The Quadrilateral Security Dialogue (QUAD) is a security partnership between Australia, India, Japan, and the United States. Its recent plans on cyber security have gained attention, specifically the development of common software security standards and information sharing among its members. This article delves into these measures and their potential outcomes: in addition, it investigates the merits of using the QUAD to address cyber security in comparison to another major security dialogue in the region, the ASEAN Regional Forum, and briefly discusses the path forward for Japan.

QUAD’s Leaders Meeting in Tokyo, 2022 (Source: Prime Minister of Japan and His Cabinet)

A brief history of the QUAD

The QUAD was formally established in 2007 but was paused in 2008 for two main reasons: the members' diverging perceptions of the QUAD's importance[1], and Australia's withdrawal due to fears that participation in a strategic partnership excluding China would hurt the two countries' economic ties[2]. The QUAD was then revamped in 2017 at the initiative of the United States and Japan, driven by re-converging interests among its members on matters like freedom of navigation, particularly in light of China's perceived growing coercive behavior in the region[3]. In 2021, the QUAD adopted cooperation objectives in key areas such as global health, strengthening of regional infrastructure, climate change, people-to-people exchanges and education, critical and emerging technologies, cybersecurity, and space[4]. While institutional declarations can often remain abstract, recent developments in the QUAD's cyber security cooperation seemingly show a growing intent to translate these aspirations into concrete initiatives.

Cybersecurity cooperation in the QUAD

The 2021 QUAD Summit Declaration planned, among other measures, the creation of a QUAD Senior Cyber Group (QSCG), formed by leader-level experts in cyber security who would "meet regularly to advance work between government and industry" with four objectives in mind: adopting and implementing shared standards in the cyber security field, developing secure software, building workforce and talent in cybersecurity, and promoting the growth and safety of digital infrastructure[5]. Since then, the QSCG has been meeting yearly and promoting various initiatives under the QUAD Cybersecurity Partnership: one example is the Quad Cyber Challenge, which first took place in April 2023 with the aim to promote cyber awareness across the Indo-Pacific[6], and has been reprised in fall 2024 with a focus on cyber-security education[7].

Two recent QUAD initiatives in cyber security are the focus of the following discussion. The first is the 2023 "Joint Principles for Secure Software." The Principles aim to "reduce the number and potential impact of software vulnerabilities" that can be used to carry out cyber-attacks. To achieve this, the QUAD is drafting guidelines for governments to follow in the development, procurement, and use of software. These guidelines ensure that software safety is continuously monitored, starting from the creation stage[8].

This agreement has drawn attention for its possible anti-China nature. Indeed, Chinese software (alongside Russian software) is often considered unsafe among the QUAD members: it is associated with increased chances of misuse of sensitive user data[9] and malicious software injection[10], and debates have emerged on the safety of Chinese products in Internet of Things (IoT) devices (that is, physical objects connected to the internet), particularly for critical fields such as medicine and police work[11], or solar power systems[12]. The Principles' emphasis on software security can thus be interpreted as a response to China's perceived assertiveness in cyber space[13] and as a way to prevent Chinese software from entering the QUAD markets. However, it must be noted that the QUAD's initiative on software security is happening alongside individual national efforts in member countries. Recommendations such as the American "Secure by Design" pledge[14] and "Secure Software Development Framework"[15] or the Australian Signals Directorate's "Choosing Secure and Verifiable Technologies"[16] are already influencing national manufacturers, as compliance with such guidelines is increasingly necessary for domestic sales. Hence, improvements in software security are already happening outside the QUAD and affect all products, not just Chinese ones. Furthermore, much of the world's software is produced in India, whose presence in the QUAD can thus be considered very important for the successful implementation of software security measures[17].

