Rob Sheldon: Advancing U.S.-Japan Collective Cyber Capabilities (Part II: Practical Steps)

Rob Sheldon is a 2013-2014 Mansfield Fellow based in Tokyo. Follow him at @shorttelegrams. Also see Part I and Part III of this series.

Washington and Tokyo are clearly interested in continuing to increase cyber cooperation—potentially in the context of collective defense. Given the nature of the alliance, “collective cyber” should be more than just policy commitment; it should be undergirded by collective capabilities. Unfortunately for planners on both sides, there is little precedent from which to draw on building international-level interoperability in the cyber domain. In September 2011, the United States and Australia formally recognized their need to incorporate cyber in the Australia, New Zeleand, United States (ANZUS) treaty. The countries have also, along with the UK, established a Defense Cyber Contact Group for gaming and planning. (However, that this sort of cooperation has not yet extended to the other Five Eyes—the UK, United States, Canada, Australia, and New Zealand—with whom the United States has existing mechanisms to share classified information, illustrates the extent of the challenges ahead.) And finally, the United States reportedly worked in tandem with Israel to create and propagate Stuxnet, the computer worm that targeted control systems at Iranian nuclear facilities.

Although all of these examples are instructive, none offers a template for the integrated and comprehensive capabilities that the United States and Japan should seek. To that end, they should consider the following measures:

Routinize the exchange of technical threat information. Some in Washington worry about Tokyo’s ability to safeguard sensitive information. Indeed, previous incidents led to an April 2006 exchange of notes on information assurance and computer network defense, and later, the August 2007 agreement on the handling of classified information. Several issues should mitigate such concerns. First, if Tokyo’s “secrets bill” passes, Japan’s intelligence information management system will become more structured and more closely aligned with U.S. standards. Second, the most actionable types of cyber intelligence, such as malicious software signatures or identifiers about malicious domains, are relatively straightforward to share. As the Atlantic Council’s Jason Healey has persuasively argued, in most cases, just by virtue of utilizing a novel vulnerability, the adversary himself makes its characteristics public, obviating most of the potential classification concerns. Third, even if an information sharing channel is compromised, the data itself would likely reveal little or nothing about the sources and methods—protection of which is the fundamental purpose of classification—used to collect them. Disclosure may cause an adversary to adjust tactics, techniques, and procedures, which could undermine defensive measures; however, the possibility of compromises should not disrupt cooperation where the benefits of such exchanges outweigh the risks.

Pluralize information sharing channels and expand points of contact. Bureaucrats on both sides of the Pacific should resist pathologies that would create a lone, highly-restrictive information sharing channel; an exchange that relies exclusively on high-level rather than working-level personnel; or multiple stove-piped channels. Organizational reforms within Japan’s defense establishment and civilian bureaucracy will soon strengthen the institutions that serve as counterparts to U.S. Cyber Command and the Department of Homeland Security. Military services, particularly their respective navies and air forces, should establish or improve working-level coordination with counterpart components. Particularly with more data from the intelligence community, existing contacts could be enhanced between the Federal Bureau of Investigation and the National Police Authority, as well as the respective Computer Emergency Readiness Teams. Finally, both sides have critical infrastructure protection working groups that, notwithstanding different architectures, could benefit immensely from enhanced communication. Linkages between counterpart organizations constitute the best mechanisms for developing responsive, heuristic problem solving strategies.

Inventory and develop shared cyberspace situational awareness capabilities. The 2011 U.S. International Strategy for Cyberspace specifically articulates the need to leverage international partnerships to increase early warning capabilities in cyberspace. Japan has already demonstrated real leadership in this area through its Proactive Response Against Cyber-attacks Through International Collaborative Exchange (PRACTICE) initiative and Internet Traffic Monitoring Data Sharing (TSUBAME) Project. The latter of which, following discussions at the September ASEAN-Japan Ministerial Policy Meeting on Cybersecurity Cooperation, will seek to include data from all ten of the Southeast Asian nations. There are numerous commercial sensors and solutions for monitoring internet conditions, using data streams that vary from Border Gateway Protocol (BGP) broadcasts to reporting from real-time monitoring of botnet traffic and spam levels. Most or all of the large internet service providers have visibility across their own networks, information from which may be shareable. For the U.S. and Japan, an important task will be to survey these capabilities and determine the extent to which they can be aggregated and deployed to relevant stakeholders.

Evolve these capabilities into a common operating picture. The ultimate goal for joint U.S.-Japan cooperation in cyberspace should be a common platform for managing operations. At present, this may be difficult to achieve even on an inter-service basis at the national level. But the advantage of considering the matter now is that United States and Japan, as well as other international partners, can have deliberate conversations about technical standards and integration as well as various legal considerations. Absent a process for these discussions, each side will continue to develop unique solutions that may yield drastically different architectures, risking entrenched path dependencies. Experience from the unmanned aerial vehicle sector demonstrates that retrofitting compatibility is possible but time-consuming and painful. Concerted planning at the earliest stages of capacity and institutional development is the most efficient course of action.

The views expressed here are personal and do not necessarily reflect those of the Maureen and Mike Mansfield Foundation, nor any other institution with which the author is affiliated.