Canada-Japan Cyber Security Cooperation: Enhancing the Fight Against Cyber Threats
by Karine Pontbriand (feat. Marius Grinius)
Asia Pacific Foundation of Canada
September 8, 2016
n the 21st century, cyberspace has radically changed the way people live, communicate and interact, and is now a catalyst for economic development and prosperity. As defined by Canada’s Cyber Security Strategy, “cyberspace is the electronic world created by interconnected networks of information technology and the information on those networks.” With 20 billion devices forecast to be online within five years, the world is already more interconnected than ever before, for better or worse.
Despite the number of opportunities emerging due to the evolution of cyberspace, the dependence of industrialized societies on the digital world also brings new risks for national security. "As societies become more dependent on networked information infrastructures, they also become more vulnerable to potential electronic catastrophes."  The personal and confidential data of individuals, organizations, businesses, and governments can be corrupted, and malicious activities in cyberspace continue to spread globally. Indeed, terrorists, hackers and cybercriminals, whether acting alone or state-sponsored, are now capable of launching cyber attacks, even against physical targets.
In order to expand its potential, the Internet must be open and secure, but to ensure these attributes international co-operation is necessary. Canada and Japan share many interests, and the cyber sector is not an exception. In fact, as they both wish to enhance the protection of cyberspace, there are at least three important ways for the two countries to deepen their collaboration:
- Improving information sharing between national cyber expert teams
- Becoming advocacy partners in multilateral forums promoting international rulemaking
- Partnering with stakeholders in the private sector, which remains one of the main actors in cyberspace.
Cyber threats against Canada and Japan
Information and communications technologies (ICT) play an important role in Canada’s and Japan’s efforts to be open, democratic societies, and a great number of their critical infrastructures now depend on these new technologies connected to cyberspace, including power grids, water supplies, and financial systems. Both states recognize the tremendous economic development opportunity represented by cyberspace, but also the potential disruption to society as evidenced by the numerous cyber attacks that have targeted Canadian and Japanese facilities in recent years. Canada and Japan are both attractive targets for hackers, because cyber systems have become indispensable to almost all their economic sectors, and also because the two countries equally maintain competitive leadership in high-tech, IT and other advanced industries. Therefore, cyberspace generates numerous possibilities for hackers who wish to cause great damage or steal intellectual property. This is why both countries have made cyber security a priority for national security, but more could and should be done.
In 2010, Canada launched its Canada Cyber Security Strategy, in which the overall objectives were to "strengthen [its] cyber systems and critical infrastructure sectors, support economic growth, and protect Canadians as they connect to each other and to the world." The strategy outlined the importance of cyberspace for the prosperity of the country, and its growth continues at a steady pace. Indeed, according to Statistics Canada, in 2013, Canadian companies sold more than C$136 billion in goods and services on the Internet, up from C$122 billion in the previous year. However, 14% of large companies have reported being victims of an Internet security breach.
In an interview with CBC News, a specialist with the Canadian Advanced Technology Alliance noted that Canada is failing in cyber security, falling behind other countries in fighting cyber crime and hacking. The specialist also stated that cyber security is still not a political issue for Canadian officials. As a matter of fact, it wasn’t raised during the last federal election campaign of 2015, even though many events in recent years have provided evidence that Canada is facing cyber threats. Indeed, in 2011, a cyber attack targeted Defence Research and Development Canada, the Department of Finance Canada, and the Treasury Board of Canada Secretariat, giving foreign hackers access to classified information. In April 2014, the Canada Revenue Agency found that 900 social insurance numbers were compromised by a cyber attack against its systems. And a few months later, the Canadian government revealed that an individual (possibly financed by another country) had penetrated the computer systems of the National Research Council, forcing it to close its technological networks.
