Ladies and gentlemen, distinguished, colleagues, members of the government and leaders of Japan's industry and technology sectors, thank you for the privilege, the distinct privilege of speaking with you today at a critical moment for the future of health, safety, economic vitality, and national security, all of which have an existential dependance on digital infrastructure, a shared resource that is often referred to as cyberspace.
I will use the terms cyberspace and digital infrastructure interchangeably in this talk. They're not exactly the same, but for rough approximation, let's treat them that way. But it's important to note that when I use those terms, their performance in delivering critical services depends on far more than technology.
We live in an era defined by rapid innovation. Much of our forward progress is, however, overshadowed by cyber threats that grow daily in scale, sophistication, and ambition. And in the face of those two strategic trends, one good, the other not good, the question is whether we are prepared and willing to seize the future that we want.
There are many reasons to be boldly optimistic about the current services and future innovations that digital infrastructure can deliver to our society. We could not, for instance, have diagnosed the Covid 19 virus and devised a vaccine in record time without it.
Artificial intelligence going forward offers extraordinary efficiencies to essential work processes. Japan stands at the forefront of technological development its industrial internet, its autonomous transportation systems, its financial networks, and its energy grids form the foundation of an advanced economy and a global democracy rooted in transparency and trust.
But this dependance on digital infrastructure, that which makes Japan strong, also makes it vulnerable. The theft of intellectual property robs businesses of precious proprietary information. Ransomware attacks shut down health systems at the cost of personal health and system efficiency, and assaults on critical infrastructure and on the exchange of ideas in a free and open society erode the confidence that people have in shared systems and interdependent societies, and the trends are worrisome.
In recent years, cyber incidents targeting government agencies, private companies, even social infrastructure have intensified. Nation state actors are probing the digital perimeter daily, seeking to exploit vulnerabilities in power networks, satellite systems, defense supply chains, and maritime logistics. These intrusions are not random. They are strategic. They are persistent. They are coordinated.
Reconciling these two strategic realities will not be determined by fate or by chance. It will be driven by the choices that we make or that we fail to make.
As the Irish statesman Edmund Burke said some 250 years ago, all that's necessary for the triumph of evil is for good people to do nothing. The world we want to live in must be built by us, proactively built by us. It cannot be built by simply calling out the misdeeds of others while most of us stand on the sidelines.
In defining the critical actions that must be undertaken to achieve the future that we seek, it's important to first establish a common frame of reference, one that outlines why we care about cyberspace and defines its major components so that we can prioritize our efforts in a world where resources are limited in both capital and time.
Simply put, we must establish the why and the what before we can reasonably consider the how in the who in charting our future course. So let me begin.
First, why do we care about cyberspace? In answering that question, I'd like to ask another question a seemingly odd question first. Does anyone in the room know why high performance cars have brakes? I don't expect an answer. I will answer the question. The reason that high performance cars have brakes is so that they can go faster. It is not about the brakes. Bigger brakes allow us to have full confidence that the cars will perform as expected on a challenging racetrack or on difficult terrain.
But it's not about the brakes, it's about the car. It's about the performance of the car. That's what drives our interest in everything that that's dependent on.
The focus of this question helps us then understand why we care about cyber security, because cyber security is the same. We should not seek to defend digital infrastructure because infrastructure is important. It isn't. It is only important when the things that depend on it are important.
So we need to begin with those things. Things like the production and distribution of energy, the processing and flow of water, the production processes of a modern factory floor, the workings of an economy, the delivery of health care and the conduct of free and fair elections. They're all important to us, and they're all dependent on digital infrastructure. That's why we care about digital infrastructure. But we need to start with the aspiration.
A cyber expert, then, who begins a presentation with a list of actions necessary to defend digital infrastructure is unlikely to get the kind of response than one who begins with a discussion of what the audiences aspirations are, before establishing how those aspirations are dependent on digital infrastructure, and then and only then, describing the actions that must be taken in digital infrastructure to achieve them.
