Cyber Cooperation in Northeast Asia

An Interview with James Lewis

By Julia Oh
March 17, 2015

Two developments in 2014 complicated the regional cybersecurity environment in Northeast Asia. In May, five Chinese People’s Liberation Army (PLA) officers were indicted by the U.S. Department of Justice for cyberespionage. In November, the hacker group Guardians of Peace attacked Sony Pictures Entertainment, and reports indicate that North Korea was very likely behind this cyberattack as retaliation for Sony’s recent film The Interview.

In this Q&A, James Lewis, senior fellow at the Center for Strategic and International Studies (CSIS) and director of the Strategic Technologies Program, examines the current status of cyber cooperation in Northeast Asia and assesses the political and security implications for U.S. foreign policy.

Northeast Asian countries have actively adopted the newest computer technology and developed high-speed Internet infrastructure. But there have not been significant efforts made to establish a basis for safe use of cyberspace. What is the region’s significance for international cybersecurity, and what is the current status of cyber cooperation in Northeast Asia?

Northeast Asia, along with the Persian Gulf, is one of the flashpoints for cybersecurity. All six major parties in this region—China, South and North Korea, Japan, the United States, and Russia—use cyber technics in some way. However, the lack of a regional security mechanism hinders progress toward greater security.

While in Southeast Asia there is the ASEAN Regional Forum and in Europe there is the Organization for Security Co-operation in Europe (OSCE), no similar organization exists in Northeast Asia, which hampers regional countries’ ability to cooperate on cybersecurity.

There have been some efforts toward cooperation with mixed outcomes. The Asia-Pacific Economic Cooperation (APEC) has done a good job on business-related issues, such as privacy and data protection, but has not done as much work on security-oriented issues.

In October 2014, South Korea introduced an initiative to create a Northeast Asia security framework, but it has not made much progress. Additionally, there has been a trilateral effort by Japan, China, and South Korea to get their computer emergency response teams to communicate, which has had moderate success but is very technical.

Likewise, efforts at the political level to foster trilateral and quadrilateral cooperation between Japan, South Korea, China, and the United States have not succeeded in creating a permanent mechanism for discussion of cybersecurity issues. People have been striving for 30 years to create a security framework for Northeast Asia. These efforts haven’t produced a framework on any other security issue, and I don’t think cybersecurity will be different.

What is the most likely scenario for cyber cooperation in the region—for example, reaching a formal agreement with rules and binding results or establishing a regional institution—and what kind of steps should the regional players take?

A formal agreement on cyber cooperation in Northeast Asia is not possible given the number of uncertainties and the level of mistrust.

Basically, the biggest hurdle is that two groups of countries hold very different attitudes toward the Internet. On the one hand, the three Communist or former Communist countries—Russia, China, and North Korea—do not support a free Internet. On the other hand, South Korea, Japan, and the United States are democracies that tolerate free speech. In addition, there is real tension because China, Russia, the United States, and North Korea have all developed military cyberattack capabilities and are reluctant to talk about them. Lack of mechanisms, political disagreements, and secrecy all make the problem very complicated.

A possible scenario for cyber cooperation in Northeast Asia could begin with a document on a global level. The discussion on information and telecommunications at the United Nations includes all five permanent members of the UN Security Council as well as South Korea and Japan. A formal agreement in Northeast Asia could be built on these discussions and applied in a regional context.

However, there are two problems with this approach. First, Russia may not agree to cooperate due to the fallout with Western countries over Crimea. Second, North Korea has never agreed to sit down and discuss these issues—the regime is not going to be cooperative on cybersecurity any more than on the nuclear issues. Although there won’t be a replay of the six-party talks for cybersecurity, it is not a bad goal to have in mind for some time far in the future. Serious obstacles exist that explain why others who have been attempting for the last few years to get some sort of cooperative arrangement have failed to achieve any results. Political differences, competition for regional influence, and a general desire to undermine the U.S. position in Asia all work against cooperation with Russia and China.

