UK–Japan Cyber Partnership
What Next for the UK–Japan Cyber Partnership?
Joseph Jarnecki, et al. | 2024.09.12
Agreed strategic priorities and concrete activities demonstrate that the UK–Japan Cyber Partnership has momentum. They also reflect the commitment of each to cyber as an international policy area.
The UK–Japan Cyber Partnership demonstrates the value of targeted engagement driven by operational activities across multiple policy areas. Effort should now be made to ensure that the momentum that has defined the first year of the Partnership is sustained, that challenges are overcome, and that the impact of engagement on cyber continues to grow.
This paper examines the UK–Japan Cyber Partnership and considers the factors that determine how it functions. It recommends further activities for the Partnership to undertake within its existing strategic priorities, and advocates for an expanded scope. The paper makes the following recommendations:
- Capability development. Japan and the UK should expand mutual efforts on personnel development through training, exchanges and exercises. Furthermore, continued dialogue on policies to retain and recruit technical personnel will ensure best practices are mainstreamed. Similarly, establishing trusted and secure processes to share information and intelligence is crucial to driving greater depth and breadth of engagement.
- Public–private partnerships (PPPs). The UK and Japan should amplify cyber engagement led by non-governmental stakeholders: for example, emerging regional cyber clusters should be encouraged to continue developing bilateral partnerships. Efforts should also be made to promote connections between sectoral Information Sharing and Analysis Centres. Both governments should take a more proactive approach to expanding and supporting commercial cyber-security engagement, through facilitating partnerships and identifying areas of competitive advantage. Finally, existing efforts to promote bilateral involvement in national PPPs, such as Industry 100, should be expanded.
- Advancing shared international interests. There is significant opportunity and willingness to expand bilateral cooperation on cyber capacity building across ASEAN and the wider Indo-Pacific, and to provide targeted support to deter adversaries. Japan and the UK should also pursue closer collaboration to promote global rules and norms in cyberspace by working together, conducting joint attributions, and so on. Both should also consider how to align their approaches to providing proactive international cyber crisis support.
- Cyber-resilient ecosystems. The UK and Japan should continue expanding the scope of the Partnership in response to need and opportunity. “Cyber-resilient ecosystems”, understood as cooperation on reforms to government structures, legislation, regulation and resilience, is one such area. The UK and Japan should further explore alignment on cyber-security professional standards, and establish a bi-annual dialogue on standards and interoperability.
Other activities the UK and Japan should undertake include: sufficiently funding engagement activities; trialling deeper cooperation on cyber education; and regularly assessing the progress of the Partnership.
The paper’s findings, which inform these recommendations, are that:
- There is currently momentum, enthusiasm and opportunity to continue and expand the UK–Japan Cyber Partnership.
- Cyber security is both a distinct activity within the bilateral relationship and an enabler for further activities, for example in national security and defence.
- Cooperation can be expanded on reforms to Japan and the UK’s cyber ecosystems, but it must be undertaken as peers.
- Japan’s commitment to reforming government structures, improving information security and developing capabilities will be decisive in deepening the Partnership.
- Persistent challenges and obstacles impact the tempo and scope of the Partnership.
It is important that the Partnership remains on its current trajectory. Stakeholders across both countries believe that the Partnership has positive momentum and that there is space to expand engagement. Seizing this opportunity, while avoiding wasteful or unnecessary activities, can advance the wider bilateral relationship. As Japan and the UK expand their bilateral partnership, cyber security can be a springboard to achieve operational successes and enable broader strategic engagement.
Introduction
In 2012, the UK and Japan signed a joint statement agreeing they were “each other’s most important partners in Asia and Europe, respectively”. Since then, the bilateral relationship has benefited from successive governments in each country prioritising engagement. Shared interests on diverse issues have presented opportunities for cooperation. To reiterate the importance of the Japan–UK relationship and to continue expanding the strategic partnership, the two countries agreed the Hiroshima Accord in May 2023. The Accord provides a strategic framing for the relationship by setting out the following bilateral priorities:
- Economic prosperity underpinned by technology.
- Global resilience against threats such as climate change.
- Defence and security, within which there is a specific commitment to a UK–Japan cyber partnership.
The UK–Japan Cyber Partnership is a landmark agreement to pursue a “full spectrum” of cyber cooperation, based on core strategic areas of cooperation:
- Strengthening public–private partnerships (PPPs).
- Enhancing cyber capabilities.
- Advancing shared international interests.
These strategic commitments have informed initiatives pursued under the Partnership, for example the meeting of the Japan Business Federation (“Keidanren”) with the UK’s National Cyber Advisory Board (NCAB), and joint exercises conducted by Japan’s Self-Defense Forces (SDF) and the British armed forces.
Agreed strategic priorities and concrete activities demonstrate that the UK–Japan Cyber Partnership has momentum. They also reflect the commitment of each country to cyber as an international policy area. The progress of the Partnership to date shows the value of bilateral engagement on cyber, not just as one part of broader UK–Japan cooperation, but also as an enabler of other dimensions, such as defence industry cooperation, economic security and resilience. Priorities should be: determining which of the Partnership’s initiatives have been effective; examining why this is; and identifying how to further increase engagement.
To further develop the UK–Japan Cyber Partnership, both countries should regularly reassess existing initiatives and anticipate future opportunities. They should consider the following questions:
- What activities are currently pursued under the Cyber Partnership and how do these contribute to bilateral objectives?
- Could the Cyber Partnership be better leveraged to meet additional national cyber priorities?
- What further activities and areas of strategic engagement should be considered for the Partnership?
This paper proposes a sustainable and deliberate expansion of the breadth and depth of the Cyber Partnership to further address existing mutual strategic priorities. Chapter I provides background on the UK–Japan relationship and the two countries’ respective cyber ecosystems. Chapter II outlines cyber engagement activities, detailing the actors involved and their remits. Chapter III examines how the strategic priorities of the Cyber Partnership align with wider bilateral cooperation, and whether national cyber strategies reveal additional areas for cooperation. Chapter IV offers strategic considerations for the Partnership and recommends further activities across its existing scope, as well as proposing an additional pillar: “cyber-resilient ecosystems”.
Methodology
Research for this paper was conducted as part of the Indo-Pacific Cyber Programme, funded by the UK’s Foreign, Commonwealth & Development Office (FCDO). The programme is delivered by a consortium, of which RUSI is a member.
Research for this paper was conducted between November 2023 and February 2024. It consisted of qualitative research methods: a rapid evidence assessment; semi-structured interviews; and a roundtable.
- Rapid evidence assessment: Researchers conducted a short review of open source academic and grey literature published in the past 15 years.
- Semi-structured interviews: Researchers conducted 29 semi-structured interviews, both online and in person in London and Tokyo, with UK and Japanese stakeholders in the public, private and civil society sectors. The interviews took place between November 2023 and February 2024. All interview data has been anonymised.
