The Role of Cyber Defense Technologies in Modernizing US Treaty Alliances within the Framework of the 2022 Indo-Pacific Strategy

Anthony J. Tokarz is a graduate student at Columbia University, where his research focuses on the disruptive potential of emerging technologies and their impact on geopolitics and financial systems. Prior to Columbia, his career spanned community organizing in the Midwest, banking, and political consulting in the European Union.

Abstract: This research paper aligns with the 2022 US Indo-Pacific Strategy and examines how to revitalize existing treaty alliances between the US and key Asia-Pacific partners to build cyber capacities while deepening their economic relationships to balance China in the region. Current US policy in collaboration with these five treaty partners– namely Australia, Japan, South Korea, the Philippines, and Thailand– prioritizes traditional military capacity over holistic security arrangements. By assessing trends in cybersecurity, foreign direct investment, and technology manufacturing, the study aims to optimize these alliances to bolster allies' technological capabilities and mitigate vulnerabilities posed by China's increasing technological capacity, regional influence, and geopolitical ambitions.

Introduction

The 2022 Indo-Pacific Strategy prioritizes United States (US) engagement in the region through its five bilateral treaty alliances–Japan, South Korea, Australia, the Philippines, and Thailand. As Andrew Yeo concludes in Asia's Regional Architecture: Alliances and Institutions in the Pacific Century, the US preference for engagement through bilateral relationships has limited the power of multilateral organizations such as the Association of Southeast Asian Nations (ASEAN) and led to a “patchwork” of power dynamics.[1] This has entrenched the US as the central power broker in Asia through a “hub-and-spoke” model– with the US as the hub and Asian countries as the spokes– wherein Asian countries have strong relationships and communication with the US but not so much with each other.[2] Such a structure puts the onus on the United States to initiate and maintain security initiatives. As the US faces proliferating security challenges around the world, from Russia in the European theater to the Israeli-Gaza war in the Middle East, such a model might limit the ability of the US and its allies to respond to emergent challenges in the Indo-Pacific. One way to obviate these constraints is for the US to empower its allies in the region to take the lead on their own defense, especially in the realm of cybersecurity.

The closest security partners of the US in the Indo-Pacific– Japan and South Korea– maintain their own militaries while taking advantage of the American nuclear umbrella, i.e. the American guarantee to use nuclear weapons to defend non-nuclear allies. Mark Fitzpatrick argues that Japan and South Korea, as well as Taiwan, will not develop their own nuclear weapons despite their capacity to do so. He argues that the two countries trust the United States to use them on their behalf should the need arise.[3] However, due to the distributed nature of the internet and the relative ease of severing connections by cutting undersea internet cables or damaging satellites, the US cannot lull its partners into a false sense of cybersecurity by promising to meet their cyber defense needs. Instead, the US must use the economic and political tools at its disposal to help its partner develop cutting-edge capabilities of their own.

Recentering alliances around cyber defense technologies constitute a key dimension of preparing the US and its allies to confront burgeoning security challenges and enhancing resilience, both national and collective, in the Indo-Pacific. By prioritizing cyber capabilities, allies can improve situational awareness,  strengthen deterrence, and raise the costs of aggression. These three planks of a revivified, cyber-driven modernization of US alliances[AH1]  are essential in containing revisionist powers such as China and, to a lesser extent, Russia, in addition to rogue states that thrive on chaos and destabilization, such as North Korea and Iran.

Cybersecurity experts disagree over fundamental questions, such as whether cyber conflict is escalatory or an “off-ramp” for conflicts to remain below the kinetic level, as well as whether offensive cyber operations constitute acts of war. In practice, recent events have shown that aggressor countries deploy their cyber capabilities either as a prelude to traditional offensive operations, as Russia did in the lead-up to its invasion of Ukraine in 2022, or as

As of 19th April 2024, the US House of Representatives is preparing to vote on H.R. 8036, known as the Indo-Pacific Security Supplemental Appropriations Act. The Act represents the latest installment in American investment in the Indo-Pacific region, calling for $542 million to deepen American military capabilities in the region, plus $3.3 billion dedicated to improving the “submarine industrial base.” Additionally, the proposed bill dedicates $2 billion for Taiwan and earmarks $1.9 billion “to respond to the situation in Taiwan and for related expenses.”[4] The bill centers traditional naval power, with minimal emphasis on cyber capabilities, which encompasses the bulk of the attack surface over which US allies remain vulnerable.

