An Open Letter to the Japanese Government on Cybersecurity

Times are changing, and the Japanese Government’s Cybersecurity posture lags behind the best of NATO and other prominent countries.

Published on Apr 18, 2022

Reading time: 17 minutes.


Every nation that has grown in the Cybersecurity space has felt the woes of malicious threat actors exploiting its systems. The United States, for instance, has felt the pain of repeated ransomware incidents, one of the worst to affect US Government interests being DarkSide’s attack on the Colonial Pipeline. The pipeline carries fuel from Texas to as far away as New York; forty-five percent of all fuel consumed on the East Coast arrives via this system. The Colonial Pipeline ransomware attack was one instance among heaps of malicious threat activity carried out over the years.

The United States, however, is one country out of dozens that allow responsible vulnerability reporting. In previous years, the mechanisms allowing ethical hackers to report discovered security concerns were immature, offloading nearly all government vulnerability discoveries onto the plate of US CERT/CC. A breakthrough came with the Cybersecurity & Infrastructure Security Agency’s Binding Operational Directive (BOD) 20-01, which made it a federal requirement for every government entity to develop, publish, and maintain a vulnerability disclosure program, opening the door for ethical hackers to report security issues in good faith.

Other countries such as the United Kingdom and the Netherlands operate their own form of responsible vulnerability disclosure. The United Kingdom operates through a third party, allowing hackers to conduct vulnerability assessments through HackerOne. The UK’s scope of Government assessment is defined here, and issues are routed to the National Cyber Security Centre. In a similar sense, the Netherlands also allows responsible vulnerability reporting through its National Cyber Security Centrum, here.

Lack of Adaptation

The Japanese Government operates a base level of Cybersecurity emergency alerting through JPCERT/CC, but much like the immature disclosure policies offered by the United States and other NATO Governments in the past, JPCERT/CC offers limited assurance of safe reporting. Japan isn’t a stranger to exploitation, though. In May of 2021, Fujitsu’s software-as-a-service platform ProjectWEB was hacked, resulting in a suspension of all projects using it. In July of 2021, the Japanese Government announced that various Japanese companies had been targeted by APT40, a Chinese state-funded cybercriminal group.

Japan has hosted various hacking competitions and has been known to hire whitehat hackers through various private firms for consultation. Still, this isn’t enough. Japan has the third-largest GDP in the world, and its digital expansion hasn’t slowed.

Deconstructing Disclosure

Japan lacks appropriate mitigations for Cybersecurity incidents, effectively increasing the attack surface of its internet-connected assets. Hackers operating in good faith do not have the appropriate reassurance to communicate with the Japanese Government or with Japanese companies. As an example, if a citizen were to discover a vulnerability while using a Japanese Government website, they would be unlikely to report it for fear of prosecution. In a similar sense, hackers equipped with the skills to help organizations find vulnerabilities will not do so without knowing whether they’d be safe in doing so.

There have been many instances in which hackers have been willing to assist governments and organizations in identifying vulnerabilities in good faith, without expecting monetary compensation. As an example, Sakura Samurai has helped the United Nations, the Indian Government, Fermilab and the Department of State, all of which are Government entities. While the news coverage might sound alarming, the severity of each situation would have increased ten-fold had the same flaws been found by a threat actor or cybercriminal group with malicious intent. The United Nations, the Indian Government, Fermilab, and the State Department all benefited from responsible vulnerability reporting, and these are just several examples of the thousands of vulnerabilities reported by hackers with good intentions.

Proposed Resolution

Japan’s Government should reconsider the role that hackers with good intentions play in vulnerability disclosure. Japan needs to consider a more receptive vulnerability disclosure policy to adapt to its increasing attack surface. While it would be unrealistic to ask the Japanese Government to write a policy similar to CISA’s Binding Operational Directive, the idea of an expansion should be considered. Japan could benefit from the expertise of hackers who are willing to help Government and enterprise organizations.

Japan can lead by example by creating a basic vulnerability disclosure process for vulnerabilities identified on .jp assets and, over time, mandating that Government organizations maintain their own vulnerability disclosure programs, much as CISA did. Over time, encouragement from the Japanese Government may inspire enterprises to follow suit and offer Bug Bounty Programs that pay hackers for vulnerability reports. The strongest fight is the one fought with the assistance of hackers from around the world who are willing to help Japan.

The battle for increased security doesn’t have to be fought alone. Hiring private consulting companies to evaluate Cybersecurity posture is a great step in the right direction, but private firms cannot cover the full breadth of all Government assets. Responsible vulnerability reporting and disclosure is the future of crowdsourced assistance for Governments around the world.




John Jackson
Daichi (mshlomd), Security Researcher



The United States and other countries can be cited as nations that permit vulnerability reporting in a form where responsibility is clearly defined. Until a few years ago, the mechanisms by which ethically minded hackers could share the security concerns they discovered with the authorities were immature, so vulnerability discovery was left almost entirely in the hands of US CERT/CC. Now, however, the "Binding Operational Directive" issued by the US Department of Homeland Security has made the development, publication, and management of a vulnerability disclosure program mandatory at the federal government level, opening the way for ethically minded hackers to report security problems in good faith. Countries such as the United Kingdom and the Netherlands have also each adopted their own vulnerability disclosure methods. The UK Government, through a third-party organization called Hackerone, makes it possible for well-intentioned hackers to conduct vulnerability assessments. The areas of assessment overseen by the UK Government are described in detail here (in English), and issues in the covered areas are sent to the National Security Centre. Similarly, the Netherlands also allows vulnerability reporting through its National Cyber Security Centrum (details here).




Because Japan does not have sufficient means to respond to and resolve cybersecurity emergencies appropriately, the attack surface of its Internet-connected assets is being widened. Yet hackers operating in good faith have no way to contact the Japanese Government or Japanese companies without feeling personally at risk. For example, a citizen who discovered some vulnerability while using a Japanese Government website would not report it, out of a sense that they might be punished. In a similar case, even if there were a hacker with the knowledge and skills to help an organization find vulnerabilities, it is normal under current conditions to assume that they would not act without a guarantee of safety.