- Roundtable: Researchers ran one data-gathering roundtable for stakeholders to discuss relevant thematic issues, including respective approaches to cyber governance and PPPs on cyber security. There were more than 15 participants, primarily from the Japanese private sector. The roundtable was held as an in-person event in London on 18 January 2024.
Limitations
The research for this paper has made limited use of literature or interviews in Japanese. One researcher, a Japanese speaker, conducted some discussions with relevant stakeholders in Japanese. The research team also used online translation software (Google Translate and DeepL) to review limited Japanese-language literature. Researchers acknowledge the limitations of non-bilingual data-gathering in identifying comprehensive findings and would welcome further research conducted by Japanese think tanks and academia.
I. The Shape of Cyber Ecosystems in the UK and Japan
This chapter provides context on the cyber ecosystems of the UK and Japan, and the factors that shape the UK–Japan Cyber Partnership.
National Cyber Posture and Governance
The UK and Japan score well on international cyber rankings. The International Telecommunication Union’s Global Cybersecurity Index ranked the UK 2nd and Japan 7th globally in 2020. Similarly, the UK is ranked 9th on the e-Governance Academy’s National Cyber Security Index 2016–2023, with Japan ranked 52nd. While Japan has increased its focus on cyber security in recent years, partners have urged the country to move faster. Comments in particular from US Admiral Dennis Blair and then Director of the US National Security Agency, Paul Nakasone, have emphasised Japan’s need to match the capabilities of its allies and partners. The need is recognised in the commitment in Japan’s 2022 National Security Strategy for response capabilities in cyber security to be “strengthened equal to or surpassing the level of leading Western countries”.
Motivating the shared focus on cyber security of both the UK and Japan is the growing cyber threat. Ransomware attacks conducted by cyber-criminals in 2023 included those on the Port of Nagoya in Japan and on the British Library in London, inflicting significant financial and societal damage. It has been estimated that cybercrime against businesses has cost the UK over £30 billion per annum, with interview data suggesting that Japan also experiences significant costs. State-sponsored attackers are a persistent threat. Cyber attackers affiliated to China have been associated with a hack into Japan’s military in 2020, and into the UK Electoral Commission in 2022. Interstate competition, reflecting geopolitical tensions, has driven greater attention towards national cyber defence in both countries.
The UK significantly reformed its national approach to cyber security in 2016 by establishing the National Cyber Security Centre (NCSC) as a central authority. The NCSC is part of GCHQ. The closest equivalent to the NCSC in Japan is the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which sits within the prime minister’s office. Compared with the NCSC, the NISC has limited cross-government influence or powers beyond convening; moreover, it does not have a permanent staff – officials are seconded from industry and other parts of government. Furthermore, the NISC has many fewer technical personnel than the NCSC. Technical officials sit instead within the Information Technology Protection Agency (IPA) and the National Institute of Information and Communications Technology (NICT). Japan’s 2022 National Security Strategy commits to restructuring the NISC into a new organisation that can “comprehensively coordinate [cyber] policies” – interviewees indicated that the UK’s NCSC may be used as a model.
Both countries have had several national cyber strategies. The UK launched its first strategy in 2009, Japan in 2013. The UK’s current National Cyber Strategy 2022 outlines five central pillars: the domestic cyber ecosystem; national cyber resilience; achieving technological advantage; pursuing global leadership; and countering threats. Japan’s 2021 national cyber-security strategy, Cybersecurity for All, has three pillars: promoting socioeconomic development; safety and security in a digital society; and contributing to international peace and stability. Across their strategies, both countries acknowledge the importance of taking a multi-stakeholder approach – the UK refers to this as a “whole of society” approach, Japan as a “whole of nation” approach.
Drivers of Bilateral Cyber Engagement
Research participants identified several factors that support continued buy-in to the Cyber Partnership across both countries.
First, several participants noted that the Cyber Partnership and the wider bilateral relationship are mutually reinforcing. Activities that build trust in one another’s cyber capabilities reassure each country that wider cooperation is secure. Likewise, cooperation on diverse activities, such as defence and security or standards development, encourages deeper engagement on cyber security. The Global Combat Air Programme (GCAP), the UK–Japan–Italy initiative to build a sixth-generation fighter jet, was regularly cited by interviewees as an example of how cyber-security engagement is a requirement for and enabler of the wider bilateral relationship. Were high-level domestic commitments to the relationship to weaken, there is a risk that the Cyber Partnership would lose the momentum built around the Hiroshima Accord. For example, if a headline activity such as the GCAP experienced significant and public issues, they could undermine other activities. To deepen the Cyber Partnership, it is important to continue making the case for engagement on cyber security, and to entrench operational areas of cooperation that will maintain a close and trusting relationship. Choosing the right framing for activities under the Partnership and adopting a long-term mindset, including bilateral exchanges or multi-year commitments to joint exercises, is thus a valuable way to harness the opportunities the partnership presents.
A second factor identified by participants that drives the Cyber Partnership is geopolitical alignment. Under the late former prime minister, Shinzo Abe, Japan revitalised its approach to defence and security, modifying the interpretation of its right to “collective self-defence” (“集団的自衛権”) and pioneering the vision of a “Free and Open Indo-Pacific”. Japan’s cyber strategy has drawn on these ambitious changes in advocating for a “free, fair and secure” cyberspace, a call supported by various reforms, such as the introduction of “active cyber defence” (ACD – for differences in understandings of ACD, see next section, “Common Misunderstandings”). The UK has committed to supporting a free and open Indo-Pacific, and the country’s Indo-Pacific “tilt”, confirmed as a permanent pillar of UK strategy in the Integrated Review Refresh 2023, emphasises the relationship with Japan. Similarly to Japan, the UK is committed to a “free, open, peaceful and secure cyberspace”. Amid geopolitical tensions, the two countries align on major international security issues, such as supporting Ukraine against Russia’s illegal invasion and engaging with Taiwan on building resilience. The Cyber Partnership has thus far benefited from bilateral alignment and there is little reason to expect this to change in the coming years, with neither the UK Labour Party nor Japan’s Liberal Democratic Party showing signs of reneging on the commitment at the time of writing.
Third, several Japanese research participants remarked that their perception of the UK as a “first mover”, its transparency on various aspects of cyber policy and its comparable size all motivated engagement. The UK was regarded by research participants as a first mover for convening the AI Safety Summit and co-leading the Pall Mall Process in 2023. Compared with the US, the UK was also seen as more similar to Japan in terms of scale, spending power and cultural attitudes, among other things. When discussing transparency on cyber policy, interviewees referred to the UK National Cyber Force’s guidance on “Responsible Cyber Power in Practice”, which outlines how and why the UK conducts cyber operations.