The second QUAD initiative that has garnered attention is the 2023 plan to develop a system to exchange information on cyberattacks or critical infrastructure damage among the cyber sections of the QUAD governments[18], a plan that finds its origins in the 2022 QUAD Cybersecurity Partnership principles[19]. This measure is important because information sharing is crucial to cyber security. On one hand, knowledge of cyber incidents improves one's cybersecurity posture by allowing learning from others' experiences and facilitating accurate risk assessment[20]. On the other, information sharing is often hindered by factors such as privacy concerns, legal barriers, and fear of reputational damage stemming from appearing inadequately protected against cyber threats[21]. Thus, this QUAD measure could help ease barriers to information sharing and foster a climate more favorable to it.

Much ado about nothing?

The actual amount of progress on these initiatives remains to be seen, as no concrete implementation has been undertaken yet. Nevertheless, it might be helpful to look at similar measures in other countries to infer what results and obstacles the QUAD might encounter.

Concerning the "Principles for Secure Software," the most recent QUAD meeting held in the United States only reconfirmed that the members are partnering with various stakeholders to pursue their commitments[22], without describing any tangible progress. However, an approach similar to the Principles was taken by the United States' 2021 "Executive Order on Improving the Nation's Cybersecurity," aimed at improving the country's overall cyber security stance. One of its sections focused on strengthening the security of the software supply chain through a series of steps with clear deadlines: identifying "critical" (i.e. essential) software, establishing security guidelines for it, creating lists of compliant software, and giving government agencies deadlines to adopt secure software[23]. Non-compliant software vendors would likely be excluded from contracts, and government agencies would eventually be unable to purchase unsafe software. While the measures in the Order were mostly implemented, challenges persisted in creating a comprehensive list of "critical" software[24], and deadlines for agencies had to be extended[25]. This example highlights that practical implementation of software security measures can be difficult even in the most developed nations. Thus, aligning software security rules across nations with different political, administrative and legal systems might prove even more challenging for the QUAD, making prompt and specific work on the Principles crucial.

Concrete developments on information sharing among QUAD members have also been scarce. At the July 2024 Tokyo QUAD, the members agreed to establish a Quad Cyber Ambassador meeting that would explore capacity-building initiatives and promote responsible state conduct in cyber space[26], but details on this meeting remain scarce, and it is unclear if this initiative is part of the information-sharing efforts envisioned in 2023. Once again, looking at similar efforts in other countries, a few points of reflection emerge. In the European Union, where Computer Emergency Response Teams (CERTs) often share information across countries, uncertainty around legal boundaries remains an issue, worsened by uneven implementation of European Law across areas[27]. In the United States, a 2020 review of national information-sharing efforts under the Cybersecurity Act found limited progress in the quality of shared information, attributed to a small number of program participants, delays in receiving intelligence standards, and insufficient staffing[28]. Building an effective information-sharing network also requires addressing additional factors, such as agreeing on what information to share and how[29], and ensuring comparable security clearances across countries to access sensitive data[30]. Therefore, well-intended measures such as information sharing may face implementation challenges due to differing legal systems, policies, and budgets across QUAD countries. Again, promptly addressing these issues is essential for the QUAD's success.

QUAD versus ARF

Despite these limitations, the QUAD's pace in cyber security cooperation looks encouraging in comparison with other regional dialogues such as the ASEAN Regional Forum (ARF), focused on security and led by the Association of Southeast Asian Nations (ASEAN). While the ARF has reached concrete goals in other fields, such as disaster management[31], for cyber security the record is still scarce. This should not come as a surprise. Cooperation on disaster relief is beneficial to everyone and rarely controversial: conversely, the 27 ARF members include countries like China, Russia and North Korea which are often viewed by others as primary sources of cyber security threats, and even agreeing on basic ideas in cyber security cooperation has proven difficult[32].

Thus, to make progress, the ARF must prioritize confidence-building measures (CBMs), i.e. actions to reduce suspicion and distrust among parties, which are mostly implemented as workshops and discussions[33]. While CBMs are important, particularly in a field rife with distrust like cyber security[34], it will take time before they lead to concrete results. In addition, the ARF decision-making system is based on consensus, which requires a general agreement to proceed. Together, differences among the members and consensus-based decision-making make it difficult to reach concrete decisions and slow the pace to one that accommodates everyone. In comparison, the QUAD, while diverse, has a much smaller membership of democracies, which makes it easier to agree and coordinate. In addition, all members share a common interest in software safety and information sharing as essential measures to reduce cyber-attacks from a variety of threat actors external to the QUAD. Finally, while there are still differences in the levels of technological development and adoption among the four countries, the gap is much smaller than in the ARF, which includes small countries such as Myanmar alongside major actors like China and the United States.

