The internet has come a long way since Vint Cerf and Bob Kahn developed the Transmission Control Protocol/Internet Protocol (TCP/IP) and made the pivotal decision not to put an upper limit on the number of networks that could be connected. Design choices matter; they define what is and isn’t possible, and, in this instance, set the rules for the hardware, products and services that connect to the modern internet. They also have the potential to give economic and political advantage to any party that can alter them. This potential has seen the technology and standards that underpin the consumer-focused internet become a new focus for geopolitical rivalry.
Japan and the UK – both G7, G20 and OECD members – have each struggled to cope with the capricious, sometimes aggressive behaviour of their strongest ally, the US, while not being able or willing to take a hard line with respect to China on issues like 5G. As China continues to rise as a technological power, and as the risk grows that the internet’s architecture fragments, it will be vital for like-minded allies such as the UK and Japan to continue to advocate the benefits to trade and social well-being of a single, open interoperable internet.
This essay builds on the discussions at Chatham House’s ‘Security at the Frontier’ event and explores the need for closer collaboration between the UK and Japan on cyber issues, particularly in the field of technical standards, 5G and norms for responsible state behaviour in cyberspace. At stake is the need to avoid fragmentation, and to preserve the original vision of a single, open, interoperable internet in the face of authoritarian alternatives.
Background – close allies with shared values
The UK and Japan are close allies and have deeply connected military alliances and defence industry supply chains.
In October 2020, the UK and Japan signed a Comprehensive Economic Partnership Agreement (CEPA). Although CEPA represents a necessary post-Brexit replication and adaption of the EU–Japan economic partnership, its contents reflect the extension of the UK–Japan bilateral coordination on cyber that has been taking place for more than 12 years. In 2018 the total value of trade between the two countries was £29 billion. Under CEPA, trade between the two nations is projected to increase by £15.2 billion.
The interconnectedness of the two nations’ economies generates shared interests and challenges. For instance, the UK holds an enormous interest in the cybersecurity of big Japanese industrial companies that play an important role in the UK’s critical national infrastructure including the energy, transport and financial sectors. Simultaneously, London and the UK are an important hub for Japanese businesses operating in the Europe, Middle East and Africa (EMEA) market.
With global spending on cybersecurity at $145 billion annually and predicted to grow to $1 trillion by 2035, the UK and Japan have the potential to take advantage of this growth by virtue of the complementary strengths of each of their economies. For instance, Japan’s highly developed manufacturing base is complemented by the UK’s decades of global leadership in intelligence and signals intelligence, and its strong bases of intellectual property and talent development in advanced cybersecurity capabilities (such as artificial intelligence and machine learning), threat intelligence, and identifying insider threats.
These complementary strengths present opportunities for Japan and the UK to work together on joint commercial projects and towards a common vision for the internet. This is particularly important in the field of supply chain assurance in telecommunications, including in space technology, where there is a pressing need to ensure a diversity of products and services in the market, such as in the supply chain for 5G equipment.
Today, both governments find themselves working to meet the connectivity, skills and research and development (R&D) needs of their increasingly technology-focused economies, while becoming uncomfortably wedged between the US and China, unable to completely meet the demands of either party and risking compromise of their own national interests. Fortunately, the two nations’ deeply intertwined economic interests, their shared interest in an open digital economy, and mutual security dependencies present a number of natural opportunities to collaborate. These opportunities hold the potential to help both nations to navigate an increasingly tense geopolitical dynamic as natural partners in promoting a free, open, peaceful, fair and secure cyberspace.
Shared interests, shared opportunities
Responsible state behaviour in cyberspace
The UK and Japan’s shared interests have led to high-level recognition of each other as natural partners in promoting a rules-based international order in cyberspace and as each other’s ‘closest security partners respectively in Asia and Europe’.
There is close bilateral communication between the two governments in the areas of cybersecurity and international law (as it relates to cybersecurity and stability), and the countries coordinate in multilateral forums, including the United Nations Group of Governmental Experts (UNGGE) on advancing responsible state behaviour in cyberspace and the Open-Ended Working Group (OEWG). Both Japan and the UK have historically supported the applicability of existing international law to cyberspace. Now that UN states have agreed that international law applies to cyberspace, the debate has moved to resolving the question of how it applies.
In recent years, discussion on the application of existing international law to cyberspace tended to focus on use of force (and armed conflict). But cyber operations rarely reach the required threshold to be considered a use of force under international law. This has re-emerged as a pressing issue in the context of the COVID-19 pandemic, which has seen a dramatic increase in the number of cyberattacks on critical national infrastructure, medical facilities and vaccine research centres.
