Professor Jun Murai of Keio University, who took the stage at the opening session, called for a fundamental shift in how security measures are viewed, stating that “in a society based on digital transformation and the use of AI, cyber risk is unavoidable and technical countermeasures alone are insufficient.” He stressed the need to treat cybersecurity — symbolized by zero trust architecture — as a culture that must be instilled across society, from corporate leadership to educational settings.

With rising geopolitical tensions and the rapid proliferation of AI, threats in cyberspace are changing in both scale and the way attacks are conducted. In a dialogue titled “International Relations and Emerging Cyber Threats: The Future of Cooperation and Partnership,” Christopher Painter, a former US State Department cyber diplomat, and Ikuo Misumi, a guest professor at Tokai University, took the stage to discuss how national security and cybersecurity are interlinked.

Painter warned that “as society becomes increasingly dependent on technology, the societal and economic costs of cyberattacks are escalating dramatically.” With state-sponsored attacks and activity by criminal groups intensifying, the boundary between state-sponsored threat actors and cybercrime organizations is becoming increasingly blurred. With ransomware attacks, in particular, expanding to target critical infrastructure such as hospitals and energy supply networks, “cyber threats are closely tied to national security,” he continued.

To combat these increasingly sophisticated cyber threats, effective international cooperation and public-private partnerships are vital. Painter noted, “There is no point in only talking about PPP, or public-private partnerships, as a concept. We need to define the scope of information that will be shared and how roles and responsibilities will be divided in concrete terms before an incident occurs.” Specifically, he highlighted the importance of a role-based approach where the private sector takes the lead in frontline defense, while the government provides support through diplomatic means, sanctions and other measures.

In response to Painter’s observations, Misumi summarized, “This overview has shown that Japan-US cooperation and public-private partnerships must evolve beyond mere frameworks and slogans into meaningful partnerships backed by concrete role sharing and action.”

2025 was a year in which many companies were awakened to the severity of ransomware damage, realizing that it was a real and immediate threat that could also happen to them. In a panel discussion titled “Cybersecurity as a Management Issue,” Shunsuke Yoshida, CISO of AEON Co., Ltd., Tetsuro Yabuki, Executive Officer and CDO of Toyobo Co., Ltd., and Masaya Mori, Chief AI Officer of Hakuhodo DY Holdings Inc., discussed how to reframe cyber risk as a management decision.

Moderator Toshinori Kajiura, President of the Japan Cybersecurity Innovation Committee, noted that “in today’s environment, where multiple unknown risks materialize rapidly and simultaneously, the traditional plan-do-check-act, or PDCA, cycle can no longer keep up.” He posed that perhaps a more agile risk management approach based on the observe-orient-decide-act, or OODA, loop may be required to enable a faster cycle of situational assessment and action.

AEON’s Yoshida explained that advances in AI have led to an increase in phishing attacks that use natural, fluent Japanese, resulting in a sharp rise in attacks targeting Japanese companies. He noted that in organizations with numerous group companies, stores and employees, “there is a high risk of attackers gaining entry through locations with insufficient security measures, and of the damage spreading across the entire organization.” He identified implementing comprehensive measures and establishing sound governance as the greatest challenges.

Toyobo’s Yabuki shared how the company is rebuilding its business continuity plan by treating the risk of supply chain disruption caused by cyberattacks as equivalent to a natural disaster. Toyobo is currently building a system that uses AI to make comprehensive judgments spanning multiple security tools. He also related how the company is working to foster a workplace culture that prioritizes preventing the spread of damage above all else by embracing a “when in doubt, stop” principle — even if this may risk a certain level of disruption to operations or false positives.

Meanwhile, Mori of Hakuhodo DY Holdings voiced concern that as advances in AI technology change the dimension of attacks, countermeasures may lag behind. At the same time, he emphasized that “security measures, such as zero trust architecture and review of ID management processes accompanied by an inventory of business operations, are also a key foundation for AI utilization,” stating that “security measures are investments that support future business growth.”

