China hacked Japan’s classified defense cyber networks, officials say

“It was bad — shockingly bad,” recalled one former U.S. military official, who was briefed on the event, which has not been previously reported.

Tokyo has taken steps to strengthen its networks. But they are still deemed not sufficiently secure from Beijing’s prying eyes, which, officials say, could impede greater intelligence sharing between the Pentagon and Japan’s Ministry of Defense.

The 2020 penetration was so disturbing that Gen. Paul Nakasone, the head of the NSA and U.S. Cyber Command, and Matthew Pottinger, who was White House deputy national security adviser at the time, raced to Tokyo. They briefed the defense minister, who was so concerned that he arranged for them to alert the prime minister himself.

Beijing, they told the Japanese officials, had breached Tokyo’s defense networks, making it one of the most damaging hacks in that country’s modern history.

The Japanese were taken aback but indicated they would look into it. Nakasone and Pottinger flew back “thinking they had really made a point,” said one former senior defense official briefed on the matter.

Back in Washington, then-President Donald Trump was busy contesting Joe Biden’s election victory, and administration officials were preparing for a transition. Senior national security officials briefed incoming national security adviser Jake Sullivan during the handoff, but the incoming Biden administration faced a swirl of issues — including how to deal with a major Russian breach of U.S. agency networks discovered during the Trump administration — and some U.S. officials got the sense the Japanese just hoped the issue would fade away.

By early 2021, the Biden administration had settled in, and cybersecurity and defense officials realized the problem had festered. The Chinese were still in Tokyo’s networks.

Since then, under American scrutiny, the Japanese have announced they are ramping up network security, boosting the cybersecurity budget tenfold over the next five years and increasing their military cybersecurity force fourfold to 4,000 people.

Beijing, bent on projecting power across the western Pacific — an area it controversially claims as part of a historic maritime dominion, has increased confrontation in the region. It fired ballistic missiles into Japan’s exclusive economic zone last August after then-House Speaker Nancy Pelosi visited Taiwan, a self-ruled democracy that China claims. It has embarked on a major nuclear weapons buildup. And it has engaged in dangerous air and naval maneuvers with U.S., Canadian and Australian ships and jets in the Pacific.

China, which already boasts the world’s largest legion of state-sponsored hackers, is expanding its cyber capabilities. Since mid-2021, the U.S. government and Western cybersecurity firms have documented increasing Chinese penetration of critical infrastructure in the United States, Guam and elsewhere in the Asia-Pacific. The targets include communication, transportation and utility systems, Microsoft said in May.

China-based hackers recently compromised the emails of the U.S. Commerce secretary, the U.S. ambassador to China and other senior diplomats — even amid an effort by the Biden administration to thaw frosty relations with Beijing.

“Over the years we have been concerned about its espionage program,” said a senior U.S. official. “But China is [also] developing cyberattack capabilities that could be used to disrupt critical services in the U.S. and key Asian allies and shape decision-making in a crisis or conflict.”

In the face of this aggression, Japan has stepped up, moving beyond the traditional “shield and spear” arrangement in which Tokyo focuses on the country’s self-defense, while Washington provides capabilities that support regional security, including the nuclear umbrella that protects Japan and South Korea. Japan is developing a counterstrike capability that can reach targets in mainland China. It is buying U.S. Tomahawk cruise missiles. And it is permitting the U.S. Marine Corps to place a new advanced regiment in remote islands southwest of Okinawa, a location that along with the northernmost islands of the Philippines, allows the U.S. military proximity to Taiwan should a conflict with China erupt.

“Japan and the United States are currently facing the most challenging and complex security environment in recent history,” Prime Minister Fumio Kishida said at a news conference with President Biden in Washington in January. He noted Japan’s new national security strategy boosting its defense budget and capabilities. “This new policy,” he said, “will be beneficial for the deterrence capabilities and response capabilities of the alliance as well.”

U.S. Defense Secretary Lloyd Austin has indicated to Tokyo that enhanced data-sharing to enable advanced military operations could be slowed if Japan’s networks are not better secured.

“We see tremendous investment and effort from the Japanese in this area,” said a senior U.S. defense official. But work remains to be done. “The department feels strongly about the importance of cybersecurity to our ability to conduct combined military operations, which are at the core of the U.S.-Japan alliance.”