Finally, multiple participants emphasised the importance of trusted in-country representatives as facilitators and enablers of the Partnership. Participants specifically praised the efforts of embassy officials in London and Tokyo who focus on cyber aspects of the bilateral relationship. Their presence ensures that cyber-specific face-to-face meetings can regularly take place. This offsets the obstacle of geographic distance, which can increase the time and financial commitment required for Japan–UK government engagement.
Common Misunderstandings
The UK–Japan Cyber Partnership is impacted by different uses of terminology and a low awareness of respective capabilities.
Misunderstanding can arise where key concepts are used differently, for example ACD. In the UK, ACD is a programme of interventions led by the NCSC to tackle high-volume commodity attacks. In its 2022 National Security Strategy, Japan committed to its own version of ACD, consisting of three activity areas:
- Advancing information sharing from the private sector to government in the event of cyber attacks, and improving incident response.
- Working with domestic telecommunications providers to identify and block malicious activity.
- Establishing required authorities for government to “penetrate and neutralize attacker’s servers and others in advance” of cyber attacks.
From this definition, some members of Japanese civil society understand ACD as creating expanded scope for surveillance and permitting extra-territorial offensive cyber operations. This has raised questions about whether ACD violates the constitutional right to privacy and secret communications, and about Japan’s application of the principle of self-defence. Political sensitivity about ACD has delayed its implementation and created scepticism among potential private sector partners. ACD has also created some confusion in the bilateral relationship, as the UK and Japanese definitions and approaches differ. Some interviewees reported that translations of Japanese ACD activity areas have been confusing. For example, one interviewee remarked that “侵入・無害”, translated in the English language version of the National Security Strategy as to “penetrate and neutralize”, does not necessarily include the “and” in Japanese.
The language barrier has meant that difficulties in aligning understandings of strategic and policy frameworks are reproduced to some extent at an operational level – neither the UK nor Japan has a strong reputation for linguistic aptitude. In some cases, slightly different Japanese phrases are used for the same term in English. For example, the broad English term “information sharing” is translated as “情報交換” (which has connotations of exchange), but also as “情報共有” (which has connotations of common ownership). In other cases, terminology is imported into Japanese discourse from English through transliteration, rather than translation. For example, the transliteration of “attribution” as “アトリビューション” introduces a degree of uncertainty as to whether this is best represented in Japanese as “特定” (“specify”) or “帰属” (“attribute”). Awareness of nuanced differences and attention to precise detail in communication will mitigate such problems and help manage expectations in the Partnership.
Research participants generally reported that Japan’s cyber-security capability is low in all areas. They frequently cited well-known issues about Japan’s information security, particularly in the defence sector, as evidence. Nonetheless, there are also capabilities which are often overlooked. Multiple Japanese ministries have had PPPs since the early 2010s. The Ministry of Economy, Trade and Industry (METI) has the Initiative for Cyber Security Information-Sharing Partnership of Japan, the Ministry of Defense (JMoD) has the Cyber Defense Council, and the National Police Authority (NPA) has the Japan Cybercrime Control Center. Additionally, Japan’s International Cooperation Agency (JICA), which sits under the Ministry of Foreign Affairs (MOFA), has established a cyber-security capacity-building centre with ASEAN to train government and critical national infrastructure professionals. Concerns about Japan’s cyber-security capabilities, particularly related to information security, are well founded and widely acknowledged. Nonetheless, a one-dimensional understanding of Japan’s cyber capability discounts the progress that has been made and implies that peer-to-peer engagement is out of reach. No country has a perfect record. A mature and sustainable UK–Japan cyber partnership should honestly acknowledge where each country needs to improve, while appreciating how the other’s existing and emerging strengths can improve mutual resilience.
II. Cyber Engagement: Progress So Far
This chapter provides an overview of UK–Japan cyber engagement activities and assesses their composition and intent.
Partnership Activities and Engaged Actors
Table 1 shows cyber engagement activities between the UK and Japan. Listed activities are linked with relevant actors, assigned a type of engagement, and assessed as to whether they align with the themes of the UK–Japan Cyber Partnership.
The activities outlined in Table 1 were identified through interviews and from open source information. As far as the authors are aware, Japan and the UK do not maintain a shared list or overview of all activities under the Partnership. By collecting activities which can reasonably be linked to bilateral cyber cooperation and assigning them a theme, type and responsible actors, the table provides a snapshot of the Partnership. This snapshot is not an authoritative list of activities under the Partnership, as it is not confirmed by either government, nor did the research take place at a classified level. Assumptions based on the list of activities must therefore be made with caution and with the awareness that the list may not be conclusive.
▲ Table 1: Overview of Cyber Partnership Activities, 2023–24. Source: The authors, based on interviews and open source information. Notes: For acronym meanings, please refer to the Abbreviations list at the start of the paper. “Themes” include specific priorities of the UK–Japan Cyber Partnership – PPPs, capability development and advancing shared international interests – as well as governance and miscellaneous other themes.
As the Partnership matures, more transparency on implementation and resourcing should be considered. For example, there is currently little public communication about how it is monitored and resourced. Publicly agreed milestones, for example, could emphasise the importance of appropriate resourcing to meet Partnership commitments. While too much transparency carries the risk of watered down or vague commitments, the UK and Japan should nonetheless consider clearer communication on the details of the Partnership.
Activity Themes
Table 1 shows that cyber engagement activities broadly align with the priority areas of the Partnership.
Partnership themes with the most activity were “advancing shared international interests” and “capability development”. This aligns with statements by research participants, who assigned the most significance to cooperation in these areas. Participants explained this in the following terms: that these areas have multiple implementing actors with clear remits and motivations to engage, and increased resourcing on each side to implement these commitments. For example, Japan and the UK have worked closely in forums where they are both members, such as the Counter Ransomware Initiative and the OEWG, but – perhaps more importantly – they have prioritised participating in and supporting each other’s minilateral initiatives, such as the Pall Mall Process and the Keio International Cybersecurity Symposium. Similarly, data gathering indicated a particular focus on joint exercises to develop and refine capabilities, and initiatives for skills building.
Activities to advance shared international interests through multilateral platforms have built on existing engagements and reflect that the Partnership does not take a zero-sum view of cooperation. UK–Japan cooperation on cyber does not preclude engagement with other countries, nor can it. Efforts on capability development have concentrated on defence and security. Joint teaming on Exercise Locked Shields was particularly emphasised as an activity that built capabilities, reinforced trust and signalled alignment internationally. Nonetheless, select UK government officials expressed uncertainty that they would continue to pursue joint teaming in exercises, explaining that it is difficult to over-commit personnel in operational roles. Concerns about resourcing were not frequently raised by research participants. Researchers concluded that this was either because top-down prioritisation of the Partnership made for fewer resourcing obstacles, or because the activities were not excessively costly. If ambitions for the Partnership continue on their current trajectory, resourcing activities may become more challenging due to limited cyber workforces.
