Quad and Cybersecurity

The Tokyo Summit of the Quadrilateral Security Dialogue, the ‘Quad’, was held on 24 May, 14 months after the first Summit-level meeting held in March 2021. Apart from pledging to advance ‘a common vision of free and open Indo-Pacific through practical cooperation on diverse 21st century challenges’, and ‘uphold the international rules-based order …’, the Quad also highlighted issues like global health security, climate change, critical and emerging technologies, and cyber and space security.1 An assessment of Quad’s cybersecurity initiatives indicate that they are designed keeping into consideration cyber threats from China as well as the Quad’s emphasis on ‘cyber resilience’ rather than on ‘offensive cyber capabilities, which is a more robust way to tackle widespread cybersecurity challenges in the Indo-Pacific.

Quad’s Cybersecurity Initiatives

At the Tokyo Summit, Quad leaders recognised the urgent need for a ‘collective approach to enhancing cybersecurity’ through initiatives like Quad Cybersecurity Partnership guided by the 10 Joint Cyber Principles2 , the first-ever Quad Cybersecurity Day, information-sharing among Quad countries’ Computer Emergency Response Teams (CERTs), and improving software and Managed Service Provider (MSP) security by coordinating cybersecurity standards for Quad governments’ procurement of software.

The Quad’s progress on cybersecurity issues has been encouraging since the September 2021 Summit meeting in Washington, where the members pledged to ‘facilitate public–private cooperation and demonstrate in 2022 the scalability & cybersecurity of open, standard-based technology’. The Quad Senior Cyber Group was also launched then.3 Experts met on 25 March 2022 to discuss strategies to improve cybersecurity in an increasingly digital world with sophisticated cyber threats.4 During the February 2022 Foreign Ministers’ Meeting, Quad members reiterated their support for ASEAN neighbours to ‘build resilience and counter disinformation’ while developing coordinated efforts to assist Indo-Pacific partners to address the growing threat of ransomware and capability-building to counter cybercrime.5

Each of these initiatives indicates implicitly the critical security challenges Quad members face, and an understanding of practical deliverables. The Quad Cybersecurity Partnership aims to build resilience to address cybersecurity vulnerabilities and cyber threats by focusing on critical infrastructure protection (led by Australia), supply-chain resilience and security (led by India), workforce development and talent (led by Japan), and software security standards (led by the US). This targeted approach is coherent with the cyber threat trend and patterns in 2021 where multiple ransomware attacks on critical infrastructure led to supply-chain related disruptions all across the world.6

CERTs are nodal agencies that collect, analyse and disseminate information on cyber incidents; take emergency measures and coordinate handling of cybersecurity incidents; forecast and alert cybersecurity incidents and issue guidelines, advisories, and vulnerability reports of information security. Information-sharing and exchange of best practices will help Quad members’ CERTs to develop a comprehensive and trust-based strategy for all stakeholders.

The US government and the Five Eyes intelligence partners—the UK, Australia, Canada, and New Zealand—issued a joint advisory in March 2022 warning about the ‘increasing cyberattacks by nation-state threat actors’ against managed service providers (MSPs). A MSP is a third-party organisation that maintains a customer’s IT infrastructure and end-user systems from a remote location. Because MSPs have privileged access to their customers’ networks at all times, successful cyberattacks against them can be disastrous.7 Hence, Quad’s attention to MSPs’ security is linked to safeguarding software product supply chains from cyberattacks, especially ransomware attacks as witnessed in 2021.8 Three of the Quad members—India, the US and Japan—were also victims of the 2018 compromise of the MSPs that severely affected the software product supply chains all around the world, an attack that originated from China.9

The Cybersecurity Day campaign is an effort to strengthen cybersecurity awareness and promote action on cybersecurity for countries across the Indo-Pacific and beyond. This will enable Quad members to push for the UN Voluntary Framework for Responsible State Behaviour in Cyberspace for norm-building and the promotion of ‘international peace and stability in cyberspace, and to help build the capacity of regional countries’.10

