Promoting stability in ASEAN's cyberspace
Analysis Security & Defence

Promoting stability in ASEAN's cyberspace

23 Aug 2018 - 12:40
Photo: Flickr - West Point
Back to archive

On 15 February this year, the White House, UK’s Foreign Office, Australia’s Home Affairs department and Canada’s Communications Security Establishment publicly announced they hold Russia responsible for the NotPetya ransomware attack.1  The collective attribution is a next step in the growing and deepening international tensions in cyberspace. It’s also a testament of like-minded states drawing a line in the sand about what they no longer find acceptable behaviour.

The NotPetya malware is believed to have been targeted against Ukraine, but it spread far beyond. It impacted the Maersk shipping line, American pharmaceutical Merck, Germany’s Beiersdorf, US Heritage Valley Health System and India’s largest container port JNPT, but also Russia’s own Rosneft oil company. The UK went furthest in its exclamation citing the recklessness of the Russian military in unleashing the malware and the fact that Russia unnecessarily positions itself “in direct opposition to the West”.2

The strained climate is further exemplified by moves by Western states to ban companies like Kaspersky and Huawei from their markets over national security concerns. Not necessarily citing poor performances, Western countries are concerned about the companies’ close affiliation to the governments in Moscow and Beijing and their subjection to legislation that allows authorities to compel companies to either share data or support intelligence operations.3

In the South Pacific, Australia stepped in to build a submarine telecommunications cable to Papua New Guinea and the Solomon Islands in an attempt to put off a Chinese (again Huawei) bid to do the same.4  And cyber security company FireEye reported that territorial disputes across the South China Sea between China and Philippines, Taiwan, Thailand, and South Korea are accompanied with hacking groups “stealing intelligence, including military, political, and financial services information related to the disputes”.5

The international norms debate
The current situation had a long lead-in period. In the late 1990s it was already recognised that the ICT environment may constitute a threat to international peace and security. In 1999 a resolution tabled by Russia was adopted in the UN General Assembly calling for member states “to inform the Secretary-General of their views and assessments” in relation to - inter alia - what “international principles would enhance the security of global ICT systems and help to combat information terrorism and criminality”.6 This resolution eventually formed the basis for a series of UN group of governmental experts (UNGGE)7  which looked at developing such international principles.

A more recent debate is about how international law should apply to cyberspace

The recommendations agreed to in the 2013 and 2015 reports are generally seen as framework for what states should and should not do (“norms”) and for measures that would enhance mutual confidence. The groups’ recommendations relate to, among other items, a joint responsibility for adequate information-sharing, taking responsibility for activities occurring on one’s territory, respect for human rights, and excluding critical infrastructure and computer emergency response teams (CERTs) as legitimate targets.8  A more recent debate is about how international law should apply to cyberspace.

At the level of Regional Organisations, the Organisation for Security and Cooperation in Europe (OSCE) is generally heralded as example of a regional framework for confidence-building and risk reduction in cyberspace. In 2016 the 57 participating states adopted 16 confidence-building measures that seek to minimize the risks of misperception. Building on the experiences with conventional weapons control during the Cold War, it showed consensus could be found between American, Eurasian and European states.

Officials involved at the time assert that the Association of Southeast Asian Nations (ASEAN) wasn’t far off either. In the early 2010s, the ASEAN Regional Forum (ARF) was close to an agreement on cyber confidence building measures (CBMs). The ARF is the structural dialogue between the 10 ASEAN member states9  and 17 regional actors including Russia, China, US, EU and Australia. While the ARF-27 didn’t reach consensus, the ASEAN-10 leaders kept stressing the importance of norms and CBMs. This dialogue, however, never concluded and wholehearted embracement appears to have faded. Reasons that explain this are that:

  1. Apart from Indonesia (2012-13 and 2016-17), ASEAN states were never member or part of any of the UNGGEs and have therefore not been engaged in the process of developing norms;
  2. The norms and CBMs that the UNGGEs have put forward are dominantly framed in a context of ‘international conflict’ and this may not reflect perceived concerns of the ASEAN region;
  3. Most ASEAN states are careful to engage in international or regional debates feeling a lack of maturity to act comfortably and confidently.
ARF Workshop on cyber security for the ASEAN-countries. Source: Flickr / Ministry of Foreign Affairs Malaysia

Some regional experts have subsequently avowed that promoting norms and CBMs in ASEAN is like flogging a dead horse. Is that right? Or are changing geopolitical and economic dimensions leading to new calculations?

The ASEAN region
Evidently, the global power struggle does not escape the ASEAN region and countries in South-East Asia are being pulled in different directions. Economically, they embrace the liberal economic order of free trade with growth prospects looking quite positive. The Economist notes that with an average growth rate of 5% GDP the region’s 625 million people are “growing richer and better educated; they will live longer, healthier and more prosperous lives than their parents”.10  Other projections for 2050 show Indonesia becoming the 4th largest economy and ASEAN’s economy growing to the size of the EU’s.

China’s political vision of cyber sovereignty is particularly attractive to many ASEAN countries

Yet, ASEAN’s economic growth, and in particular the digital economy, is greatly influenced by external forces: capital from China, Japan, US, Japan, Korea, EU-28 and Australia.11  These market forces come with certain values over expected behaviour in cyberspace.

