Buffering: Cybersecurity in the U.S.-Philippine Alliance

Issues & Insights Vol. 22, SR1, pp. 1-8

Abstract

This study examines the integration of cybersecurity within the U.S.-Philippine alliance. Technological change poses distinct challenges to international alliances by presenting new security threats and vulnerabilities that alliances must adapt to address. Using a process-tracing approach, this article investigates the evolution of cybersecurity within the U.S.- Philippine alliance and whether existing defense arrangements have been effectively leveraged to meet the challenges of a cyber insecure world. It finds that despite initial momentum toward integrating cybersecurity within the alliance, cyber cooperation has largely stalled since 2016. Although the elections of Rodrigo Duterte and Donald Trump contributed to this malaise, the stagnation also reflects a larger strategic divergence in how Washington and Manila approach the digital domain. This contrasts sharply with other alliances like NATO and must be addressed to sustain alliance activities in cyberspace.

Click here to download the full volume.


About this Volume

Authors of this volume participated in the inaugural U.S.- Philippines Next-Generation Leaders Initiative, sponsored by the U.S. Department of State, through the U.S. Embassy in the Philippines. With backgrounds from academia, public policy, civil society and industry, the cohort brings rich insights on the past, present, and future of the U.S.-Philippines bilateral security relations.

The statements made and views expressed are solely the responsibility of the authors and do not necessarily reflect the views of their respective organizations and affiliations. Pacific Forum’s publications do not necessarily reflect the positions of its staff, donors and sponsors.


Gregory Winger is an Assistant Professor of Political Science and Fellow with the Center for Cyber Strategy and Policy at the University of Cincinnati. He is also a former Fulbright Scholar to the Philippines and Fellow with the National Asia Research Program.


Photo: Philippine Army-United States Army Pacific during the Cyber Security Subject Matter Expert Exchange (SMEE) in Manila, May 14 to 18, 2018. Source: Philippine Army/Public domain

PacNet #7 — China’s growing confidence in drone warfare

After a decade of extensive research and development, China has begun demonstrating growing confidence in drones’ manufacture—and their use in warfare.

Although many militaries around the world use drones in military operations, none integrate them in such a comprehensive a manner as the People’s Liberation Army (PLA). While US military operations in Afghanistan and Pakistan limited drone use to specific targets and individuals, the PLA, particularly its air force and navy, considers drones to be as important as any other offensive combat system. It does not see drones as mere auxiliaries, but a crucial combat component to compensate for some of its weakness.

For example, even though China has begun deploying modern combat carriers such as the J-20 stealth fighter and nuclear-armed submarines, it does so in relatively small amounts, and many believe its capabilities remain inferior to the United States’. To compensate, the PLA has adopted an asymmetric strategy. Thousands of missiles are deployed near the coast of Taiwan that can strike US aircraft carrier battle groups and reach US military bases as far as Guam. Drones complement the strategy of missile strikes in combination with modern fighter jets, submarines, and surface ships operating closer to China’s coast, which would be deadly for American forces.

Chinese sources report that a twin-seat version of the J-20 is under development. The extra pilot will allow the aircraft to perform more tasks, including operating several air drones which could be used for recognizing and partaking in attack missions, providing a protective barrier to the J-20 and improving its odds against superior American fighters. The Chinese air force’s most ambitious project is the “flying aircraft carrier,” a mother ship air drone that would carry several drones to be used in swarm attacks against enemy aircraft and air defense systems. Airshow China 2021 displayed the GJ-11 stealth air drone, designed for reconnaissance and attack missions in heavily defended air space. The GJ-11 is the most advanced drone of its kind; more advanced than anything the United States currently has in its inventory.

The Chinese air force is not merely relying on state-of-the-art drones. It is also converting obsolete fighter jets such as the J-7 into drones. Some analysts have speculated that these conversions have been used for incursions into Taiwan’s Air Identification Zone. Though no match for Taiwan’s modern fighters, when used in large numbers and mixed with modern fighters, they can confuse an opponent’s air defenses.

The PLA Navy (PLAN), just like the US Navy, believes that the odds of war between China and the United States will increase in the coming years and that naval warfare will be crucial. To counter US aircraft carriers, nuclear-armed submarines, and modern fighters, the PLAN is also investing heavily in drones. In July, one source reported that China was testing a “cross medium UAV,” a drone that can operate both underwater and in the air. The United States operates such drones, but those developed by China are far more sophisticated.

China’s Yunzhou Tech is developing a drone ship carrying six smaller water drones to attack the surface of enemy ships. The six-armed drones are to work in a coordinated manner to surround and proceed with its offensive operations. The growing sophistication of Chinese technology suggests that these ship drones will become more powerful and carry greater numbers of smaller attack drones. Chinese scientists have also developed a shark-shaped drone to attack submarines. In December 2020, for instance, an Indonesian fisherman found a Chinese underwater drone off the coast of South Sulawesi, close to northern Australia.

In September, several media reports claimed that China successfully landed a hypersonic drone. If such reports are accurate, China will be the first nation to achieve such prowess, placing it ahead of the United States in both drone and hypersonic technology.

If a conflict were to break out with the US Navy over Taiwan, the PLAN has no intention of fighting the United States in an open conventional naval battle, like the Battle of Midway. US forces will have to come closer to China’s coast, where the PLAN and PLA Air Force (PLAAF) enjoy the advantages of proximity to their logistic base and the protection of its missile umbrella. That means reaching Taiwan will be a difficult and bloody operation for the United States.

The US military has the upper hand in many areas, such as aircraft carriers, stealth fighters, nuclear-armed submarines, and satellites. However—and such a possibility is by no means certain—if China were to acquire the lead in hypersonic missiles, hypersonic and stealth attack drones, cruise and ballistic missiles, and cyber warfare, it is no longer clear that the balance of power favors the United States.

What’s clear is that the PLA believes that drones are the future of modern warfare, which is why it has embraced it. The United States would be well-advised to invest more in drone technology and the means to counter it.

Loro Horta (embajadorlorohorta@gmail.com) is an academic and diplomat from Timor Leste. The views expressed here are strictly his own.

PacNet commentaries and responses represent the views of the respective authors. Alternative viewpoints are always welcomed and encouraged. Click here to request a PacNet subscription.

U.S.-Singapore Cooperation on Tech and Security: Defense, Cyber, and Biotech

Issues & Insights Vol. 21 SR4, pp. 5 – 15

About this Volume

Authors of this volume participated in the inaugural U.S.- Singapore Next-Generation Leaders Initiative, sponsored by the U.S. Department of State, through the U.S. Embassy Singapore. With backgrounds from academia, public policy, civil society and industry, the cohort brings rich insights on the past, present, and future of the U.S.-Singapore relationship. Between September 2020 and August 2021, cohort members engaged with senior experts and practitioners as they developed research papers addressing various aspects of the bilateral relationship.

The statements made and views expressed are solely the responsibility of the authors and do not necessarily reflect the views of their respective organizations and affiliations. Pacific Forum’s publications do not necessarily reflect the opinions of its staff, donors and sponsors.