Activities on PPPs show promise for closer cooperation but have thus far been focused on Japanese firms operating in the UK. Researchers believe this can be explained in part by the smaller number of UK firms active in Japan.
Researchers created an additional theme of “cyber-resilient ecosystems” to categorise activities that support national reforms and concern standards and regulations. This theme recognises activities that already exist or are ongoing, and reflects insights from research participants who stressed the value of Partnership in this area. Discussions between counterparts on areas including structural reforms, secure AI, standards and so on are particularly important. Neither the UK nor Japan is part of a supranational regulatory body such as the EU, nor do they have the market power of the US or China. More dialogue on regulation and approaches would provide opportunities for Japan and the UK to influence global headwinds, share learnings and best practices, and deepen the partnership.
Activity Types
This paper assigns 12 different types to identified activities. These types attempt to group and rationalise activities to support the Partnership in structuring further cooperation. Again, while the list of activities may not be definitive, the diversity of types reflects positively on the Partnership’s ambition to be diverse and broad based. The sub-section below discusses the most salient of these activity types.
As expected, there is significant depth and breadth of activity focused on government-to-government (G2G) dialogue. These discussions span a variety of issues, including sensitive topics such as defence and security. Regular substantial dialogue is important to ensure mutual understanding and to identify further opportunities for cooperation. Regular G2G and multi-stakeholder dialogue also facilitates other activities. Research data noted that activities, such as joint agreements on standards or product security, often emerge from initial wide-ranging conversations, such as between the UK’s Department of Science, Innovation and Technology (DSIT) and Japan’s METI.
Activity types where research participants indicated there was good opportunity for more cooperation are:
- Technical. Participants identified the opportunity to accelerate the technical assurance and accreditation of cyber-security companies, for example by the UK’s NCSC. Existing activities facilitated market access for Japanese firms and provided benefits for UK consumers. Further activities could build on this work, including improving access for UK companies in Japan.
- Deterrence/international norms. UK stakeholders placed significant importance on this type of activity. The UK sees joint attributions with close partners as highly impactful. Japanese officials are aiming to expand attribution activities and consistently emphasise the importance of accuracy. Some research participants believed that Japan has little capacity to conduct technical assessment to support attributions, and are wary about sharing data due to information security concerns. While Japanese officials acknowledged that they would like access to more information and intelligence, they do receive inputs from the NPA, the NISC, the Japan Cyber Emergency Response Team Coordination Center (JPCERT/CC) and the IPA, which can inform political decision-making. Expanding cooperation on this type of activity is more likely to be a political question than one of technical capacity.
- Devolved engagement. Researchers were surprised by cooperation between regional cyber clusters in the UK and Japan, specifically Cyber Hiroshima and Cyber Wales. This included sharing best practices and trialling joint activities. Both organisations demonstrated significant enthusiasm for the Partnership, and this model offers a clear value case for both sides.
- Commercial. Japan and the UK both have advanced digital economies with substantial high-tech sectors, including robotics, smart cities and AI. Cyber security is significant for these industries and data gathering indicates that companies from both countries have opportunities to work with counterparts, and to export and purchase products and services. Data gathering did not include in-depth market research, but researchers would recommend that government trade ministries produce and publish such information to support companies.
- Cyber capacity building (CCB). Research participants from both the UK and Japan emphasised CCB as an area of opportunity. JICA and the FCDO each have a good international reputation for CCB. The UK-funded training course delivered through the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) in February 2024 is consistent with Japan’s focus on personnel development and demonstrates the ability to cooperate on this type of activity.
Researchers believe it is also likely that a rather low level of current activity on the above areas informed research participants’ belief that there is opportunity in these areas.
Actors Involved
The variety of actors involved in activities listed in Table 1 demonstrates that cyber cooperation is decentralised, and that organisations often establish and maintain relationships with bilateral partners independently. Multiple officials validated this perception, including one who argued that decentralised, whole-of-government engagement is preferable for Japan in advance of expected reforms to the NISC. While a central coordinating actor can be beneficial, if Japan and the UK aspire to have a high tempo of engagement across multiple areas, diverse government actors will need direct points of contact with their counterparts. Determining how centralised cooperation should be is important. Too much centralisation can create barriers to engagement, leading to delays; too little can result in siloed activities that are unaligned with bilateral strategic priorities. Moreover, too few centralised initiatives that facilitate engagement can result in some government entities not being involved in bilateral cooperation: for example, Japan’s IPA featured infrequently in research participants’ accounts of the UK–Japan Cyber Partnership.
A challenge to cooperation is that some counterpart organisations do not have the same roles and responsibilities. For example, the coordination of public attribution in Japan sits with the National Security Secretariat, fed by technical information from the NPA and other members of the intelligence community, and advice from the MOFA on the diplomatic consequences. This contrasts with the UK, where the FCDO holds political responsibility and the NCSC provides technical advice. In practice, a ministry or agency may have different counterparts on different policy or operational issues.
The need for effective conveners who can facilitate bilateral connections between counterpart organisations is a key dependency for the Partnership. In their absence, there is a risk that an inability to identify and connect with relevant counterparts will undermine engagement.
Cross-institutional and departmental career paths can be beneficial to enhance dialogue between actors working on various aspects of cyber policy in different governmental departments. This avoids government departments working in silos on overarching topics such as cyber. This is already practised in the UK, where civil servants move within cyber-relevant institutions, for example from positions in the National Crime Agency (NCA) to the NCSC or the National Cyber Force. While temporary secondments are common in Japan, dedicated cyber career paths could further strengthen the government’s cyber workforce and international engagement, with officials developing trust and competence over multiple posts.
Additional Considerations
This section outlines additional considerations that have shaped the development and prioritisation of activities.
- Informal networks drive activity take-up. Primary data gathering indicated that several activities happened because officials had personal connections with counterparts and together identified opportunities for cooperation. Participation in annual cyber dialogues was identified as a particularly important way to build these relationships. Reports that some government stakeholders were unable to join dialogues because of funding restrictions are therefore worrying. While governments should ensure value for money, bilateral cooperation benefits from personal relationships. The geographical and linguistic distance between the UK and Japan therefore presents obstacles. The resources required for officials to engage can be prohibitive, especially in a context of limited budgets. Given the scale of resources required, whether these are provided will likely depend on political will – if there continues to be high-level commitment to the Partnership, sufficient funding is likely to follow.
