February 19, 2021

So Far, Yet So Close: Japanese and Estonian Cybersecurity Policy Perspectives and Cooperation

Despite the geographical distance between them, Estonia and Japan share many similar security challenges, such as potential destabilisation in cyberspace due to geopolitical tensions and conflicts, the vulnerability of national digital infrastructure, and the impact of cyber-attacks on trust in open, democratic societies. Tackling such challenges requires close international cooperation and the exchange of national best practices and experiences.

On 3 February 2021, the ICDS organised a webinar that brought together experts from the two countries to explore national cybersecurity policy perspectives and discuss opportunities for cooperation. Moderated by ICDS Non-Resident Fellow Henry Rõigas, the event attracted an audience of almost 70 participants from Estonia and Japan as well as a number of other countries such as Bangladesh, Belgium, Georgia, Germany, Portugal, Spain and Sweden. The webinar’s proceedings will be published in an ICDS research report in the spring of 2021.

Jun Osawa, Senior Research Fellow at the Nakasone Peace Institute, spoke about Japan’s cybersecurity challenges and highlighted the difficulties of enhancing situational awareness, expanding international cooperation and building credible deterrence in cyberspace. He particularly noted the growing number and intensity of cyber-attacks against Japan by state-sponsored actors (China and North Korea) as well as some manifestations of geopolitical tensions between the US and China in cyberspace, as both countries vie for digital supremacy in the coming age of Internet of Things (IoT). Espionage, theft of intellectual property and, recently, manipulation of information for propaganda purposes are some of the key aims of China-linked actors, while the North Korean regime also resorts to financial cybercrime to boost its revenue. Building comprehensive cyber-deterrence must be a central thrust in the efforts of liberal democracies to counter state-sponsored cyber-threats, and international cooperation is one of the key facilitators of these efforts.

Kadri Kaska, Head of the Legal Branch of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), highlighted Estonia’s experience in addressing various governance challenges when crafting and implementing a national cybersecurity strategy (NCS). The first iteration of this strategy was driven by a well-recognised national need to address gaps in preparedness and institutionalise successes (such as interagency and public–private collaboration and international cooperation) identified after the 2007 cyber-attacks. The 2008 NCS laid the foundation for Estonia’s cybersecurity model, which relies on infrastructural resilience, clear allocation of roles and responsibilities, and a comprehensive national cybersecurity toolbox (technology, legal framework, processes etc.). While the 2014 iteration expanded these foundations, the 2018–20 review revealed both strengths and weaknesses. On the one hand, the maturity, agility and flexibility of the system as well as trust in both public institutions and digital technology and reasonably high societal awareness of the importance of cybersecurity were apparent. On the other, some important systemic challenges were identified, such as difficulties in the practical implementation of neat division of responsibilities between various actors, slow reorientation from managing “risks to technology” to managing risks to business models and governance, and lack of clarity in priorities.

Atsuko Sekiguchi, Deputy Counsellor of the International Strategy Group at the National Centre of Incident Readiness and Strategy for Cyber Security (NISC) in the Cabinet Secretariat of the Government of Japan, focused her remarks on the Japanese approach to public–private partnerships in cybersecurity. The growing digitalisation of societies—now further accelerated by the Covid-19 pandemic—is increasing their vulnerability to malicious activity in cyberspace. The fragmentation of the internet in terms of fundamental values, legal and technical standards, as well as cyber becoming a domain of conflict between various states that pursue cyber capabilities, further accentuates the dangers of instability in cyberspace. In this context, public–private partnerships and international collaboration are becoming ever more important in countering malicious cyber activities, with information sharing between the partners and advancement of confidence-building measures in a multi-stakeholder framework among the key ingredients of success. The former is advanced in Japan through the Cybersecurity Council, established in 2019 and composed of government agencies, critical infrastructure owners and various other public and private entities. The latter is furthered through membership of and participation in international forums such as the United Nations Group of Governmental Experts (GGE) on advancing responsible state behaviour in cyberspace in the context of international security, as well as through bilateral cyber dialogue, including with Estonia.

Dr Anna-Maria Osula, Senior Researcher at the Centre of Digital Forensics and Cyber Security at Tallinn University of Technology (TalTech) and Senior Policy Officer at Guardtime, a software security company, spoke about the role of small states such as Estonia in building norms in cyberspace. Estonia is an excellent example of what a small nation with great ambitions can achieve in digitalisation and how cybersecurity becomes an integral part of economic, national defence, foreign-policy and other activities. However, small nations have a vested interest in developing international norms that address issues such as power and resource imbalances, diverging perceptions of sovereignty, applicability of international humanitarian law and appropriate responses to malicious actions in cyberspace. Estonia has been very active in various fora, formats and frameworks, including the UN GGE, the UN Security Council, NATO and the EU, and its efforts enabled and facilitated successes such as the development of the Tallinn Manual on international law applicable to cyberwarfare. It continues these activities, including through bilateral and multilateral cooperation aimed at promoting cybersecurity and cyber capacity building.

Dr Koichiro Komiyama, Visiting Fellow at Keio University Global Research Institute, focused his remarks on cyber capacity building in the Asia-Pacific region, where Japan has been actively working to support several countries in their efforts to enhance cybersecurity. This effort is based on the premise that, in our interconnected world, greater cybersecurity in other nations enhances Japan’s own. Although some cyber capacity-building projects, such as Japan’s attempts to establish a Computer Security Incident Response Team (CSIRT) in the South Pacific, have not been successful, many other initiatives from the total of 669 projects globally involving 594 different actors (according to a survey on the Cybil knowledge-sharing portal on cyber capacity building) continue to improve cybersecurity. However, these efforts have been facing some headwinds, such as the rise of nationalism in many parts of the world and the impact of the Covid-19 pandemic. Nevertheless, access to cyberspace is a fundamental human right and the international community has an obligation to protect it. To this end, cyber capacity building should also be part of humanitarian assistance programmes.