So I suggest that our goal is not one of improving cybersecurity or even of defending critical infrastructure. Our goal is simply this – to ensure that critical functions, critical services dependent on digital infrastructure, meet our expectations. It's that and that alone, and everything else will flow from that. That they deliver on our expectations of life enhancing, life critical services and on our expectations for a free and open society's ability to build and sustain a viable economy, domestic order, and national security.
If those aspirations are important to us, then the things they depend on will be important to us, and everyone will care about the outcome of efforts to deliver those services, not just the people who have cyber or IT or government in their job titles. Again, if we remember it's not about the brakes, it's about the performance of the larger activity that we're interested in.
So moving on to then what is cyberspace? If that's the why, then what is the what? More specifically, what are the levers that we should pull to change the outcomes in cyberspace.
To begin with, as I mentioned earlier, cyberspace is comprised of far more than technology, like any of any system of interest that serves the needs of people, there are three distinct and complementary components.
Technology is the obvious component, and in the case of cyberspace, technology is comprised of subcomponents like hardware and software, telecommunications pathways, storage devices, and many other technical wonders.
But less obvious a component is the component of people. That's the second component. I say less obvious because people are not merely users of cyberspace. They're an integral part of it. The choices that people make in the programs that they run, the links that they click, the devices that they enable, the data that they provide, and the permissions that they grant are all inputs into how cyberspace will perform.
Finally, there is a third component, a more intangible but absolutely essential component, what I would call doctrine. That simply means that roles, expectations, and accountability must be assigned to the various pieces and participants in the system.
Taken together, these three components – technology, people, and doctrine – are all the points of influence, the levers of influence that we must focus on to deliver the preferred outcomes in cyberspace. And their importance is in the reverse order in which I listed them. Bad actors in cyberspace will find and take advantage of any weakness, and they understand that poor defensive doctrine, or poor human awareness, or weak defensive skills give them the highest leverage and optimal results.
So some examples. If no one has been assigned the role of building security into critical products and services, or the role of defending them from malicious manipulation across dispersed supply chains, then that failure in doctrine will be exploited. If users of personal, business or national security systems do not understand the consequences of their security-relevant decisions, then bad actors will cause and exploit weaknesses in those human choices.
Users clicking on malicious links today are still the number one vector for malicious code to enter systems at the beginning of ransomware attacks, attacks that remain a global scourge more than a decade after they first exploded, virtually of course, on the scene. This is not to say that technology flaws do not matter. They do matter. But fixing the technology flaws while ignoring doctrine and user performance is like trying to secure your car by installing seatbelts while leaving the windows open and the engine running. Technology alone does not solve the problem.
The lesson here is that ensuring critical infrastructure and its essential services meet our expectations requires us to address all three components in cyberspace – doctrine, human performance, and technology – in that order.
A consideration of the threat will enable us to prioritize our efforts to design, build, and sustain systems in this highly challenged world. The threat landscape facing Japan like that in the U.S. can be divided into three broad categories.
Nation state actors typically top the list, while few in number. They have a disproportionate outsized effect. Adversarial states are investing heavily in offensive cyber capabilities. Their objectives range from espionage and intellectual property theft to the disruption of defense and infrastructure networks.
Transnational criminal groups are second. Cyber criminals have evolved into organized organizations exploiting ransomware, phishing, and supply chain vulnerabilities. They target hospitals, manufacturing plants, and municipal governments.
And third, but importantly on the list, hacktivist and emerging AI driven threats. Malign actors flood social media with disinformation. Generative AI makes spear phishing, data poisoning, and misinformation campaigns far more deceptive and much more rapid in their onset.
Japan has already felt the tremors of these forces. In the past few years, attacks have disrupted ticketing systems, targeted defense contractors, infiltrated government email networks. Each incident reveals the fragility of essential systems.
And let us remember that cyber conflict is borderless. A single vulnerability in a foreign supplier's software can ripple through a domestic economy within seconds. A breach in just one company's network can become a national emergency when that network is a critical asset for others.
