By Mihoko Matsubara
The United States and Japan are perhaps the two countries for which cooperation on cybersecurity is the most crucial. They are, respectively, the largest and third-largest economies in the world, and two of the largest military powers. Moreover, the economic and military strength of both countries relies on sophisticated intellectual property, military intelligence and trade secrets. As a result, they have more to lose from cyber threats than any other countries in the world.
Recognizing the importance of cybersecurity cooperation, leaders in both Japan and the U.S. have advocated bilateral dialogue on the issue. Most recently, during a meeting with U.S. President Barack Obama in Washington on Feb. 22, Japanese Prime Minister Shinzo Abe heralded the launch of a comprehensive U.S.-Japan cybersecurity dialogue. On the same day, Japanese Foreign Minister Fumio Kishida and U.S. Secretary of State John Kerry also welcomed the comprehensive dialogue and confirmed the importance of cybersecurity collaboration to both countries’ economies and security.
The first meeting of the comprehensive dialogue will take place in May. However, the reported agenda remains vague, despite the first working-level meeting between the two sides on cybersecurity having in fact been held in September 2011. This indicates that the partners are still trying to figure out the operational agenda for the comprehensive dialogue, which must bring specific action items to the table.
If the alliance is to remain strong in the realm of cybersecurity, the comprehensive dialogue must produce action on three essential fronts. First, the U.S. and Japan must find a way to share information on the occurrence and characteristics of cyberattacks in a secure and timely manner. Second, both sides must agree on a list of prioritized critical infrastructure sectors and cybersecurity requirements to mitigate supply-chain risks. Finally, the U.S. and Japan must revise their Treaty of Mutual Cooperation and Security to cover cyberspace.
Information sharing between the two allies, which is essential to prevent cyberattacks and minimize the damage from attacks that do occur, will require not only shoring up database security, but also reforming Japan’s security clearance and information assurance systems. Japan currently lacks an anti-espionage law and an overarching security clearance system (.pdf) for its agencies and ministries. That is why, in a January 2013 meeting with Katsuyuki Kawai, the chairman of the committee on foreign affairs in the lower house of the Japanese legislature, U.S. Assistant Secretary of Defense for Asian and Pacific Security Affairs Mark Lippert encouraged the passage of legislation to protect state secrets as soon as possible in order to deepen bilateral cooperation on cybersecurity.
Washington’s reluctance to share sensitive information in the absence of robust information assurance is just one of the reasons Tokyo needs to establish a security clearance procedure for those accessing a cybersecurity-related information-sharing framework. Without such security clearance for private sector actors, the Japanese government cannot share classified information about emerging threats with Japanese businesses, hindering Japan’s ability to take advantage of industry expertise.
The need to ensure the cybersecurity of critical infrastructure, such as power grids and telecommunications systems, must also be a priority, as reported cases of cyberattacks on critical infrastructure in the United States are increasing. Given the global scope of supply chains, attacks on such infrastructure could have crippling effects, both economic and psychological, that could potentially spread widely, not only within the targeted country but also throughout the region and the world.
The global scope of supply chains also makes international cooperation necessary if Washington is to operationalize President Barack Obama’s recent executive order on improving the cybersecurity of critical infrastructure. As a U.S. ally, Japan is naturally among the first countries the U.S. would want to reach out to for support. But before anything else, Tokyo and Washington must synchronize their priority lists of critical infrastructure sectors in order to mitigate supply chain risks. While the United States has 18 such critical infrastructure sectors, Japan has only 10.
After that, attention should be directed to the regulatory body currently being launched by the Japanese Ministry of Economy, Trade and Industry to issue cybersecurity certification for critical infrastructure essential to overseas exports. Japan currently has to rely on European or U.S. institutes for such certification. The new Japanese institute will enable the United States to confidently import safe products from Japan while promoting critical infrastructure security. But to support its work, Washington should coordinate with the ministry to keep Tokyo informed of new cybersecurity requirements for critical infrastructure as the U.S. government adds them based on the executive order.
Finally, revising the U.S.-Japan security treaty will demonstrate the two governments’ commitment to work together to defend their cyberspace. It would also align with U.S. strategy: Washington declared that expanding cybersecurity cooperation with allies for collective security would be part of its international strategy for cyberspace (.pdf) in May 2011. Australia and the U.S. already revised their security treaty to cover cyberspace in September 2011.
Nonetheless, the current security treaty between Japan and the U.S. does not explicitly cover either space or cyberspace. Article 5, which deals with the “common danger” of any “armed attack against either [Japan or the U.S.] in the territories under the administration of Japan,” fails to spell out what either party’s commitments would be in the case of a cyber-attack. There is no established definition of the use of force in cyberspace in international law, and borders do not clearly demarcate cyberspace. Thus, revising the security treaty is critical for the alliance to face new types of threats in the 21st century.
The steps advocated here are of course useful for Japan and the U.S., but they would also be effective for other countries. The Japanese and U.S. governments should use this list of action items as a template for expanding their international cooperation and strengthening their alliance, while setting a model for the world in addressing cybersecurity.
Mihoko Matsubara is a cybersecurity analyst and a nonresident research fellow at Pacific Forum CSIS, a think tank in Honolulu.