U.S.-Japanese Cyber Collaboration Needs to Include the Private Sector

May 9, 2019

by Larry Clinton

While much of the attention on President Trump’s upcoming visit to Japan will focus on North Korean nuclear issues, a critical, if under-reported, element of the visit will be to bolster U.S.-Japanese cyber defenses.

In a speech to the Hudson Institute last week, U.S. Ambassador to Japan William Hagerty acknowledged the importance of the issue, noting that a Chinese cyber-attack on Japan could evoke the U.S. Commitment to respond. “it’s a statement whose time has come,” Hagerty said.

As with U.S. cyber defense, Japanese and international cyber defense strategies must operate on a partnership model with both the government and private sectors.

The necessity of maturing the cyber partnership model is critical for several reasons, including the fact that both government and industry cyber systems are, for the most part, the exact same networks.

Moreover, as North Korea proved in its attacks on Sony and the Bank of Bangladesh, the targets of nation-state cyber-attacks are not necessarily traditional military installations but privately held critical infrastructure like hospitals or banks – and even less critical structures like movie studios.

This is one reason why representatives of several major Japanese trade groups met with the Internet Security Alliance here in DC this week to initiate a partnership aimed at developing a program to educate senior Japanese executives on effective cyber strategies, modeled on the program developed originally by the National Association of Corporate Directors.

The NACD Cyber Risk Handbook for corporate boards was originally developed by ISA in 2014 and updated in 2017 and has been endorsed by both DHS and DOJ. In 2018, a German edition was unveiled at NACD’s first global forum on board-level cybersecurity, and the German government’s cyber agency, BSI, endorsed that effort.

Later this year, a Latin American edition is scheduled to be released, this time endorsed by the Organization of American States.

The hope and expectation is that the ISA talks with the Japanese trade groups will lead to a similar program tailored to the unique needs and environment of Japanese business and culture.

A key feature of the Cyber-Risk Handbooks in the U.S., Germany, and Latin America is that it takes a common set of cyber principles and adapts them to the unique environments of the various countries, thus allowing for boards globally to approach cyber issues in an internationally coherent fashion. The discussions this week suggested these principles would be equally appropriate in the Japanese context.

Another key feature of these programs is that they are among the very few cyber initiatives that have been independently assessed as improving cybersecurity. PricewaterhouseCoopers, in a recent edition of its Global Information Security Survey, found that organizations that use the NACD model have better cyber-risk management, better cyber budgeting, closer alignment with cybersecurity and overall business goals, and are able to create a culture of security within their organizations.