I. Cyber Risks in the Indo-Pacific

Cybersecurity threats in the Indo-Pacific encompass a variety of threat actors from nation-states and state-affiliated hacker groups to cybercriminals and even terrorist organizations. Among nation-states in the region, China possesses the greatest overall cyber capabilities, with numerous state-sponsored threat actors such as APT1, allegedly associated with Unit 61938 of the People’s Liberation Army, which specializes in cyber espionage and living-off-the-land clandestine operations. On a smaller scale, North Korea excels at deploying state-affiliated hackers to make money for the Kim regime but has not been known to conduct wide-ranging, long-term operations against major companies and key nodes in the critical infrastructure of rival countries. In addition, Russia possesses advanced cyber capabilities and funds specialized cyber units with connections to the Russian government, such as Sandworm, Fancy Bear—allegedly associated with the GRU, Russia’s military intelligence agency—and Cozy Bear—believed to operate under the auspices of the FSB, Russia’s Federal Security Service, or SVR , Russia’s Foreign Intelligence Service. However, in the aftermath of Russia’s invasion of Ukraine in 2022, it is unlikely that Russia will see the Indo-Pacific as a major theater for systematic operations. Nonetheless, the United States must take every precaution to avoid putting its allies in danger, especially as its rivalry with China intensifies. Such precautions entail bolstering its allies’ defenses to mitigate the risk of cyber espionage, criminal penetration, and state-sponsored attacks against critical infrastructure and industries.

Due to the rapidly evolving nature of cyber capabilities, both offensive and defensive, the US must take a proactive approach toward ensuring that its allies are ahead of the curve. According to the Belfer Center at the Harvard Kennedy School, which compiles a biennial National Cyber Power Index, the US tops the ranking at first place, followed by China and Russia.[5] Among its allies in the Indo-Pacific, Australia ranks fifth and South Korea ranks seventh.[6] In 2022, Australia ranked tenth and South Korea ranked sixteenth. This suggests that Australia and South Korea have prioritized their cyber capabilities and focused on improving their efficacy on that front.  Meanwhile, Japan ranked ninth in 2020 but has since dropped out of the top ten and now ranks sixteenth. Meanwhile, neither the Philippines nor Thailand rank among the top thirty and thus are not even considered in the Index. In the context of American cyber strategy, Australia and South Korea are moving in the right direction while Japan, Thailand, and the Philippines constitute a potential liability. Moving forward, the US ought to work with these three partners to improve their capabilities and can lean upon Australia and South Korea to share expertise and best practices on this front. Yet the fact remains that there exists a gulf between the capabilities of the US, China, and Russia on the one hand and the rest of the world on the other due to the sophistication of their operations and the extensive experience each country’s units have in the field. Until the US can marshall its resources and military to close the distance, the relative underdevelopment of the capabilities of its Indo-Pacific partners will remain a handicap.

II. The Current State of Cyber Capabilities Among US Indo-Pacific Allies

The US State Department, in its fact sheet on the second anniversary of the 2022 Indo-Pacific Strategy, emphasized the centrality of cybersecurity to a free and open Indo-Pacific. A significant portion of the fact sheet merits quoting, as it lays out some of the key efforts and initiatives of the US, stating,

