On 22 February, France will host the Indo-Pacific Ministerial Forum, at which leaders from the European Union and the Indo-Pacific will discuss issues of security, defence, digital connectivity, and infrastructure development. The forum is designed to demonstrate to the EU’s allies in the Indo-Pacific that it is a reliable partner and is serious about promoting infrastructure development, collaborating on issues related to emerging technology, and upholding economic stability and security in the region. These goals, which are enshrined in the Strategy for Cooperation in the Indo-Pacific the EU released in September 2021, are key to greater European engagement with “core allies” in the region, chief among them Japan. In their joint efforts on security and defence, the EU and Japan have a mutual interest in cooperation on cyber-security.
Cyber has become a pertinent issue for the EU. As it seeks to build stronger relationships and promote infrastructure development, the bloc is increasingly aware that enhanced global interconnectedness can mean greater vulnerability. Recent Russian and Chinese cyber-operations show that authoritarian regimes will not hesitate to use cyber-tools for coercion worldwide. Both offensively and defensively, cyber concerns are becoming increasingly important to many states’ geopolitical strategies.
Although such operations have yet to directly affect EU institutions, European policymakers recognise that cyber is a security priority for individual member states and the union as a whole. The EU’s Cybersecurity Strategy, released in December 2020, acknowledged the shift in the threat landscape brought about by increasingly advanced and frequent cyber-attacks. At the same time, the strategy also recognises that the EU only has a limited capacity to address these new challenges.
Last year’s SolarWinds and Colonial Pipeline attacks made it clear that cyber-security vulnerabilities can directly threaten a state’s critical infrastructure and national security, which can have ripple effects in the global economy. Closer to home, the Russia-Ukraine crisis is again highlighting the spill-over threat of cyber-incursions even when the EU is not the primary target: the European Central Bank is preparing for a scenario in which Russia targets it with a cyber-attack as part of a campaign against Ukraine. If the EU is to improve its cyber-resilience and address threats of this kind, it will need to cooperate with like-minded partners such as Japan.
Tokyo, for its part, has identified cyber as a key security priority and sought enhanced international engagement following the release of its Cyber Security Strategy in September 2021, which acknowledges the geopolitical tension created by cyber-attacks and the implications of cyber-security for economic security, including the mitigation of risk in supply chains. Japan is not only relying on its own cyber-security ecosystem to shore up its defences but is also working with its allies and partners through bilateral commitments (such as the US-Japan Competitiveness and Resilience Partnership and the Joint Declaration on Security Cooperation with Australia) to further develop its domestic capabilities and to promote enhanced cyber-security measures across the Indo-Pacific.
Although Japan typically views cyber issues through the lens of economic stability, the country is also participating in broader security frameworks with the Quad and the Association of Southeast Asian Nations to develop greater cyber-response capabilities. Japan supports an open, free and secure internet, as well as the application of international norms to state activities in cyberspace. This is why the EU regards the country as a trusted and vital actor in the Indo-Pacific on issues of cyber-security and cyber-technology. Accordingly, Japan should be the union’s primary focus for developing a shared cyber-security agenda in the region.
While there is some coordination on cyber between Brussels and Tokyo, the sides should identify more focused, smaller-scale avenues of cooperation and intensify their collaboration on these efforts. Reconfiguring their joint efforts to home in on specific, achievable objectives would enhance their individual security while promoting cyber-security across the Indo-Pacific.
The EU and Japan should coordinate their joint efforts both internationally and domestically. On the international front, Tokyo and Brussels should collaborate to help define common norms and standards, and should develop shared plans for attribution when identifying and responding to cyber-threats. On the domestic front, the EU and Japan should share best practices for encouraging cooperation with the private sector while simultaneously striking the appropriate balance with government regulation when it comes to establishing their cyber-security frameworks. Japan is already a global leader in the use of public-private partnerships to strengthen state cyber-security, while EU member states such as Estonia and Germany have some expertise in these areas. Together, Tokyo and Brussels can develop such efforts to enhance each other’s cyber-capabilities.
The EU and Japan should begin by narrowing the scope of their collaboration to focus on relatively small, achievable goals that will have a lasting impact on their shared cyber-priorities. The following approaches would set the stage for greater engagement on cyber and other issues related to emerging technology.
- Efforts to build platforms of mutual trust
Both the EU and Japan view enhanced global, regional, and bilateral cooperation between democracies as pivotal to shaping the cyber-security landscape in line with their common values, chief among them openness and trustworthiness. Individually, both the EU and Japan are global leaders in cyber-diplomacy and are actively developing international norms to promote stability in cyberspace. The EU and Japan should build platforms of mutual trust by leveraging the union’s Cyber Diplomacy and Cyber Security Toolboxes, as well as the union’s experiences with cyber-security resilience through the new NIS2 Directive.
- Cooperation on standard-setting
Japan and the EU have rightly recognised that initiatives to shape cyber-standards should underpin any effort to improve the cyber-security of citizens in both Europe and the Indo-Pacific. The European Commission’s recently released Standardisation Strategy acknowledges that standards for cyber-security “carry a strategic dimension”. Tokyo and Brussels are increasingly aware of the key role of cyber-standards in maintaining the compatibility and security of global supply chains. One of the best ways for the EU and Japan to improve their cyber-security is to focus on specific standards and, better, on small, achievable goals that play to their strengths. A key issue could be cyber-hygiene, an area in which Estonia has established public sector training platforms to help secure its highly digitised society. Direct efforts such as this could be highly beneficial to Japan, which is working to promote a “Digital Society” among its ageing population.
- Intelligence-gathering and information-sharing on cyber-threats
A coherent approach to cyber-security will require information-sharing with trusted partners. This is critical to building up awareness of the myriad cyber-threats democracies face and to ensuring that their cyber-security mechanisms and strategies are robust. Since most cyber-attacks target entities that house sensitive data, an unwillingness to share information and legal barriers to doing so could make it exceedingly difficult for the EU and Japan to find common ground on which vulnerabilities to disclose and how to do so. Therefore, the EU and Japan should invest in an established information-sharing framework such as the Agreement on the Security of Information between Germany and Japan. This framework could expand to cover other individual EU member states or be modified for EU-wide implementation with the aim of creating a safer, more secure information environment between Tokyo and Brussels.
The EU and some of its member states have already engaged with Japan on key cyber issues. They should now develop new mechanisms that enhance cyber-security on all sides. As Tokyo and Brussels work toward shared goals in the Indo-Pacific, they should extend their joint approach to cyber-security to third parties in the region that have similar cyber-security capabilities. In this way, they could enhance their resilience together.
The authors would like to thank the speakers and participants at the February 2022 Japan-Europe Forum in Berlin for their insights into many of the issues discussed above.
The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.