Abstract

The partnership between the United States and Singapore is founded in no small part on the shared recognition of the value that technology has for national security. Over the last 55 years, Singapore has become an established purchaser of U.S. defense technology, but the past 20 years have also seen the U.S.-Singapore relationship mature into an increasingly collaborative one, tackling newer fields like cybersecurity and biosecurity. However, current geopolitical tensions present a challenge for Singapore, which strives to retain its strategic autonomy by maintaining positive relations with all parties. Paradoxically, the rise of non-traditional security threats may pave the way for greater bilateral cooperation by allowing Singapore to position itself as a hub for cooperation on regional security issues in Southeast Asia at large. In such spirit, this paper recommends that the United States and Singapore do the following: 1) in defense technology, co-develop niche capabilities in C4ISR and unmanned systems with peacetime applications; 2) in cybersecurity, improve their domestic resilience against sophisticated nation-state actors while also building regional capacity to counter cybercrime in Southeast Asia; and 3) in biosecurity, strengthen regional epidemiological surveillance to brace against possible future pandemics.

Click here to download the full volume.


Shaun Ee is a nonresident fellow in the Atlantic Council’s Scowcroft Center for Strategy and Security, working at the nexus of security policy, emerging tech, and U.S.-China relations. He is also a Yenching Scholar at Peking University and writes for TechNode, a Beijing- and Shanghai-based publication covering China’s tech ecosystem. Previously, Shaun was assistant director of the Scowcroft Center’s Cyber Statecraft Initiative, and served in the Singapore Armed Forces as a signals operator in an artillery unit. He holds a BA from Washington University in St. Louis, where he studied cognitive neuroscience and East African history.


Photo: Secretary of Defense Lloyd J. Austin III and Singaporean Defense Minister Ng Eng Hen stand at attention for the playing of both countries national anthems during a bilateral exchange at the Pentagon, Washington D.C., Nov. 3, 2021. Source: DoD photo by Mass Communication Specialist 2nd Class Chris Roys

 

PacNet #54 – What AUKUS means for Malaysia’s technological future

When the leaders of Australia, the United Kingdom, and the United States announced their new trilateral security partnership, AUKUS, on Sept. 15, Malaysia’s prime minister released a statement expressing concern about its impact on stability in Southeast Asia. Malaysia’s minister of foreign affairs and minister of defense separately issued a statement in support of the prime minister’s position, underscoring the risks of a conventional and nuclear arms race, particularly in the South China Sea.

These statements are worth parsing out. At the outset, however, it is important to note that despite Malaysia’s reservations about AUKUS, the government has continued to welcome deeper relations with all three countries in the pact, bilaterally and through multilateral platforms such as the Five Power Defense Arrangements (FPDA). What’s more, nuclear-powered submarines are only a piece of AUKUS. Of greater significance to Malaysia, and the rest of Southeast Asia, is the longer technological arc of AUKUS, which will reshape the regional strategic landscape.

The nuclear objection

Although uneasiness about AUKUS was downplayed as overhype or strategic naiveté, Putrajaya’s position is an assertion of Malaysia’s long-standing foreign policy. The underpinnings of AUKUS bring to bear Malaysia’s stance on nuclear non-proliferation and disarmament, non-alignment, as well as its management of the South China Sea dispute all at once.

Some may have interpreted Prime Minister Ismail Sabri’s statement that AUKUS could trigger a regional nuclear arms race as misunderstanding the nature of the deal. AUKUS, of course, involves nuclear-powered—rather than nuclear-armed—submarines. However, AUKUS marks the first time a non-nuclear weapon state would receive nuclear-powered submarines and, therefore, this raises uncertainties about proliferation and international legal safeguards. These questions, although distant for now, remain deeply unsettling for Malaysia given its position vis-à-vis the international nuclear non-proliferation and disarmament regimes. For example, Malaysia has tabled a United Nations resolution every year since the 1996 International Court of Justice’s advisory opinion on the Legality of the Threat or Use of Nuclear Weapons. The resolution underscores the ICJ’s call for nuclear disarmament “in all aspects under strict and effective international control.” Since AUKUS exploits a loophole in existing nuclear safeguards regimes, Malaysia believes that there is a risk that this will undermine the disarmament goal.

But even if Malaysia’s nonproliferation concerns with AUKUS may be misplaced, Putrajaya is not alone in fearing that it will trigger a conventional arms race among the major powers in Southeast Asia’s backyard—specifically, in the South China Sea. In looking at AUKUS, Indonesia’s foreign ministry, for instance, voiced “deep concern” over the continuing arms race and power projection in the region. Even Singapore and Vietnam, which are often described in the media as welcoming of AUKUS, gave carefully crafted responses that suggest they are cautious. Both states stress the importance of regional peace, stability, cooperation, and prosperity.

Partners and problems

Despite Malaysia’s apprehension of AUKUS, Putrajaya has continued to welcome closer bilateral and multilateral ties with Washington, London, and Canberra, including in the areas of security and defense. Only a month after AUKUS was announced, Malaysia’s Defense Minister Hishammuddin Hussein affirmed the country’s commitment to the 50-year-old FPDA, the overlap in FPDA and AUKUS partners notwithstanding. As part of the FPDA, Malaysia participated in a 10-day exercise, Bersama Gold 2021, involving 25 fighter jets, six support aircraft, six helicopters, 10 maritime ships, one submarine, and over 2,000 military personnel alongside Australia, New Zealand, Singapore, and the United Kingdom in the international waters of the South China Sea. Malaysia also hosted the FPDA’s anniversary celebration and the FPDA defense minister’s meeting following the exercise.

This proclivity to segment relationships based on issues and interests as well as the desire to preserve an expansive network of ties with competing major powers are a key element of Malaysia’s foreign policy approach. This is true with AUKUS countries, as it is with China. Despite sustained harassment by Chinese vessels around Malaysian waters, the Malaysia-China relationship remains warm and friendly. Putrajaya has sought to sequester its problems with Beijing in the South China Sea from the economic, political, and socio-cultural dimensions in the bilateral relationship. This separation of issues both between and within partnerships is a feature rather than a bug of Malaysia’s foreign relations. It does not, however, always work perfectly.

Technological pathways

Accordingly, to retain geopolitical space for itself in the middle of deepening fissures between the United States and its allies on the one hand and China on the other, Putrajaya will need to intensify its diplomatic engagement with all sides proactively rather than reactively. This will require looking at trends which now appear to coalesce around technology as well as the governance and regulatory frameworks that underpin it. AUKUS underscores this point.

Nuclear submarine technology for Australia is but a “first initiative” under AUKUS. In the pipeline is trilateral collaboration on cyber, artificial intelligence (AI), quantum, and undersea capabilities. While the subtext for these plans may be defense technology competition with China, there are converging opportunities for cooperation between Malaysia and the three AUKUS countries that could empower Putrajaya in shaping the regional tech landscape. The most accessible, benign, and functional entry point for tech cooperation is the digital economy. Much of this is already underway in Malaysia, with ongoing industry partnerships as well as capacity-building and training efforts to improve cyber security and the operationalization of AI in various economic sectors.