- Cooperation is complex. The activities identified in Table 1 are summarised and organised into delimited categories. While this offers a snapshot of the Partnership, some areas of engagement cannot be understood as discrete activities. For example, while few activities were assigned under the cyber-resilient ecosystems theme, several senior decision-makers conveyed that this area was their primary priority. While this could show that prioritisation had been ineffective, data gathered instead indicates that engagement on this theme can proceed without distinct activities – demonstrating a limitation of assessing a partnership solely through listing activities. Multiple Japanese stakeholders referred to the UK’s structures and legislation as a model, and explained this was because of similarities between the two countries, and the depth of wider cooperation. Further, in addition to activities identified under “advancing shared international interests”, other informal, ad-hoc and small-scale cooperative efforts regularly take place in multiple forums not listed.
- Limited scope for impact in some areas. More cooperation does not guarantee more impact. The introduction of initiatives in areas of cyber not well suited to UK–Japan cooperation could be inefficient or disadvantageous. An example of this is formalising operational cooperation on cybercrime investigations. In practice, very few of the cases covered by the UK’s NCA and Japan’s NPA overlap. In the rare cases that are linked, agencies engage on an ad-hoc basis to meet operational objectives. Any well-intentioned move to formalise this limited engagement would neither be a good use of resources nor create efficiencies. The difference in each country’s cybercrime threat landscape is mirrored to some extent in state threats. Japan is focused on cyber threats from China and North Korea, whereas the UK often prioritises Russian threat actors. This could mean that information sharing is less relevant – however, multiple research participants framed the difference as complementary. Where information sharing can take place, it could bolster each country’s national cyber defence. Officials from the UK and Japan should be on the lookout for areas where there is modest scope to expand valuable engagement.
III. Strategic Alignment
This chapter contextualises existing activities, assesses how existing Partnership commitments align with wider bilateral priorities, and considers whether national strategies point to further opportunities for cooperation.
Aligning the Cyber Partnership and the Hiroshima Accord
The UK–Japan Cyber Partnership focuses on:
- Strengthening PPPs.
- Enhancing cyber capabilities.
- Advancing shared international interests.
As detailed above, these priorities broadly correspond with cyber cooperation activities identified in this paper. The only exceptions are activities that the authors associate with a new area (“cyber-resilient ecosystems”) and several others that fall into the “Other” category – entirely G2G dialogues.
The UK–Japan Cyber Partnership was set out under the Hiroshima Accord. The Accord commits to:
- “Strengthening our shared security capabilities to help safeguard global peace and stability”.
- “Deepening our economic relationship to create shared prosperity and increase trade and investment”.
- “Leading international efforts to deliver a better and more sustainable future for all”.
The Cyber Partnership is mentioned within the first of these three categories, implying that the Partnership focuses on defence and security. This is reflected in activities identified in Table 1, for example the combined SDF and UK armed forces exercises. Nevertheless, other activities have addressed, for example, awareness and skills building and the alignment of standards and regulations, suggesting that the Partnership is broader than defence and security. Discussions with officials have supported this conclusion. While the Partnership was founded with a focus on defence and security, it now also addresses – albeit informally – other Hiroshima Accord priorities: shared economic prosperity and leading international efforts for global resilience.
The shift to pursuing activities across the Partnership that align with all three Accord priorities has shown some signs of success, but prospects for a higher pace of engagement are uncertain.
Positive signals have been sent by both governments on deepening economic ties through cyber security. Japan has contracted a British company to provide cyber-security training to SDF and JMoD officials, and the NCSC has invited Fujitsu UK to join its Industry 100 scheme and accredited Nihon Cyber Defence as an incident response provider. Nonetheless, the growth in trade and investment in cyber has been slow. Private sector stakeholders are wary about the difficulties of entering foreign markets, with several anticipating high costs and, in the defence sector, expressing anxiety about the ability to acquire required clearances. The lack of a common language is a significant challenge. Translation software, which is increasingly AI-enabled, partly mitigates language differences, but these still present a barrier. Market structures also present challenges. Japanese companies often procure cyber-security products and services from a small number of large vendors. Vendors are risk averse, and slow to integrate small- and medium-sized-enterprise (SME) products and services. This disadvantages both Japanese and British SMEs. Larger UK cyber-security companies are less likely to use a vendor, and while they have sufficient resources to set up offices locally, there is a significant time and cost investment. UK companies reported significant difficulties in hiring qualified and bilingual Japanese employees, who were seen as essential to business operations. Research participants from Japanese companies similarly reported anxiety about entering the UK market, but were able to identify fewer specific concerns. Officials in the UK and Japan are enthusiastic about deepening the economic Partnership through cyber, although data gathering indicates there are outstanding challenges.
The third priority of the Cyber Partnership already aligns somewhat with the third pillar of the Hiroshima Accord. It is possible to advance shared interests – building influence, countering adversaries and so on – while simultaneously delivering a better and sustainable future internationally. For example, both the UK and Japan undertake CCB to support cyber resilience, awareness and security in recipient countries. In addition to building recipients’ capacity to mitigate cyber harms, CCB can also meet influence, security and economic objectives. The UK has several global CCB programmes, including the Indo-Pacific Cyber Programme, while Japan currently focuses on Indo-Pacific countries – JICA intends to expand its activities in Oceania and Africa. Additionally, Japan has established the AJCCBC as an axis for CCB in the Asia Pacific region. As detailed in Table 1, the UK has deployed CCB through the AJCCBC. The UK and Japan each have ambitions for CCB, and further alignment could act as a multiplier for their efforts. The extent to which the UK and Japan can coordinate their CCB efforts will depend on strategic and practical considerations. Do the countries agree on where, how and when to expend resources on CCB? Further, can they effectively work together on an operational level – are their ways of working, processes for information sharing and so on aligned? While the UK and Japan are like-minded partners, diverse individual factors shape their respective foreign policies.
National Strategic Alignment and Additional Overlaps
The UK and Japan each have an overarching national cyber-security strategy, the pillars of which are shown in Table 2.
The UK and Japan share a strategic commitment to increasing the security and resilience of their digital societies. Japan’s overarching stated objective is to ensure “a free, fair and secure cyberspace”, while the UK vision is for a “free, open, peaceful and secure cyberspace”. The strategies echo one another, and the two countries have similar priorities in cyber policy. Both recognise the necessary role of the private sector, are increasingly prioritising standards and regulations, and are committed to using cyber to pursue international objectives. Additionally, they share an understanding of the nature of the threat. These points of convergence provided the impetus for the Cyber Partnership and have driven its first year, focused on PPPs, advancing shared international interests and capability development.
▲ Table 2: Pillars of UK and Japan National Cyber Strategies. Source: HM Government, “National Cyber Strategy 2022”; Government of Japan, “Cybersecurity for All”, January 2021.
There are several areas where the UK and Japan have strong strategic crossovers, but which present more difficulties for cooperation. These include: interoperable standards; cyber threat intelligence sharing; joint hunt forward operations; and research and academic partnerships. Chapter IV discusses the benefits and challenges involved in these areas.