So with those fundamentals in mind, the why and the what, we can now build a strategy to reconcile our goals to our means. To secure specifically Japan's future, we must first accept a difficult truth that preventing every cyber attack is impossible. But what we can and must do is to make the systems that support these critical services defendable, actively defend them, and then align actions to consequences, creating incentives for good behavior and consequences for bad behavior. I'll address each of these in order.
First, building defensible systems means that we must build resilience in upfront so that when attacks occur, those systems will continue to provide minimum viable functionality, the trusted data can still be accessed, and that recovery to full functionality is swift, and that resilience must be built into all three dimensions of cyberspace. Of course, the doctrine and the assignment of roles and responsibilities, but also in human performance and skills, and certainly in technology.
So let me walk through those in that order – doctrine. We must define the expected contributions of the various stakeholders, all of them. Human performance – we must improve people's understandings of the consequence of human decisions on the performance of the overall system. And technology – technology itself must be designed, built and sustained so that it is inherently resilient.
The challenge is not new or solved. Since the earliest days of the internet some 50 years ago, the successive waves of transformation we have experienced have been driven by relentless innovation and broad scale market efficiencies that put one miracle technology after another into the hands of billions of consumers.
But throughout those 50 years, we have seen uneven and largely inadequate attention given to the inherent resilience of technology of all forms. We can't afford to repeat that critical error over the next 50 years, or for that matter, over the next five months, especially as the inflection of technology bends exponentially upward in an era of artificial intelligence, agenetic AI, quantum computing, and untold other transformations that will arrive with increasing speed and impact.
So how do we drive resilience into cyberspace? There are historically three ways to do that.
First, enlightened private sector leadership can voluntarily invest time and capital to ensure that their products and services support the public's need for resilience, safety, and trust. While this approach has been shown to be more cost effective in the long term, there are unfortunately few examples of it in practice. This is primarily because many companies want immediate returns on their investments, and because this approach generally works best when it's combined with the second mechanism that drives investment and safety, market forces.
Market forces, the second mechanism, work best when there is a consumer demand and a willing first mover, someone willing to go first. People of my generation can remember when the Volvo automobile company combined these two dynamics to develop and sell crash worthy cars aimed at capturing business from a rapidly growing class of consumers who are looking for safe family transportation.
Other car companies followed their example. But in the end, the third mechanism stands in the attributes of safety, life or society critical systems that should not be optional must be made mandatory. This introduces the prospect of regulation, which is almost always a government controlled activity. Given the undeniable benefits of innovation and market efficiency, regulation in cyberspace should be undertaken with the lightest possible touch, but no lighter.
Most if not all countries have taken this approach to the safety of automobile transportation systems, commercial aviation, and health care. Why would we do anything less for the health, the life, and the society critical systems established within and by digital infrastructure?
In the U.S., by way of example, cloud systems that serve the economic and national security functions managed deregulated by the government have taken a mix of these three approaches to drive resilience by design to large enterprise widely deployed cloud infrastructure. And while the focus of what I'm about to describe is on government use, the expectation is that those benefits will then accrue to the private sector, which makes use of the same infrastructure.
First, the technical standards for cloud security are developed by the U.S. National Institute of Standards and Technology, a government organization, with significant assistance from the private sector. The U.S. federal government then uses these standards to define requirements for government use in what's called the Federal Risk and Authorization Management Program, known kind of as FedRAMP. And finally, the federal government influences the market by using its buying power through contracts that require security mechanisms defined in FedRAMP. State governments can cascade this effort to their uses, to their jurisdictions, and something called StateRAMP.
But all of that is a market imperative, a market force. None of that constitutes regulation, which by and of itself would mandate that for the use of the private sector. So it's important to note that these initiatives are not yet delivering trusted cloud services to users outside of the government. The hope is that market forces will drive that. But absent regulation, we will fall short, I think, of having that as a required feature in the systems that are used by businesses or private sector users.
So while the effort is commendable, it remains a work in progress, especially if the goal is to build in security for the users of all cloud services, whether you're a private user, a business or a government.