In a statement following the Sony attack, Secretary Kerry mentioned the importance of partnering with other nations to resolve cybersecurity issues, and the United States and South Korea are planning to strengthen their security alliance again early this year at the second Cyber Cooperation Working Group. What has the United States done to date in terms of partnering with Northeast Asian countries on this issue? What is the impact of bilateral cooperation between the United States and its allies in the region?

The bilateral cooperation between United States and its allies in Northeast Asia follows a traditional pattern and uses bilateral mechanisms because there is no equivalent to the North Atlantic Treaty Organization (NATO). NATO as an organization works with all of its members to create better cyberdefenses. In Asia, the United States works bilaterally with all of its treaty allies to add cybersecurity to their mutual defense arrangements and has added cybersecuirty to its defense agreements with Australia and Japan. These bilateral efforts make China and Russia a little nervous, because they think these maneuvers are directed against them, so that complicates things somewhat. Ultimately, however, such bilateral cooperation is a good thing because it makes clear what mutual defense means in cyberspace.

It seems that cooperation between the United States and China is essential for further regional cooperation on cybersecurity. What are the challenges for greater cooperation between these two countries with advanced cyber capabilities?

It’s been a very difficult relationship. Both sides would like to cooperate, and are well aware of the importance of cybersecurity, but the differences between them have been a factor in slowing progress. In my recent discussions with Chinese diplomats, one official said that “the only reason you asked us to help you with the Sony attack was to complicate our relationship with North Korea.” So the level of distrust is very high, and it will take long time to build cooperation.

Different economic structures are another challenge. Both China and the United States have been very active in cyberespionage; we object to what they do to us, and they object to what we do to them. The difference is that China engages in economic espionage, while the United States does not. In this context, the U.S. demands for China to observes it WTO obligations and protect intellectual property will add problems for cyber cooperation in Northeast Asia. Although some people say that similar intellectual property issues emerged when South Korea and Japan were developing, the case of China is different, if only because the Internet makes obtaining intellectual property in quantity so much easier. Advanced Internet infrastructure is closely linked to cyberespionage. Addressing the Chinese problem on intellectual property protection is crucial for Northeast Asian security but is very difficult. You are basically asking the PLA to stop making money, and that will never be popular.

Has any progress been made on increasing the transparency of cyber cooperation negotiations to build more cohesive measures?

The United States and China have made fair progress on increasing transparency in both formal and informal discussions on cybersecurity doctrine and policy. CSIS and its Chinese counterpart—the China Institutes of Contemporary International Relations—recently held their ninth round of Track 1.5 talks, which was attended by more than a dozen officials on each side. The United States and Russia also have made some good progress on transparency. In 2012, the two sides began talking about bilateral cooperation on cybersecurity, and they were able to agree as a first step on confidence-building measures, including exchange of documents, regular meetings, and a hotline for cybersecurity incidents. This is pretty basic, but at least it is a step in the right direction.

No other countries in Asia are this far along, so that is a dilemma. The risk here is that unless there is an agreement on what state responsibility is, countries will feel free to do whatever they like in cyberspace.

In your book Cyber Security: Turning National Solutions into International Cooperation, you wrote that   ”although cyber security is often presented as a national security issue, it could be better addressed as an economic and law enforcement issue.” Is there any room for private-sector or nonstate actors to contribute to cybersecurity cooperations?

It might be easier for nonstate actors to begin discussions because negotiations between government officials can be very difficult. So if you can involve universities, research institutions, or private groups in discussions, it could be easier to get people together. Ultimately, government actors must join discussions, but at least starting with nonstate actors might be very valuable. In Northeast Asia, universities and research institutions can play an important role as a mechanism for people to talk seriously about these issues.

There has been an effort to involve the private sector in the United States. It is absolutely crucial that the private sector take the lead on issues such as privacy, trade, commerce, and critical infrastructure protection, while the government should take the lead on issues of warfare and diplomacy.

Julia Oh is an Atlas Corps Fellow with the Political and Security Affairs group at NBR.