As for Japan, it is certainly a high-value target for intellectual property thieves, given its technological and economic stature on the international stage. However, like Canada, despite significant investment in cyber security over the past years, Japan is still not adequately prepared to deal with major cyber threats, whether from foreign state actors or local criminals. Japan’s Council on ICT Strategy and Policy for Growth, established in 2013, outlined four tasks for the Japanese government to undertake in order to create the right environment for ICT development, and one of them was the strengthening of cyber security. The vulnerability of Japanese computer networks has come to light in recent years with events such as the April 2012 cyber attack against the Ministry of Agriculture, Forestry and Fisheries of Japan that resulted in the theft of 3,000 documents, including twenty classified documents concerning the negotiations of the Trans Pacific Partnership (TPP). More recently, in June 2015, 1.25 million personal data files of the Japan Pension Service were disclosed following a cyber attack against its systems. Actually, every hour, all year long, abnormal accesses to the Japanese government’s organizations are being detected, or communications about events are being issued, ten times a minute, by the Government Security Operation Coordination team (GSOC).
With Cabinet approval, Japan adopted its second Cyber Security Strategy in September 2015. It outlines the country’s approach to cyber security for the next three years, looking towards the 2020 Olympic Games in Tokyo. This updated strategy recognizes that cyberspace is an innovative source of sustainable economic growth and the need to protect it. It also makes clear that Japan is open to deepening its international cyber efforts, especially through bilateral dialogues with the United States and the European Union, but there is no mention of a possible co-operative arrangement with Canada. This should change.
Towards a greater co-operation?
Cyberspace security has become an urgent global priority, and given the cross-border nature of cyberspace, no state alone can protect itself against the threats it faces. Canada and Japan already have a significant relationship in terms of political and economic co-operation, bolstered by "common values and mutual positive perceptions". They are partners in numerous multilateral and regional groups, including the G7, the G20 and the Organisation for Economic Co-operation and Development (OECD). Japan is also Canada's fifth-largest partner in bilateral merchandise trade (second in Asia after China).
During their meeting in April 2016, foreign ministers Fumio Kishida and Stéphane Dion pledged to strengthen and expand their co-operation in peace and security. Kishida stated “that he intends to strengthen bilateral relations, including co-operation in security” and they both agreed “to advance security co-operation as an important pillar of Japan-Canada co-operation.” Cyber issues also featured prominently in discussions during the May 2016 G7 Leaders’ Summit held in Ise-Shima Japan. The Declaration of Leaders issued before the closing of the summit stressed the importance of supporting an accessible, open, interoperable, secure and reliable cyberspace as a foundation for economic growth.
Given the mutual interest of Canada and Japan to improve their partnership on security and defence issues, co-operation in cyber security would add a new dimension to the bilateral relations. A report by the Asia Pacific Foundation of Canada indicated that by 2020, 35% of the global market for cyber security would belong to Asia. By participating in the stability and security of the Asia Pacific, Canada will secure better access to opportunities offered by this new burgeoning market. As stated by Marius Grinius of the Canadian Global Affairs Institute, “Canada’s own ‘Asian paradox’ is how to maximize its considerable economic and social interests in the Asia Pacific region while contributing to its long-term stability and security architecture.”
Co-operation on cyber security will enable states to share the cost of protecting cyberspace. Since 2010, Public Safety Canada has spent $245 million on cyber security. In its 2016 budget, the federal government has proposed to invest another $77.4 million over five years from 2016-17 for the implementation of new measures to improve the security of government computer networks and information technology systems. Japan has also announced the allocation of additional resources to improve its cyber security measures. In Asia, Japan is one of the states that invests the most in cyber security. A co-operative, interoperable approach and a sharing of expertise could reduce costs associated with research and development, while increasing mutual capabilities and effectiveness. But of course, the relationship needs to be built on trust.
Information sharing between cyber teams is the first step in enhancing security co-operation. Experts recognize that sharing information about potential threats is essential, but that the best protection depends on obtaining information rapidly. Canada and Japan have put in place cyber security response teams, respectively known as the Canadian Cyber Incident Response Centre (CCIRC) and the Japan Computer Emergency Response Team/Coordination Center (JPCERT/CC). Co-operation between these two teams could improve capacity to detect potential or actual cyber incidents as well as develop effective countermeasures. The Information Security Policy Council of Japan emphasizes in its International Strategy on Cyber Security Cooperation that, “an effective way of developing advanced countermeasures that can appropriately respond to cyber attacks is to combine each country’s technological strengths organically and develop them.” This report also stated that Japan would need to promote research and development through international co-operation. In February 2016, Ministers Dion and Kishida underscored “that the finalization of the Canada-Japan Acquisition and Cross-Servicing Agreement (ACSA) will be a key component in expanding bilateral peace and security relations.” This agreement, considered a milestone for bilateral defence relations, doesn’t however address co-operation in the cyber arena. A new agreement specifically addressing cyber security should be considered.
