policies and institutions to strengthen its ability to identify and address critical cyber vulnerabilities that could be exploited by enemies and adversaries as well as measures for space safety and sustainability.
The Japanese Cybersecurity Landscape: Laws, Policies and Implementing Agencies
In 2013, the Government of Japan released its Cybersecurity Strategy (updated in 2015, 2018 and 2021), building upon previous national policies on information security. This strategy was also the first to acknowledge that cybersecurity has serious implications for national security, and to recognize cyberspace as a new operational “domain” for the Ministry of Defense (MoD) and the Self-Defense Forces (SDF). This recognition was also reflected in the National Security Strategy of 2013 that called for “Japan as a whole [to] make concerted efforts in comprehensively promoting cross-cutting measures to defend cyberspace and strengthen the response capability against cyber-attacks” (Cabinet Secretariat 2013, 17). Subsequently, the Basic Act on Cybersecurity was adopted in November 2014 and entered into force in January 2015 (amended in 2016 and 2018) to provide the legal foundation for existing cybersecurity strategies and to establish a multi-layered organizational structure to implement them, described below.
The Cybersecurity Strategic Headquarters (CSSH) was established by the Basic Act as the highest-level structure in charge of effective and comprehensive promotion of cybersecurity policies. Headed by the chief cabinet secretary, it is composed of the chairman of the National Public Safety Commission, other relevant ministers, and experts from academia and the commercial sector. The pre-existing National Information Security Center, established in 2005, was transformed into the National center of Incident readiness and Strategy for Cybersecurity (NISC) in 2015 to serve, inter alia, as the secretariat of the CSSH. The NISC serves as the central agency for the planning and promotion of national cybersecurity-related policies and the response to significant cybersecurity incidents against government organizations and critical infrastructures. The NISC acts as a focal point for the promotion of cybersecurity through public-private partnerships, an approach that Japanese cybersecurity policies strongly emphasize.
In the latest update of its Cybersecurity Strategy (2021), the Government of Japan recognizes that it is vital to secure “defense, deterrence, and situational awareness” capabilities to protect the “national security interest from cyberattacks” as well as to enhance “the government’s overall ability to respond seamlessly” (Government of Japan 2021, 36). Accordingly, a dedicated Cyber Defense Group was established in March 2014 as a joint unit of the SDF (MoD, n.d.). In March 2022, the SDF reorganized the unit by merging relevant capabilities of the three services (ground, maritime and air). With about 540 staff, the unit is responsible for responding to cyberattacks against the SDF network and systems, as well as for capacity building and human resource development (Kyodo News 2022).
Finally, it should be noted that Japan has placed an emphasis on international cooperation and seeks to lead cyber diplomacy from the outset under these three principles: “promotion of the rule of law in cyberspace,” “development of confidence-building measures” and “cooperation on capacity building” (Ministry of Foreign Affairs of Japan 2021, 239–40). At present, Japan holds bilateral consultations on cybersecurity with 14 countries and regions such as Australia, France, India, the United Kingdom and the United States. On the plurilateral side, the Quad Cybersecurity Partnership (consisting of Australia, India, Japan and the United States) was announced during the Quad Leaders’ Tokyo Summit in May 2022, defining principles for the promotion of concrete efforts in this area (Ministry of Foreign Affairs of Japan 2022).
Japan is also actively participating in multilateral frameworks such as the six successive UN Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (2004–2021) and the subsequent Open-Ended Working Group on security of and in the use of information and communications technologies (2021–2025). A dedicated policy, the International Strategy on Cybersecurity Cooperation was released in 2013, concurrently with Japan’s first Cybersecurity Strategy. Concerning capacity building for the benefit of developing countries, the Basic Policy on Cybersecurity Capacity Building Support for Developing Countries was released in December 2021. Recognizing that ensuring “a free, fair and secure cyberspace” (Government of Japan 2021) cannot be achieved by national efforts alone, international cooperation — especially with the United States — has been an essential part of the Japanese cybersecurity policy.