There is one practical way Malaysia can carve out strategic agency while helping chart the region’s tech-based future amid rival powers. The government could create either a coordinating ministerial or ambassadorial portfolio specific to the cross-cutting role of technology. This senior official would stitch together the country’s technology interests in trade and economy, national security, and foreign affairs, and register Malaysia’s perspectives on tech’s rules of the road—from ethics and norms to standards and laws—in bilateral, multilateral, and multi-stakeholder discussions. Although the National Cyber Security Agency of Malaysia currently functions as the lead coordinating agency on cyber security matters, a senior official representing the country’s cross-sectoral interests in broader emergent/emerging technologies could help streamline multi-faceted policies at the domestic level. Additionally, a single, senior point of contact could facilitate cooperation with AUKUS countries and others on new and unfolding technologies. In both substance and form, a coordinating minister or ambassador would recognize tech’s reach across agency silos and the importance of a whole-of-government approach in contributing to the evolving governance frameworks of technology.

Several countries outside of Southeast Asia already have representatives in similar roles that reflect the ubiquity of technology transcending a range of agendas in government, industry, and civil society. Malaysia could benefit from that model. A focused and active Malaysia, along with its ASEAN counterparts, offering thought leadership on tech governance would not only design the country’s digital future in a more comprehensive manner but also potentially help the region avoid the pitfalls of US-China decoupling.

Malaysia may not welcome AUKUS. But it should use it to shape rules of the road to ensure that Southeast Asia’s tech and strategic landscape remains inclusive rather than exclusive.

The author would like to thank the Asia Pacific Team from the Defence and Security Foresight Group (DSFG) for their support during the development of this piece. 

Elina Noor (ENoor@asiasociety.org) is Director, Political-Security Affairs and Deputy Director, Washington, D.C. Office at the Asia Society Policy Institute.

US-Japan Cybersecurity Cooperation: Beyond the Tokyo 2020 Olympics

As an anchor of stability in the Indo-Pacific region, the US-Japan alliance faces enormous challenges and opportunities to revisit, review, and reinvigorate existing approaches in cybersecurity cooperation. The two countries face an ever-changing cyber threat environment, especially with the advent of disruptive technologies like artificial intelligence, big data, cloud-computing against the backdrop of deteriorating global Internet consensus.

The US-Japan Virtual Forum on Cybersecurity Cooperation: Beyond the Tokyo Olympics examined the progress, challenges, and prospects for US-Japan cybersecurity cooperation in securing critical national infrastructure (CNI) against the backdrop of the Tokyo 2020 Olympics, the ongoing COVID-19 pandemic, and increasing great power competition. Experts from both countries convened for two days of closed-door sessions and a cybersecurity table-top exercise. Policy recommendations were then shared by select speakers at a public panel. This special report showcases research originating from these discussions that was conducted by select Forum attendees.

Table of Contents

  1. Introduction 
  2. Key Findings from the US-Japan Virtual Forum on Cybersecurity Cooperation: Beyond the Tokyo Olympics 2020
  3. Next Steps for US-Japan Cybersecurity Cooperation After Tokyo 2020 | Mihoko Matsubara
  4. Threats & Trends in Critical National Infrastructure | Gregory Winger, Ph.D.
  5. Strengthening US-Japan Cooperation on Protection of Critical National Infrastructure | Benjamin Bartlett, Ph.D.
  6. Seizing on US-Japan Opportunities for Submarine Cable Security | Justin Sherman
  7. US-Japan Cybersecurity Cooperation | Professor Wilhelm Vosse, Ph.D.
  8. The Cyber AI Nexus: Implications for the US-Japan Cybersecurity Alliance | Mark Bryan Manantan


Click here to download the report.

Introduction

The Tokyo 2020 Olympics put into sharp focus the increasing significance of cybersecurity to Japan’s national security agenda in recent decades. Ahead of the highly anticipated 2020 Olympics and Paralympic Games, Japan’s National Intelligence Agency warned the government about an expected influx of state-sponsored hackers targeting critical national and digital infrastructure to disrupt or hijack the historic sporting events. The warning is reminiscent of the 2018 Pyeongchang Winter Olympics held in South Korea, where malware nearly delayed the opening ceremony. In 2018, a recorded cyberattack also compromised 300 computer systems, affecting the inter- net and television services managed by the International Olympic Committee.

Amid postponement of the 2020 Olympics due to the global pandemic, Japan has remained focused on mitigating malicious cyberattacks, especially with increasing tensions in the region, including US-China geostrategic and geo-economic rivalry and Russia’s four-year Olympic ban. Japan continues to ramp up its cyber defenses. Amid the limitations of its pacifist constitution, Japan has made leaps in the adoption of a more defense-oriented posture in cybersecurity. Japan is now an emerging cyber power.

Integral to Japan’s overall cybersecurity policy is closer cooperation with the United States. The US-Japan alliance anchors the stability and prosperity of the Indo-Pacific. Enduring regional security therefore relies on the bilateral initiatives undertaken by Tokyo and Washington across all domains, including cyberspace. Although cybersecurity cooperation within the alliance has been robust, the urgency to constantly review, assess, and upgrade facets of cybersecurity engagements — confidence-building measures, and international law and cyber norm promotion — is imperative due to the evolving nature of sophisticated cyberattacks and the disruptive effects of technological advancements.

In light of these recent developments, Pacific Forum hosted a three-day virtual workshop from August 17-19, 2021, titled the US-Japan Cybersecurity Cooperation Virtual Forum: Beyond the Tokyo Olympics. The work- shop examined the progress, challenges, and prospects for US-Japan cybersecurity cooperation in securing critical national infrastructure (CNI) against the backdrop of the Tokyo 2020/2021 Olympics, COVID-19 pandemic, and ongoing great power competition. The workshop gathered over 70 individuals representing government, industry, academia, and civil society from the Indo-Pacific. The first two days were closed-door, while the final day’s proceedings were open to the public. The virtual dialogue featured well-known Japanese and American speakers who tackled key dimensions of cybersecurity cooperation under the US-Japan alliance. In parallel to the virtual discussions, a cybersecurity tabletop exercise was conducted to test and operationalize the concepts and deliberations and formulate actionable and pragmatic policy insights. 

To sustain the virtual dialogue’s relevance and policy impact, Pacific Forum has compiled this special digital publication with select contributions from the panelists. With the increased attention on state-sponsored cyberattacks, the proliferation of ransomware, and the disruptive effects of emerging technologies, the launch of this special issue comes at an auspicious time. Reflecting on the outcomes of the virtual event, the authors in this volume took a step back to locate gaps in the US-Japan alliance’s role in securing cyber stability in the Indo-Pacific region before zooming in on concrete policy recommendations. 

This digital publication begins with the Key Findings report that outlines the salient points of the three-day virtual dialogue, including the deliberations during the cybersecurity tabletop exercise. Reflecting on the aftermath of the Olympics, Mihoko Matsubara’s “Next steps for US-Japan cybersecurity cooperation after Tokyo 2020” offers insights on the lessons learned and best practices that Japan can apply and sustain with its ongoing collaboration with the US and its partners across Asia and Europe. Dr. Gregory Winger’s “Threats and trends in critical national infra- structure” examines the SolarWinds and Colonial pipeline hacks to expose the evolving patterns of malicious behavior on supply chains before calling for a more proactive and persistent type of engagement between the US and Japan. 