These circumstances have brought concepts such as the relationship between sovereignty and cyberspace, legal mechanisms for attribution to states, and the applicability of due diligence obligations to cyberattacks to the top of policymakers’ agendas. Japan and the UK have slightly differing interpretations on the application of international law to cyberspace, with the UK being more cautious about admitting the existence of violation of sovereignty beyond the principle of non-intervention. In general, however, the two states are well aligned on the importance of striking the right balance between freedom and regulation. Moving forward, there is an opportunity to create a closer dialogue between the UK and Japan across all stakeholder groups, including legal, technical, security and trade experts as well as civil society.
Norms for responsible state behaviour in cyberspace
Over the past five years, there has been intense activity by states in internet governance dialogues as well as extensive forum shopping – i.e. picking which conventions to respect – by a number of states that are developing and promoting different visions for the internet.
The UK–Japan joint declaration on security cooperation highlights cyberspace as a key area for collaboration and emphasizes the importance of common ground. The slight differences between the UK and Japan on the application of international law to cyberspace do not override the fact that these are democratic allies able to work together to promote responsible state behaviour, based on shared values and voluntary actions to foster peace and stability in cyberspace.
Data governance and the free flow of data
The UK and Japan have been working in concert for 12 years to sustain an open digital economy. Central to these efforts has been their collaboration in international forums to maintain the free flow of data. Both Japan and the UK have been working to support the global market in digital products and services by continuing the work of the G20 Osaka Track in ensuring the free flow of data across international borders. The two countries also work together through the G7 to promote best practice cyber regulation, through the UNGGE to agree norms for responsible state behaviour in cyberspace, and through the Regional Forum of the Association of Southeast Asian Nations (ASEAN).
Although the 2020 CEPA bears a striking resemblance to the EU–Japan Economic Partnership Agreement, there are substantial differences between the two agreements in promoting the free flow of data. The CEPA has introduced provisions to facilitate the cross-border flow of data, a prohibition on unjustified data localization requirements, commitments to net neutrality, and provisions for source code protections. The agreement is meant to provide clear rules on the cross-border transfer of data and to grant greater protection of trade secrets related to algorithms and encryption. As trends for data sovereignty and data localization laws continue, it will be vital to maintain strong advocacy for the free flow of data across borders.
Additionally, there is close cooperation between both countries’ regulatory bodies: the Bank of England works closely with the financial services payments agency of Japan on financial cybersecurity regulation. Both countries share a view on the importance of ensuring interoperability between different regulatory regimes across the world to promote low-friction trade in both products and services. They will also be looking to further this in relevant forums, such as in the Kyoto symposium on IoT security standards, while building on work that has been undertaken on the topic by the EU.
Huawei and 5G
For the past two years, what would previously have been a purely technical decision over procuring 5G infrastructure has been blown into a hotly contested political issue, elevated even to the level of heads of state. US concerns about the inclusion of 5G technology supplied by Huawei in critical national infrastructure, combined with a lack of choice of providers in the 5G marketplace, have placed both the UK and Japan in a difficult position.
By denying Huawei access to part or the whole of a country’s telecommunications infrastructure, countries are denying themselves access to functionality at a highly competitive price and putting themselves in the position of having to spend hundreds of millions of dollars to replace the legacy Huawei technology that is already in their infrastructure. Neither the UK nor Japan wishes to alienate China, which could jeopardize extensive business relationships and inward investment. Yet each country must balance short-term and long-term security interests with its ongoing need for cost-effective industrial development.
When the controversy over 5G started to emerge in late 2018, both the UK and Japan were unable to commit themselves to an immediate outright ban, given the existing Huawei technology in their legacy systems (2G, 3G and 4G, on which the 5G infrastructure depends).
Opportunities for closer collaboration
Diversification of 5G equipment
The market for 5G equipment has three competitors currently with the proven capacity and capability to build out an entire country’s network. The UK’s ban on Huawei has reduced the market to two competitors, Nokia and Ericsson, and thus introduces a different kind of cybersecurity risk in the event that one of those suppliers fails.
The complementary industrial bases of the UK and Japan present a unique opportunity to collaborate to encourage diversification in the 5G supply chain – as demonstrated by the UK’s recent trial with the Japanese supplier NEC to test their equipment in the UK market. The UK government has also brought forward publication of a diversification strategy for the 5G supply chain. However, it is recognized that the market has significant barriers to entry and that existing customers (mobile operators) are understandably risk-averse in their purchasing behaviour.
While there is the potential to reduce vendor lock-in through the adoption of interoperable components using Open RAN, recent evidence indicates that Open RAN, although exciting, is not yet ready to build out at sufficient scale to be a viable alternative to Nokia and Ericsson and that ‘there is more promise potentially from the vendors that are somewhat established, the Samsungs and the NECs’.
A further opportunity to make an impact could arise from leveraging UK–Japan cooperation in the financial sector, to ensure that promising start-ups have access to finance and to minimize the risk of early buy-out by potentially hostile states.
