Mihoko Matsubara is an adjunct fellow at the Pacific Forum. You can follow her @M_Miho_JPN.
Japan and the UK have been strengthening their cybersecurity collaboration over the last six years. Last month, they held their fourth bilateral dialogue on cyberspace in London to discuss their cooperation on the Tokyo Summer Olympic and Paralympic Games, the development of international cyber norms, the security of internet of things devices, and capacity building. Although the benefits of Japan-UK cybersecurity collaboration might not be self-evident, both can learn from each other to improve their respective cybersecurity and jointly collaborate on cybersecurity capacity building efforts in Southeast Asia.
Japan, which is hosting the 2020 Summer Olympics and Paralympics, has a lot to learn from the United Kingdom on cybersecurity. Major sporting events have become targets for malicious cyber activity. UK authorities had to contend with a potential cyber incident that could have disrupted the electricity infrastructure powering the opening ceremony of the 2012 London games. More recently, Olympic officials in South Korea had to fend off cyberattacks, some of which were also aimed at disrupting the opening ceremony in Pyeongchang. While the Japan national computer security incident response team will use next year’s Rugby World Cup as a dry run for the next Olympic, it can also take advantage of lessons learned from London 2012 and Pyeongchang 2018 to improve Japan’s risk management and cyber threat intelligence capabilities.
If Japan can learn from the UK, then what’s in it for London? The answer is simple: access to the Southeast Asian cybersecurity market via capacity building efforts.
Southeast Asia is a lucrative market for tech investment as the region becomes more connected to the internet. The region received $274 billion in foreign direct investment last year and that number is poised to grow thanks to investment from Japan, China, and India. The region is also the fastest growing internet market in the world, adding 3.8 million internet users every month. The region’s digital economy was worth $31 billion in 2015, and is expected to grow to $197 billion by 2025.
Physical critical infrastructure is also growing fast. Singapore is expanding the Changi Airport. Indonesia is building a metro in Jakarta. To remain an attractive market for foreign investment, Southeast Asia needs to improve its cybersecurity to ensure cyberattacks will not disrupt trust in digital assets and critical infrastructure.
Japan has a long history of supporting cybersecurity capacity building efforts in the region, both on the policy and technical fronts. Tokyo has hosted workshops under the auspices of the Association of Southeast Asian Nations (ASEAN) to train government officials in developing sound cybersecurity policy and strategy, and developed the Internet Traffic Monitoring Data Sharing Project (TSUBAME Project) in which the Japan Computer Emergency Team/Coordination Center (JPCERT/CC) monitors malicious internet traffic in the Asia-Pacific. Japan has also developed public outreach and awareness materials to promote cybersecurity through short video clips , and posters and brochures in English.
Although the UK places a heavy emphasis on capacity-building in promoting its cybersecurity interests on the world stage, it has less experience working in the ASEAN region than Japan. The UK also has a growing cybersecurity market of $5 billion and the industry would like access to Southeast Asian customers. With a decade-long experience in the field, Japan should be an important partner to the UK, facilitating London’s access to the region.
Last year, both governments hosted a cybersecurity workshop in Brunei, inviting representatives from other ASEAN countries to discuss the rule of law in cyberspace, internet governance, and cybersecurity agencies. The workshop is one step forward for the joint capacity-building project between Japan and the UK.
One area ripe for UK-Japan collaboration in the ASEAN region is cybersecurity training. While Japan itself expects to face a shortage of 193,010 cybersecurity professionals by 2020 and 45 percent of organizations in the UK acknowledges a shortage of cybersecurity skills, the problem is also acute in Southeast Asia. For example, Malaysia needs 10,000 professionals by 2020 while the country has only 6,000 as of 2017.
Both Japan and the UK have national level efforts to cultivate cybersecurity professionals from the entry level to the C-suite as well as those who can craft strategy and policy and protect critical infrastructure. The Japanese government, for example, founded the National Cyber Training Center to educate young people under 25 years-old to research and develop cybersecurity technologies, and the Industrial Cyber Security Center of Excellence to train mid-career and C-suite professionals about the protection of critical infrastructure in collaboration with international partners such as the US and Israel in 2017. While there are not many English documents available about these projects, their lessons could be shared with ASEAN partners. Similarly, the UK government provides an apprenticeship scheme to train people to protect critical infrastructure.
Any joint UK-Japan effort should be aware of other ongoing efforts. Australia and Singapore in particular are also looking to strengthen their capacity building support in the ASEAN region. Singapore, for example, launched the ASEAN Cyber Capacity Program, with a commitment of $7.62 million over five years in April 2017. To facilitate resource coordination and prevent the duplication of projects, ASEAN should map all regional, national, and private sector programs.
The Japan and the UK are well on their way to taking their cybersecurity relationship to the next level. The next Japan-UK cyber dialogue will be held in Tokyo in 2019, and will be another opportunity to assess the strength of the relationship and the effectiveness of their capacity building efforts in ASEAN.