The organizational structure for space policy making is similar to that of cybersecurity. In 2008, the Basic Space Act was introduced to provide a legal framework for space activities in Japan. It established the Strategic Headquarters for National Space Policy, headed by the prime minister, and the National Space Policy Secretariat (NSPS), housed in the Cabinet Office, to act as its secretariat and as the inter-ministerial coordinating body for national space policy. The Basic Plan on Space Policy is the main national space planning document, frequently revised by the NSPS upon recommendations from the National Space Policy Committee, a group of prominent space experts mostly from academia and industry. It serves to formulate policies on national space development and use them in a coherent manner by articulating the different roles and contributions of the government’s numerous ministries and agencies that have an area of competence in space affairs.
The issue of space debris first appeared in the Basic Plan in 2016 but merely as one of various issues relating to national space policy. However, in 2019, the Inter-Agency Task Force on Space Debris was established. Headed by the Cabinet Office’s minister of state for space policy, the task force has discussed and defined the general direction of Japan’s approach and policy regarding space debris. The 2020 revision of the Basic Plan identified space debris management as one of the policy goals of the Government of Japan, including through the development of technologies for removal and mitigation and by leading international rulemaking. Accordingly, Japan has been funding research and development for active debris removal technology through the Japan Aerospace Exploration Agency’s commercial removal of debris demonstration project, for which Astroscale has been selected as a phase 1 partner. In addition, under the initiative of the task force, the Cabinet Office introduced in 2021 a new set of licensing requirements specifically addressing in-orbit servicing to ensure safe and transparent operations (Suzuki, Kikuchi and Verspieren 2022). Finally, the task force was reformed in March 2022 as the Task Force on Space Traffic Management and issued the Mid- to Long-term Policy on Efforts for Rule-Making on the Use of Earth Orbit, covering numerous areas such as collision avoidance, SSA capability development, debris mitigation and removal, in-orbit servicing and large constellation management.
On the defence side, the SDF launched the Space Operations Squadron in May 2020, with the main mission to operate an SSA radar covering orbits above 5,800 km, and is expected to be operational by fiscal year 2023. In addition, in 2022, the SDF established a second squadron focused on monitoring electronic interferences against Japanese satellites, as well as an overarching structure combining the two squadrons: the Space Operations Group (Verspieren, Suzuki and Kikuchi 2022).
Despite having taken several measures related to space sustainability, the Government of Japan has neither conducted nor published any assessment of the possible risks posed by space debris to the safety of space operations and to the utilization of space assets for both civil and defence purposes. However, Japan has certainly played a positive role in the promotion of space safety and sustainability in general. It has been one of the leading states to promote an agenda both in terms of policy and the technologies that underpin it. The question for Japan is whether it is willing to deal with more substantial global engagement on space safety and sustainability, such as calling for a global space traffic coordination framework or discussing the responsibility of removing space debris.
Cybersecurity and Safety of Critical Japanese Space Assets
The 2019 National Defense Program Guidelines, the highest-level Japanese defense-planning document, highlighted the Government of Japan’s common stance on outer space and cyberspace operations, making them among the SDF’s priorities to gain superiority in both domains. The development and international promotion of norms and rules for cyber and space security were recognized as national security issues, demonstrating a growing recognition of the interrelation between outer space and cyberspace (Cabinet Secretariat 2018). However, a robust and comprehensive policy on how the SDF should assess both cybersecurity and on-orbit risks facing critical domestic space assets and how to protect them has yet to be released, although several measures have been initiated.
On the civil front, while the Cybersecurity Strategy (2021) has recognized the necessity to formulate guidelines to ensure the cybersecurity of the space industry and the protection of space technology, the Government of Japan has chosen not to include any space assets on the list of critical national infrastructures as defined in the Cybersecurity Policy for Critical Infrastructure Protection (first released in 2005 and last revised in 2020) and in the recent Act on the Promotion of Economic Security, approved by the Diet in May 2022.