“With the Partners in the Blue Pacific, the United States launched an annual Pacific Cyber Capacity and Coordination Conference (P4C) in the Pacific Islands.  We have also held cyber dialogues with ASEAN, Japan, the ROK, and India.  We continue to train ASEAN Member States on cyberspace policy with Singapore and supported strategic planning for Thailand’s National Cybersecurity Agency through the Digital Connectivity and Cybersecurity Partnership (DCCP), we have worked closely with the governments of Timor Leste, India, and the Philippines to strengthen cyber resiliency.”[7]

The fact sheet recognizes the differences in cybersecurity capabilities between US partners and signals the intention to close these gaps through new, targeted initiatives, such as the DCCP in Thailand. As Yeo notes, “Among the different spokes in the US bilateral alliance system, the alliance consensus operated most thinly in US-Thailand relations…in contrast to some other Asian bilateral partners for whom the US alliance had become more firmly rooted in the institutions and foreign policy ideas of political elites, the alliance consensus in Thailand remained “thin.”[8] Initiatives such as the DCCP are necessary to root US security standards in Thailand’s domestic institutions and engaging the US National Cybersecurity Agency (NCA) through a multiyear partnership marks progression on this front. Furthermore, the US understands that cyberspace is uniquely permeable and that a threat actor operating within the networks and assets of one US partner can more easily penetrate the defenses of others. That explains the American commitment to expanding its network of partners and engaging multilateral institutions in the region. Although SEATO and ASEAN play a limited role in US security policy in the region, the countries engaging with each other in these multilateral fora overlap with the hub-and-spokes structure that the US uses as its primary mode of engagement, which has the potential to further domesticate and normalize cybersecurity priorities in partner states across the region.

III. Policy Recommendations for Strengthening Alliances

The United States remains the world’s greatest cyber power, especially in terms of intelligence capabilities and economic innovation. Through layered partnerships in the Indo-Pacific, the US has erected a strong scaffolding for enhanced collaboration in building up cyber defense technologies. Joint efforts in technological innovation, supply chain resilience, and infrastructure protection will further empower allies to leverage each other's strengths through existing regional architecture such as ASEAN as well as new fora such as P4C. China’s increased assertiveness in the region, especially its grey zone operations in the South China Sea, has further incentivized states to partner to mitigate vulnerabilities and form a united front to deepen overall security in the Indo-Pacific.

Cyber defense technologies are essential to protecting the supply chains of critical technologies and ensuring the resilience of critical infrastructure against cyber threats, both at home and in the Indo-Pacific. Securing digital networks and systems through military means is a necessary but not a sufficient condition for greater cybersecurity in the Indo-Pacific. The other component is economic: US treaty allies must lean into the interconnectedness of the global economy to build resilient supply chains that safeguard economic assets, maintain operational continuity, and mitigate the risk of disruptive cyber-attacks.

Among the five American treaty partners, Australia took the lead in banning the Chinese tech manufacturer Huawei from its 5G networks, after Prime Minister Malcolm Turnbull bought and studied a manual on the ins and outs of such networks.[9] Japan and New Zealand soon followed suit. Yet Chinese-manufactured components in critical infrastructure extend well beyond 5G networks. For example, the Biden Administration launched an investigation into Chinese-made cranes at US port facilities over concerns that hackers could gain remote access and thereby slow the flow of goods into and out of the US.[10] The US can begin the work of replacing Chinese-made components such as cranes by engaging the substantial manufacturing capacities of its allies in the Indo-Pacific, such as South Korea and Japan, which are global leaders in manufacturing large-scale technologies. High-tech partnerships between American and South Korean companies date back to the fierce competition between Silicon Valley and Japanese technology companies in the 1970s. Intel had partnered with Samsung to mass-produce semiconductors, then sold Samsung-made chips under its own brand to help the South Korean upstart claw market share away from rival Japanese manufacturers.[11] In this way, the economic cost of de-risking critical infrastructure by replacing, or at least matching, components made by Chinese firms with links to the Chinese regime, will be shared by allies. Moreover, such an investment will catalyze economic integration across the Pacific region. South Korea and Japan are facing the prospect of an economic slowdown, but the demand generated by the US and other partners such as Thailand, the Philippines, and Australia will invigorate their respective defense industries while keeping resources within the alliance.

