Promoting stability in ASEAN's cyberspace

On 15 February this year, the White House, UK’s Foreign Office, Australia’s Home Affairs department and Canada’s Communications Security Establishment publicly announced they hold Russia responsible for the NotPetya ransomware attack.1  The collective attribution is a next step in the growing and deepening international tensions in cyberspace. It’s also a testament of like-minded states drawing a line in the sand about what they no longer find acceptable behaviour.

The NotPetya malware is believed to have been targeted against Ukraine, but it spread far beyond. It impacted the Maersk shipping line, American pharmaceutical Merck, Germany’s Beiersdorf, US Heritage Valley Health System and India’s largest container port JNPT, but also Russia’s own Rosneft oil company. The UK went furthest in its exclamation citing the recklessness of the Russian military in unleashing the malware and the fact that Russia unnecessarily positions itself “in direct opposition to the West”.2

The strained climate is further exemplified by moves by Western states to ban companies like Kaspersky and Huawei from their markets over national security concerns. Not necessarily citing poor performances, Western countries are concerned about the companies’ close affiliation to the governments in Moscow and Beijing and their subjection to legislation that allows authorities to compel companies to either share data or support intelligence operations.3

In the South Pacific, Australia stepped in to build a submarine telecommunications cable to Papua New Guinea and the Solomon Islands in an attempt to put off a Chinese (again Huawei) bid to do the same.4  And cyber security company FireEye reported that territorial disputes across the South China Sea between China and Philippines, Taiwan, Thailand, and South Korea are accompanied with hacking groups “stealing intelligence, including military, political, and financial services information related to the disputes”.5

The international norms debate
The current situation had a long lead-in period. In the late 1990s it was already recognised that the ICT environment may constitute a threat to international peace and security. In 1999 a resolution tabled by Russia was adopted in the UN General Assembly calling for member states “to inform the Secretary-General of their views and assessments” in relation to - inter alia - what “international principles would enhance the security of global ICT systems and help to combat information terrorism and criminality”.6 This resolution eventually formed the basis for a series of UN group of governmental experts (UNGGE)7  which looked at developing such international principles.

A more recent debate is about how international law should apply to cyberspace

The recommendations agreed to in the 2013 and 2015 reports are generally seen as framework for what states should and should not do (“norms”) and for measures that would enhance mutual confidence. The groups’ recommendations relate to, among other items, a joint responsibility for adequate information-sharing, taking responsibility for activities occurring on one’s territory, respect for human rights, and excluding critical infrastructure and computer emergency response teams (CERTs) as legitimate targets.8  A more recent debate is about how international law should apply to cyberspace.

At the level of Regional Organisations, the Organisation for Security and Cooperation in Europe (OSCE) is generally heralded as example of a regional framework for confidence-building and risk reduction in cyberspace. In 2016 the 57 participating states adopted 16 confidence-building measures that seek to minimize the risks of misperception. Building on the experiences with conventional weapons control during the Cold War, it showed consensus could be found between American, Eurasian and European states.

Officials involved at the time assert that the Association of Southeast Asian Nations (ASEAN) wasn’t far off either. In the early 2010s, the ASEAN Regional Forum (ARF) was close to an agreement on cyber confidence building measures (CBMs). The ARF is the structural dialogue between the 10 ASEAN member states9  and 17 regional actors including Russia, China, US, EU and Australia. While the ARF-27 didn’t reach consensus, the ASEAN-10 leaders kept stressing the importance of norms and CBMs. This dialogue, however, never concluded and wholehearted embracement appears to have faded. Reasons that explain this are that:

1. Apart from Indonesia (2012-13 and 2016-17), ASEAN states were never member or part of any of the UNGGEs and have therefore not been engaged in the process of developing norms;
    
2. The norms and CBMs that the UNGGEs have put forward are dominantly framed in a context of ‘international conflict’ and this may not reflect perceived concerns of the ASEAN region;
    
3. Most ASEAN states are careful to engage in international or regional debates feeling a lack of maturity to act comfortably and confidently.

Some regional experts have subsequently avowed that promoting norms and CBMs in ASEAN is like flogging a dead horse. Is that right? Or are changing geopolitical and economic dimensions leading to new calculations?

