(Part 1 of UK-Japan-US Trilateral Proposal)
CSIS Issues and Insights, Mihoko Matsubara, March 2013
The cyber realm is part of a new security framework, extra-regional in nature and in threat. It is therefore fitting that real world allies should create a cyber-partnership to complement their cyber interests. Indeed, all three states have recently launched bilateral cybersecurity dialogues. Since they have many cybersecurity interests in common, and the borderless nature of cyber-threats requires international collaboration, this paper argues that it is more efficient to collaborate trilaterally.
- Japan, the UK, and the US should develop a common definition on what constitutes “use of force” in order to legitimize and prompt proportional and necessary retaliation. They should also seek international advocates for an agreed approach.
- Japan, the UK, and the US should reach a consensus on the area of responsibility (AOR) and a watch list to cover counter cyber-espionage. The three governments will review the AOR and the watch list on a yearly basis to reflect the dynamics of cyber-threats.
- Japan, the UK, and the US should establish points of contact at relevant ministries or departments to share information on cyber-threats, and also a secure communication method to exchange such information.
- Japan, the UK, and the US should share information on the methodology of cyber-attacks and alerts on ongoing or potential threats to minimize damages in a timely manner.
- Japan, the UK, and the US should launch a common system to check supply chain risks and share that information to minimize cyber-espionage and sabotage on government/military equipment and critical infrastructures.
Current levels of dialogue
The three states remain committed to bringing the cyber realm under the auspices of international law. However, under current international legislation, the execution of self-defense requires the “attack” to constitute “use of force” in order to legitimate and prompt proportional and necessary retaliation. In September 2012, Harold Koh, Legal Advisor for the US Department of State, argued, “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” If London and Tokyo agree with this principle, the three governments should define a threshold for what kind of “significant” destruction constitutes “a use of force” and set an example for the international community. Such a definition should seek to describe the impact of the destruction in order to justify and decide on a response. Such a definition could ultimately prove useful to other US allies.
Second, all three are concerned about the growing cases of cyber-espionage on industries that relate to national security. High technology-related industries, such as machine tools, chemical industries, and defence industries are all high-value targets of foreign cyber-espionage. The three states are already beginning to develop cooperation in these three areas: in December 2011, Tokyo eased the ban on arms export and indicated its interest in joint development of arms with the UK. In July 2013, the UK and Japan signed a defence equipment cooperation framework and information security agreement, indicating that this trend towards closer security cooperation is continuing. Such cooperation, however, is an Achilles’ heel for cyber-attack and requires trilateral detection and protection efforts. Information leaks can erode national security for all three. A prime example of this growing interoperability and the resultant vulnerability is the alleged exfiltration of information on the Lockheed F-35 fighter, which will be procured by all three countries. That China’s military stole data on the design, electronic system, and performance of the aircraft affects the security interests of all three.
Potential areas for deeper coordination
To counter cyber-espionage, both policy and technical approaches are necessary. The governments have to reach a consensus on the AOR and a watch list to cover. This decision-making should be assisted by geopolitical risk analysis and their strategic interests in terms of defense, economy, and social well-being. The governments will review the AOR and the watch list on a yearly basis to reflect the dynamics of cyber threats.
It would be beneficial for the three governments to share the methodology of cyber-attacks and alerts on ongoing or potential threats to minimize damages in a timely manner. To do this, the three governments must establish a procedure and secure communication to exchange such information. They first need to assign a point of contact in relevant departments and ministries and reach an agreement on how to exchange information in a safe manner.
Finally, it is indispensable for the three governments to minimize the risks of supply chains, which may lead to cyber espionage or sabotage on sensitive government/military equipment and critical infrastructures. For example, Bloomberg Businessweek warned in May 2012 that China is the “dominant source” of counterfeit components to the US defense supply chain. Also, the 2012 US congressional report about Huawei and ZTE indicates possible implanting of malicious software, hardware, or kill switches in electronic devices. These reports have made it clear that vulnerable supply chains can lead to cyber espionage and sabotage.
Given the globalization and limited resources, it is challenging for the three countries to track every single component. Thus, they have to make a priority list on the types of equipment and systems to protect first. At the same time, it is necessary to reach an agreement on how to exchange information and prevent malicious components from going into their systems.
London, Tokyo, and Washington must launch a trilateral cybersecurity cooperation framework to protect their shared interests and values and minimize cyber-threats on their critical infrastructures and military and economic strength. At the same time, the three governments should work with their allies and friendly countries to establish an international agreement on what constitutes “uses of force” in cyberspace.
To read this chapter in the original report, please click here.