Acknowledging the problem

As the Biden administration took office, it faced a maelstrom of cybersecurity crises.

The United States was debating how to respond to the massive Russian “SolarWinds” hack, which was uncovered during the Trump administration and had sowed malicious code and enabled cyberspies to steal information from several major U.S. government agencies.

Soon after, a Chinese compromise of Microsoft Exchange servers around the world — including at least 30,000 entities in the United States alone — threatened to cripple small and midsize businesses and state and local government agencies. Then, in the spring of 2021, a ransomware attack on Colonial Pipeline by a Russian criminal group shut down one of the nation’s largest fuel pipelines for six days.

In the midst of this, Cyber Command offered Tokyo a team of cyber-sleuths to help assess the scope of the breach and begin to cleanse its networks of Chinese malware. The command’s “hunt forward” teams for several years had been assisting partners in countries including Ukraine, North Macedonia and Lithuania dig for foreign intrusions.

But the Japanese were wary. “They were uncomfortable having another country’s military on their networks,” said the former military official.

The two sides came up with a compromise approach: The Japanese would use domestic commercial firms to assess vulnerabilities, and a joint NSA/Cyber Command team would review the results and provide guidance on how to seal gaps.

Meanwhile, White House national security staff and Tokyo’s National Security Council set up regular technical exchanges and video conference calls to keep on top of the issue. Defense officials in both capitals did the same.

Upon taking office, the Biden administration created a new cybersecurity position, and placed a senior NSA official in the job. Anne Neuberger, had been appointed as a deputy national security adviser for cyber and knew about the Chinese breach coming in.

But for much of the first year she was occupied with SolarWinds, Chinese compromises and Russian ransomware, and a presidential order to secure the federal software supply chain.

Then in fall 2021, Washington uncovered fresh information that reinforced the severity of China’s breach of Tokyo’s defense systems and that Japan was not making much progress in sealing it.

A warning from Washington

That November, despite Japan being in pandemic lockdown, Neuberger and a handful of other U.S. officials flew to Tokyo and met with top military, intelligence and diplomatic officials, according to several people with knowledge of the trip.

To protect sensitive sources and methods, Neuberger could not explicitly tell the Japanese how U.S. spy agencies knew about the Chinese compromise. She tried in an oblique way to assure Tokyo that the Americans were not in their networks, but suspicions lingered. After all, the Japanese, like other allies, knew that the United States spies on partners.

In 2015, the anti-secrecy website WikiLeaks revealed that the NSA had spied on 35 targets in Japan, including cabinet members and the corporation Mitsubishi. Biden, then vice president, called then-Prime Minister Shinzo Abe to apologize for the trouble caused.

In any case, Washington and Tokyo had no history of working together to address a sensitive intelligence threat.

“We were asking for an unprecedented level of access to their systems,” said one person familiar with the matter. “We were asking them to take their trust in us to a deeper level than we had before. And naturally any sovereign country would be cautious about that.”

In deliberate, measured fashion, Neuberger laid out what the United States knew. She made clear that the White House felt the problem needed to be fixed.

“We’re not here to wag fingers,” said a senior administration official, describing the approach. “We’re here to share hard-won lessons.”

Neuberger found a partner in Japan’s newly appointed national security adviser, Takeo Akiba, who zeroed in on an entrenched bureaucracy. They were helped by the fact that Kishida was keen on advancing a campaign launched by Abe to bolster Japan’s defense capabilities. Tokyo set to work on a new cyber strategy, which sought to beef up spending and personnel and align cybersecurity standards with U.S. and international benchmarks.

“The first step is acknowledging that you have a problem, and then second, acknowledging the seriousness of the problem,” said the senior U.S. defense official.

Japan launched a Cyber Command, which monitors networks “24/7,” said a Japanese defense official. It has introduced a program to continuously analyze risks throughout the military’s computer systems. It is enhancing cybersecurity training and is planning to spend $7 billion over five years on cybersecurity.

“The government of Japan intends to strengthen its cybersecurity response capabilities to be equal to or surpass the level of leading Western countries,” Noriyuki Shikata, Kishida’s cabinet press secretary, said in an interview. That goal — along with “active cyberdefense,” or a form of offense-as-defense hacking — is enshrined in Japan’s new national security strategy.