IV. Strategic Considerations and Recommendations
This paper finds that there is valuable momentum in the UK–Japan Cyber Partnership across multiple areas, driven by shared challenges and opportunities. Nonetheless, the Partnership is still in its infancy and there is significant space to grow. While current strategic priorities are appropriate for the bilateral Partnership, further activities can be pursued, and areas of focus expanded.
This chapter makes recommendations for the UK–Japan Cyber Partnership, highlighting strategic considerations and suggesting practical activities as the Partnership moves into its second year.
Strategic Considerations
In approaching the recommendations outlined below, Japan and the UK should consider the following:
Stay the course: The UK–Japan Cyber Partnership, and the Hiroshima Accord within which it sits, are relatively new initiatives. Bilateral relations between the two countries have been warming over the past decade, but domestic political priorities can divert attention. It is important that the achievements of the Partnership to date are properly communicated and that the areas of cooperation it has identified are entrenched. Continued attention to the Partnership will provide benefits across the wider relationship.
The Partnership as one piece of the puzzle: Viewing bilateral cooperation in isolation is unhelpful. The UK and Japan are like-minded partners which sit within a latticework of other multilateral and minilateral agreements. While the importance placed on bilateral activities is understandable, neither country should be discouraged from pursuing initiatives that involve other partners within groupings, such as Five Eyes, AUKUS and the Quad, that have aligned strategic interests. Nonetheless, opportunities for bilateral cooperation to drive comparative advantage for both the UK and Japan should be pursued where possible.
Successful cooperation on cyber reforms is a two-way street: Japan’s cyber legislation and structures are undergoing significant reforms. Japan’s international partners, including the UK, are keen to provide input and assistance to this process, and Japanese stakeholders want to learn from international best practices. Nonetheless, the Partnership should not be framed as a capacity-building initiative. Engagement between the UK and Japan, for example the GCAP, takes place on peer-to-peer terms. Thus, the Partnership should continue to frame itself as a peer-to-peer initiative. While Japan is looking to “catch up” with the UK on cyber, there are still learnings to share in the near term and, as Japan’s capabilities quickly improve, significant opportunities for in-depth cooperation in the medium to long term.
Cyber security as an enabler and an activity: Increased trust and cooperation on cyber security open the way for deeper engagement on diverse areas of partnership. This is especially important as the UK and Japan prioritise defence and security cooperation. Equally, cyber-security engagement should be seen as an end in itself. Assessing and appreciating the value of the Partnership in these terms is important to determining how much resource to assign to it.
Anticipate delays and dead ends: The UK–Japan Cyber Partnership has achieved good momentum in its first year, despite several challenges and obstacles that are unlikely to disappear in the near term. These issues have been highlighted throughout this paper, across strategic risks such as domestic political commitment and conflicting international priorities; tactical obstacles including resourcing, language, information security, different threat landscapes and geographical distance; and the lack of a common implementation plan. While this paper raises these challenges, it focuses on outlining the strategic motivation for the Partnership and identifying bilateral activities. Further research is required to better understand the significance and breadth of challenges to the Partnership.
Recommended Activities
1. Capability Development
There is a global shortage of cyber skills. Governments are struggling to train and retain skilled officials, which impacts their ability to assess, develop and implement technical solutions. Shortages of skilled personnel have downstream effects on governments’ access to cyber-security products and services that contribute to national cyber defence. Internal capability gaps within governments and non-specialist companies have led to a greater reliance on cyber-security providers and implementers. The following recommendations detail how the UK and Japan can continue to cooperate to develop and improve capabilities.
Recommendation 1: Establish repeatable and department-neutral personnel development cooperation activities.
Coordinating agencies, national technical authorities and ministries of foreign affairs should establish limited and distinct personnel development activities. Such activities should be relatively reproducible by different parts of government and should encompass:
- Training. Technical training is an important way to upskill personnel and provide a non-financial incentive to remain with an organisation. For Japan, the scale of the training required will necessitate private sector assistance – Japan’s MoD intends to have around 4,000 cyber core personnel of SDF units by the end of Japan’s Financial Year (JFY) 2027, up from around 890 in JFY2022, and around 20,000 cyber-related personnel in the ministry, including the cyber core personnel of the SDF units. The UK cyber-security sector has many companies that conduct this kind of training: they should be incentivised and facilitated through the Partnership to bid for Japanese government contracts. Non-technical training should also be included in this offer – there is a particular opportunity for interactive sessions on defence doctrine, although this should likely involve direct participation from the MoD.
- Exchanges. Japanese and UK agencies, departments and ministries that engage regularly and have clear areas of overlap should pursue personnel exchanges. DSIT, METI and other organisations focused on cutting-edge cyber and technology regulation would especially benefit. This activity will likely be impacted by the language barriers outlined throughout this paper. Creative solutions, including intensive language training, may limit the impact of this obstacle but can be resource intensive. Participating agencies could instead link exchanges to language upskilling opportunities offered to officials.
- Exercises. Joint teams at international exercises and participation in each other’s national exercises build operational familiarity, develop participants’ skills and signal partnership internationally. These benefits should, however, be managed against understandable concerns about trade-offs in resourcing exercises.
Where the private sector is involved in these activities, Japan and the UK should encourage partnerships involving companies from both countries.
Recommendation 2: Continue informal discussions on retention and recruitment policies.
The MoD and JMoD should continue to discuss retention and recruitment efforts. They should commit to sharing learnings with other parts of government that employ cyber operators, such as the police. This could also include proposals for cooperation initiatives between UK and Japanese cyber reservists. Including reservists in cooperation efforts brings strong expertise to the table and can limit demand on limited personnel.
Recommendation 3: Establish processes for more effective sharing of information and cyber threat intelligence.
To achieve a higher tempo of cooperation, Japan and the UK should more effectively and actively share information. Information must include cyber threat intelligence but should not be limited to it – for example, intelligence about the organisation of threat actors is also important.
To share information, better processes are required. Practices to enable cyber threat intelligence sharing are an example of where reforms are underway to balance the need for equivalence with country-specific demands. Reform of Japanese policy and processes on information security, security clearances and classifications is proceeding at the same time as the UK security establishment is refining its understanding of how to approach a satisfactory level of equivalence. Sustained bilateral dialogue through the channels of cyber-security cooperation facilitates convergence.
The GCAP has driven efforts to converge approaches to information security. The timeline to achieve an operational capability by 2035 is tight, and there is pressure to accelerate information-sharing questions at all classifications. In the absence of streamlined information sharing, the concern is that GCAP will be less efficient, and a delayed timeline will mean it offers a less effective response to increasing threats from adversaries. Currently, the commitment to establishing a secure digital platform enabling GCAP partners to work together and share information in a real-time collaborative environment is still in the process of delivery. A sixth-generation fighter cannot be designed with first-generation techniques. Solving information sharing is a technical problem, but it is also a political one. The primary responsibility at present sits with government officials, who are understandably risk sensitive. To ensure significant and timely progress is made on information sharing – which is necessary for GCAP and across the wider Partnership – political decision-makers will likely need to engage more actively to drive implementation. Part of this will involve making tough decisions about trust and information security.