In sum, unlike the QUAD, the ARF avoids the risk of an anti-China stance but is unlikely to progress beyond basic CBMs anytime soon. Conversely, pursuing cyber security cooperation through the QUAD may provoke Chinese protests, but its nature as a small and informal group of nations with converging interests and stronger trust bonds makes practical results more achievable and in turn future progress more likely.

The way forward for Japan

Japan is a member of both the ARF and the QUAD. This should not come as a surprise, as the country has often taken a "multi-layered" approach to institutions, trying to accumulate the effects of various cooperative frameworks[35]. Thus, Japan's best bet is to continue pushing for progress on cyber policies in both institutions simultaneously. However, given its characteristics, the QUAD appears to be a better choice for tangible short-term results. While the QUAD's future actions are highly dependent on the policies of the newly elected Trump and Ishiba administrations, there is potential for an active Japanese role. For example, Japan's experience in leading the cyber-related G7 Hiroshima AI process[36] could help in building the basis for the QUAD's regulatory efforts in software security, and Japan's expertise in joint cyber exercises with various militaries and multilateral bodies[37] could help broaden the QUAD Cyber Security Partnership's scope beyond educational initiatives, while necessitating careful handling of potential sensitivities from China. Finally, working multilaterally on intelligence sharing also aligns with Japan's current efforts to enhance its security clearance system and thus enable smoother information exchange internationally[38]. However, definite measures and specific deadlines must soon be put into place if the QUAD's lofty dreams are to be turned into reality.

(2024/12/11)