Technical standards in the UN and the risk of fragmentation
At the announcement of the Osaka track of the G20 in 2019, the then director-general of the World Trade Organization (WTO), Roberto Azevêdo, stated, ‘A fragmentation would hurt us all’.
Increasing divergence in technical approaches to internet governance in international forums is forcing many nation states to re-examine previous assumptions that the internet’s basic infrastructure will remain the same. To date, the internet’s architecture has served its global community of users well. Even during the pandemic, when traffic is estimated to have gone up by 30 to 50 per cent, the internet has remained stable and resilient, supporting mass uptake, bandwidth-hungry video-conferencing and streaming applications.
Given the UK and Japan’s shared interests in supporting the continuing free flow of data, there are growing concerns over China’s proposals, made within the International Telecommunication Union (ITU), to standardize alternative architectures for the internet. If adopted, the proposals would create a new vision and architecture for the internet and would replace the lightweight, interoperable protocols that hold the internet together and make it work.
The choice of forum is significant, as the ITU standards enjoy protections under WTO rules, in that equipment bearing those standards cannot be barred in international trade. So, there could be no repeat of the trade bans implemented against Huawei by several countries over the past five years.
Many commentators are sceptical that China’s vision for a new internet would ever be successful, or that its proposals answer a real technical need. However, it is foreseeable that there could be an appetite for a different kind of internet from some countries, one that is optimized for the surveillance of its users. China’s existing trade relationships through the Belt and Road Initiative, combined with its generosity towards developing countries in terms of providing technical infrastructure and equipment, could assist in creating a de facto ‘splinternet’.
It is important for like-minded states with advanced technology capabilities – such as the UK and Japan – to work cooperatively to reduce geopolitical tensions and to promote shared values and the benefits of a single, interoperable internet based on openness and democratic values. Closer coordination on shaping the agendas of international institutions and encouragement of their respective private-sector technological innovators to participate more actively in standards bodies could help to achieve these goals.
Challenges – language and cyber preparedness
While there is an urgent need to strengthen UK–Japan collaboration, and further opportunities for closer cooperation to address pressing issues, there are also challenges.
Language remains a barrier in UK–Japan relations and may limit access to technologies even for prosperous and sophisticated users. While the internet has collapsed distance and enabled the free flow of data across borders, the web and domain name systems continue to favour the English language and Latin scripts.
For example, Japan has roughly twice the population of the UK, a GDP of $5 trillion compared to the UK’s $2.8 trillion, and similar rates of GDP per capita (~$40,000). Yet, while the .uk domain registry has more than 10 million registrations, Japan’s .jp recently announced that it had reached 1.6 million, a long way short of the top 10 country code top-level domains. Cooperation between engineers in Japan, China and South Korea in the early 2000s resulted in technical standards to support their shared character sets. Yet, so-called ‘internationalized’ domain names are still poorly supported and do not work well in key applications like email, as unique identifiers for customer accounts in social media or even in some web browsers, inhibiting their uptake. English is the language of 60 per cent of web content, a proportion that has been growing year-on-year. Japanese represents just 2 per cent of web content.
In the cybersecurity field, the language issue has accentuated an existing divide. The UK, sharing a common language with the US, has been subjected to large-scale cyberattacks both from states and non-state actors for many years. As a result, the UK has developed significant capabilities in the cybersecurity industry as well as in its signals intelligence agency GCHQ and its public-facing National Cyber Security Centre. Meanwhile, Japan has been relatively shielded to date, perhaps due to its language. This has translated into a comparatively low level of cyber resilience and preparedness in comparison with international partners. As a result of its experience, the UK government and its agencies are in a unique position to work with the Japanese government and private sector to enhance existing capacities and share cybersecurity best practices. Furthermore, the UK’s universities and commercial cybersecurity sector are well placed to work with Japanese multinationals to improve their cyber resilience. This work may be especially useful if the Tokyo Olympics go ahead in 2021, as they are likely to attract significant cyber activity by hostile parties, as previous events have experienced.
Conclusions
The UK–Japan relationship on cybersecurity highlights shared values, mutual respect and goodwill, and an appetite to do business together. At the same time, there exists a sense of unfulfilled potential, perhaps because of language barriers, physical distance and limitations in the abilities to understand one another fully.
This essay has briefly summarized the areas where the two states could harness untapped potential for closer cooperation in matters of cybersecurity: diversification of the 5G equipment market; coordination over technical standards to maintain the free flow of data across borders and avoid fragmentation; and in developing norms for responsible state behaviour in cyberspace.
As we stand on the threshold of a new decade that is likely to see the dominance of an authoritarian technological superpower, it will be all the more important for states such as Japan and the UK, with similar values on communication, to find and extend common ground. Together, the two states can advocate for a positive vision of a single, global, interoperable internet, which improves language diversity, and removes barriers to the free flow of data across borders.