2. PPPs
Private companies are critical actors in cyber and technology. Japan and the UK have acknowledged a need to work with the private sector, each developing multiple PPPs. Building cooperation on PPPs between the UK and Japan, however, presents significant challenges. There is no common language, business cultures differ, motivations to engage with two governments rather than one vary, and so on.
Recommendation 1: Enable partnerships between regional clusters.
Devolved administrations working with trade ministries should encourage partnerships between regional cyber clusters. The support of Cyber Wales in establishing Cyber Hiroshima and their continued partnership is a non-governmental success story for the Cyber Partnership. As more Japanese municipalities look to establish cyber clusters, trade and digital ministries from each country should facilitate introductions with existing UK clusters.
Recommendation 2: Promote connections between sectoral Information Sharing and Analysis Centres (ISACs).
Relevant ministries and agencies, including the NCSC, NISC and IPA, which work closely with national sectoral ISACs, should facilitate discussions with their bilateral counterparts. Agencies should then encourage and partially support cooperation between sectoral ISACs where there is clear interest, such as nuclear, finance and automotive. This activity should be careful not to duplicate existing international ISAC cooperation, nor unnecessarily promote engagement where there is no clear need and interest. One opportunity is to build additional cooperation on the foundation of the existing good relations between the UK’s Cyber Defence Alliance and Japan’s Cybercrime Control Center – non-profits that work with the private sector and law enforcement to combat cyber threats.
Recommendation 3: Take a more proactive and targeted approach to expanding commercial cyber engagement.
Japan’s METI and the UK’s Department of Business and Trade (DBT) should determine a strategic approach, in partnership with their respective private sectors, to promote market access in the UK and Japan. This could include: encouraging and facilitating partnership with UK/Japanese firms; enabling SMEs and primes to present a consolidated UK/Japan offer; and identifying and promoting relevant niches where UK/Japan industry has a relevant comparative advantage. These principles should continue to be supported by regular trade missions. These activities are important to lower the perceived barriers to trade in cyber security, as well as creating opportunities for companies to explore partnership.
METI and the DBT should further explore providing a landing-pad function for the UK’s and Japan’s cyber-security companies. This would complement other efforts, for example the Industry 100 scheme including Japanese firms with a UK presence, to demonstrate the opportunities for British and Japanese businesses. Non- or quasi-governmental organisations, especially trade and industry bodies (for example, Keidanren, the Confederation of British Industry and the National Cyber Advisory Board – NCAB), should also be facilitated to support bilateral commercial opportunities.
Recommendation 4: Explore further opportunities to expand national PPPs to include UK or Japanese companies.
Government organisations operating national PPPs should assess whether they can expand these schemes to include foreign (Japanese/UK) companies. This should include multiple types of initiative, such as cyber threat intelligence sharing and personnel secondments. The UK has begun to take this approach through the Industry 100 scheme, admitting two Japanese companies with a UK presence. Japan could consider a similar approach in the Cyber Defence Council (a defence industry PPP) through the Cybersecurity Council, or by inviting secondees from UK companies with a Japanese presence into the NISC. For this to happen, however, UK companies would need to expand their presence in Japan.
3. Advancing Shared International Interests
The UK and Japan are like-minded liberal democracies that share many geopolitical concerns and ambitions. Both support a “Free and Open Indo-Pacific”, value a responsible approach to cyber, and face common adversaries. The UK–Japan Cyber Partnership provides an effective channel through which cooperation to achieve shared international interests can be expanded.
Recommendation 1: Promote the AJCCBC as a hub for CCB in ASEAN, use it as a model in the Indo-Pacific and develop cooperative offerings.
JICA and the FCDO should develop joint CCB projects leveraging existing initiatives. These projects should use current products/services such as CYDER (Cyber Defense Exercise with Recurrence) trainings delivered by the MIC, and Cyber Security Capacity Maturity Models developed by Oxford University. The FCDO should also consider expanding its deployment of CCB activities in ASEAN via the AJCCBC.
JICA should explore linking the AJCCBC more closely with other Indo-Pacific centres of cyber excellence on CCB and other topics, for example the ASEAN Singapore Cybersecurity Centre of Excellence and the Global Forum for Cyber Expertise’s Pacific Hub. This would involve building on existing regular exchanges between the AJCCBC and these organisations. The FCDO should offer to support this effort, drawing on its experience of coordinating and implementing CCB activities and its commitment to Indo-Pacific security.
Annual UK–Japan cyber dialogues should commit to discuss and, where possible, strategically align decision-making about CCB. This alignment should entail deconfliction at a minimum. More ambitious alignment would include coordinating efforts to improve regional partners’ cyber resilience and defence to deter, deny and disrupt adversaries. The 2024 UK–Japan cyber dialogue should consider Mongolia and Taiwan as high-priority partners for trilateral engagement on CCB. In the latter case, this is more likely to involve peer-to-peer-type activities, such as joint exercising.
Recommendation 2: Pursue closer collaboration to promote international rules and norms.
Japan and the UK should expand and continue to align structural and activity-based cooperation on international rules and norms. The FCDO, MOFA and other ministries participating in international structures, such as the Counter Ransomware Initiative or the UN Open-Ended Working Group, should, where possible, adopt consistent positions. They should further work cooperatively to advocate for a free, fair, responsible and open cyberspace among countries that have not committed to this principle, particularly in ASEAN.
The FCDO, MOFA and relevant technical agencies should continue to actively identify opportunities for joint attribution or statements that reiterate their positions on international rules and norms in cyberspace. An example of this is Japanese support for the UK’s attribution of APT31, a Chinese state-sponsored cyber threat actor, in March 2024. Reforms to clearances and increased information sharing will enable more joint statements, as will focusing attribution efforts on less sensitive adversaries. Nonetheless, both partners should appreciate the other’s specific thresholds and willingness to make public statements.
Recommendation 3: Align proactive international cyber crisis support efforts.
Ministries of defence and foreign affairs and relevant technical agencies should explore cooperation on proactive international cyber support to third countries at high risk of experiencing large-scale cyber incidents. Engagement on proactive international cyber crisis support should include identification of cooperation activities and alignment on strategic priorities.
Cooperation activities could include joint deployment in initiatives in the style of hunt forward operations. Additionally, relevant government departments should share lessons identified through providing international crisis support to, for example, Ukraine. From this, the UK and Japan should discuss involvement in a jointly funded mechanism to respond to large-scale incidents in third countries.
When expanding cooperation on international cyber crisis support activities, the UK and Japan should clearly set remits, thresholds and priorities for these activities.