China’s political vision of cyber sovereignty is particularly attractive to many ASEAN countries. This concept rests on the state’s prerogative to, within its own borders, forego the internet’s free, open and secure character for national security reasons; the deliberate manipulation of internet industries for political-security objectives; and advocating a central role for the United Nations in global internet governance.12

If we assume that South East Asia may be the battleground for the future direction of cyberspace13 , it is worthwhile looking at the region’s fractures. This then may present a compelling case for stepping up investments in norms and CBMs.

Factors of cyber instability
The annual Cyber Maturity in the Asia-Pacific Region report by the Australian Strategic Policy Institute provides for one of the few metrics that assesses individual countries’ cyber capabilities. An aggregation of the 2017 country profiles for the 10 ASEAN countries suggest several drivers of instability:14

  1. Governments in South-East Asia rely on legislation that compounds overall freedom of expression and free media with the aim of suppressing popular dissent and political opposition as well as fake news, hoaxes and spread of (violent) radicalism. Given the region’s interconnectedness, censorship issues could easily transcend physical and digital borders.
  2. With the region’s populace coming online at great speed, the intensified access to, and use of social media outlets will continue to challenge content controllers. Moves to stronger controls may clash with popular demands for more transparency and availability of information.
  3. States recognise the potential that cyberspace brings for economic growth. One national digital growth strategy trumps the other in ambitions and expectations of GDP growth. With scarce human and financial resources, the ASEAN countries may well end up in competition with one another for foreign investments.
  4. Infrastructure and connectivity still greatly diverge between states like Singapore, Malaysia and Philippines, and Lao, Cambodia and Myanmar. The same schism can be observed in connectivity terms: 86% in places like Singapore, Brunei and Kuala Lumpur and only 26% for Lao and Myanmar.15  The data breach of one of Singapore’s main health provider this July serves as one of the latest examples.16
  5. On the military front, some states have taken deliberate and accountable steps towards developing military capabilities (Singapore, Malaysia, Thailand, Philippines); others haven’t disclosed any information but are suspected of using military cyber tools for domestic purposes (Myanmar, Vietnam); and a few have not yet stepped into this area at all (Lao, Cambodia, Brunei). Different expectations can easily fuel distrust and fear.
  6. In fighting cybercrime, the level-playing field is more equal with capabilities emerging across the region. Some local police forces are effectively taking part in international operations but cybercrime as a multi-billion business is ramping up across the region.
  7. CERT capabilities17  have matured over the last years. Technical teams have been stood up with support from actors like Japan, China and Singapore.

To sum up, the ASEAN region is vulnerable on a few fronts. These identified fractures could be levered by greater powers to pull ASEAN nations into their camp.

How is ASEAN responding?
In 2016, Singapore took the initiative for a meeting of ministers responsible for ICT and cyber security. Up until then, cyber issues were dealt with in siloes, like cybercrime issues in the ASEAN Ministerial Meeting on Transnational Crime (AMMTC), cyber defence issues in the ASEAN Defence Ministerial Meeting (ADMM) and regulatory, censorship and standards issues in the ASEAN Telecommunications and IT Ministers Meeting (TELMIN).

Cybersecurity council in the ASEAN-region. Source: Flickr / Anton Muhajir

The 2017 meeting of ICT and cyber security ministers, during Singapore Cyber Week, produced a chairman’s statement (though not a collective declaration or Ministers’ statement) highlighting “the need for ASEAN to take a holistic and more coordinated approach”. It also states that “the promotion of international voluntary cyber norms of responsible State behaviour was important for cultivating trust and confidence and the eventual development of a rules-based cyberspace”. The participants also noted (and thus not embrace, endorse or commit to) the UNGGE recommendations of 2015.

The city-state clearly positions itself as a leader in fostering a rules-based cyber order in the region, without taking a too prominent role and avoiding choosing sides between major powers such as India, China, Russia and the US. More recently, Malaysia, Thailand and Indonesia started looking for their place in the debate. While these states seem impeded by contested domestic situations at the moment and a historical hesitance to take strong positions, their leadership is critical for a regional framework for cyber stability. The ARF seems currently bogged down in a process of an “open-ended study group” studying and discussing potential confidence-building measures.

A way ahead for Cyber CBMs in the ASEAN region?
Is promoting stability in ASEAN’s cyberspace flogging a dead horse? The conclusion here is that it’s not and that it can’t be. If ASEAN governments want to capitalise on emerging opportunities that the digital environment brings, preserve stability in the region and be a constructive global actor, a few things need to happen:

  • The ASEAN states need to be included in the ongoing global debates about international cyber norms. The region may be well placed to bridge the Sino-Russian efforts and those of the West. It’s in the interest of all to enable ASEAN to play its role;
  • But first, the ASEAN states need to develop an understanding of how the UNGGE recommendations address the concerns and issues of the region in order to make a stronger business case for their application in South-East Asia;
  • And then, a discussion needs to start on how ASEAN’s guiding principle of non-interference can be matched with demands for considerations of sovereignty in cyberspace on the one hand and principles of a free, open and secure plus neutral and global internet on the other hand.

All of this may be fostered when a far larger constituency of government experts, civil society advocates, academic researchers and think-tankers are enabled to bring alternative sources of policy, examine political, economic and tech developments, and provide on-the-ground support where needed.18


Bart Hogeveen
Analyst working with the International Cyber Policy Centre in Australia