Author: Mihoko Matsubara, Pacific Forum CSIS
In July 2014, the Shinzo Abe cabinet took an epoch-making decision to change its interpretation of the Japanese constitution to recognise the right to collective self-defence. The Japanese government’s traditional interpretation of the constitution prohibited Japan from exercising the right to help the US, or Japan’s defence partners, in the case of an armed attack, even though Article 51 of the Charter of the United Nations authorises this.
The cabinet decision carries symbolic importance for Japan’s alliance with the US and defence partnerships with other countries, including Australia and the UK, as it signals Japan’s strong will to be a more proactive partner.
But the practical implications of the reinterpretation remain unclear, especially in cyber security cooperation. There are two reasons for this.
First, there is no internationally agreed upon definition of ‘armed attack’ in cyberspace to base the right to collective self-defence on. The North Atlantic Treaty Organization (NATO) agreed to extend Article 5 (on collective self-defence) of its Washington Treaty to include cyberspace. But NATO members have not reached an agreement on how the article should be applied.
This arises from the complicated nature of cyber-attacks. While some types of cyber-attacks such as distributed denial of service attacks and website defacements are hard not to notice, for others it is difficult to detect and identify the culprit in a timely manner due to their stealthy and borderless nature. It is challenging to provide an overarching, clear threshold of the duration, intensity and scope in which cyber-attacks would fully or partially constitute ‘armed attack’ to enable countries to respond under international law. An official, clear-cut definition to the public could prompt adversaries to launch cyber-attacks under the threshold and could hamper allies from responding collectively and swiftly when a new type of cyber-attack appears. It is also difficult to choose an appropriate counteroffensive measure — whether cyber, non-cyber or a combination of both — in the case of a stealthy attack when the government cannot necessarily identify the true cause quickly.
Second, although the July 2014 cabinet decision acknowledges increasing risks which prevent countries from ensuring free access to cyberspace, it does not specifically cover cyber security cooperation. The 15 scenarios where the right to collective self-defence can be exercised that were provided by the Japanese government do not include any cyber components.
The cabinet decision reflects a report submitted by an advisory panel to Prime Minister Abe in mid-May 2014, which recommended that the interpretation of the Japanese constitution allow Japan’s Self-Defense Forces to execute the right of collective self-defence when necessary. The advisory panel discussed whether collective self-defence could be applied to cyberspace in 2013, but the 2014 report avoided making any conclusions.
The report only observes that so far cyber-attacks have not been categorised as constituting an ‘armed attack’ but some cyber-attacks do satisfy the three necessary conditions for Japan to use force in its self-defence. These conditions are, first, that there is an imminent and illegitimate act of aggression against Japan; second, that there is no appropriate means to repel this incursion other than the use of force in self-defence; and third, that the use of force is confined to the minimum level needed to repel the attack. Following the cabinet decision in July 2014, the Japanese government redefined the first condition to cover not only Japan but also in some cases its ally and defence partners.
But these constraints do not mean that the reinterpretation of the Japanese constitution prohibits Japan from contributing to other countries’ cyber defences. Collective self-defence would require allies or defence partners to conduct more joint exercises to enhance their crisis communications and interoperability. Since military operations and critical infrastructure such as energy supplies, finance and medical services are increasingly reliant on computers and the internet, any alliance or defence partnership needs to consider cyber security to make their ties resilient. Accordingly, it is crucial to include cyber components in joint exercises to make them realistic.
Joint exercises are key to making joint operations seamless and increasing the capability of cyber defences. The Japanese and US governments have committed themselves to revise the US–Japan Defense Cooperation Guidelines by the end of this year and to include bilateral cooperation on cyber security in the revision. Holistic joint exercises and relevant information-sharing could make up an important part of the revision.
As military operations depend on the reliable operation of critical infrastructure, joint exercises should not be limited to military personnel. The involvement of industry is indispensable. When Abe met with UK Prime Minister David Cameron in London in May 2014, the two leaders signed the UK–Japan Sports Host to Host Agreement to share lessons learned from the London Olympic Games for the upcoming Tokyo Olympic Games in 2020. Since the Olympics demands multilayered public–private partnerships to ensure safety and security, this will prompt Japan and the UK to launch bilateral public–private partnerships for cyber security. Such cooperation may help to create a template for effective cyber security collective self-defence in the future.
Mihoko Matsubara is a senior cyber security analyst and adjunct fellow at the Pacific Forum CSIS. Views expressed here are her own.