4. Cyber-Resilient Ecosystems
Cyber-resilient ecosystems rely on clear, well-assigned roles and responsibilities across government. Since establishing the NCSC in 2016, the UK has made few changes to its cyber governance; Japan is in the midst of major reforms to its cyber governance. The UK and Japan are both actively considering how, where, and when to regulate cyber security. Both countries are outside the orbits of the largest regulators: the EU; China; and the US. Cooperation on governing cyber security is important as each country navigates a complex global regulatory environment. With the UK planning a new Cyber Security Resilience Bill and Japan committed to the reforms discussed above, cooperation on cyber-resilient ecosystems and the necessary reforms should be seen as a “two-way street” as the Partnership progresses.
Recommendation 1: Provide consolidated learnings from the development of government structures and processes.
In partnership with other relevant government departments and former officials, the NCSC should provide a consolidated summary of UK cyber structural and legislative reforms since 2016. Areas of importance within this summary are: responsibly using investigatory powers; the creation of structures to integrate confidential and non-sensitive intelligence; the expansion of PPPs from operational to strategic functions; and the development of products to support whole-of-society cyber security. Japan’s Cybersecurity Strategic Headquarters and the NISC could use this resource to inform their reorganisation, while also providing feedback to British counterparts.
Recommendation 2: Discuss learnings from the development of military cyber functions and enabling processes.
The National Cyber Force, the MoD, armed forces and intelligence services should continue to conduct bilateral dialogues with Japan’s SDF and JMoD, including its Cyber Defence Group and Defence Intelligence Headquarters. There should be a focus on discussions of processes to declassify and share information and the development of cyber capabilities in a responsible and transparent manner – each was considered a priority concern by several Japanese government interviewees.
Recommendation 3: Pursue mutual recognition of cyber professionals.
DSIT, METI and relevant national bodies, such as the UK NCSC, should explore mutual recognition of cyber professional standards. This effort should aim to integrate with the existing Cyber Skills Partnership between the UK and Singapore.
Recommendation 4: Create a bi-annual dialogue to explore standards alignment and interoperability.
DSIT and METI should lead and coordinate bi-annual dialogues to promote alignment on cyber security and related standards. These should reinforce existing efforts on app security, AI and the Internet of Things, by addressing areas such as software supply chain security and industrial control systems. The UK Department of Business and Trade and METI should also work with industry to identify where interoperability is most important to promote trade, including schemes such as Cyber Essentials, which are required to compete for UK government contracts.
5. Other
While the priorities of the UK–Japan Cyber Partnership should determine most bilateral cyber cooperation, actors should not be closed to other opportunities. Dispersed cooperation with multiple points of contact between the governments presents many opportunities, but may be hard to track centrally and could draw resources from priority areas.
Recommendation 1: Continue supporting enabling engagement.
Sufficient funding should be committed to ensure proper cross-government representation at annual cyber dialogues. Maintaining person-to-person relationships is crucial to achieve mutual ambitions for an increased tempo of bilateral engagement on cyber.
Continued visits by senior officials and government representatives should also be pursued. Top-down pressure provides government officials with motivation and authority to prioritise bilateral efforts.
Recommendation 2: Deepen partnership on cyber education.
Japan’s Ministry of Education, Culture, Sports, Science and Technology, the UK’s Department for Education, and relevant higher education authorities should explore measures to encourage university-level partnerships on cyber security. These should include promoting joint degree programmes between universities and exploring special exemptions or allowances for language tests to encourage higher-education mobility.
Relevant departments should assess the effectiveness of the pilot Japan Cyber Fellowship and Cyber First competition, and determine whether to expand the programme. Further activities should be trialled across all stages of education to test whether bilateral engagement can promote better safety and skills outcomes.
Recommendation 3: Produce a report every two to three years assessing the UK–Japan Cyber Partnership.
Primary responsible organisations (likely the FCDO, MOFA, the NISC or the NCSC) should continue to regularly review the progress of the Cyber Partnership to assess areas of success, learning and further opportunity. This assessment should also be used to examine whether the existing remit of the Partnership is sufficient. Within the assessment, both countries should commit to an approach to implementing the objectives of the Partnership that can be measured against agreed milestones. While aspects of this assessment cannot be made public, the UK and Japan should commit to releasing a progress report similar to those issued by the Japan–UK Digital Partnership.
Conclusion
Cooperation on cyber security between Japan and the UK effectively furthers mutual interests through specific operational activities, and enables the wider partnership. The UK–Japan Cyber Partnership should aspire to continue the momentum of its first year and expand the depth and breadth of cooperation.
This paper has provided an overview of the activities and strategic priorities of the Partnership and has set out recommendations for its development. Current priorities within the Partnership are appropriate and provide opportunities to develop further activities. Furthermore, engagement outside the remit of set priorities represents an opportunity to expand the scope of the Partnership. Cooperation on cyber-resilient ecosystems would recognise existing efforts while also creating more space for engagement, particularly on digital government, technology standards and structural reform.
There is significant space to expand activities across existing priorities. Japan and the UK both face challenges in scaling, developing and retaining cyber capabilities. Exchanging knowledge, identifying opportunities to cooperate, and sharing information can help to strengthen capability. Promoting commercial cooperation is a priority for the Partnership. Issues such as differences in language present challenges, but platforms to lower barriers to entry exist for companies, and there is a clear value case for users and providers. Worsening geopolitical tensions present concerns for both countries. Increasing cyber cooperation to advance shared international interests should include a focus on CCB, closer alignment on rules and norms, and consideration of international cyber crisis response efforts.
The Partnership can expect to continue benefiting from key drivers. Japan and the UK are closely aligned, exist within a network of common partners and face similar challenges and opportunities from cyber security. They share long-term joint initiatives, such as the GCAP, which provide a platform for close engagement over the long term. Japanese partnership with Pillar II of the AUKUS programme on advanced technologies would add to this. Nevertheless, the Partnership faces speedbumps which, if unresolved, could impede the pace and scope of activity. These include the need to tackle issues relating to information sharing and ensuring that the Partnership is sustainably resourced in a context of competing priorities.
Joseph Jarnecki is a Research Fellow in RUSI’s Cyber research group. His research focuses on cyber and technology-enabled conflict, cyber-security capacity building, and the opportunities and risks to economic security posed by advanced technologies.
Philip Shetler-Jones is a Senior Research Fellow in RUSI’s International Security research group. His current research is concentrated on Indo-Pacific security. His recent publications have focused on the defence policy of Japan, China’s attitudes to NATO, and narratives about the defence of Taiwan. Philip has served as an officer in the UK Royal Marine Commandos.
Pia Hüsch is a Research Fellow in RUSI’s Cyber research group. Her research focuses on the impact, societal risks and lawfulness of cyber operations and the geopolitical and national security implications of disruptive technologies such as AI.