As a second step toward achieving a more secure cyberspace, the private sector must be included in any national or international cyber strategy. The private sector is the creator and the operator of the hardware and software. Considering the prevalence of cyberspace for economic development and that big data, cloud computing and IoT (Internet of Things) are key factors in determining national competitiveness, the public and private sectors must work together to enhance the protection of corporate intellectual property. Moreover, the mobile industry and industrial control systems (ICS) are also two areas where the private sector could make valuable contributions. Nowadays, IT systems are used in a variety of industries (energy, transportation, health, manufacturing, food, water, etc.) to improve the management of ICS that perform essential mechanical functions. But this increased connectivity also means potentially increased vulnerabilities. The private sector could develop more secure control systems, and also assess the vulnerabilities of its businesses. Canada and Japan both recognize the importance of establishing public-private cyber security co-operation and have already started to implement the foundations of such a partnership on a national level. However, an analysis of the private sector’s investments in cyber security has revealed that up to now, firms and corporations have underinvested in cyber security. 
To strengthen bilateral economic ties, Canada and Japan should collaborate in technology development and innovation, which includes the cyber security space. This can be achieved through the creation of stronger linkages between the two innovation ecosystems. The key to any technological development is private sector involvement and investment. Special government incentives could certainly encourage private sector engagement.
Furthermore, a study by the Center for Strategic and International Studies (CSIS) and Intel Security on the international shortage in cyber security skills showed that governments should invest more in education and training programs that include private sector internships to grow their cyber security workforces. The study indicated that many people with advanced degrees in cyber security have international backgrounds. As Canada and Japan are signatories to a visa waiver program, collaboration via student exchange programs including post-graduate internships could easily be facilitated offering invaluable opportunities for nascent experts to gain international experience.
Finally, as promoted by the Global Commission on Internet Governance, both countries should increase their collaboration in the international arena to advocate for an agreement to prevent the use of cyber technology to attack the core infrastructure of the Internet. Japan’s National Information Security Center (NISC) has already reiterated the importance of “promoting international rulemaking for ensuring stable use of cyberspace.” Indeed, only global co-operation between states can assure a secure Internet, and Canada and Japan would make excellent advocacy partners as they share many policy orientations and are both committed to multilateralism. Accordingly, they could use international forums, such as the United Nations, the G20, and regional organizations, to advance key elements of their cyber agenda, which includes promoting the applicability of international law in cyberspace to ensure Internet freedom, essential for economic growth. A key challenge faced by policy-makers is to actually translate policy directions into concrete work, so it is essential for like-minded countries such as Canada and Japan to work together to enforce concrete change. Canada, as a respected member of a number of regional security forums and dialogues in the Asia Pacific, and with its legacy as a leader in international peacekeeping, can help Japan in its efforts to influence key regional partners to work together to achieve a more secure cyberspace, which would also facilitate the achievement of peace and security in the region.
As Japan is one of Canada’s most stable and reliable partners in the Asia Pacific, the establishment of a bilateral agreement to co-operate on cyber security could help to refocus and bolster the relationship, which has become a bit too complacent in recent years.
 Deibert, R 2002, ' Circuits of Power: Security in the Internet Environment ', in J.N Rosenau & J.P Singh (eds.). Information Technologies and Global Politics. State University of New York Press, Albany, p. 115.
 Gordon, L.A, Loeb, M.P, Lucyshyn, W & Zhou, L 2015, ‘Increasing cybersecurity investments in private sector firms’, Journal of Cybersecurity, 1(1), 3–17, Doi: 10.1093/cybsec/tyv011