Cyberspace Cooperation

Crimes committed in and through cyberspace continue to increase in number and severity. Annual economic losses exceed $375 billion with several hundred million individuals and companies falling victim. Yet prosecution and conviction of the perpetrators is rare, encouraging more criminals to engage in this kind of activity. 

As part of the EastWest Institute’s Global Cooperation in Cyberspace Initiative, the EWI Breakthrough Group on Modernizing International Procedures against Cyber-enabled Crimes is working to combat crime and criminals in cyberspace by improving cooperation among law enforcement agencies and with the private sector on a global basis. In 2015, the group has focused on:

1. Increasing the transparency of corporate policies responding to information requests from law enforcement.
2. Promoting a standard format for international information requests under mutual legal assistance procedures.

Japan's relationship with its armed forces was once a defining characteristic of the nation. Indeed, "Fukoku kyohei [Enrich the state, strengthen the military]" was the battle cry of the reformers who founded modern Japan during the so-called Meiji Restoration beginning in the 1860s.

In the first decades of the 20th Century, Japan, rather than a state with a military, the island nation slowly transformed into a military with a state - "one hundred million hearts beating as one", as a wartime propaganda slogan boasted.

That all changed after the World War Two.

From offence to defence

The country's complete defeat, not to forget the deaths of 2.7 million Japanese men and women, ended Japan's love affair with its military.

A new constitution, written by the victorious occupying Americans, outlawed the creation of any regular armed forces. Japan was to be a "heiwakokka [peace nation]".

However, after the outbreak of the Korean War in 1950, the United States, fearing Communist expansion in Asia, pushed Tokyo to rearm.

To fight off "Red China", the US established the Japan Self-Defence Forces, a military that to this day has not fired a single shot in anger.

Unable to prove their worth in battle and confronted by an almost cult-like anti-militarism, throughout the Cold War, the JSDF suffered from public ridicule and disdain.

Just watch any of the early Godzilla movies showing the JSDF as an unimaginative and - more importantly - ineffective group of men incapable of defending Tokyo from the monster's wrath, and you can capture some of the public sentiments during that time.

Service members walking city streets in uniform in the early days of the JSDF were even pelted with stones.

Accidental heroes

At the end of the Cold War, in the 1990s, Japan's armed forces were finally able to polish up their image - not on the battlefield of course, but as an international peacekeeping force.

The JSDF deployed briefly in southern Iraq as part of the US "coalition of the willing", although they had to rely on others, including the Iraqis, for protection. Indeed, the JSDF are so adverse to violence that when a machine gun went off by accident, it made national headlines.

They also won plaudits for their role in rescue and relief missions after, for example, the Kobe-Awaji earthquake in 1995 and the 2011 Fukushima nuclear disaster.

To this day, this is how the majority of Japanese see the JSDF - a disaster relief force.

Fast forward to 2015, where things appear to be changing under the leadership of Japanese Prime Minister Shinzo Abe and his Liberal Democratic Party.

Two controversial security bills that passed the upper house of the Japanese Diet - Japan's parliament - this September, will allow the JSDF to come to the defence of its allies even when Japan itself is not under attack.

Formidable fighting force

Despite much domestic and international hysteria that Japan could now be drawn into foreign conflicts, and potentially even launch a war, closer scrutiny reveals it still has a long way to go to cast off its pacific post-War legacy.

For one thing, under the new legislation, the JSDF can only come to the aid of an ally under three conditions:

• Japan's survival is at stake
• All other non-military options have been exhausted
• The use of force is limited to the minimum necessary to deter aggression

In addition, the JSDF can come to the rescue of other UN peacekeeping troops and Japanese civilians in danger and would be allowed to use their weapons first, not just strictly for self-defence.

Notwithstanding the narrow circumstances of action, the JSDF at least have the potential to become a formidable fighting force.

For one thing, the Japanese culture with its traditional emphasis on group cohesion, careful planning, and attention to detail - particularly important in today's hi-tech military environment- is an ideal for modern soldiering.

Indeed, American sailors, soldiers and marines who train with the JSDF and participate in various joint military exercises every year to increase operability are generally impressed by the competence of their Japanese counterparts.

The JSDF also sport some of the most modern military equipment in all of Asia, including modern fourth-generation main battle tanks, licence-built Apache attack helicopters, modern reconnaissance drones, and will soon receive new fifth-generation fighter jets.

