Japan’s Economic Security and Cybersecurity
The intensifying U.S.-China conflict and supply chain disruptions caused by the COVID-19 pandemic are fueling the debate on economic security policy in Japan. The Economic Security Promotion Act (ESPA), enacted in the 2022 ordinary Diet session, consists of four pillars, including “ensuring the safety and reliability of the Core Infrastructure,” which is to enhance cybersecurity.
The law requires the Core Infrastructure operators above a certain size to go through preliminary government review when procuring critical equipment or services to prevent external cyber risks. Although applicable industries, operators, and facilities are likely to be limited, its significant impact will extend across other business entities.
The private sector should consider the enactment of the ESPA as a “beginning” rather than the “end” of dealing with economic security issues. For example, although the act does not focus on data-related economic security risks, data is one front line of the geopolitical battlefield, as typified by cyber-enabled theft and “government access,” a foreign government’s forced access to data that private firms hold. Today, it is essential for companies to consider economic security and geopolitical risks in their risk management and cybersecurity.
Ⅰ．Surging Challenges Over Economic Security
From 2021 to 2022, Japan’s economic security policy made great strides in legislative development, and responding to this issue has become a company-wide challenge for the private sector.
Economic security is defined as achieving political objectives through economic means and applies to a broad range of areas. It is also known as “geo-economics” or “economic statecraft” in the U.S. and other countries.
Economic security is not a new concept in Japan. In the 1970s, “comprehensive security” that includes energy, food, and sea lanes was proposed. The study group on comprehensive security, established by Prime Minister Masayoshi Ohira, also referred to “economic security.” Although no specific definition was stated, the group placed economic security in contrast with “narrowly defined security” (in military terms) and positioned the economy as the objective and means for national security.*1
Yet, in recent years, economic security is back in the spotlight amidst the intensifying U.S.-China confrontation, competition over emerging technologies, and the rise in cyberattacks motivated by geopolitical disputes. Especially from 2019, the ruling Liberal Democratic Party (LDP), the administrative agencies such as the Cabinet Secretariat and the Ministry of Economy, Trade, and Industry (METI), and economic groups including the Japan Business Federation (Keidanren), Japan Association of Corporate Executives (Keizai Doyukai), and Japan Association of New Economy (JANE) have been addressing this issue (Table 1). The supply disruptions in medical goods caused by the pandemic have further driven the government’s policy development for economic security.
Moves towards legislation have proceeded rapidly under the Fumio Kishida administration, especially since October 2021, when Takayuki Kobayashi, a member of the Diet, was appointed to the new post of minister in charge of economic security. In the following November, the Economic Security Promotion Council chaired by Prime Minister Kishida was held, and the act was submitted and enacted in the 2022 ordinary Diet session.
Table 1. Major Political and Business Developments on Economic Security (as of September 2022)
|LDP legislators’ group for rule-making strategies (chairman: Akira Amari) proposes the establishment of the Japanese version of “national economic council” (NEC)
|Economic Security Office established in METI Minister’s Secretariat
|Economic Group established in National Security Secretariat of Cabinet Secretariat
|Revised Foreign Exchange and Foreign Trade Act enforced
|Keidanren announces “New Growth Strategy” proposal for “ensuring proactive and strategic economic security”
|LDP’s Strategic Headquarters on the Creation of a New International Order announce “Towards ‘Formulation of Economic Security Strategy'” proposal (director general: Fumio Kishida, chairman: Akira Amari)
|Comprehensive Strategic Center for International Economic Diplomacy established (organization consisting mainly of Keidanren member firms)*
|Keizai Doyukai announces “Towards establishing resilient economic security: Japan’s path in the age of geoeconomics” proposal
|Requests some private companies to appoint executive in charge of economic security**
|LDP’s Strategic Headquarters on the Creation of a New International Order announce “Interim Summary: ‘Basic Policies for Economic and Fiscal Management and Reform 2021’ proposal” (LDP reorganizes Strategic Headquarters on the Creation of a New International Order to Economic Security Headquarters on October 12)
|Law regulating acquisition and use of land with national security concerns enacted
|Minister for economic security established
|JANE announces “New Growth Strategy under Digital Economy” proposal
|First meeting of Economic Security Council held
|Expert panel on economic security act established
|Keidanren releases “Opinions on economic security act: based on expert panel proposals”
|The Economic Security Promotion Act was enacted in ordinary Diet session
|The National Security Strategy and other strategic documents to be revised by year end
* From “Government request major companies to establish executive in charge of economic security,” The Nikkei, May 3, 2021
** From “Exclusive: New organization for economic security discussions, mainly with Keidanren members,” Sankei Shimbun, July 2, 2021
Source: compiled by the author
Ⅱ．The Backdrop of U.S.-China Confrontation
Behind Tokyo’s growing attention on economic security is the intensifying U.S.-China conflict. The two great powers are mutually tightening regulations in the areas of investment, export control, and cybersecurity.
