Information technology has enabled the United States to achieve dominance in on the battlefield. However, it also has become a vulnerability, and now the U.S. is the primary recipient of targeted cyberattacks.
Not surprisingly, in 2018, the White House released the National Cyber Strategy, which shows a shift toward a more offensive cybersecurity posture. It emphasizes that the United States will take a strong policy stance, not only for the U.S. but also its allies and partners, to impose costs on attackers, including the use of kinetic means to deter cyber threats.
As cyberattacks pose serious national security risks to each state, the international community has also begun to discuss when cyberattacks should trigger the activation of self-defense and/or collective defense and has started cooperative programs to address the threat. For instance, the North Atlantic Treaty Organization (NATO) initiated cooperative cyber defense after a critical cyberattack on Estonia in 2007. NATO’s Tallinn Manual is a crucial publication that attempts to apply pre-cyber era international law to cyber operations, asserting that both self-defense and collective self-defense are applicable to cyberattacks.
Japan, which suffers the third most targeted cyberattacks in the world, has caught up with this trend. In April 2019, the United States and Japan agreed that their mutual security treaty will also cover serious cyberattacks against both countries, and this agreement is expected to deepen their cooperation significantly. However, three major challenges remain for the U.S. and Japan to effectively protect themselves against cyber threats.
The first is the lack of a legal framework to address cyberattacks and the issues related to countermeasures. The Tallinn Manual is the first step toward applying international law to cyber operations. However, even among NATO states there are different thresholds to activate self-defense and collective defense against cyber threats, a discrepancy that also exists between the United States and Japan. Moreover, this manual is not yet accepted as an international norm. This makes cyber defense particularly challenging for Japan. So far, the Japanese government has said the activation of self-defense should be considered case by case; however, decision-making on cases with the support of the public will be difficult without international consensus, including with the United States.
The second challenge is the difficulty of deciding on countermeasures against cyberattacks. Cyber operations can be conducted remotely by individual hackers, and detection and attribution capability is insufficient so far to remove any shadow of a doubt. Unlike conventional armed attacks, it is difficult to identify who is responsible for a cyberattack and adequately evaluate the effect of the attack. Gauging the scale of the attack and damages incurred to justify self-defense that involves military counteraction — establishing a “red line” — is therefore extremely challenging.
The third challenge is the circumstances under which cyberattacks take place. Cyberattacks are not only combined with conventional wars, but also are easy to conduct during gray-zone situations or in peacetime. Since no cyberattack has been reported to directly cause injuries or deaths so far, it’s difficult to determine whether it is appropriate to use kinetic means against cyberattacks, especially in situations short of armed conflict. Kinetic counteraction might be criticized as escalating the situation needlessly, but if a target cannot take appropriate action in response, it becomes defenseless.
Given these challenges, especially when Japan limits the use of force more strictly than the United States, despite receiving enormous amounts of cyberattacks, further discussion of the criteria for collective self-defense is critically important for Japan and the U.S. in the framework of the alliance.
The United States and Japan should focus on mitigating these three problems together. For the legislation and decision-making problem, for instance, the U.S. and Japan should accelerate conferences and case studies to encourage international consensus in this area. Even if it is difficult to clarify all ambiguities at the strategic level, at the operational level, between the U.S. military and the Japan Self-Defense Forces, experts and researchers can consider many cases and create doctrine or mechanisms to support decision-making.
They should also increase regional coordination with other allies and partners in the Indo-Pacific region. Coordination with NATO during the process is important, but it should be kept in mind that NATO tends to focus more on cyberattacks from Russia. Therefore, the U.S. and Japan should coordinate with their partners in the Indo-Pacific region including Taiwan, South Korea, Australia, and India to exchange information and improve resilience.
The issue of proportional countermeasures against cyberattacks is perhaps the most difficult to solve, due to the ambiguity of the red line itself and the divergence in notions of such red lines between the United States and Japan. Even so, the U.S. and Japan should discuss what kind of support they can expect from each other. To bridge this gap, they should also expand multilayered cooperation not only in defense but also between the governments, academia, and private sectors. This cooperation will enable multiple approaches to a wide range of cyberattacks. In that sense, a bilateral cybersecurity agreement would be a good first step to promote U.S. and Japanese resilience and interoperability against cyberattacks.
Sonoko Kuhara is a Research Intern with the Japan Program at the Stimson Center in Washington, D.C.