Japan's navy, the Japanese Maritime Self-Defence Force (JMSDF), is considered to be technologically more advanced, more experienced, and more highly trained than its likely adversary - China's the People's Liberation Army Navy (PLAN). It also has its own highly trained special forces outfit - the Special Boarding Unit.

However, major, cultural, legal and budgetary restrictions remain.

For example, Japan continues to ban "offensive" weapons such as bombers, aircraft carriers, and long-range ballistic missiles and has no plans to acquire them in the foreseeable future, since they remain unconstitutional.

In addition, despite some improvements, the JSDF continue to enjoy a somewhat dubious reputation as a pool for "ochikobore [drop-outs from the regular school system]" and "inakamono [country bumpkins with strong regional dialects from Kyushu in the south and northern Honshu]".

How would the JSDF do in a military conflict with China over let's say the disputed Senkaku/Diaoyu islands - a scenario that the US and Japan are practising every other year?

The JSDF would probably suffer initial setbacks under the chaotic conditions of the battlefield like any other force with no experience in combat, but - given their penchant for constant drill and exercises for such a contingency as well as their excellent planning ability - would do very well on the defence.

Godzilla can rest easy

However, the truth is that Japan's military would not be able to defend Japan alone in the long-run nor go on the offensive, primarily because of its lack of offensive weapons, limited manpower and equipment pool.

Behind the JSDF stands the US, and therein lies any strength it might wield.

Japan still has no obligation to support the United States in a conflict - the two countries, despite public impressions to the contrary, still have no mutual defence pact.

Japan can pick and choose whether it would like to support the United States in a conflict or not. In reality, this means that Japanese support for the United States in any future conflict is not a foregone conclusion.

This undermines their bilateral defence cooperation.

So what are the chances that the JSDF will fire a shot in anger anytime soon? Unless, China attempts an invasion of the Land of the Rising Sun, or North Korea launches one of its missiles against Tokyo, I'd say chances are as high as Godzilla re-emerging in the Sea of Japan.

To read this article at BBC NEWS, click here.

On September 25, 2015, the White House and the Chinese government issued parallel statements explaining the various agreements Presidents Obama and Xi reached during Xi’s state visit. On the cyber and technology front, the agreements break no new policy ground, but do create a much-needed umbrella under which concrete, practical steps can be taken to reduce conflict in cyberspace and tensions in the bilateral relationship. This is the most positive development in the cyber-related aspects of the bilateral relationship since the two Presidents’ Sunnylands meeting in June 2013. Seven aspects bear mentioning: 

1.    The agreement not to “conduct or knowingly support cyber-enabled theft of intellectual property . . . with the intent of providing competitive advantages to companies or commercial sectors” restates the existing positions of both governments not to concede that they “conduct or knowingly support” such activity. This agreement sets an explicit norm in place, but, without work on compliance, it would be merely window dressing.

2.    Compliance begins to be addressed, however, in the agreement that “timely responses should be provided to requests for information and assistance concerning malicious cyber activities.” Both countries agree to cooperate with requests to “mitigate malicious cyber activity emanating from their territory.”

3.    This agreement is made more practical by the establishment of a “high-level joint dialogue mechanism,” led by the Departments of Homeland Security and Justice on the U.S. side. Chinese participation will likely be led by the Cyberspace Administration of China (Minister Lu Wei) with participation by the Chinese Ministries of Public Security, State Security, Justice, and the State Internet and Information Office. The joint dialogue mechanism “will be used to review the timeliness and quality” of requests for information assistance. It effectively replaces the defunct government-to-government working group established at Sunnylands and suspended by China after the U.S. indicted five active duty Chinese army officers for alleged cyber thefts of U.S. intellectual property. 

4.    There will be a cyber incident hotline that will ring at DHS or Justice.

5.    More broadly, the governments “welcome” (this is a moderate level of support, higher than “note” but a long way from “endorse”) the July 2015 report of the UN Group of Governmental Experts on cyber matters.¹ A senior expert group will be created for bilateral discussions on this topic, presumably led by the U.S. Department of State and the Chinese Ministry of Foreign Affairs. 

6.    On trade, the two nations agree to moderate their use of cybersecurity as a criterion for evaluating the “purchase sale or use” of ICT products by commercial enterprises, and, further, to limit the scope of their respective national security reviews of foreign investments (i.e., the CFIUS² process on the U.S. side, and recently proposed Chinese national security and technology regulations). 