Notes

  1. Kevin Rudd, "The Convenient Rewriting of the History of the 'Quad'," Nikkei Asia, March 26, 2019.
  2. Grant Wyeth, "Why Has Australia Shifted Back to the QUAD?," The Diplomat, November 16, 2017.
  3. Patrick Gerard Buchan and Benjamin Rimland, "Defining the Diamond: The Past, Present, and Future of the Quadrilateral Security Dialogue," CSIS Briefs, March 16, 2020.
  4. The United States White House, "Fact Sheet: Quad Leaders' Summit," September 24, 2021.
  5. Ibidem.
  6. The United States White House, "Quad Joint Statement on Cooperation to Promote Responsible Cyber Habits," February 7, 2023.
  7. The United States White House, "Fact Sheet: 2024 Quad Leaders' Summit," September 21, 2024.
  8. Ministry of Foreign Affairs of Japan, "Quad Cybersecurity Partnership: Joint Principles for Secure Software," December 2023.
  9. Sapna Maheshwari and Amanda Holpuch, "Why the U.S. Voted to Force TikTok to Be Sold or Banned," The New York Times, April 20, 2024; Office of the Senator Mike Gallagher, "Gallagher Introduces Bipartisan Legislation to Protect American Networks," November 6, 2023 (archived).
  10. James Andrew Lewis, "TikTok and National Security," Center for Strategic and International Studies, March 13, 2024.
  11. Dave Altavilla, "Securing The IoT From The Threat China Poses To US Infrastructure," Forbes, September 3, 2023; Charles Parton, "Dealing with the threat of Chinese cellular (IoT) modules," Britain's World, May 10, 2023.
  12. Jun Osawa, "Securing Electric Power Infrastructure from Cyber Threats during a Contingency: Lessons from Australia," International Information Network Analysis, January 15, 2024.
  13. Tobias Scholz, "Quad Vadis? A Risk Assessment of the Quad's Emerging Cybersecurity Partnership," Observer Research Foundation, August 17, 2023.
  14. Cybersecurity and Infrastructure Security Agency, "Secure by Design Pledge."
  15. NIST Computer Security Resource Center, "Secure Software Development Framework," July 30, 2024.
  16. Australian Signals Directorate, "Choosing Secure and Verifiable Technologies," May 9, 2024.
  17. Nick Bonyhady, "Australia to lean on Quad to fix 'wantonly unsafe' software," The Australian Financial Review, September 19, 2023.
  18. Rieko Miki, "Quad countries to bolster cyber defense with information-sharing," Nikkei Asia, April 25, 2023.
  19. Ministry of Foreign Affairs of Japan, "Quad Cybersecurity Partnership: Joint Principles," March 24, 2022.
  20. Konstantinos Rantos, Arnolnt Spyros, Alexandros Papanikolaou, Antonios Kritsas, Christos Ilioudis and Vasilios Katos, "Interoperability Challenges in the Cybersecurity Information Sharing Ecosystem," Computers 2020, 9(1), 18; March 2020.
  21. Ibidem; United States House Of Representatives, Committee On Homeland Security, Subcommittee On Cybersecurity And Infrastructure Protection, "Maximizing The Value Of Cyber Threat Information Sharing," Committee Hearing, One Hundred Fifteenth Congress, First Session, November 15, 2017.
  22. The White House, "Fact Sheet: 2024 Quad Leaders' Summit," September 21, 2024.
  23. The United States White House, "Executive Order on Improving the Nation's Cybersecurity," May 12, 2021.
  24. United States Government Accountability Office, "Implementation of Executive Order Requirements Is Essential to Address Key Actions," April 2024.
  25. Executive Office of The President, "Memorandum For The Heads Of Executive Departments And Agencies," June 9, 2023.
  26. U.S. Department of State, "Joint Statement from the Quad Foreign Ministers' Meeting in Tokyo," July 29, 2024.
  27. Neil Robinson, "Information Sharing for Cyber-Security: Evidence from Europe," The Asan Institute for Policy Studies Issue Brief, No. 72, October 8, 2013.
  28. Office of Inspector General, "DHS Made Limited Progress to Improve Information Sharing under the Cybersecurity Act in Calendar Years 2017 and 2018," September 25, 2020.
  29. Konstantinos Rantos et al., Interoperability Challenges.
  30. This has recently been a matter of discussion in relation to sharing information between the United States and Japan. James L. Schoff, Douglas E. Rake, and Joshua Levy, "A High-Tech Alliance: Challenges and Opportunities for U.S.-Japan Science and Technology Collaboration," Carnegie Endowment for International Peace, July 29, 2021; "Japan plans to create 'security clearance' system in 2024," The Japan Times, September 17, 2023.
  31. For example, the ARF regularly hosts a large scale disaster drill, the Asean Regional Forum Disaster Relief Exercise (ARF DiREx). Resilience Library, "ASEAN Regional Forum Disaster Relief Exercise (ARF DiREx)."
  32. Tim Maurer, "Cybersecurity And Asia," New America, September 24, 2015.
  33. Global Forum for Cyber Expertise, "Overview Of Existing Confidence Building Measures As Applied To Cyberspace," June 3, 2020.
  34. James Andrew Lewis, "U.S.-Japan Cooperation in Cybersecurity," CSIS Strategic Technologies Program, November 5, 2015.
  35. Tsuyoshi Kawasaki, "Layering Institutions: The Logic of Japan's Institutional Strategy for Regional Security," in "The Uses of Institutions: The U.S., Japan, and Governance in East Asia," edited by John G. Ikenberry and Takashi Inoguchi, Springer Link, 2007, 77-102.
  36. Inge Odendaal, "The Hiroshima AI Process: Japan's Role in Shaping Global AI Governance," Stellenbosch University Japan Centre, November 7, 2023.
  37. Ministry of Defense of Japan, "Defense of Japan 2023 - Part III Chapter 1: Responses in the Cyber Domain," March 5, 2023.
  38. The Japan Times, "New security clearance system to bring Japan in line with other G7 nations," July 9, 2024.