The key policies for strengthening US Indo-Pacific alliances through cyber defense technologies thus include joint research funding mechanisms, technology transfer agreements, and cybersecurity training programs. Coordinated efforts such as these must follow the hub-and-spokes model: radiating out from the US but empowering individual states to take ownership of projects and capacities at home and working with neighbors to achieve interoperability between their specialized task forces across government, the military, and the private sector. The extensive use of public-private partnerships– as well as private-sector-led initiatives, such as the Cyber Defense Assistance Collaborative (CDAC) that supplies cyber assistance to Ukraine’s military on a volunteer basis– will prove indispensable to partners’ military readiness and effectiveness in addressing shared security challenges.

The establishment of joint research funding mechanisms will facilitate collaboration and innovation in cyber defense technologies.[12] By pooling resources and expertise, allies can accelerate the development and deployment of cutting-edge solutions to address shared security challenges.

IV. Japan as a Model for Defense-Driven Engagement

Japanese Prime Minister Fumio Kishida’s state visit to Washington, D.C., in April 2024 marks a departure from Japan’s traditional posture of reliance on the United States for its security needs. Indeed, Kishida joined US President Joe Biden in announcing closer military ties predicated upon larger US investment in Japan’s defense sector. When the Japanese Diet approved its 2023 budget, it agreed to a sizable 26.3% increase in defense spending over its 2022 budget, with an emphasis on investing in unmanned aerial drones, missile defense systems, a joint fighter-jet development project with Italy and the UK, as well as investment in cybersecurity.[13]

In Japan Prepare for Total War: The Search for Economic Security, 1919-1941, author Michael A. Barnhart examines how Imperial Japan came to equate economic security with the capacity to wage total war and chronicles the process by which Imperial Japan reworked its economic policies to prioritize the building up of its industrial base.[14] Today, Japan’s defense sector has grown complacent as the country relies on American military assets in the region to serve as deterrence against Chinese ambitions in the region. Such a posture might have worked before the advent of information technology, but even the most powerful military equipment cannot deter conflict in cyberspace because cyber conflicts rarely escalate into kinetic confrontations. Instead, the recent pattern has been that cyber conflict serves as an off-ramp from escalation, as evinced by Stuxnet—a sophisticated computer worm jointly developed by the US and Israel to exploit vulnerabilities in the operational technology used in Iranian nuclear facilities—and subsequent American intervention in Iran.[15]

As Takatoshi Ito, a former economics advisor to former Japanese Prime Minister Shinzo Abe, noted, pacifism is not only part of Japan's formal constitution but also part of its informal political culture.[16] He goes on to note that an emboldened North Korea and an ascendant China pose geopolitical risks for which Japan’s postwar focus on peace and soft power diplomacy will no longer suffice. Japanese policymakers have awakened to the threat; indeed, Prime Minister Fumio Kishida’s budget calls for much higher defense spending.

Public opinion shows that the Japanese public backs the increased defense spending, with 55% in support and 36% opposing the changes. Furthermore, it appears that the swing toward greater defense spending is driven by Japan’s younger generations. Anecdotally, the author visited Japan in March 2024 and observed a protest against increased defense spending. Interestingly, the author did not see a single young person protesting– it seemed that all the hundred or so protesters were elderly, belonging to the generation that was raised to be skeptical of militarism.

V. Potential Criticisms

Critics of American power in the Indo-Pacific tend to conflate the position of the US with that of Japan, its closest ally in the region. Brad Glosserman takes up this criticism and argues in Peak Japan that,

“When the global financial crisis hit in 2007, the G8 recognized the rising importance of emerging powers in the global system and elevated the Group of Twenty (G20)— formerly a technical forum to address international financial issues– to a leader-level meeting to provide global guidance. Not only does the very existence of the G20 undermine the significance of the G7…but it also threatens Japan’s ‘identity-defining position as Asia’s representative in the mechanisms of global governance… as the G20 now includes China, India, Indonesia, South Korea, and even Australia as Asian members.”[17]

This analysis fails to consider that even if Japan loses influence and prestige in Asia in the near future, the countries best positioned to gain influence at its expense are also US treaty partners. Therefore, while the form of US power projection might change, the fact of US dominance will not, so long as it modernizes its five treaty alliances in the Indo-Pacific to evolve alongside the threat posed by the rise of China.