It appears that, rather than developing policies and practices focused solely on addressing the cyber vulnerabilities of space assets, Japan is including cybersecurity within the broader concept of space mission assurance; hence, it is also incorporating considerations on space safety and sustainability. In fact, the Basic Space Plan places an emphasis on “strengthening mission assurance for the entire space system” (Cabinet Office 2020). Noteworthy initiatives on this subject are the two tabletop exercises on mission assurance focusing on civil aspects, hosted by the NSPS in 2021 and 2022 with the participation of relevant ministries, experts (including one on cybersecurity), and commercial companies such as SKY Perfect JSAT and Quasi-Zenith Satellite System Services Inc. The Ministry of Economy, Trade and Industry has also started to develop draft guidelines on cybersecurity for commercial space assets, an initiative mentioned in the Cybersecurity Strategy (2021). The guidelines aim to encourage commercial space companies to take voluntary measures for the protection of both their ground and space segments. In May 2022, the NSPS released the priorities for the next revision of the Basic Space Plan, which includes an item on the promotion of these guidelines and an update in recognition of the importance of strengthening the resilience of space systems, including cyber vulnerabilities. The approach to enhance public-private partnership for the cybersecurity of commercial space actors is and will be key, also considering the extent of the MoD and the SDF’s reliance on commercial space capabilities.
In sum, Japan does not have a cyber defence or security policy or doctrine specifically addressing cyberthreats against space assets, despite the SDF having established both a Cyber Defense Group and a Space Operations Group (Verspieren 2021). A more robust policy on both domains and their areas of intersection is, however, to be expected following the joint release, in December 2022, of the new National Security Strategy (NSS) and the inaugural National Defense Strategy (NDS). The 2022 NSS initiated a major doctrinal change by announcing the introduction of “active cyber defense for eliminating in advance the possibility of serious cyberattacks” and the reorganization of NISC to strengthen its role as coordinator of national cybersecurity efforts (Cabinet Secretariat 2022). As for the intersection of space and cybersecurity, the 2022 NSS and NDS reiterated the call for greater integration of capabilities in the space, cyber and electromagnetic domains, and for increased efforts in building the resilience of command-and-control functions (Cabinet Secretariat 2022; MoD 2022), but without a specific announcement.
Although efforts are under way to improve Japanese laws, policies and practices in support of stronger cyber resilience of vital infrastructures, including but not focusing specifically on space assets, new challenges are arising, calling for specific considerations to be made on the cybersecurity of space assets. In line with the global trend, the Japanese space sector has seen in the last decade the emergence of a variety of very active non-traditional academic and private players — mostly university spin-off companies — leading to the development and deployment of many space assets engaging the international responsibility and liability of the State of Japan, per articles VI and VII of the Outer Space Treaty. Accordingly, although the loss or debilitation of these assets due to the cyberthreats or hazards posed by space debris may not immediately endanger national safety and security, it is important for Japan to ensure that proper measures are taken by all space operators to avoid any incident that may arise from the malicious exploitation of the cyber vulnerabilities of their on-orbit assets. Such considerations are even more critical regarding the large governmental and commercial constellation projects mentioned earlier.
Finally, Japan’s modest cyber capabilities have been identified as a limiting factor in the maintenance and expansion of its bilateral security alliance with the United States (Lewis 2015, 1–2). The further strengthening of Japanese cybersecurity and increased bilateral cooperation to reduce the capacity gap between the two allies will be necessary conditions to ensure the functioning of collective self-defence. In fact, cyber vulnerability is only one element in the overall deficiency of Japan’s capabilities to protect classified and sensitive information, which has proved to particularly impact bilateral cooperation on science and technology, especially for dual-use areas such as space. Accordingly, when the need arises to collaborate on a highly classified project (for example, an F-35 fighter plane), “information sharing…is kept to the bare minimum necessary to carry out the work” (Schoff, Rake and Levy 2021, 35).
Despite the limitations described in this section, Japan is undoubtedly on the path of improvement for the identification of cyber vulnerabilities and the development of cybersecurity capabilities, thanks to the currently strong awareness within the Japanese government of the need to address cyberspace risks, as well as to continued close and steadily deepening bilateral cooperation with the United States.
The authors would like to thank Kazuto Suzuki, a professor at the University of Tokyo, for his review and advice.