Other governments in the world have taken a stronger hand and regulation. I commend the efforts of the European Union under what's called the Digital Operation Resilience Act, known as DORA, which imposes a requirement on financial institutions and the organizations the supply chain that supports them, including cloud providers. The European Union's network and information security Directive, Something called NIS2, also applies to most sectors and covers cloud providers. That second piece is not as robust, but it's enforced by the individual countries, not merely the EU, so it cascades nicely across the enterprise that supports the users within Europe.
I would simply close this chapter by saying that our experience in other life critical systems, like the ones I referenced earlier – automobile transportation systems, aviation systems, health care systems – can and should help guide our further work here.
All of what I've just described then sets up the task of defending systems that cannot defend themselves. Remember, these systems may not be made perfect because the dynamics of their use and the innovation and market efficiencies that rile their creation makes it such that they can never be placed into a perfect state. So the technology resilience I've just described, which is important, is only the foundation of a much important, larger effort. We must follow through with a vigorous, human-led effort to proactively defend the critical services and functions that are dependent on the technology underpinnings.
While AI can be expected to help in that defense, even systems with AI will require humans to determine priorities and to retain accountability for outcomes. So what I'm about to describe is something that AI can help with, but it's not a substitute for.
In establishing its cyber defenses. Japan must move from a posture of reactive defense, one that cedes the initiative to attackers, to a posture of resilience and proactive defense where anticipation, adaptation, collaboration replace reaction and isolation. Collaboration will be particularly important. Threats flow across jurisdictional boundaries with impunity because no single actor, no single defensive actor can see beyond the jurisdictional horizon that constrains them in terms of their authorities and their capabilities.
Therefore, constructing the complete summary and, more importantly, assessing the impact of those threats on local jurisdictions requires collaboration across those jurisdictions, not just the creation of a summary database, the capability to act on those insights will require collaboration, because no single defender has all the tools held by the sum total of all defenders.
And most importantly, no single defender has all of the authority needed to defend at the speed required across diverse public and private sector and international landscapes required to tie all of those response elements together. Again, collaboration is the only right answer.
But to put it more simply, we must ensure that any transgressor, any attacker in cyberspace, has to beat all of us in order to beat any one of us. Insights and actions constrained to narrow stovepipes will not work. A division of effort that cannot adjust to changing circumstances will ultimately fail. Collaboration within the largest possible coalition is the requisite modality to leverage inherent resilience and a proactive defense.
Finally, resilience and collaboration work best if attention is given to the incentives that motivate people to act. There should be benefits for those who help ensure that critical services dependent on digital infrastructure meet our expectations. There should also be cost for those who use digital infrastructure to hold health, safety, and security at risk. Combined, they will motivate human beings to do the right thing at the right time, in the right way.
Given the significant emphasis in this forum given to the role of government, I will take some time briefly to outline the distinct but complementary roles that must be played by the public and the private sectors.
As in most industrialized democratic societies, Japan's economy is predominantly powered by the private sector. The servers that host our financial data, the substations that manage our energy, and the computers that route our air traffic are almost always owned and managed by private entities. Therefore, it's clear that the defense of our digital nation cannot rest solely in the hands of government.
To that end, Japan needs a shared defense architecture, one in which public authorities and private enterprise function as partners, collaborators in real time. The core components of this shared defense could include information sharing and coordination centers, expanding sector specific centers with government liaisons embedded inside major industries to enable real time threat intelligence that addresses the unique needs of the financial sector or the energy sector or the water sector.
A unified national cyber threat exchange, a secure digital platform where anonymized data on malware vulnerabilities and threat indicators can be rapidly exchanged between companies and government agencies. Legal safeguards for cooperation, updating privacy and antitrust laws to ensure companies can share relevant cyberthreat information without fear of legal repercussions, ensuring benefits for collaboration done right. And then finally, mutual incident response teams creating hybrid teams composed of experts from the Japan Self-Defense Forces, the National Police Agency, and private cybersecurity firms that collectively can do what no one of them can do alone. Together, these measures transform the idea of public private partnership from symbolic to operational.