Critical and Emerging Technologies Initiatives

While there is a different working group for Critical and Emerging Technologies, many of its initiatives on 5G supplier diversification, semiconductor supply chains, and global technical standards have a direct impact on cybersecurity. At the Tokyo Summit, Quad members launched the Common Statement of Principles on Critical Technology Supply Chains to enhance supply chain resilience.11

The push for having a diverse, competitive and reliable market for semiconductors is due to the complexity of the semiconductor supply chain management, which increases the chances of tampering.12 While China accounts for only 6 per cent of the total value of the global semiconductor supply chain,13 it is China’s manufacturing base and hold on Rare Earth Metals14 which is troublesome for the safety of the semiconductor supply chain.

Further, for the pursuit of ‘open and secure telecommunications technologies’ in the Indo-Pacific, the Quad members have committed to Open Radio Access Network (O-RAN) Track 1.5 dialogues with the industry stakeholders. These dialogues will also include a Memorandum of Cooperation in 5G Supplier Diversification, cooperation between Quad for ‘technical exchanges and testbed activity to advance interoperability and telecommunications cybersecurity’.15

The Prague Proposals on Telecommunication Supplier Diversity16 recognises the need for a successful transition to 5G and beyond. This can be achieved through O-RAN interfaces where interoperability standards between suppliers’ equipment are supported, and network flexibility is provided at a lesser cost. The O-RAN standards aim to break the RAN market’s monolithic nature, where a handful of RAN suppliers offer exclusive equipment and software.17

While there are some cybersecurity concerns pertaining to 5G,18 in comparison to previous generation networks, O-RAN 5G networks might offer greater security and subscriber privacy. As the technology shifts from centralised core and RAN to distributed, virtual networks, security will become more agile and layered.19 Quad’s focus on 5G Supplier Diversification and Open RAN is due to the security threat from Chinese telecommunications companies like Huawei and ZTE that have invested heavily in the development of global 5G standards and have a sizable number of 5G patents.20 It is pertinent to note that many countries have banned Huawei and ZTE 5G equipment.21

While standardisation and promotion of open-source technologies in 5G technologies is the Quad’s focus, it is also committed to cooperation in international standardisation organisations like International Telecommunication Unit (ITU) and Telecommunication Standardization Bureau (TSB) through the newly established International Standards Cooperation Network (ISCN).22 Quad’s attention to this initiative is due to China’s assertive international standards promotion strategy and its China Standards 2035 project,23 which has cybersecurity implications. China’s advocacy for cyber sovereignty has aided the country’s elevation as a ‘great cyber power’ as it focuses on controlling norms, information, data, next-generation technology and standards.24

Recognising that the above-discussed initiatives require collaboration with academia and the industry to foster innovation in these technologies, Quad has launched the Quad Fellowship and Quad Investor Network. The Quad Fellowship intends to bring 100 students from Quad countries to the US each year to pursue graduate degrees in STEM (Science, Technology, Engineering and Mathematics) subjects. This will help develop a talented cohort of next-generation STEM leaders who will lead in cutting-edge research and innovation.25 The Quad Investor Network aims to seek funding for critical and emerging technologies within and across the Indo-Pacific, by engaging with an independent consortium of investors.26

Conclusion

While many cyber threat actors are operating in the Indo-Pacific, the attacks from China are particularly politically motivated. Chinese-based actors have indulged in nearly 200 cyber operations since 2005, primarily against the US.27 China has also perpetrated cyber-espionage operations against all Quad members to gain access to critical information. Due to China’s Civil–Military Fusion initiatives, select Chinese universities and research centres in association with Chinese military have been directly involved in these aggressive and successful cyber-espionage operations.28

The Quad’s approach to strengthen cyber resilience through its various initiatives is essential to mitigate such threats. Quad’s ‘practical cooperation’ approach is an attempt to solve existing cybersecurity challenges that affect millions of people in the region and beyond. The Quad has indeed cautiously carved out a practical and cooperative agenda on issues of cyber security.

Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.