Focusing on practical collaborative steps that the US and Japan can undertake in protecting their critical national infrastructure, Dr. Benjamin Bartlett’s contribution probes into how the alliance can address cyber incidents that fall under the level of an armed attack. He explores what coordinated responses Tokyo and Washington should pursue to confront low-level yet persistent threats like cyber espionage in critical national infrastructure. 

Justin Sherman’s “Seizing on US-Japan opportunities for submarine cable security” explores the physical dimension of cybersecurity, scrutinizing the strategic issues underpinning undersea cable networks. Mr. Sherman’s article emphasizes the importance of regulatory func- tions and joint capacity building to safeguard submarine cables, which are the connective tissue of US-Japan cyber intelligence-sharing, and more broadly the global internet infrastructure. 

Looking ahead, Professor Wilhelm Vosse’s piece scans the weaknesses and strengths of Japan’s cybersecurity architecture. Although Japan has made impressive strides in its regional and international cyber diplomacy — capacity building, confidence-building measures, and joint training exercises — it needs to review the fundamental elements of its cyber policy. This will entail narrowing the definition of cyberattacks and exploring the notion of what offensive and defensive cyber capabilities look like for Japan given its pacifist constitution amid rising concerns over China, Russia, and North Korea’s cyber activities. Finally, Mark Bryan Manantan’s “The cyber AI nexus: Implications for the US-Japan cybersecurity alliance” tackles how emerging and dual-use technology like AI is tilting the alliance’s cyber cooperation. Mr. Manantan explores the mutual relationship between cyber and AI from normative and technical perspectives to conduct an in-depth analysis of the opportunities, challenges, and prospects for Tokyo and Washington in the age of technological disruption. 

As geostrategic competition shifts into the geo-economic and geo-technological spheres, cybersecurity will become even more central. It is our hope that the policy recommendations and insights offered by this digital publication will be applied among policymakers to enable deep reflection on the rapidly changing cyber landscape and consequently upgrade the existing dimensions of cyber cooperation. With current US-China relations hitting a cul-de-sac, clandestine and covert operations in the cyber arena will further accelerate — a reality that Tokyo and Washington must confront with both strategic pragmatism and prudence

Acknowledgments

The completion of this Special Edited Volume would have not been possible without the generous contributions of our featured authors, and the active participation and support from all the speakers, advisors, and participants during the US-Japan Virtual Forum on Cybersecurity Cooperation: Beyond the Tokyo 2020 Olympics. 

 

Issues & Insights Vol. 21, SR 1 – 21st Century Technologies, Geopolitics, and the US-Japan Alliance: Recognizing Game-changing Potential 

Key Findings

Throughout the month of October 2020, with support from the US Embassy Tokyo, the Pacific Forum cohosted with the Center for Rule-Making Strategies at Tama University, the Keio University Global Research Institute, and the Okinawa Institute of Science and Technology a series of virtual panel discussions on “Game Changing Technologies and the US-Japan Alliance.” Over 280 individuals joined the 10 sessions – 7 closed door and 3 public panels – that examined issues such as artificial intelligence, autonomous vehicles, big data, cybersecurity, drones, quantum computing, robots, and 3-D printing. A conversation of this length and breadth is difficult to summarize, but the following key findings attempt to capture this rich and variegated discussion.

General landscape

Mastery of new and emerging technologies is key to success in 21st century economic competition and global leadership. There is much talk about those technologies’ impact on “the balance of power,” but a fundamental question remains: The power to do what?

Technological prowess is vital not only to national defense and dominance, but also to provide a bulwark against interference by authoritarian governments in domestic and personal affairs.

Democracies are losing their historical influence over technology development, standard-setting, and limiting proliferation relative to the growing capacity of authoritarian competitors, but this can be corrected.

Japan has made national economic statecraft a priority but has considerable work to do to deal with the suite of issues associated with creating and effectively exploiting emerging technologies.

The ubiquity of many of these technologies and government initiatives like China’s Military-Civil Fusion (MCF) erase historical distinctions between military and civilian use. Traditional export controls focus on protecting military and dual-use items. The growing difficulty in distinguishing between military and civilian end-use and end-users makes export controls challenging to apply, and ineffective in practice.

Emerging technologies

Despite growing attention to emerging technologies in the US and Japan and acknowledgement of the need for coordinated action to regulate their use, disparities between the two countries in terms of knowledge about, impact of, and proficiency in these technologies inhibit coordinated action.

Uncertainties inherent in the development of “emerging technologies” make regulation of their use and control of their dissemination difficult, if not impossible. Identifying the appropriate technology to control is also problematic, and there is agreement that “casting the net” too wide will inhibit innovation.

There is an inherent tension between a desire for international collaboration to spur innovation and the perceived need to control access to technologies to preserve economic and security-related advantages, particularly to prevent their diversion by or to other countries.

While there is an instinct in the US to decouple economic exchange from perceived adversaries to prevent technology leakage, connections afford the US and its allies a window into the work of perceived adversaries and prevent surprise – both economic and strategic.

Economic incentives to get new technologies to market as quickly as possible may undermine the readiness of entrepreneurs to build in safety, security, and ethics. The declining cost of new technologies and their increasing availability to the public democratize access to dangerous tools and create a leveling effect among nations.

Cyberspace

If data is “the new oil” – and there was little dissent about this – then the norms and regulations regarding its “ownership” and/or use will be vital to success in the 21st century economy. Coordination among governments that facilitate or inhibit sharing of such data is critical.

We are only beginning to understand how data processing outcomes can be influenced by the types of algorithms used. Ostensibly “neutral” algorithms can prejudice decision-making by incorporating subtle but important biases. Even nontechnical policy people should seek to shine light into the algorithm “black box” to understand what assumptions are being made.

The COVID-19 pandemic has accelerated demand for better cybersecurity practices – and made plain the alarming gap in both the capacity and the will to implement those practices. At the same time, the pandemic-triggered recession has forced companies to cut their cybersecurity budgets just as they have increased spending on IT capabilities to account for a surge in remote working arrangements.

Be wary of comparisons of who is “winning” cyber or technology races. Much depends on the metrics used and assumptions about the nature of the competition. The “race” metaphor also obscures the importance of international collaboration and reduces the equation to a zero sum.

Identifying and thinking about cyberspace as a separate military domain on par with air, sea land, or space encourages clarity in relevant decision making – whether civilian, military, government, or private. On the other hand, such a distinction risks obscuring the fact that cyberspace is intrinsic to, and fully permeates, the other domains.

As governments attempt to secure national cyber networks, small- and medium-size businesses continue to struggle to protect themselves from cyberattacks. Their shortage of cybersecurity resources makes them vulnerable to cyberattacks, and both government and industry-driven initiatives have been launched to help these smaller businesses enhance their cybersecurity.

There is a tension between resilience and deterrence in national security planning for cyberspace. While technology is often the focus of security concerns, the human factor must not be overlooked. Trust may be the key concept in developing secure cyber networks.

Robotics

While there is concern about the role of robots or autonomous weapons on the battlefield and their impact on human control and delivery of intended effects, advocates counter that autonomous weapons can be discriminating and more accurate than humans, creating less collateral damage.

Public sensitivity to (or aversion toward) the application of advanced technologies in the national security space has kept some researchers (many Japanese but also some American) from considering the military applications of their work.