Furthermore, the continued rise of China is not inevitable. The rhetoric around China’s rise, centered on concerns over China’s leverage over the global economy as the world’s manufacturing hub , [AH8] [A9] echoes the concerns over the power of Japan in the 1970s and 1980s. Yet, as is well documented, Japan’s economy– and, consequently, its geopolitical position– ran into trouble due to its aging population, stagnant labor productivity rates, and reduced pace of innovation. Nonetheless, if the same trends that weakened Japan take root in China, that might encourage Xi Jinping to act aggressively in the near term while Beijing possesses its demographic and economic advantages. In this, cybersecurity will prove of paramount importance.

Conclusion

In conclusion, the United States cannot abandon its indispensable role as the guarantor of Indo-Pacific security. However, the US must adapt its strategy in light of China’s economic rise and increasing technological sophistication. American policymakers can fulfill the 2022 Indo-Pacific Strategy by committing American forces and assets to modernizing the five key treaty alliances in the region and prioritizing the development and dissemination of cyber defense technologies. By engaging strategic partnerships and multilateral institutions in the region to catalyze the development and sharing of intelligence, technological expertise, and operational best practices, the United States has created favorable conditions for its bilateral partners to entrench cyber resilience, secure supply chains, and achieve digital sovereignty. All the ingredients for stability and prosperity in the Indo-Pacific region are in place, but the success of the Indo-Pacific Strategy hinges on the initiative and dedication of its partners.

Although critics might point to the weakening relative position of key allies such as Japan and wring their hands over the destabilizing security environment engendered by Russian revanchism and Chinese assertiveness, these same threats have already spurred American treaty allies to commit to modernizing their cybersecurity capabilities. As the prospect of multipolarity looms over the world, the position of the US as the incubator of critical technologies and catalyst for their deployment in achieving digital sovereignty in the Indo-Pacific remains unshakeable. Thus, greater connectivity in economics, geopolitics, and technology has not diluted American power around the world but put it at the ready disposal of those states that are most serious about achieving digital sovereignty and securing prosperity for generations to come.

 Bibliography

Barnhart, Michael A. Japan Prepares for Total War: The Search for Economic Security, 1919-1941. Ithaca: Cornell University Press, 1987.

Chang, Felix K. "Japan’s Bigger Defense Budget: Getting to Effective Deterrence." January 31, 2023. Accessed April 9, 2024. https://www.fpri.org/article/2023/01/japans-bigger-defense-budget-getting-to-effective-deterrence/

 Cybersecurity and Infrastructure Security Agency. Strategic Plan. PDF. Last modified September 12, 2022. Accessed March 23, 2024. https://www.cisa.gov/sites/default/files/2023-01/StrategicPlan_20220912-V2_508c.pdf.

Fitzpatrick, Mark. Asia’s Latent Nuclear Powers: Japan, South Korea and Taiwan. London: Routledge, 2017.

Fruhlinger, Josh. "Stuxnet Explained: The First Known Cyberweapon." CSO Online. August 31, 2022.https://www.csoonline.com/article/562691/stuxnet-explained-the-first-known-cyberweapon.html

Glosserman, Brad. Peak Japan: The End of Great Ambitions. Georgetown University Press, 2019.