The ASEAN region
Evidently, the global power struggle does not escape the ASEAN region and countries in South-East Asia are being pulled in different directions. Economically, they embrace the liberal economic order of free trade with growth prospects looking quite positive. The Economist notes that with an average growth rate of 5% GDP the region’s 625 million people are “growing richer and better educated; they will live longer, healthier and more prosperous lives than their parents”.10  Other projections for 2050 show Indonesia becoming the 4th largest economy and ASEAN’s economy growing to the size of the EU’s.

China’s political vision of cyber sovereignty is particularly attractive to many ASEAN countries

Yet, ASEAN’s economic growth, and in particular the digital economy, is greatly influenced by external forces: capital from China, Japan, US, Japan, Korea, EU-28 and Australia.11  These market forces come with certain values over expected behaviour in cyberspace.

China’s political vision of cyber sovereignty is particularly attractive to many ASEAN countries. This concept rests on the state’s prerogative to, within its own borders, forego the internet’s free, open and secure character for national security reasons; the deliberate manipulation of internet industries for political-security objectives; and advocating a central role for the United Nations in global internet governance.12

If we assume that South East Asia may be the battleground for the future direction of cyberspace13 , it is worthwhile looking at the region’s fractures. This then may present a compelling case for stepping up investments in norms and CBMs.

Factors of cyber instability
The annual Cyber Maturity in the Asia-Pacific Region report by the Australian Strategic Policy Institute provides for one of the few metrics that assesses individual countries’ cyber capabilities. An aggregation of the 2017 country profiles for the 10 ASEAN countries suggest several drivers of instability:14

1. Governments in South-East Asia rely on legislation that compounds overall freedom of expression and free media with the aim of suppressing popular dissent and political opposition as well as fake news, hoaxes and spread of (violent) radicalism. Given the region’s interconnectedness, censorship issues could easily transcend physical and digital borders.
    
2. With the region’s populace coming online at great speed, the intensified access to, and use of social media outlets will continue to challenge content controllers. Moves to stronger controls may clash with popular demands for more transparency and availability of information.
    
3. States recognise the potential that cyberspace brings for economic growth. One national digital growth strategy trumps the other in ambitions and expectations of GDP growth. With scarce human and financial resources, the ASEAN countries may well end up in competition with one another for foreign investments.
    
4. Infrastructure and connectivity still greatly diverge between states like Singapore, Malaysia and Philippines, and Lao, Cambodia and Myanmar. The same schism can be observed in connectivity terms: 86% in places like Singapore, Brunei and Kuala Lumpur and only 26% for Lao and Myanmar.15  The data breach of one of Singapore’s main health provider this July serves as one of the latest examples.16
5. On the military front, some states have taken deliberate and accountable steps towards developing military capabilities (Singapore, Malaysia, Thailand, Philippines); others haven’t disclosed any information but are suspected of using military cyber tools for domestic purposes (Myanmar, Vietnam); and a few have not yet stepped into this area at all (Lao, Cambodia, Brunei). Different expectations can easily fuel distrust and fear.
    
6. In fighting cybercrime, the level-playing field is more equal with capabilities emerging across the region. Some local police forces are effectively taking part in international operations but cybercrime as a multi-billion business is ramping up across the region.
    
7. CERT capabilities17  have matured over the last years. Technical teams have been stood up with support from actors like Japan, China and Singapore.

To sum up, the ASEAN region is vulnerable on a few fronts. These identified fractures could be levered by greater powers to pull ASEAN nations into their camp.

How is ASEAN responding?
In 2016, Singapore took the initiative for a meeting of ministers responsible for ICT and cyber security. Up until then, cyber issues were dealt with in siloes, like cybercrime issues in the ASEAN Ministerial Meeting on Transnational Crime (AMMTC), cyber defence issues in the ASEAN Defence Ministerial Meeting (ADMM) and regulatory, censorship and standards issues in the ASEAN Telecommunications and IT Ministers Meeting (TELMIN).

The 2017 meeting of ICT and cyber security ministers, during Singapore Cyber Week, produced a chairman’s statement (though not a collective declaration or Ministers’ statement) highlighting “the need for ASEAN to take a holistic and more coordinated approach”. It also states that “the promotion of international voluntary cyber norms of responsible State behaviour was important for cultivating trust and confidence and the eventual development of a rules-based cyberspace”. The participants also noted (and thus not embrace, endorse or commit to) the UNGGE recommendations of 2015.