Semiconductors, 3-D Printing, and Supply Chains

Japan is several years behind the world in adopting additive manufacturing practices like 3-D printing. While 3-D printing offers many advantages, problems persist in acquiring the necessary raw materials for printing at scale. Effective utilization of 3-D printing will require more and better education about this technology.

The US has much to learn from Asia about reviving its manufacturing sector and resourcing supply chains.

Given a 60-70% cost differential between manufacturing in the US and China, relocating low-cost production out of China makes little sense in a short-term analysis that relies solely on cost. Yet there are competing and sometimes compelling longer-term factors to consider, such as geopolitical relations, political risk, and the security of supply chains in a crisis. Establishing new supply chains demands close attention to these factors.

For the US, a “National Manufacturing Guard,” modeled after the National Guard, may be one way to ensure the availability of manufacturing capacity in a crisis such as a global pandemic.

Quantum Technology

While impressive progress has been made, the world is a long way from a game-changing quantum computing capability. Small quantum computing capabilities may appear in the next three to five years, but the potential – and the hype – outpaces the technology.

It is too early to tell which quantum technologies will have an impact on national security, and different states are pursuing different lines of effort. Japan, China, and the EU are prioritizing quantum communications, which might improve the security of encrypted communications. The US and a few other countries are focusing on quantumcomputing, which could threaten the security of encrypted communication, as well as provide useful commercial applications.

It is also too early to set broad international standards for quantum technologies. Instead, it may make more sense to focus on limited cooperation among allies or like-minded countries.

Biotechnology

Biotechnology proliferation poses new security threats as nefarious actors will be able to access these capabilities soon.

While most of the focus of biotechnology is on medical and health-related products, it is estimated that more than 60% of physical inputs into the global economy can be replaced by biological production.

A shift to biological production can yield profound reductions in energy, water use, and land use, along with substantial cuts in “food miles” (the distance from production to the table).

For new types of food production, economies of scale are not everything: there is room for individual or startup competitiveness. However, supply capacity is a key limiter, particularly with regard to amino acids and water.

While Japan has been developing biotechnologies, gains have been limited by bureaucratic factionalism and stove-piping between government departments.

Areas of Cooperation

Technology can only be successfully managed through whole-of-government and whole-of-society approaches. Policymakers should promote coordinated action between allies, partners and like-minded states, where technology-generated impacts have their most far-reaching effects.

The US-Japan Cooperation Dialogue on the Internet Economy, which included discussions with private-sector representatives, is a best practice for US-Japan cooperation. The exchange of ideas among industry, government, and academia will create an open architecture highlighting the values of transparency, vendor diversity, and standardization, creating market opportunities for US and Japanese vendors and benefitting third countries by improving supply chain security.

The fundamental challenge the US and Japan face in 5G competition is a lack of attractive, alternative options to very cheap technologies offered by China to third countries. An area of focus for the US and Japan in 5G should be R&D collaboration to ensure multi-vendor interoperability on technology challenges. Our countries should also be thinking to develop 6G technology, in particular multilateral and bilateral industry consortiums for standard-setting.

One important lesson from the US-Japan trade and technology competition of the 1980s is that the US exaggerated the “threat” from a highly capable competitor to a point that it almost missed opportunities to work together for mutual benefit. (The allies should not lose sight of opportunities to do so with China.)

The US needs an accurate understanding of government involvement in industrial development.  The vital role that Washington played in creating what came to be known as Silicon Valley is often downplayed to foster a myth of “entrepreneurial independence” and advance ideological positions that are not based on history.

Alignment between the US and Japan on trade, investment, and technology controls is necessary. Otherwise, attempts to address shared security concerns will generate friction between our two countries. One vital step Japan can make is developing more sophisticated procedures to handle classified information, including a security clearance system. As a first step, the US and Japan should update their science and technology agreement signed in 1988.

要旨

パシフィック・フォーラムは、2020年10月、東京の米国大使館、多摩大学ルール形成戦略研究所、慶應義塾大学グローバルリサーチインスティテュート、沖縄科学技術大学院大学と共に「革新的技術と日米同盟」について約1ヶ月間に亘るバーチャル形式のパネルディスカッションを行った。280名を超える参加者が、人工知能や自動運転、ビッグデータ、サイバーセキュリティ、ドローン、量子コンピューティング、ロボット、3D造形技術等をテーマにした10回のセッション(7つの非公開セッションと3つの公開セッション)に参加した。これだけ長期に亘る幅広い議論を要約することは困難だが、この豊かで多様な議論を総括する試みとして以下にその要点を示す。

昨今の国際情勢

21世紀の経済競争や国際的なリーダーシップにおいて成功を収めるには、新技術及び新興技術を制することが極めて重要である。これらの技術が「バランス・オブ・パワー」に与える影響については多く語られてきた。しかし、根本的な問いは残ったままである。つまり、一体何をするためのパワーなのかという問いである。

技術力は、国防や覇権にとって重要なだけでなく、他国の内政や個人のプライバシー等の領域に対する権威主義国家による干渉及び介入行為への防壁にもなる。

権威主義的な競争相手の能力が増大しているのに対して、民主主義国家は技術革新や規格の設定、拡散の防止に対するその歴史的な影響力を失いつつある。しかし、この状況は是正することができる。

日本はエコノミック・ステイトクラフトを優先事項としてきたが、新たな技術の創造、効果的な運用に関連したこれらの問題に対処する為に一段の努力が必要である。

これらの技術の遍在性、中国の軍民融合のような政府の取り組みにより、軍事用と民生用の歴史的な区別が付かなくなっている。従来の輸出管理は軍事品目とデュアルユース品目を保護することに焦点を当てていた。しかし、最終的な使用用途とエンドユーザーを軍または民に区別することは困難になってきており、それにより輸出管理は適用することが難しく、実際運用上効果がないものとなっている。

新興技術

日米間においては、新興技術への注目が高まり、これら新興技術の利用を規制するために協調して行動することの必要性が認識されているにもかかわらず、両者の間にはこれら技術に対する認識、影響力、技術レベルに差があるため協調行動が妨げられている。

「新興技術」の開発に内在する不確実性により、「新興技術」の利用を規制しその普及を管理することが不可能ではないにしても困難なものとなっている。また、管理されるべき技術の選定も困難であり、「網を広げすぎる」ことはイノベーションを阻害するという合意がある。

イノベーションを促進するための国際的な協力が望まれる一方、経済及び安全保障上の優位を維持するために技術へのアクセスを制御し、特に他国による転用及び他国への流出を防ぐ必要があるという認識があり、そこには難しい釣り合いが存在する。

米国においては技術流出を防ぐために、敵対国と目される国家との経済的交流を分断しようとする傾向がある一方で、そのような国家間関係を維持することは、米国とその同盟国が敵対国と目される国家の動向を把握し、経済的及び戦略的な不意打ちを防止することを可能にする。

新たな技術をできるだけ早く市場に出したいという経済的インセンティブは、安全、安全保障、及び倫理的観点を勘案する意思を低下させる可能性がある。さらに、新技術のコストが低下し、危険なツールへのアクセス可能性が高まったことが国家間に平準化効果をもたらしている。

サイバー空間

もしデータが「新たな石油」であるとするならば(これに関しては参加者からほとんど異論がなかった)、その利用や「所有権」に関する規制や規範は21世紀の経済的成功に不可欠なものとなるだろう。このようなデータ共有の促進または抑制を行う政府間の調整が不可欠である。