So let me talk about the merits, which I think are many of the Active Cyber Defense Act that was referenced earlier, Japan's Active Cyber Defense Act, now entering early implementation, represents an historic step forward in Japan's security policy. For decades, Japan's cyber posture was limited to protecting within its own networks. This act expands that horizon, allowing Japan, under strict legal and ethical oversight, to proactively detect, disrupt and neutralize threats outside its boundaries before they reach domestic networks.
While limited today to the collection of metadata, it's a move in the right direction to seize the initiative of those who hold Japan's citizens at risk. But to provide the necessary deterrent, one that prevents escalation, Japan must be able to find and disrupt those threats before they gain a threathold. In the U.S. vernacular, we often say that it's more important to get the archer than it is to catch the arrows.
The U.S. experience may be helpful here. Quoting from the U.S. McCrary Institute's 2025 paper on U.S. Cyber Policy: Offense, Deterrence and Strategic Competition, I quote: "After the creation of U.S. Cyber Command in 2010, U.S. policymakers took a conservative approach to the employment of its capabilities, with the Secretary of Defense Chuck Hagel going so far in a 2014 speech to say that the U.S. would exercise restraint in the employment of U.S. Cyber Command, only to later realize in 2017 that the actions of North Korea and Russia in activities known as WannaCry and NotPetya, respectively, showed that the policy of restraint waiting on shore for the attacks to arrive would encourage escalation by nation states who do not have a policy of restraint.
The 2018 U.S. Defense Science Board study, entitled Cyber as a Strategic Capability, which I was privileged to co-chair, urged the United States to develop a strategic cyber power that emphasized integration with other national power instruments such as diplomacy, economic power instruments, law enforcement instruments, for deterrence and the achievement of strategic goals, tecognizing cyber as crucial for national security. It's not the only instrument to achieve security in cyberspace, but it is one of the very important instruments in that space.
Key recommendations from that study covered countering adversarial operations, strengthening defenses for critical infrastructure, and treating cyber as a core integrated capability, not just a technical function. The current U.S. approach is still a work in progress, but it now incorporates U.S. Cyber Command's persistent engagement and defend forward concepts which complement public collaboration to identify vulnerabilities and threats to U.S. critical infrastructure.
Each of those capabilities, persistent engagement and forward defense, is designed to engage threats continuously and as close to their source as possible. Most notably, the U.S. Department of Homeland Security then operates something called the Joint Cyber Defense Collaboration Center, similar to Japan's proposed Cyber Council, to engage all private sector organization, sector specific agencies such as the National Security Agency which engages the defense industrial base, to combine all of their information about the nature of threats and vulnerabilities in that space.
NSA's own engagement with the defense industrial base constitutes a rich exchange of information from the government to the private sector, so that the private sector is then equipped with what is actually happening in that space, so that they might then participate in a collaborative defense of that space.
Coherence of the various strategy components and the concurrent action is very important. Not easy, not straightforward since there's so many moving pieces, but it's really important. For instance, defend forward is almost always conducted as a collaborative activity with one or more allies. But that's why it's important to have a national cyber director in these places so that we can understand what the role of each of those pieces might be, and then integrate those so that the sum of the parts is greater than the arithmetic sum.
Taken together, threat identification and proactive action to deal with those threats to digital infrastructure are key components of the U.S. and I believe increasingly Japan's ability to make progress in conducting proactive, continuous operations that detect, engage, disrupt, and deter the rogue actions of cyber threat actors.
But I want to be very clear on this point. The U.S. effort, like the proposed Japanese act of defense, is not retaliation, and it does not hold individual privacy or corporate proprietary interest at risks. It is preemptive protection focused only on legitimate threats, and stimulated only by the provocation of those who actively seek to hold national interest at risk. It is defense.
Under Japan's proposed framework, authorized agencies can monitorcross-border malicious attacks against Japan, access communication data from telecommunication service providers without direct individual consent when a major cyber attack is suspected, receive information from operators in 15 critical sectors who are required to report on those cyber incidents, partner with private companies and allies to dismantle command and control servers used in state-backed intrusions, and to deploy defensive countermeasures when an imminent threat to national infrastructure has been verified.
