On May 1, Minister of Economy, Trade and Industry Ryosei Akazawa met with operators of critical infrastructure to discuss responses to advanced AI. The talks offer a window into the state of corporate cybersecurity in Japan.
A Meeting Driven by Fears of AI Misuse
The following participants were named by the Ministry of Economy, Trade and Industry (METI) in its official release:
- Nozomu Mori, Chairman of The Federation of Electric Power Companies of Japan (a body whose members include major electric utilities); Mori is also President of The Kansai Electric Power Company.
- Takayuki Hakugin, Chairman of the Transmission and Distribution Grid Council; Hakugin is President of Kansai Transmission and Distribution.
- Takashi Uchida, Chairman of The Japan Gas Association (a body whose members include city gas suppliers); Uchida is Chairman of Tokyo Gas.
- Kazuhiro Noda, Vice Chairman of the Japan Petrochemical Industry Association; Noda is President of Nippon Shokubai, a specialty chemicals manufacturer.
- Yutaka Yamamoto, Chairman of the Japan Consumer Credit Association (the industry body for credit-related services); Yamamoto is a scholar of civil law.
- Mr. Morishita, Chairman of the Crisis Management Committee of the Petroleum Association of Japan (the industry body for oil wholesalers). The METI release listed only his family name.
Representatives from 24 companies in the electricity sector also attended.
The meeting was prompted by the growing capability of advanced AI to identify vulnerabilities in systems and networks. While such AI can strengthen security, it also raises the prospect of malicious exploitation and the development of attack methods with no historical precedent.
Akazawa stated that “we must act to ensure that cyberattacks on critical infrastructure do not disrupt operations or cause malfunctions that significantly affect people’s lives and economic activity.” He identified three concrete priorities: leadership from the top of each organization, early detection and response to vulnerability information, and a transition to Zero Trust architecture.
Industry representatives broadly echoed these concerns in their remarks.
Japanese Companies Have Been Slow to Adopt Zero Trust
The fact that Zero Trust appeared on Akazawa’s list of priorities is itself telling: adoption among Japanese companies has lagged. A 2024 survey by Internet Initiative Japan asked companies which of the seven elements required for Zero Trust they had already implemented. Around 60% reported having addressed multi-factor authentication, treating all resources as protected assets, and securing all communications. Fewer than 50% had achieved visibility and analysis of asset and network status, or monitoring of patch management and security policy compliance. Only around 40% had implemented dynamic access control or per-session verification and authorization for resource actions—both of which are critical components of any genuine Zero Trust environment.
Why has Zero Trust been slow to take hold in Japan? The answer lies in concerns about data sovereignty and the continued widespread use of VPNs and similar network architectures that those concerns have sustained.
Data sovereignty is a legitimate concern. But VPNs have persisted for another reason as well: familiarity among ordinary users within organizations. An IT security industry source told the author: “There is a perception that VPNs give you the same workspace environment whether you’re in the office or at home. Because of that, people at Japanese companies tend to feel that VPNs simply make it easier to get various kinds of work done.”
VPNs have become an active target. Both Asahi Group Holdings (best known internationally for its Super Dry beer) and the Japanese e-commerce company Askul—each hit by ransomware attacks in 2025—were using VPNs, and it was those VPNs that the attackers exploited.
To reiterate: data sovereignty is an important issue, and the author’s own view is that data should be kept within Japan wherever possible. At the same time, security standards cannot be allowed to slip.
As an immediate step, operators directly connected to people’s daily lives—not only those who attended this meeting, but also those in transport, media, and other sectors—should build out Zero Trust environments regardless of which network architecture they choose, and work toward establishing models that others can follow.
