Mihoko Matsubara: A Roadmap for U.S.-Japan Cybersecurity Cooperation

This is a blog post by Mihoko Matsubara, a cybersecurity analyst and adjunct fellow at the Pacific Forum Center for Strategic and International Studies in Honolulu, Hawaii. 

On May 9-10, 2013, American and Japanese governments held the first U.S.-Japan Cyber Dialogue in Tokyo. This meeting comes nineteen months after the two sides met in September 2011, for the first working-level dialogue on cybersecurity. These meetings have set a good foundation for cooperation, but they must be followed by concrete steps if Tokyo and Washington truly want to make cybersecurity a cornerstone of the U.S.-Japan relationship.

The joint statement on U.S.-Japan Cyber Dialogue indicates that policymakers discussed a wide range of issues including cyber defense, the establishment of norms of behavior in cyberspace, and the protection of critical infrastructure. Interestingly, the document makes no mention of cyber espionage, even though the conference was held right after the U.S. Department of Defense report to Congress that accused the Chinese government and military of information and data theft.

There are two possible reasons. First, the participants could not discuss sensitive information about damages, targets, and techniques. Participants came from nine Japanese and four American governmental organizations and did not necessarily share the same level of security clearance. Japan also lacks a security clearance system that encompasses the entire government. That fact might have prohibited the dialogue participants from going beyond merely consulting on“cyber defense” in general. Second, the two governments actually conferred on espionage but refrained from using the word in their diplomatic document to evade speculation about the alliance’s stance toward China, even as growing media reports suggest China’s involvement in cyber espionage. Furthermore, given the continuing tension between Japan and China in the East China Sea, Tokyo and Washington may have wanted to avoid introducing one more sensitive topic that could exacerbate relations with Beijing.

A comprehensive dialogue is needed to bring all the governmental policymakers together, but such an all-encompassing approach risks making it difficult for dialogue participants to focus on, and follow up on, specific policies. In fact, the only concrete recommendation mentioned in the joint statement is the protection of critical infrastructure. The document argues that the Cyber Dialogue “identif[ied] actions government and the private sector entities can take to secure critical infrastructure,” although the document does not elucidate the details.

The protection of critical infrastructure is a good place to start, but Tokyo must identify priority areas for cooperation with Washington. Japan has ten critical infrastructure sectors, whereas the United States identifies eighteen. Both sides categorize communication, financial institutions, transportation, and water as critical infrastructures. Japan does not regard the defense industry as having critical infrastructure, but this is likely to be an area where Washington would like to start information-sharing. There are multiple media reports about cyber espionage against Japanese defense contractors including Mitsubishi Heavy Industries (MHI), Ltd. Such attacks not only expose vulnerabilities in the capability of the Japanese Self-Defense Forces (SDF), but also have a negative impact on operational cooperation between the SDF and the U.S. military.

Although Japan does not regard the defense industry as part of the critical infrastructure, the country already has a system for information-sharing between the public and private sectors, called the Cyber Intelligence Information Sharing Network. After the MHI case was revealed in summer 2011, Japan became more concerned about cyber espionage. In August 2011, the Japanese National Police Agency established public-private partnerships with critical infrastructure companies, defense contractors, and information and communications technology-related companies to share information on hacking and malware.

Still, cooperation in the defense industry is likely to be difficult. The sensitivity of national security-related information requires the Japanese and American governments and private companies on both sides of the Pacific to share the same level of security clearance and information assurance system for the partnership to be effective. Creating such a system, as well as a secure communication method, will take time.

It would be easier to start out with a few critical infrastructure sectors such as communications, electricity, and financial institutions. Then, the two governments can gradually expand the framework to other sectors including the defense industry, once the bilateral cooperative framework is established.

The first Cyber Dialogue heralds a new chapter in the bilateral relationship between Japan and the United States by creating a template for comprehensive cybersecurity cooperation. Now, it is time for Tokyo and Washington to identify specific steps to share information to protect critical infrastructure. This focused effort will certainly help the governments use their resources efficiently to protect cyberspace and make the alliance more robust.