7.    The most measurable commitment is that the high-level dialogue will meet in 2015. 

Everyone will be watching in the months ahead to see if the level of attacks, which appear to come from Chinese territory declines from historic levels. If it does, that will be viewed as a sign of Chinese good faith by the U.S. However, if it does not, the U.S. will need to present evidence of the Chinese government’s involvement in order to claim a violation of the first of Xi-Obama agreements listed above. 

More broadly, there is a two-way argument to be made regarding attacks that appear to come from the other’s territory. To date, neither side has had much success getting help from the other with requests for assistance. Now the “high-level dialogue mechanism” will work to bring the two sides together for assistance cooperation. If China and the U.S. cooperate better on cyber incident response, that will show real progress in the bilateral cyber relationship. 

Click here to read the post on China-US Focus.

_

^1. The July report concludes a multi-year set of meetings among cyber foreign affairs officials of 20 countries, including China, Russia, the U.S. and several EU countries. The principal accomplishments were agreements that international law is applicable to cyberspace and that certain norms (e.g., mutual assistance on cyber incidents, no cyber attacks on critical infrastructure) should guide state behavior in cyberspace during peacetime. The agreements are completely non-binding.

^2. Committee on Foreign Investment in the United States. 

If you can’t lock your door, you can’t maintain the privacy of your home. If you can’t encrypt your phone, you can’t keep your personal data private, either. As tech companies and law enforcement agencies clash over encryption, security and privacy, a former Bush administration official is coming down forcefully on the side of technology that supports civil liberties rather than erodes them.

Michael Chertoff, who served under President George W. Bush as the nation's second Secretary of Homeland Security, suggested to The Huffington Post that using encryption to keep your data or messages personal is like having a quiet, private conversation between friends.

"If I pull you off into a corner and talk to you privately about something, it’s not recorded," he said. "We don’t record conversations in public places so that people can’t whisper to each other and then not tell the authorities what they talked about. That’s not our culture."

Law enforcement and intelligence agencies do, of course, record other conversations. Warrantless surveillance of phone records and the Internet significantly expanded under Bush and then President Barack Obama, until former NSA contractor Edward Snowden leaked information about the secret programs, galvanizing reforms of the Patriot Act. 

The U.S. government experienced its own security breach earlier this year, when the Office of Personnel Management disclosed that China-based hackers had reportedly stolen clearance information for millions of federal employees, including more than 5 million fingerprints. 

Now, the Obama administration is facing growing pressure to support strong encryption in the United States, with a broad coalition of civil liberties and privacy advocates petitioning the White House to make a strong public statement in favor of improved security to protect personal information, mobile devices and business secrets from hacking or loss. In a recent episode of HuffPost Live, advocates discussed the issues and points of contention.

HuffPost spoke with Chertoff, who now runs a risk management and security consulting firm, this September. The following interview, which touches on technology, spying, privacy and legislative reforms, has been edited for length and clarity.

We've seen huge data breaches in the private sector, but the hack of the Office of Personnel Management looks like the most serious breach of confidential data I can recall. What fallout are you seeing from it? 

As to the OPM breach, I agree with you. A number of commentators think that this is less about criminality and more about trying to do, essentially, a database of American citizens, which should be useful for intelligence purposes. That is a huge step forward, in terms of the kind of espionage that they do traditionally.

Beyond that, there’s an emerging ability to corrupt or destroy data, or interfere with the operation of control systems which goes far beyond getting your personal information erased. It is actually potentially disruptive for physical objects or the death of human beings. 

I think it is a much broader problem than just the data breach privacy discussion that we’ve been having. As we multiply the number of devices that are connected, often without much consideration of security, I think it’s only going to become a bigger and bigger issue.

Is there a proportionate response to this kind of espionage, in terms of China? Do you support enacting economic sanctions for such actions?

First of all, separate the two types of espionage. I’m very traditional in taking the view that commercial espionage by government is inappropriate. I think the administration talked about some kind of sanctions for companies that benefit from intellectual property, and that’s an unusual approach.

It gets trickier when you get to national security espionage. You protest against it. If you find someone who does it, it’s appropriate to prosecute them. Frankly, that really worked in the Cold War. The Russians did it to our spies, too. 

It’s a little hard to get worked up into a moral outrage, because what the Chinese have done with respect to OPM, at least in my view, is a variation on a traditional theme of gathering intelligence, but they’ve been able to scale it up.

Our biggest response has got to be to protect our assets. I think the most serious disappointment in the OPM breach is it appears people didn’t even take the steps that they were told to take to reach a minimum level of security. They utterly missed the fact that they were holding very valuable information. They viewed themselves as if they were like a great big HR department.