We could call this situation a “limited U.S.-China decoupling.” In other words, a Washington-Beijing chasm already exists in some areas close to their national security, such as the development of advanced technologies that could lead to military hegemony, supply chains for critical goods, and cybersecurity for critical infrastructure, and companies are being forced to choose between the U.S. and China.
The “limited U.S.-China decoupling” is not solely caused by the former Donald Trump administration’s policy toward Beijing. It is also the result of the structural power transition of a rising China vis-à-vis the U.S., the bipartisan consensus and competitive strategy towards Beijing in Washington, and China’s long-term strategy towards 2049.
Since the diplomatic normalization between the two powers in 1973, the basic concept of U.S. policy toward China had been the “engagement policy”: the expectation that, through Washington’s continuous engagement, Beijing would promote market and economic reforms, democratize its political regime, and take on an important responsibility in the international community. However, from around Barack Obama’s second term, this engagement policy was judged to have failed and began to be revised.*2
The National Security Strategy (December 2017) issued under the Trump administration acknowledged the failures of Washington’s previous policy toward Beijing, stating that China and Russia are “revisionist” powers. “For decades, U.S. policy was rooted in the belief that support for China’s rise and for its integration into the post-war international order would liberalize China. Contrary to our hopes, China expanded its power at the expense of the sovereignty of others.”
The Joe Biden administration’s Interim National Security Strategic Guidance (March 2021) also positioned China as “the only competitor potentially capable of combining its economic, diplomatic, military, and technological power to mount a sustained challenge to a stable and open international system.”
Meanwhile, Beijing also advocates long-term strategies and plans to overwhelm Washington in every area, including society and state, military and security, and economy and industry, and become the global leader by 2049, the 100th anniversary of the People’s Republic of China. In 2015, Beijing announced “Made in China 2025,” an ambitious plan to develop their industries, and upgraded its Military-Civil Fusion to a national strategy.
Washington considers that in the name of Made in China 2025 and Military-Civil Fusion, Beijing is forcing the transfer of advanced technologies prohibited by international rules. Specific examples are technology transfer in exchange for market access approval, company acquisition based on Chinese government instructions, and stealing intellectual property through cyber-operations.
In recent years, China has also been working on legislative measures on economic security. Typical cases include the revision of the Catalogue of Technologies Prohibited or Restricted from Export of the PRC (August 2020), the issuance and enforcement of the Unreliable Entity List (September 2020), the enactment of the Anti-Foreign Sanctions Law (June 2021), and the enactment and enforcement of the Data Security Law (September 2021).*3
A period of U.S.-China “reversal” is likely in the near future. China will overtake the U.S. in nominal GDP by 2033-34 (Figure 1), and by around 2030, U.S. military supremacy in the Western Pacific will waver. On the other hand, China’s population decline will begin around 2030 (Figure 2; the working-age population will decline even earlier), which may result in a U.S.-China “re-reversal” in the future. Some view the period around 2030 as a window of opportunity for Beijing to challenge Washington and the existing international order.
Ⅲ．Economic Security Promotion Act and Cybersecurity
With the economy weaponized, Washington and Beijing are intensifying geopolitical competition and fighting for supremacy. This recognition and medium-term outlook have led to the current discussions on economic security in Tokyo, and the Kishida administration passed the ESPA in the 2022 ordinary Diet session.