As the adoption of generative AI by society accelerates, insufficient speed in devising security measures and governance frameworks premised on AI utilization presents a pressing challenge. In a panel discussion titled “Security Management in the AI-First Era,” Masaya Fukushima, VP of System Management Dept. of Japan Airlines Co., Ltd., Joichi Ito, President of Chiba Institute of Technology, and Atsushi Okada, partner of Mori Hamada & Matsumoto, discussed the security and governance approaches required in an age where AI utilization is the norm.

Fukushima noted that “with AI becoming an integral tool to unlocking operational efficiency and value creation, opting not to actively use AI can be a long-term management risk in itself.” Ito also remarked that the evolution of AI agents has “both a bright and dark side,” stating: “While AI is extremely capable, depending on how it is designed, it can also be easily misdirected or malfunction. For critical decisions and their implementation, it is essential to design systems that require human involvement.”

Recognizing these technological and operational challenges, Okada stressed that “responsibility for the actions of autonomous AI, and the handling of data by such AI, are not things that can be resolved by technology alone.” He emphasized that “as AI utilization expands, companies must put in place comprehensive risk management systems, including establishing internal rules, revising contracts and ensuring alignment with legal frameworks.” Reflecting on the discussion, moderator Jun Murai summed up the discussion by remarking that “in an AI-first society, designing technology, organizations and rules from an integrated, holistic perspective is crucial.”

Amid this environment, the acute shortage of cybersecurity professionals is a critical issue. Despite repeated concerns from the field over a lack of staff, effective solutions have not been sufficiently shared. In a panel discussion titled “Exploring Solutions to the Shortage of Security Talent,” speakers at the forefront of industry, research institutions, education and law enforcement gathered to discuss practical approaches for developing and utilizing cybersecurity talent.

To begin the discussion, the participants shared the current challenges companies face in securing cybersecurity talent. Naohisa Ichihara, Group CISO at Mercari Inc., noted that more than 60% of the company’s security team consists of non-Japanese employees, stating: “You won’t be able to attract talent if you only focus on the domestic market. But if you broaden your search globally, you can definitely find the people you need.” He explained that the cybersecurity talent shortage is not merely an issue of numbers, but a challenge that requires companies to rethink their fundamental assumptions and approach to hiring.

Mobility between the public and private sectors is often said to be an effective method for developing talent. Hiroshi Ito, chief researcher at the National Institute of Information and Communications Technology, sharing his experience working in both government and industry, noted that “from a different position, your perspective of the same situation shifts dramatically.” Emphasizing that a determination to empower and maximize talent is essential, he urged senior management to act decisively, stating: “Decide, delegate, and be accountable. Senior leadership must commit to these three principles.”

From an educational perspective, Midori Inaba, a professor at the Institute of Information Security, raised a key issue, noting that companies tend to rely heavily on outsourcing without considering the option of appointing and developing cybersecurity talent internally. She stressed: “Before complaining about the shortage of talent, senior management must understand the type of talent that is required and take a long-term outlook on developing their human resources accordingly.”

This approach of taking a long-term outlook to development is naturally required in the public sector as well. Yoshitaka Hamaishi, special analyst for cyber investigation at the National Police Agency, sharing his experience being seconded to the agency from the private sector, stated, “To enable effective information sharing between the public and private sectors, people who can understand each other’s language and culture are essential.” He suggested that building systems that value and leverage diverse experiences rather than single-track careers could help broaden the pool of cybersecurity talent.

In the event’s closing session, Toshikazu Okuya, Deputy Director-General at the Ministry of Economy, Trade and Industry, joined Murai to discuss the current state of Japan’s cybersecurity policy and its future direction. Again, the importance of public-private partnerships was emphasized.

Okuya stressed, “In Japan, where much of the nation’s key infrastructure is operated by the private sector, it is critical that the government and industry work together and steadily build measures that can be rolled out at frontline level.”

He also highlighted Japan’s strengths, citing its frontline capabilities and expertise in operational technology cultivated primarily through the nation’s manufacturing industry. He expressed hope that Japan has the potential to build world-leading models in the cyber-physical domain, where the real world and cyberspace are deeply integrated. “As AI and robots become instilled in society, Japan’s traditional focus on safety and reliability can serve as a major competitive advantage.”

Finally, Murai wrapped up the event by concluding that “cybersecurity is not an issue for experts alone to tackle, but a culture that must be shared throughout society.”