Japan’s Cybersecurity Capacity-Building Support for ASEAN – Shifting From What to Do to How to Do It

This year marks the 50th anniversary of the Association of Southeast Asian Nations (ASEAN), which is expected to become the world’s fourth-largest economy by 2030. As Information and Communications Technology (ICT) is integral to ASEAN’s industrial platform, cybersecurity has become more crucial than ever. ASEAN held the first Ministerial Conference on Cybersecurity in October 2016. In his opening remarks, Dr. Yaacob Ibrahim, Singapore’s minister for communications and information and minister-in-charge of cybersecurity, emphasized that ASEAN needs to promote cybersecurity technical capacity-building.

ASEAN is a rapidly growing market with a population of 620 million, and its GDP has tripled over the last decade. ASEAN is also the second-largest trade partner for Japan (after China) at 14.7 percent. The association considers Japan its third-largest external trade partner – coming in at 9.1 percent – after China and the European Union.

Given the borderless nature of cyberattacks, damages and consequences are not necessarily contained in one specific organization, sector or country. Thus, cybersecurity awareness-raising and capacity-building are essential to tackle the varied cybersecurity levels of ASEAN members.

To address this challenge, Japan made two important announcements in 2016. First, at the Japan-ASEAN Summit Meeting in September 2016, Prime Minister Shinzo Abe stated that Japan would continue to help ASEAN by crafting a policy for cybersecurity capacity-building support in line with the Basic Policy described below. The ASEAN Chairman expressed appreciation for Japan’s determination for proactive support on behalf of ASEAN members at the summit. This marked the first time any Japanese Prime Minister had made such a commitment to ASEAN.

Second, the Japanese government issued the Basic Policy to Support Cybersecurity Capacity-Building in Developing Countries in October 2016. The Japanese government aims to reduce cybersecurity vulnerabilities globally to minimize risks; enhance security for the daily lives and business operations of its citizens, who depend on critical infrastructure in those developing countries; obtain understanding of Japan’s basic principle of free information flow and rule of law from developing countries; and create infrastructure to develop the Japanese ICT industry in those countries.

The Basic Policy has three pillars: to enhance capabilities for incident response, such as building computer emergency response teams (CERTs); to help law enforcement to tackle cybercrime; and to obtain understanding and raise awareness of the importance of international norm and confidence-building in cyberspace via the United Nations Group of Governmental Experts. The Japanese government uses Official Development Assistance to provide cybersecurity devices and equipment, as well as training to use them, at a bilateral cooperation level. Furthermore, the Japanese government uses multilateral frameworks to offer training for cybercrime investigation and share expertise via the Japan-ASEAN Cybercrime Dialogue.

Japan and ASEAN hold an annual Information Security Policy Meeting at the Director-General level to discuss how to create a secure business environment and ensure information security. At the first such meeting in February 2009, both parties agreed that Japan would help ASEAN craft information security strategy to enhance its cybersecurity and share best practices between the public and private sectors. Over the last couple of years, the support has shifted from “what to do” to “how to do.” At first, discussions focused on what it takes to craft cybersecurity policy. Since ASEAN countries have developed national CERTs, the agenda has now shifted to how to improve national cybersecurity capability.

In 2009, the Japanese National Information Security Center (NISC, which is now called the National Center of Incident Readiness and Strategy for Cybersecurity) began annually hosting an ASEAN-Japan Government Network Security Workshop to discuss each government’s information security efforts among division chiefs, and an ASEAN-Japan Government Information Security Training in 2010 to train working-level officials on how to craft information security policy and build operational capability. The Tokyo training in August 2010 consisted of two parts: a four-day policy-crafting course to share updates on each country’s policy and joint awareness-raising campaigns; and a five-day operational hands-on course with case studies and a cyber exercise.

In November 2011, the fourth ASEAN-Japan Information Security Policy Meeting (Japanese link) agreed to increase joint efforts to raise cybersecurity awareness. More specifically, Japan started to provide educational videos and brochures in each local language, provide training on information security management for government officials, and additionally began to send experts to seminars and training in ASEAN countries in 2012. The Japanese government provided ASEAN countries with videos, brochures and posters.

In September 2013, Japan and ASEAN held the ASEAN-Japan Ministerial Policy Meeting on Cybersecurity Cooperation in Tokyo to commemorate the 40th anniversary of the Japan-ASEAN relationship. During the event, Japan and ASEAN agreed to collaborate on the Internet Traffic Monitoring Data Sharing Project (TSUBAME Project) to expand cooperation between CSIRTs (Computer Security Incident Response Teams). JPCERT/CC started the project in 2007, and it has 25 members from 21 regions – mainly national CSIRTs – as of September 2015.

Next, Japan agreed to keep providing capacity-building support: Proactive Response Against Cyberattacks Through International Collaborative Exchange (PRACTICE) and Japan-ASEAN Security PartnERship (JASPER). PRACTICE is a project between Japan and other countries to build a network to gather information on cyberattacks and malware, and to research and develop technologies to predict cyberattacks, enabling countries to respond quickly. JASPER comprises the PRACTICE project and infection alerts.

This year has already seen a good start between Japan and ASEAN. The Japan International Cooperation Agency has already provided cybersecurity training twice. The first training, for national CERT and government officials, aimed to increase cyber incident handling capabilities by providing understanding of the current threat landscape, best practices and a series of steps to take to respond to incidents, which consisted of cyber exercises in monitoring, analysis, incident handling and reporting. The second training focused on cybersecurity standardization and information security management, covering ISO/IEC27000 and the information security management system (ISMS). Students were ASEAN government officials, including those from Government CSIRT and national CERT. In this training, they were required to give a presentation to compare Japan and their home country, and subsequently provide recommendations for their governments.

The 10th ASEAN-Japan Information Security Policy Meeting will be held this fall. When the ninth meeting adopted the new Guidelines to Protect Critical Infrastructure Between Japan and ASEAN in October 2016, ASEAN countries began to use the guidelines as a reference to craft and implement their national critical information infrastructure policy (CIIP). The Japanese government issued cybersecurity guidelines for the electric power industry in 2016 and released a new national cybersecurity strategy for CIIP in April 2017. CIIP will be a great area in which Japan and ASEAN can cooperate to help business operations and economic growth.

Japan’s support to date has focused on policy and technical capacity-building, and there will be many more ideas to come. The Japanese CIIP strategy shows that the Japanese government is keen to encourage business executives to invest in cybersecurity and have corporate governance in place, as well as to consider risk assessment and strategic business risk management as parts of their business strategies. This reflects the philosophy of the Cybersecurity Guidelines for Business Leadership. The involvement of business executives is crucial to accelerate successful cybersecurity efforts from a top-down approach, rather than a time-consuming bottom-up approach – especially with only three years left before the Tokyo Summer Olympic Games in 2020. That is why the Japanese Ministry of Economy, Trade and Industry launched the Cybersecurity Center of Excellence (COE), which will offer a short-term course for C-level people to learn about cybersecurity and CIIP later this year.

Critical infrastructure is owned and operated by private companies in most cases. Japan’s lessons learned from the Japanese guidelines and COE would be beneficial to share with ASEAN countries. It will help the Association implement the new Guidelines to Protect Critical Infrastructure Between Japan and ASEAN and urge business leaders to take proactive roles in CIIP and cybersecurity.