私たちはデータ処理に関して、用いられるアルゴリズムの種類が結果にどのような影響を与えるかを理解し始めたばかりだ。微妙ではあるが重要なバイアスが組み込まれていることにより、表面上は「中立的」なアルゴリズムであっても、意思決定に影響をもたらしうる。技術分野ではない政策担当者であっても、アルゴリズムという「ブラックボックス」に焦点を当て、どのような前提のもとに組まれているのかを理解しようとする必要がある。

COVID-19のパンデミックはより良いサイバーセキュリティの実装への要求をさらに高め、技術的な能力とそれら実装に対する意思との間における深刻な差があることを明らかにした。同時に、パンデミックに端を発した不況により、各企業はサイバーセキュリティのための予算を削減する一方、リモートワークの急増に対応するため情報通信設備への支出を増加させている。

サイバー分野や技術分野での競争において誰が「勝っている」のか、という比較については注意を払わなければならない。多くは使用している指標や競争に関する前提に依拠しているからだ。また「競争」という比喩は国際的な協力の重要性を不明瞭にし、ゼロサム的な考え方に至ってしまう。

サイバー空間を陸、海、空、宇宙と同様に独立した軍事領域として認識し、考えることは関連する事項の意思決定を明確にすることにつながる。これは文民、軍、政府、民間を問わない。一方でこのような区別のあり方は他の領域にもサイバー空間が内在し深く浸透しているという事実を不明瞭にしてしまいかねない。

政府が国家レベルでのサイバーネットワークの安全性を確保しようとしている一方、中小企業はサイバー攻撃から身を守るのに苦労し続けている。彼らはサイバーセキュリティに関するリソースが不足しているためサイバー攻撃に対して脆弱であり、これらの中小企業がサイバーセキュリティを強化できるように支援するための取り組みが、政府と産業界の両方によって立ち上げられている。

サイバー空間に関する国家安全保障計画においては、強靭性と抑止のどちらを重視するかについて議論がなされている。技術が安全保障課題の焦点となることが多いが、人的要因も見落としてはならない。安全なサイバーネットワークを構築する上で、信頼が鍵となるコンセプトかもしれない。

ロボティクス

戦場におけるロボット又は自律型兵器の役割や、人間による制御や意図した行為の実行に対する影響については懸念があるが、自律型兵器は人間よりも識別能力や精度において優れており、戦闘による副次的な被害が少ないという議論もある。

最先端の科学技術を国家安全保障へ応用することに対する世間の懸念(または嫌悪感)により、一部の科学者(多くは日本人であるが、一部の米国人も)は自らの研究の軍事利用を考慮していない。

半導体、3D造形技術、サプライチェーン

日本は3D造形技術に代表されるようなアディティブ・マニュファクチャリング技術(原料を積層・付加することによって成型する技術―訳者註)の導入において、世界から数年後れをとっている。3D造形技術には多くの利点があるが、一方で大規模な造形を行う際の原料調達において依然課題が残る。将来的に3D造形技術を有効に活用するためには、本技術に関する教育が必要となるだろう。

米国は、製造業の復活とサプライチェーンの再構築について、アジアから学ぶべきことが多い。

製造業における米国と中国のコスト差が60~70%であることを踏まえると、コストのみに立脚した短期的な分析では、低コストの製造拠点を中国から移転させることはほとんど意味を成さない。むしろ、地政学的関係、政治的リスク、危機的状況におけるサプライチェーンの安全性など、競争的で時に強制力のある、考慮すべき長期的な要因がある。新たなサプライチェーンを確立する際には、これらの要因に細心の注意を払わなくてはならない。

米国においては、地球規模のパンデミックのような危機的状況において製造能力を確保するために州兵のような「国家製造部隊」を立ち上げるのも一つの手かもしれない。

量子技術

目を見張るべき進歩があったとはいえ、現時点において革新的と言えるような量子技術には未だ遠く及ばない。小型の量子コンピューティング技術は3〜5年後に登場するかもしれないが、現行技術はその潜在的な応用可能性(と誇大評価)に達していない。

量子技術におけるどの分野が国家安全保障に影響を与えるのかを判断することは時期尚早であり、各国は各々異なる分野に注力している。日本、中国、EUは暗号化通信の安全性を向上させる可能性のある量子通信を優先している。米国と他の数カ国は、暗号化通信のセキュリティを脅かすと共に、有用な商業利用ももたらす可能性のある量子コンピューティングに注目している。

また、量子技術の広範な国際基準を設定することも時期尚早である。それよりも同盟国や同志国との間での限定的な協力に焦点を当てることの方が有効かもしれない。

バイオテクノロジー

バイオテクノロジーの拡散は新たな安全保障上の懸念を引き起こしており、悪意を持ったアクターがこれらの技術を利用できるようになる日も近い。

今日、バイオテクノロジーにおける焦点の大部分は医療・健康関連製品であるが、世界経済における物理的に取引されるものの内60%以上がバイオ関連の製品に置き換わると推定されている。

バイオ関連の製品へのシフトはエネルギー、水、及び土地の利用の大幅な削減を生み出すと共に、「フードマイル」(生産から食卓までの距離)を短縮することができる。

新しい食品の生産方法においては、規模の経済がすべてではない。個人やスタートアップの競争力にも余地がある。しかし、供給能力が主要な制限要因となる。特にアミノ酸と水に関して顕著である。

日本はバイオテクノロジー分野の開発を進めてきたが、その成果は省庁間における派閥主義と縦割り行政により限定的なものとなっている。

協力できる分野

技術は政府全体、そして社会全体的なアプローチによってはじめて有効に管理することができる。政策立案者は技術の生み出す効果が最も広範囲に行き渡るように、同盟国や協力国及び同志国との協力を促進しなくてはならない。

民間企業の代表者を含む「インターネットエコノミーに関する日米政策協力対話」は日米協力における最良の事例である。

産官学の意見交換は、透明性やベンダーの多様性、標準化の価値を重視した開かれた産業構造を作り出し、日米のベンダーに市場機会を創出し、サプライチェーンの安全性を向上させることで第三国に利益をもたらす。

5G 競争において米国と日本が直面している根本的な課題は、中国が第三国に提供している非常に安価な技術に代わるような魅力的な選択肢がないことである。5Gにおいて日米が焦点とすべきは、技術課題に対するマルチベンダーの相互運用性を確保するための共同研究開発である。日米はまた、6G技術の開発、特に規格設定のための産業界での多者間及び二者間のコンソーシアムについて考えるべきである。

1980 年代の日米貿易及び技術競争からの重要な教訓の一つは、米国が有力な競争相手からの「脅威」を誇張しすぎて、協力して相互に利益を得るチャンスをほとんど見逃してしまったことである。(米国の同盟国は中国との協力という観点を見失うべきではない。)

米国は、産業開発における政府の関与について正しく理解しなくてはならない。「起業家の自助自立」という神話を維持し、史実に基づかないイデオロギー的な立場が推し進める為に、シリコンバレーの誕生において米国連邦政府が果たした重要な役割はしばしば過小評価されている。

