Cybersecurity is becoming more important to the economic, security, and social well-being of both the United States and Japan. Sasakawa Peace Foundation USA therefore commissioned this paper to examine ways to improve cybersecurity cooperation between the two nations. Its main parts include (a) how the U.S. and Japanese governments are organized to deal with cybersecurity issues; (b) how the two governments currently coordinate in cybersecurity; (c) how the differences in organization and other matters affect coordination; (d) “whole-of-society” approaches to overcoming impediments, and (e) recommendations.
Several recent studies of Japan’s cybersecurity and Japan-U.S. cooperation have produced useful recommendations. This paper tries not to duplicate them. Rather, based on recent discussions in Japan and the United States, it focuses on ways to change behaviors to improve both long-term coordination and crisis response. Both nations have policies, procedures, plans and organizations in place to promote cybersecurity-related information sharing, law enforcement and incident response. But there are critical gaps in how well these work in practice. However good high-level pronouncements may be, they have to be implemented effectively.
Improving information sharing across stovepipes needs particular attention in both countries. This requires agreed-upon frameworks for understanding risk and liability. Legal structures and other procedures and regulations should incentivize sharing and collaboration.
No one government or private sector organization has all the answers, and each nation can learn from the other. Since most economic assets and critical national infrastructures (CNI) are privately owned and operated, cybersecurity-related solutions will need significant amounts of public-private cooperation. This includes education for citizens, the workforce, and management. Despite pronouncements by senior officials, many still don’t see cybersecurity as a priority. However, people in both countries understand the need for counterterrorism and disaster preparedness, and cybersecurity can be related to these.
For example, a challenging, yet plausible, threat involves the concurrent disruption of several infrastructures by physical and virtual means, causing casualties that could cascade from one sector to another. This would require “whole of society” responses, across sectoral, organizational, and political boundaries, probably with international collaboration. Both countries already have effective mechanisms in place for counterterrorism and “all hazards” emergency preparedness—these could be brought to bear. Improvements certainly will be needed to fold cybersecurity into these frameworks, but whole new concepts need not be invented.
Japan can use the 2020 Tokyo Olympics as a “forcing function” to focus attention, identify gaps, shape training and exercises, and accelerate responses, but deadlines already are tight. The accelerating pace of technological change increases the penalties for inaction. This paper offers actionable recommendations in four areas to improve cybersecurity cooperation:
• Between the U.S. and Japanese governments in civil sectors: Establish exchange positions at Japan’s Government Security Operations Coordination (GSOC) team and the U.S. National Cybersecurity and Communications Integration Center (NCCIC). Hold secure videoconferences among leaders and stakeholders, augmented by in-person meetings, plus real-time coordination when incidents do occur. Other organizations lend themselves to similar relationships.
• Between the U.S. Armed Forces and Japan Self-Defense Forces on military networks: Work to include Japan in the U.S. Mission Partner Environment (MPE) and related communications systems to improve security and interoperability. Begin with bilateral government-to-government talks to understand Japan’s present reluctance to join. Emphasize that the effective defense of Japan’s networks is essential not just to Japan, but also to the alliance itself. The reverse also is true.
• Between public and private sectors: Take advantage of the fact that both countries already have integrated, well-understood response frameworks for counterterrorism and natural disasters and fold cybersecurity incident responses into them, vice inventing new approaches. Improve public-private collaboration by focusing on the U.S. and Japanese Information Sharing and Analysis Centers (ISACs) that serve common customers, e.g. information and communications technology and financial services. Promote (a) government actions to improve information flow to the ISACs and to address legal, policy, and regulatory issues; (b) private sector actions to let companies share more of the information on their networks with organizations such as law enforcement; and (c) direct binational coordination to facilitate more effective international exchanges. Ensure these mechanisms produce value to make business want to participate.
• Among private sector entities: Survey private sector organizations in both countries to identify the collaborative organizations with which members are particularly satisfied. Share best practices and examine ways to institutionalize these approaches. Incentivize action and train.
The authors, and Sasakawa Peace Foundation USA, are prepared to support interested parties in developing cybersecurity initiatives that can benefit the people of both our nations.