The Japan Active Cyber Defense Act will integrate closely with Japan's resilience strategy, ensuring that Japan is never again forced to simply absorb cyber aggression. But a strategy is only a guide to action. Action, transparency, and adherence to democratic values under international law will be the standard by which that action is judged.
Japan, like the U.S., has much work to do in moving from strategy to action. But I loved the early framing of this forum, which is a do tank, not merely a think tank. And so let us then proceed accordingly.
We have learned over many years that cyber threats, supply chains, and interdependencies freely cross national borders. Thus, defense cannot end at Japan's borders. Japan must strengthen interoperability with key allies, including the United States, Australia, the European Union, and Indo-Pacific partners through intelligence sharing frameworks and joint cyber exercise. This can be accomplished while achieving desired sovereignty in your data and core services.
The key will be to align rather than trade the twin imperatives of sovereignty and collaboration. I applaud the efforts that Japan has undertaken to build a collective deterrence framework, one that makes hostile actors understand that a cyber attack on one democratic nation will be met with a coordinated, incredible response from all nations.
Japan's advocacy will then be important with international forums such as the United Nations, the G7, ASEAN, for the establishment of norms against targeting civilian infrastructure and the development of responsible state behavior in cyberspace. In parallel, Japan's work to foster industry to industry alliances amongst global semiconductor, AI, and telecommunications firms will be important to harden the world's digital supply chains.
Your message to the world through your actions is clear. Japan is not only defending itself. It's helping to secure the digital commons upon which all nations depend.
So finally, as I begin to wrap up, a few comments on the need to invest in people, innovation, and trust. No cyber defense strategy can succeed without skilled people. Japan's investment in talent pipelines through programs such as the Cyber Defense Academy Initiative, offers scholarships for students pursuing cybersecurity, AI safety, and quantum cryptography that will create incentives for people to enter the field, addressing a national shortage of cyber defenders.
Improved tools, including AI and agentic AI will assist, but they cannot replace human accountability in the task of defending critical systems. Trust will be Japan's greatest assets. Citizens must know that their data, their privacy, and their essential services are safe. Therefore, every element of cyber policy, from legislation to system design, must be guided by transparency, democratic oversight, respect for personal freedom, and action that delivers on citizen expectations.
I conclude with a national call to action, in which case I join with NCD Iida and so many others within Japan. I conclude by commending Japan's call to action while noting there's much to be done. Cyber security is often invisible and underappreciated until, of course, it fails. Our collective safety depends on what we do now quietly, persistently, transparently, and together. Japan has always excelled at resilience, whether in rebuilding cities, sustaining industries or innovating against adversity. That same spirit must define our digital transformation going forward.
Through the Active Cyber Defense Act, shared public private protection, and a whole of nation resilience strategy, Japan can ensure that the technologies powering its future alongside doctrine and human performance in things like artificial intelligence, robotics, and transformative technology that lie beyond that, remain forces of prosperity, not instruments of vulnerability. The vision is simple and yet profound a Japan that is open, secure, and unbreakable in the face of cyber adversity.
It is said that the best time to plant a tree is 20 years ago. Perhaps in Japan that might be 200 years ago. But that truth applies here as well. We're all late, very late in addressing the digital underpinnings of services that are existential to every facet of our personal, business, and national lives.
Japan has an impressive, solid plan, but action on that plan will be the way that we and not chance, not fate, build the future that our citizens expect and deserve. It's been an honor to share these remarks with you. I thank you for that privilege, and I look forward to the questions that will come in the panel immediately afterwards.
Thank you.
Outro: That was former U.S. National Cyber Director Chris Inglis, sharing his keynote remarks at the Sasakawa–Yomiuri Global Forum. For more conversations and insights on global policy, visit our website, and subscribe wherever you get your podcasts. Thanks for joining us, and we’ll see you next time.