The four main points of the act are: (1) strengthening the supply chain of critical goods, (2) ensuring the safety and reliability of Core Infrastructure, (3) fostering and supporting the development of critical advanced technologies through public-private partnership, and (4) non-disclosure of sensitive patents (Table 2).
Table 2. ESPA Outline: Four Areas Requiring Legislative Measures
|Area|Outline|
|---|---|
|Strengthening of Supply Chains|・To prevent supply chain disruptions of specified critical goods (semiconductors, pharmaceutical products, etc.) which are manufactured in or procured largely from foreign countries. ・Companies that manufacture and sell critical goods may prepare a “Secure Supply Plan” and receive financial support, etc. if it is certified by the government.|
|Ensuring Safety and Reliability of Core Infrastructure|・Preliminary review by the government of externally implanted cyber risks when the Core Infrastructure service providers procure critical equipment (including software, cloud services, and contractors for maintenance and operation). ・The Core Infrastructure consists of 14 industries of energy, water, communications, finance, postal services, etc.|
|Public-Private Partnership for Advanced Technologies|・Build public-private partnership for developing advanced technologies in the areas of space, marine, quantum, AI, biotechnology, etc. ・Specifically, financial support such as the Critical Technologies Development Program for Economic Security, etc., establishment of a public-private partnership council, and a think tank to provide expert advice.|
|Non-disclosure of Sensitive Patents|・A patent application for an invention that is extremely sensitive to national security will not be disclosed. It is a measure to prevent the proliferation of sensitive inventions, and to make first filing in Japan mandatory for inventions subject to non-disclosure examination, with penalties imposed for violations.|
From cybersecurity perspectives, the regulations on the Core Infrastructure are especially crucial.
Behind these measures is the assumption that once equipment or services with national security risks are implanted within the Core Infrastructure, it would be extremely difficult to remove the risk.
The ESPA focuses on preventing, in advance, external malicious entities from embedding fraudulent functions in, or exploiting vulnerabilities of, infrastructure essential for people’s lives and economic activities. In effect, it is a measure to enhance cybersecurity.
“External malicious entities” obviously include domestic operators. In fact, the proposal by the expert panel on the ESPA (February 2022) also states that it is not appropriate to evaluate and assess risks based solely on the business operator’s nationality or capital.
However, it is clear that the ESPA implies specific foreign governments, militaries, intelligence agencies, and companies under their control and influence. Based on the discussions of the LDP’s senior leaders and experts so far, we could say that at least China, Russia, and North Korea are intended targets of Core Infrastructure regulation.
In practice, most states do not name specific countries or companies and exclude them from government and critical infrastructure procurement, as the U.S. has done. In August 2018, the Australian government announced that the “involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law” was a risk in the procurement of the 5G mobile communications network, and other countries have taken a similar approach.
Besides stealing sensitive information during peacetime, such vendors of security concern may also conduct disruptive and subversive operations on infrastructure in contingencies. On February 14, 2022, amid growing concern over a Russian invasion of Ukraine, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian cyberattacks on critical infrastructure, including power and communications, are “a key component of their force projection.”
Potential targets include not only Ukraine but also the U.S. and other third countries, CISA said. Similarly, if military tensions rise in the Taiwan Strait, Japan’s critical infrastructure is a potential target for adversaries’ destructive cyberattacks.
Private companies must be particularly concerned about whether they are subject to this preliminary review. Currently, the Core Industries consist of 14 industries including energy, water, communications, finance, transportation, and postal services.
Those subject to preliminary review by the government are expected to be limited, as company size and market share will be considered. Yet, the review will also have a significant impact on those not named.
Even if their own industry or company does not qualify as the Core Infrastructure (operator), publicly listed companies should thoroughly assess their key facilities, services, and outsourcing vendors from the standpoint of the ESPA’s purpose and “ensuring safety and reliability” of the information infrastructure. The act sets only minimum legal requirements, and non-Core Infrastructure providers will be expected to make their own business decisions.