貿易、投資、技術管理に関して日米間の調整が必要である。そうでなければ、共通の安全保障上の懸念に対処しようとする試みは、両国間の摩擦を生むことになる。日本ができる重要なステップの一つは、セキュリティ・クリアランス制度を含めた、機密情報を扱うためのより洗練された体制を構築することである。その第一歩として、日米両国は1988年に署名した科学技術協定を更新すべきである。

より詳しい情報についてはクリスタル・プライアー(crystal@pacforum.org)またはブラッド・グロッサーマン(brad@pacforum.org)に連絡してください。本書に記載された意見は各カンファレンスのオーガナイザーによるものであり、必ずしも全参加の意見を反映させたものではありません。

Edited by Brad Glosserman, Crystal Pryor, and Riho Aizawa

Japanese translations by Harunari Soeda, Yu Inagaki, and Erika Hongo

Download the full PDF of Issues & Insights Vol. 21, SR 1 – 21st Century Technologies, Geopolitics, and the US-Japan Alliance: Recognizing Game-changing Potential 

PacNet #60 – Industry Cooperation Uplifts Japan’s Cybersecurity—and Maybe the World’s

Cyberattacks have been growing increasingly frequent and sophisticated in recent years. Cybercriminals and cyber spies are taking advantage of the Covid-19 pandemic to launch more attacks, as the new normal has made organizations more reliant on information technology (IT), including cloud tools and web conferences. The attack surface has expanded drastically.

But along with the increased frequency of cyberattacks to disrupt business operations or steal intellectual property and national security secrets, the world also faces an acute shortage of cybersecurity professionals. The (ISC)2 Cybersecurity Workforce Study 2019 revealed the world is short 4.07 million cybersecurity professionals, and 51% of surveyed cybersecurity professionals are concerned as to whether their employer is at “moderate or extreme risk due to cybersecurity staff shortage.” Given this international situation, global supply chain risk management is a must to protect businesses, critical infrastructure, international trade, and national security. Employers need to have people who can incorporate cybersecurity into their business processes and help ensure the robustness of global supply chains.

The 2018 Japanese Cybersecurity Strategy addresses this urgent need to develop cybersecurity talent and create a wide variety of cybersecurity curricula for all ages, from elementary school students to young professionals to senior executives. Japanese industry has accelerated its cybersecurity efforts over the past several years. Still, it is expensive for companies to create cybersecurity training programs, along with curricula, as new cyberattack methods and cybersecurity technologies are always emerging.

Of course, multiple vendors around the world offer cybersecurity training programs, but as of yet there are no standardized international cybersecurity training syllabi. As such, there is a need to create internationally accepted or recognized syllabi to allow global companies to more easily choose cybersecurity training programs for specific skills and help to lower the price of training.

That is why FUJITSU, Hitachi, Ltd., and NEC Corporation, three major Japan-based global information and communication technology (ICT) service providers, declared in December 2017 that they will develop common cybersecurity syllabi together. “Cyber ranges” are popular virtual platforms offering an authentic and real-world IT environment for hands-on training of cybersecurity professionals. Many companies find cyber range training unaffordable because curricula are highly tailored and a few vendors are currently available, but these three Japanese companies believed standardized cybersecurity training could be made more accessible and reasonably priced for everyone. They embarked on a multi-phase process to achieve this goal.

The first step the three companies took was to map what types of cybersecurity professionals they needed, based on the US National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (SP800-181). Because the three companies have a global business presence, they chose the NICE standard as an international common language to more efficiently manage cybersecurity professionals around the world. It took about three months to map which types of cybersecurity professionals need to obtain which types of abilities, knowledge, and skills.

Second, the companies developed cybersecurity curricula for what they identified as the four highest priority cybersecurity professional categories: penetration testers, forensic engineers, incident responders, and security operators. Concluding in October 2018, it took one year to create a prototype for the four categories. Closing the gaps was challenging because each of the three companies was accustomed to different terminologies and had different priorities for their cybersecurity professionals.

Third, the three companies took part in discussions with the Cyber Risk Intelligence Center (CRIC), a non-profit consortium based in Tokyo, to share cybersecurity best practices with the world. Hitachi and NEC, along with Nippon Telegraph and Telephone Corporation (NTT), founded the Cross-Sector Forum in June 2015 to create an ecosystem for educating, hiring, training, and retaining cybersecurity professionals. FUJITSU is one of the 43 Forum members. The Cross-Sector Forum joined the CRIC in April 2017. These three companies believe that the Center is an ideal platform to discuss the development of cybersecurity professionals and standardized cybersecurity training curricula in an open manner with other ICT companies and cybersecurity vendors.

Because these companies collaborated to compare notes about their own cybersecurity training, they’ve been able to gather best practices to nurture cybersecurity professionals more broadly. This journey has allowed the companies to develop standardized cybersecurity training syllabi, and once a volume discount becomes available, more companies will be able to train their employees.

By the end of 2019, NTT, as a member of the CRIC, has twice conducted cybersecurity training workshop trials based on prototype syllabi. These experiments proved the trial curricula would allow companies to conduct training at lower costs. Afterward, the trainees offered feedback on how to revise the syllabi to improve future training sessions.

The Covid-19 pandemic has introduced challenges to cybersecurity training based on the new syllabi. NTT had planned to start modified cybersecurity training workshops based on the feedback shortly after April 2020, the beginning of the Japanese fiscal year. Nevertheless, the Covid-19 outbreak and state of emergency between April and May 2020 prevented NTT from hosting in-person workshops.

Online training is not ideal because instructors need to pay close attention to trainees, observing their reactions and the commands they type on screen. It is also necessary for instructors to adjust the content and speed of training for each student. Despite these challenges the companies, including NTT, plan to make some of the training program available online in fall of 2020 to accommodate wide-spread remote working during the pandemic. To ensure quality results, online training instructors will need to maintain close communication with individual students, interacting to simulate in-person training as closely as possible.

In the meantime, the next step for the CRIC will be the development of cybersecurity syllabi for the 10 remaining professional categories such as security auditor and consultant. Subsequently, they can share the newly added standardized syllabi with its members.

A final step in realizing this vision will be the global expansion of the standardized cybersecurity training syllabi. Because CRIC members necessarily have business operations outside Japan, these companies must strengthen global cybersecurity resilience and conduct cybersecurity training for all employees. NTT has translated the cybersecurity syllabi from Japanese to English. Standardized cybersecurity training curricula becoming internationally available will facilitate the pipeline generation of next-generation cybersecurity engineers.

As Japan is an aging society with a decreasing birthrate, its companies have had to invest more in the global market. Accordingly, the volume of mergers and acquisitions (M&A) of non-Japanese businesses has skyrocketed since 2013. As a result, this rapid M&A growth has made cybersecurity governance more complicated. Cybersecurity expectations and use of cybersecurity-related products and services vary significantly among nations and companies. This makes it challenging to manage and operate cybersecurity across the globe and maintain integrated visibility to tackle cyber risks. The need to standardize is growing nevertheless.

This is why it is crucial to start preparing to widen cybersecurity training syllabi beyond Japan, in both Japanese and English, by inviting non-Japanese companies to join. Fragmented cybersecurity efforts inhibit companies from more-proactively and expediently addressing borderless cyber threats. Additionally, the expansion of syllabi users would bring down the price of training in the long run around the world. Lastly, participation by non-Japanese companies will allow cybersecurity training developers to incorporate both Japanese and global perspectives to make the syllabi truly international and standardized.