The city-state clearly positions itself as a leader in fostering a rules-based cyber order in the region, without taking a too prominent role and avoiding choosing sides between major powers such as India, China, Russia and the US. More recently, Malaysia, Thailand and Indonesia started looking for their place in the debate. While these states seem impeded by contested domestic situations at the moment and a historical hesitance to take strong positions, their leadership is critical for a regional framework for cyber stability. The ARF seems currently bogged down in a process of an “open-ended study group” studying and discussing potential confidence-building measures.

A way ahead for Cyber CBMs in the ASEAN region?
Is promoting stability in ASEAN’s cyberspace flogging a dead horse? The conclusion here is that it’s not and that it can’t be. If ASEAN governments want to capitalise on emerging opportunities that the digital environment brings, preserve stability in the region and be a constructive global actor, a few things need to happen:

• The ASEAN states need to be included in the ongoing global debates about international cyber norms. The region may be well placed to bridge the Sino-Russian efforts and those of the West. It’s in the interest of all to enable ASEAN to play its role;
   
• But first, the ASEAN states need to develop an understanding of how the UNGGE recommendations address the concerns and issues of the region in order to make a stronger business case for their application in South-East Asia;
   
• And then, a discussion needs to start on how ASEAN’s guiding principle of non-interference can be matched with demands for considerations of sovereignty in cyberspace on the one hand and principles of a free, open and secure plus neutral and global internet on the other hand.

All of this may be fostered when a far larger constituency of government experts, civil society advocates, academic researchers and think-tankers are enabled to bring alternative sources of policy, examine political, economic and tech developments, and provide on-the-ground support where needed.18

• 1ZDNet: "Australia also points finger at Russia for NotPetya" (15 February 2018) 
• 2Gov.uk: "Foreign office minister condemns Russia for NotPetya attacks" (15 February 2018)
• 3See ASPI:"Huawei lessons from the United Kingdom (25 July 2018)  and ASPI: "Huawei highlights China's expansion dilemma: espionage or profit" (15 June 2018)
• 4ABC: "PNG to get new Australia-funded undersea internet cable" (13 November 2017)
• 5 Report by FireEye: Territorial Disputes Lead to Cyber Attacks
• 6United Nations, Resolution adopted by the General Assembly: "Developments in the field of information and telecommunications in the
  context of international security"
• 7Since its 2006 mandate, there have been three conclusive UNGGE groups (2009-10; 2012013l 2014-15) and two inconclusive (2004-5; 2016-17). Each group had varying memberships. Initially participation was limited to 15 States, it later expanded to 20 in order to equitably represent the UN’s global membership. Experts sitting on the GGE tend to come from the State’s diplomatic services (often the International Security departments) and ministries for ICT or Telecommunications.
• 8The UNGGE reports, including the 2013 and 2015 reports, can be found here
• 9ASEAN Member States are: Indonesia, Philippines, Thailand, Malaysia, Myanmar, Singapore, Lao, Vietnam, Cambodia and Brunei Darussalam.
• 10Economist, "South-East Asia's future looks prosperous, but illiberal" (22 July 2017)
• 11Top ten ASEAN trade partner countries/regions, 2015
• 12Foreign Brief, Cyber sovereignty: the Sino-Russian authoritarian model (15 September 2017) and Council on Foreign Relations, Year in Review: Chinese Cyber Sovereignty in Action 8 January 2018
• 13See for example: Stratfor Worldview, China's Tech Giants Are Racing the West Into Southeast Asia (20 March 2018)
• 14ASPI, Cyber Maturity in the Asia Pacific Region 2017 (12 December 2017)
• 15Broadband Broadband Infrastructure Infrastructure in the ASEAN-Region[/fn>
• A general lack of transparency in data security leads to complacency among government and business leaders, while at the same time exposure to vulnerabilities increases.Marsh & McLennan Companies, Cyber Risk in Asia-Pacific, the case for greater transparency (2017)
• 16The Straits Times, Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore's worst cyber attack (20 July 2018)
• 17CERTs (Computer Emergency Response Teams) refer to teams of computer security experts tasked with handling incidents. Most states have a national (government) CERT, but each larger organization tends to have its own computer response team. CERTs work together internationally without political, cultural or religious imperatives.
• 18Sydney recommendations on Practical Futures for Cyber Confidence Building in the ASEAN region. ASPI 2018 (forthcoming).