For years before China audaciously hacked its networks, Japan was seen as a leaky vessel. During the Cold War, Soviet operatives used good old-fashioned tactics, capitalizing on people’s weaknesses for food, drink, money and gambling to cultivate Japanese journalists, politicians and intelligence officers.

“They bragged to themselves that Japan was ‘spy heaven,’” said Richard Samuels, a political scientist at MIT, whose history of Japan’s intelligence community was published last year.

After the Cold War ended, Japanese officials finally started waking up to the importance of tightening up access to intelligence. For one thing, the Americans were taking notice. A year before 9/11, a report produced by a Pentagon-funded think tank noted that despite the importance of the U.S.-Japan alliance, intelligence-sharing with Tokyo was far less than that with NATO partners.

“Both within and beyond Asia, Japan faces more diverse threats and more complex international responsibilities, which call for intelligence that provides a better understanding of its national security needs,” stated the report, written by a bipartisan study group including foreign policy experts Richard Armitage and Joseph Nye.

It urged Japanese leaders to build public and political support for a new law to protect classified information.

“The Americans weren’t happy with how porous the Japanese intelligence community was,” said Samuels. “They did what you would expect, which was to share less. At a time when Japan needed more and better intelligence from its powerful ally, it wasn’t getting everything it needed, and it was told it’s because your intelligence community leaks. If you tighten it up, we can have a fuller and more robust exchange.”

One of the most receptive to the message was Abe, scion of a prominent political family and twice prime minister. Abe, more than any modern political leader of Japan, paved the way for security reform in Tokyo.

During his second tenure as prime minister in the early to mid-2010s, he sparked changes. The parliament passed a state secrets law that set stiff penalties for mishandling documents and for leaking information. Abe set up a National Security Council, modeled in part after the U.S. version, to advise the prime minister.

Antiwar and civil liberties advocates protested the reforms, claiming they were infringing on privacy rights and voicing concerns about an expanding national security state. But by 2013, when the law was passed, the geopolitical landscape had shifted. The public had come to see that decades of a nominal commitment to self-defense had only emboldened a rising Beijing.

China had aggressively responded to Japan’s nationalization of the Senkaku Islands, flooding the waters off the islands with Coast Guard vessels and maritime militia. In the South China Sea, it was turning remote atolls into military outposts seemingly overnight. President Xi Jinping had come to power, accelerating a vast military modernization. Meanwhile, North Korea continued provocative nuclear tests.

Abe was assassinated in July 2022, but his legacy lives on. Over the last decade, attitudes toward China have hardened: Today, a majority of Japanese view the Chinese government unfavorably, while support for the U.S. alliance is at an all-time high.

“Enhancing bilateral cooperation between Japan and the U.S. strengthens the cyber defenses of both nations,” said Nakasone in a statement to The Post. The United States is focused on helping Japan improve its cyber capabilities, he said, noting that the goal is for both nations to be able to ensure “a safe and secure Indo-Pacific region.”

In December 2022, Chris Inglis, then the White House national cyber director, flew to Japan to speak with counterparts. Part of his mission was to share what the U.S. government was doing to better secure its own systems as he was in the midst of drafting a national cybersecurity strategy. A pillar of that strategy, which was issued in March, was strengthening partner capacities.

“My discussions were intended to be quite positive about what we could do together, how we could frame cyber strategies and national strategies that would be complimentary,” Inglis said in an interview. “But we have to make sure that each of us makes the appropriate investments in cybersecurity foundations.”

Administration officials admit that U.S. networks are far from 100 percent secure. Over the last two decades, cases abound of Russian, Chinese, Iranian and North Korean hacks. Sensitive commercial and classified material has been stolen, the NSA’s own top-secret hacking tools have been released into the wild, Hollywood studios have been coerced and embarrassed, and the United States’ democracy has been assaulted.

The “attack surface,” as cybersecurity experts call it, is vast.

Over the last 20 years, each successive U.S. administration has sought to do more to enhance American cybersecurity. New organizations have been created at the White House, Department of Homeland Security and Defense Department to deal with the issue. More money has been allocated. Authorities have been expanded. Efforts with the private sector, which owns and runs the majority of critical infrastructure, have been enhanced.

“We can’t hold the Japanese to a standard that we ourselves can’t possibly meet,” said the defense official. “At the end of the day, we’re going to share information with them,” the person added. “We just want to do our best to keep our adversaries out.”