Mihoko Matsubara (mihoko.matsubara.er@hco.ntt.co.jp) is Chief Cybersecurity Strategist, NTT Corporation, Tokyo, responsible for cybersecurity thought leadership. She worked at the Japanese Ministry of Defense before her MA at the Johns Hopkins School of Advanced International Studies on Fulbright. She is Adjunct Fellow at the Pacific Forum, Honolulu, and Associate Fellow at the Henry Jackson Society, London.

PacNet commentaries and responses represent the views of the respective authors. Alternative viewpoints are always welcomed and encouraged. Click here to request a PacNet subscription.

Issues & Insights Vol. 20, WP 3 – The role of regional organizations in building cyber resilience: ASEAN and the EU

ABSTRACT

This paper explores the role of regional organizations in crafting solutions that are able to address both the scale and cross-border nature of cyber threats, as well as the challenges inherent to an anarchical international system. It focuses on the Association of Southeast Asian Nations (ASEAN) and the European Union (EU) and the cybersecurity frameworks they have developed in the last few years. The EU has significantly improved regional cyber resilience and cooperation by setting out ambitious goals, enhancing information sharing and harmonizing practices across its member states. In contrast, ASEAN has a lack of a strong unifying governance or legal framework, which limits the collective capability of the region to capitalize on shared knowledge to prevent and mitigate cyber threats. The paper aims to elaborate on relevant measures that could be implemented in ASEAN based on a comparative analysis with the EU. Despite the stark differences between the two organizations, there is common ground in some areas for the development of policy recommendations aimed at enhancing ASEAN’s cyber resilience, eliminating the need to reinvent the wheel in key policy areas. To this end, this paper analyzes the two organizations’ cybersecurity frameworks in line with the four pillars of cyber capacity building identified by the European Institute for Security Studies (EUISS) and adjusted to a regional context: overarching regional strategy, institutional framework for cyber threat prevention and response, harmonization of cybercrime and data privacy legislation, and cyber awareness and hygiene.

PacNet #13 – Keep an eye on North Korean cyber-crime as the Covid-19 spreads

The Covid-19 outbreak continues to cause tumult in the global economy, with countries like South Korea and Italy reporting a rapid increase in diagnoses and many companies requesting that employees work from home to keep the virus from spreading.

In North Korea’s case, it has had its Chinese borders closed for over a month, long before the rest of the world began to react to the virus. Even if it were, as its state media claims, coronavirus-free, how long could their economy sustain total global isolation? By sealing their border with their largest economic partner, North Korea has effectively placed itself at the mercy of UN sanctions.

Kim Jong-un knows that his country cannot last like this for very long, and with so much of his power stemming from the support of Pyongyang’s elite, we must prepare ourselves for their reaction. Learning from the DPRK’s past behavior, national security leaders should be less concerned about military action and focus their attention on shoring up their cyber defenses.

Jonathan Corrado, policy director for the Korea Society, noted in a recent article the extreme lengths North Korea has gone to prevent the spread of coronavirus in the country. These border closures, although necessary to reduce the chance of viral contagion, will have a lasting impact on their already minuscule economy.

Even prior to the closures, UN Security Council sanctions already heavily impacted North Korean exports. Yet, despite the cuts to the DPRK’s exports, World Bank data indicates that North Korea’s GDP has been slowly rising since 2015. This financial discrepancy can be explained primarily through North Korea’s burgeoning international crime economy.

According to the 2017 Global Initiative against Transnational Organized Crime’s 30-page report entitled Diplomats and Deceit: North Korea’s Criminal Activities in Africa, North Korean diplomats travel “regularly to Pyongyang and Beijing in China with diplomatic bags filled with contraband.” These members of diplomatic missions to countries on the African content would smuggle illegal items such as diamonds, gold, and ivory back to the DPRK and China, where they sell for exorbitant prices.

In 2016, Angolan leaders had been meeting with North Korean liaisons to collaborate on national security projects. This collaboration did not come as a surprise—Angola has long been militarily linked to North Korea. A 2015 Washington Times article identified a number of UN sanctions that Angola had violated by engaging in business with the DPRK. Angola was found to be purchasing military training, weapons, and over 4.5 tons of ship engines and parts, to service the naval boats they had purchased from Pyongyang in 2011. North Korean arms are also believed to be regularly supplied to Ethiopia, where they have been providing and manufacturing weapons since the mid-80s.

North Korea has not limited its illegal activities to Africa. DPRK embassies have long been (correctly) accused of facilitating the international trade of crystal meth, taking advantage of the high premiums their products can garner and abusing diplomatic channels to smuggle the drug into foreign countries.

However, thanks to Covid-19, protecting the elites of Pyongyang has become such a priority that the state has sent all Chinese diplomats back to China, while simultaneously suspending all flights, trains, and travel with the outside world. The shutdown means North Korea will no longer be able to rely on its diplomats returning from trips abroad to produce the much-needed cash for the economy.

To ensure that their country can continue to function while they weather the global crisis, North Korea may very likely double down on cybercrime. While smuggling and other forms of illicit trading require the physical moving of goods and/or services, cybercrime can be committed from anywhere, even a sealed North Korea.

North Korea has already proven itself adept at infiltrating computer systems around the world. Bureau 121, an elite cyber warfare agency in North Korea, has been named the leading suspect for many famous cyber-attacks, including the Sony hack in 2014, the SWIFT banking hack in 2015, and the Bangladesh Bank Robbery in 2016. All together, these operations are estimated to have cost over $100 million in stolen funds, and billions of dollars in cybersecurity damages.

The most alarming of North Korea’s alleged cyberattacks is the 2017 WannaCry ransomware attack. This ransomware—which locked 200,000 devices in a single day and demanded ransom payments in bitcoin—caused severe disruptions among businesses around the globe. But WannaCry did not just target private corporations. The attack also infected the National Health Service (NHS) in England and Scotland, causing NHS services to divert ambulances and turn away patients.

Fortunately, May 2017 was not a time of global health panic. However, as the Covid-19 continues to spread, the DPRK’s vice minister of public health declared that the Chinese border will remain shut indefinitely until a cure is completely ready. We must prepare ourselves for attempts to disrupt healthcare systems. An economically strangled North Korea has much to gain from global disruptions, and we must brace ourselves and develop our cyber defenses accordingly.

Todd Wiesel (tjw2144@columbia.edu) is a student at Columbia University completing his bachelor’s in Political Science and East Asian Studies. He is also an MBA candidate at London Metropolitan University, where his research focuses on the impact and effects of corporate social responsibility on capital markets. He previously earned a master’s degree in Innovation, Leadership and Business Management from Oxademy Business School, and is a former Kim Koo Fellow at the Korea Society, focusing his research on the inter-Korean negotiation process. Before enrolling in Columbia, he worked as the managing director of The Negotiation Institute. Prior to his tenure at TNI he served as an urban warfare and counter-terror specialist in the Israel Defense Forces.

PacNet commentaries and responses represent the views of the respective authors. Alternative viewpoints are always welcomed and encouraged. Click here to request a PacNet subscription.