Ito, Takatoshi. "The Will, but Not the Way, to Increase Japan’s Defense Budget." June 30, 2023. Accessed April 10, 2024.https://www.project-syndicate.org/commentary/japan-defense-spending-increase-new-strategic-outlook-by-takatoshi-ito-2023-06

McLaughlin, Jenna. "Chinese-made Cranes at U.S. Ports May Pose a National Security Threat." NPR, February 21, 2024. Accessed April 12, 2024. https://www.npr.org/2024/02/21/1232998691/chinese-made-cranes-at-u-s-ports-may-pose-a-national-security-threat.

 Miller, Chris. Chip Wars: The US-China Race to Dominate the Global Microchip Market. London: Simon & Schuster UK Ltd, 2022.

 United States. Congress. House. Indo-Pacific Security Supplemental Appropriations Act, H.R. 8036. 118th Cong., 1st sess. Introduced in the House April 19, 2024. https://www.congress.gov/bill/118th-congress/house-bill/8036.

US Department of State. "The United States’ Enduring Commitment to the Indo-Pacific: Marking Two Years Since the Release of the Administration’s Indo-Pacific Strategy." State.gov, February 9, 2024. Accessed April 20, 2024.https://www.state.gov/the-united-states-enduring-commitment-to-the-indo-pacific-marking-two-years-since-the-release-of-the-administrations-indo-pacific-strategy/.

Voo, Julia, Irfan Hemani, and Daniel Cassidy. National Cyber Power Index 2022. Cyber Project, Belfer Center for Science and International Affairs, Cambridge. Accessed January 20, 2024.https://www.belfercenter.org/sites/default/files/files/publication/CyberProject_National%20Cyber%20Power%20Index%202022_v3_220922.pdf. 

Yeo, Andrew. Asia's Regional Architecture: Alliances and Institutions in the Pacific Century. Stanford, CA: Stanford University Press, 2019.

ENDNOTES

[1] Andrew Yeo, Asia's Regional Architecture: Alliances and Institutions in the Pacific Century (Stanford, CA: Stanford University Press, 2019).

[2] Ibid.

[3]Mark Fitzpatrick, Asia’s Latent Nuclear Powers: Japan, South Korea and Taiwan (London: Routledge, 2017).

[4] United States. Congress. House. Indo-Pacific Security Supplemental Appropriations Act, H.R. 8036. 118th Cong., 1st sess. Introduced in House April 19, 2024.

[5] Julia Voo, Irfan Hemani, and Daniel Cassidy. National Cyber Power Index 2022. Cyber Project, Belfer Center for Science and International Affairs, Cambridge. Accessed January 20, 2024.

[6] Ibid.

[7] US Department of State. "The United States’ Enduring Commitment to the Indo-Pacific: Marking Two Years Since the Release of the Administration’s Indo-Pacific Strategy." State.gov, February 9, 2024. Accessed April 20, 2024.

[8] Yeo, Asia's Regional Architecture, 48-52.  

[9] Chris Miller, Chip Wars: The US-China Race to Dominate the Global Microchip Market (London: Simon & Schuster UK Ltd, 2022), 312.

[10] Jenna McLaughlin. "Chinese-made Cranes at U.S. Ports May Pose a National Security Threat." NPR, February 21, 2024. Accessed April 12, 2024.

[11] Miller, Chip Wars, pp 130-132.

[12] Cybersecurity and Infrastructure Security Agency. Strategic Plan. PDF. Last modified September 12, 2022.

[13] Felix K. Chang "Japan’s Bigger Defense Budget: Getting to Effective Deterrence." January 31, 2023. Accessed April 9, 2024.

[14] Michael A. Barnhart. Japan Prepares for Total War: The Search for Economic Security, 1919-1941. Ithaca: Cornell University Press, 1987.

[15] Fruhlinger. "Stuxnet Explained: The First Known Cyberweapon." CSO Online. August 31, 2022.

[16] Takatoshi Ito. "The Will, but Not the Way, to Increase Japan’s Defense Budget." June 30, 2023. Accessed April 20, 2024.

[17] Brad Glosserman, Peak Japan: The End of Great Ambitions (Washington, D.C.: Georgetown University Press, 2019).