Estonia and Japan are among the leaders in cyber diplomacy and cybersecurity on the global stage, Japan also being a key strategic partner for the EU and NATO. They have many similarities in their approaches to cybersecurity and state behaviour in cyberspace, which has established solid ground for closer bilateral ties. This report, authored by leading Estonian and Japanese researchers of cybersecurity policy, gives a valuable insight into the experiences and perspectives of these two countries, their success stories and challenges in building a secure cyberspace, as well as the potential for cooperation.
The first chapter outlines the cyber threat landscape as seen from Japan, and advocates employing active cyber defence and building comprehensive cyber deterrence instead of relying on passive defence measures. In this regard, international cooperation between like-minded democratic nations, such as Estonia and Japan, plays a pivotal role in deterring cyber threats posed by hostile state actors. It also gives an overview of how authoritarian regimes have been using cyberspace to achieve strategic goals since the cyber-attacks against Estonia in 2007. Activities by China and North Korea are highlighted as the most alarming threats for Japan, but in 2020 Russia has also become a concern. In a dynamic domain such as cyberspace, sharing threat assessments and collaboratively monitoring those threats are important aspects of bilateral cooperation.
The second chapter gives a unique insight into the intricate process of forming a coherent national cybersecurity strategy. Estonia has built its current level of cybersecurity maturity over the past 12 years through the continuous and systematic development and implementation of three iterations of national cybersecurity strategy. The country is preparing a new version of this strategy – this time closely tied to its digital development agenda – and assessing the lessons from previous periods provides some crucial insights for this effort. The chapter highlights strategy as a process to bring together relevant national stakeholders, prioritise and assess cybersecurity measures and build a stronger cybersecurity community. Estonia’s experience has shown that the national cybersecurity strategy needs to be openly communicated and accessible to international partners as a tool to support international dialogue and collaboration.
The third chapter examines the Estonian and Japanese efforts to promote international norms of responsible state behaviour in cyberspace – an endeavour in which their interests and perspectives are very similar. Both nations are highly active, in various fora, seeking to inspire and mobilise the international community to develop consensus on such norms, as well as on the applicability of international law in cyberspace. In the words of Lennart Meri, Estonia’s first post-Cold War president, “international law is the nuclear weapon of a small state”, and recently Estonia has been the very first nation to suggest that international law enshrines the right of states directly unaffected by malicious cyber operations to take countermeasures that support those directly injured. Japan and Estonia also have a solid basis for cooperation in their efforts to build cybersecurity capacity in various regions.
The fourth chapter provides a historical and contemporary overview of the global Computer Security Incident Response Team (CSIRT) community. The originally intended role of this community – as a venue for cooperative response to global threats and for sharing technical and scientific knowledge – has been changing due to cybersecurity being increasingly guided by broader national security considerations, geopolitical realities, commercial interests, and technological developments. Although it is a story of some severely dashed expectations, the chapter outlines some future scenarios for cooperation between CSIRTs. Whichever shape it takes – a cyber version of the International Red Cross, a cyber replica of a World Health Organization or part of intergovernmental cooperation agendas – Estonia and Japan should encourage their CSIRTs to build close contacts and collaboration.
Download and read full report: So Far, Yet So Close: Japanese and Estonian Cybersecurity Policy Perspectives and Cooperation (PDF)