Ⅳ．Cybersecurity’s Unaddressed Issue: Economic Security over Data
Given the background and scope of the ESPA, its passage should be viewed as the “beginning,” not the “end,” to address the economic security issues. Political parties, economic organizations, and experts have already proposed a variety of new policies to strengthen economic security that includes human rights due diligence on the supply chain, creation of a security clearance system, control of emerging technologies by democracies and like-minded countries, and building new research integrity. In addition, a new National Security Strategy is expected to be formulated by the end of 2022, which will include “economic security” not limited to the ESPA.
In the economic security proposal (May 2021) by the ruling LDP, cyber security had been one of the major pillars that spanned across various ministries and sectors. However, in the ESPA that included items mainly handled by METI, cybersecurity received relatively smaller treatment.
Although the act is an important step forward, it does not include all the issues and measures that should be covered by economic security and cybersecurity. For example, data, the oil of the 21st century, is one of the cybersecurity-related issues that receives little mention in the ESPA.
Today, every industry focuses on collecting and using various business-related data. Yet, this vast amount of data is also exposed to national security risks. One such risk is the so-called “government access,” the government’s forced access to data that private firms hold.
In all countries, government access has been conducted as a part of criminal investigations. However, the emerging concern in recent years is illegitimate government access aimed at intelligence gathering and the forced transfer of advanced technology.
This is made possible by data localization regulations that require foreign companies to store data within the country and prohibit or restrict transfers to third countries. Typical examples are the EU’s General Data Protection Regulation (GDPR) for personal data and China’s Data Security Law for industrial data. By physically keeping foreign company data on its territory, authorities can exert law-enforcement powers.
However, just storing data in Japan does not make it safe, since there still is a risk of cross-border access through foreign operators.
In March 2021, a Chinese affiliate of a major Japanese communication app provider was found to have accessed personal data stored in Japan. Although there was no law violation, this raised concerns from an economic security perspective.
In fact, China is focusing on collecting personal data from various countries around the world.*4 China’s National Security Law requires Chinese companies to cooperate in “national intelligence operations.” There do not seem to be any official warrants or requests from the government, so it is difficult to grasp the number of accesses from “foreign governments.” Based on this situation, “cross-border access” from China probably became an economic security concern.
Many Japanese companies outsource system development and operations to overseas firms, and there are probably no companies that do not use overseas cloud services. The “cross-border access” concerns apply to every other company.
That is probably why preliminary review of outsourcing companies and cloud services is included in the “safety and reliability of Core Infrastructure” in the ESPA.
Companies need to manage their data by considering government access and other national security risks. When considering the country/region for storing or outsourcing data, the maturity of democracy is an important indicator. Whether the national assembly has oversight and supervisory powers over intelligence agencies, whether the judiciary has the power to give (or not give) authority to intelligence agency operations, and whether independent media can check administrative activities all help gauge the risks of unwarranted government access.
Of course, unwarranted government access to data can occur even in a democracy. As Edward Snowden revealed in June 2013, illegal or inappropriate access can happen in the U.S. At the same time, the U.S. guarantees the right to publicly criticize the federal government.
Whether a country actually engages in cyber-operations is also an essential factor. Although Beijing denies involvement, no country targets classified corporate secrets and personal data in cyberspace as continuously as China does.
We can also guess which countries/regions Tokyo considers more favorable for storing or outsourcing data.
In an interview with the journal Gaiko (Diplomacy), Foreign Minister Yoshimasa Hayashi advocates “harmonization” (cooperation and collaboration) with other countries on formulating international rules for economic security, strengthening supply chains, and establishing the “free flow of data.” Specifically, he names Japan’s ally, the U.S., like-minded countries in Europe, and the Quad (Japan, the U.S., Australia, and India).*5
“Free flow of data” refers to the Data Free Flow with Trust (DFFT) concept, which then-Prime Minister Shinzo Abe proposed at the Davos Forum in January 2019. Disagreement over the free flow of data exists not only between democracies and autocracies but also among democracies, namely the U.S. and Europe.
By balancing the “free flow” and “trust” of data, DFFT offers a way to resolve this conflict between Washington and Brussels. Based on Foreign Minister Hayashi’s comments, the countries “with trust” would be the U.S., Western European nations, Australia, and India.