We need to have a bigger understanding of the value of data, so that people understand that it’s not just credit cards that matter. There’s all kinds of information that can be useful to an adversary or competitor that needs to be protected. 

What steps should average businesses and citizens take, with respect to protecting their own information? What tools should we have available to us?

Obviously, encryption of data in motion and data at rest is a very useful tool. Not everything needs to be connected to everything else. How do you handle administrative privileges? Who gets to set conditions of access and things of that sort? How do you internally monitor the perimeters or anomalous behavior, or something that’s happened that’s inexplicable?

Use a number of different techniques. You’re not totally eliminating the risk, but you’re reducing the risk and you’re managing it. That mitigates a lot of that potential damage from these kinds of attacks.

Risk is an important word, in this context. The FBI and the Justice Department are asking citizens to accept the idea that we should put ourselves at more risk through weakening encryption so that they can access our mobile devices if they have a warrant. What’s your position?

I think even with [strong] encryption, there would be plenty of other ways that law enforcement and judges can use to protect us. That’s always been the case traditionally. In the old days, back when I was doing cases as a prosecutor, they didn't talk very much. We were still able to make cases using other techniques.

I understand what the motivation of the FBI and the law enforcement people is, but I think it’s misguided for a number of reasons. To believe that if you have a law to require a duplicate key or a key escrow, that bad people wouldn’t find another way to make their messages disappear, even if they had to go to technologies and providers from other parts of the world? Frankly, that’s the world we’ve always lived in.

Would bills like the Cybersecurity Information Sharing Act of 2015 or the Cyber Intelligence Sharing and Protection Act, both designed to promote voluntary information sharing between the private sector and government, help with these kinds of issues?

There are a couple areas where I think legislation would be useful. One, I think it would be promoting information [sharing] by creating liability protection for people who share information in an appropriate way both with the government and also among themselves, making sure that what they share is confidential so that they don’t feel constrained about giving information about attacks. 

Updating the Electronic Communications Privacy Act will eliminate an anomaly between how we treat interception of email that’s current versus stored email, which is a distinction that maybe made sense when the statute was passed many years ago, but has lost its logic. That would go some way in promoting a greater sense of reassurance about privacy, and that’s certainly an important part of the discussion.

The Computer Fraud and Abuse Act also poses issues for the security research community. People are concerned, with some justification, that if they do research on government or commercial websites, they could be held liable or even prosecuted. Should there be any reform of the law, in your view?

I’m not aware anybody has been prosecuted for doing research, so I don’t know how much of a problem that is. I think, in general, with newer technology, statutes that are 10 years or 20 years old often make no sense, simply because they were drafted at a time when the architecture was radically different from what we have today. These things ought to have an expiration date. 

What frustrates you about what Congress and the press say about technology and security?

To me, the most frustrating thing is when people treat privacy and security as if they are trade-offs. I think you can’t have privacy without security. If by privacy we mean, "you give me your information, and I’m gonna make sure it’s treated in a proper way," that promise is meaningless if I can’t enforce it. If somebody can hack into my data, it doesn’t matter what I promised you. It’s going out the door anyway.

At the same time, without privacy, we can’t be secure. Security is to be able to keep data, to keep control of data that you’ve generated that is relevant to you.

I would like to see less of an oppositional approach and more taking a view that these things are actually interdependent and mutually reinforcing.

To read the interview at The Huffington Post, click here. 

To learn more about the event, click here.

Bruce McConnell was quoted in Politico's September 25 article "Obama, Xi vow not to steal each others' secrets."

"...Bruce McConnell, senior vice president at the EastWest Institute, said that from a Chinese policy perspective, the agreement merely amounts to an affirmation of the status quo. The Chinese government’s position has been that it neither conducts nor knowingly supports such activities, he said.

Nonetheless, McConnell said he’s optimistic that the agreement marks progress on the issue. China isn’t acknowledging that it’s stolen intellectual property, allowing Beijing to take action without directly taking responsibility for any previous attacks."

To read the full article at Politico, click here.

Bruce McConnell was quoted in Reuters' September 16 article "UPDATE 2-Obama warns China on cyber spying ahead of Xi visit.

"In referring to nuclear arms control regimes, Obama was most likely thinking about "norms," rather than governance, since the U.S. has not advocated creating an agency like the International Atomic Energy Agency to monitor cyber weapons, said Bruce McConnell, a former Department of Homeland Security cyber security chief."

..."I don't think the president was talking about the structure - I think he was talking about the ideas," added McConnell.

To read the full article at Reuters click here.