Yet, it is hasty to make decisions solely on the basis of the “country” where data is stored or contracting companies are located. Due diligence is essential to investigate the actual control or influence over the outsourced company through capital ownership, as well as its shareholders, management, and key business partners. Some Japanese critical infrastructure providers have already made such due diligence a standard procedure when using cloud services or offshore development.
Ⅴ．Cybersecurity Based on Economic Security and Geopolitical Risks
Economic security and geopolitical risks are issues directly linked to corporate management. Companies need to establish corporate governance and risk management systems that take economic security into account. The perspective of national security should be ensured in organizational decision-making, information gathering and analysis, risk assessment, and external disclosure and communications.*6
The same could be said of cybersecurity.
Cybersecurity with national security in mind means not only assuming individual hackers and criminal organizations as the threat but also including foreign military and intelligence agencies. For the latter perpetrators, cyber-enabled operations are not the only means to achieve their geopolitical objectives.
The adversaries mobilize all necessary means, such as stealing information and committing subversive acts using the products and services of companies under their control, and recruiting personnel from private companies for industrial espionage. Therefore, in addition to scrutinizing procured equipment and contractors, a fundamental cybersecurity framework, cybersecurity investments, data governance, and measures against insider threats are also essential.
Compliance with laws and regulations is just the minimum requirement, and that alone is not enough for private companies. With regard to the Core Infrastructure in the ESPA, being subject to the government’s preliminary review is surely a concern, but that is not all.
Even if a company or facility is not subject to preliminary screening, it should consider its business and risks and aim to meet roughly the same level required by the ESPA. At the least, business leaders must discuss this issue and make decisions. The absence of a legal requirement in turn makes things more difficult for companies, since they need to make their own decisions.
Corporate preparedness and responses regarding economic security do not end with complying with the ESPA. Eyeing the trend in Tokyo’s economic security policy and the geopolitical great games that will probably accelerate, private companies need to enhance their risk management and cybersecurity approach.
This is a translation of the Japanese article written on February 15 and revised on September 11, 2022, which was originally published in the World Economic Review May/June 2022 issue.
*1 From The World and Japan database (representative: Akihiko Tanaka), “Comprehensive Security Research Group Report” (July 1980), Policy Research Association, Comprehensive Security Research Group (chairman: Masamichi Inoki).
*2 According to Ryo Sahashi of the University of Tokyo, the basic U.S. policy towards China since the normalization of diplomatic relations has been support and engagement. Besides the difference in national strength between the U.S. and China, continued U.S. engagement in China was based on three expectations: China would (1) advance economic and market reforms, (2) carry out political reforms, and (3) accept the existing international order and contribute to the international community. Ryo Sahashi, U.S.-China Conflict: America’s Strategic Shift and the Global Divide (in Japanese, Tokyo: Chuokoron Shinsha, 2021), pp.162-163.
*3 Toshiya Tsugami, “The Critical Three Points in China’s ‘Economic Security’,” nippon.com (in Japanese, February 2, 2022)
*4 Takahisa Kawaguchi, “China Targets Personal Data in Global Espionage,” WEDGE Infinity (in Japanese, February 5, 2022)
*5 Yoshimasa Hayashi and Akihiko Tanaka, “Harmonization with Like-Minded Countries Is Essential for Economic Security,” Gaiko, vol. 71 (in Japanese, December 2022), pp.6-14.
*6 Takahisa Kawaguchi and Shinji Shibata, “Governance and Risk Management Framework Based on Economic Security,” Risk Management Forefront, No. 2021-6 (in Japanese, August 23, 2021)
Principal Researcher at Tokio Marine dR. Born in 1985. Specializes in international relations and security, and risk management. Graduated from Yokohama City University in 2008 and earned an MA degree at the Graduate School of Media and Governance, Keio University in 2010. A visiting fellow at the Keio University Global Research Institute (KGRI). Recent publications include Hacked Democracy: Risk of Election Interference in Digital Society (in Japanese, co-edited with Motohiro Tsuchiya, Tokyo: Chikura Shobo, 2022) and “The Russia-Ukraine War and Struggle over ‘Narrative Superiority’,” SYNODOS (in Japanese, May 21, 2022).