Regional Cybersecurity
Moving Toward a Resilient ASEAN Cybersecurity Regime

EXECUTIVE SUMMARY

MAIN ARGUMENT

Although the importance of the ASEAN region for global cybersecurity is growing, few analyses have examined the extent of regional-level efforts to counter cross-border cyber-related incidents or addressed whether more might be done to complement national measures and facilitate international cooperation. To date, national and regional efforts to adopt comprehensive cybersecurity strategies have been slow and fragmented, reducing the security of the ASEAN region and undermining the proper functioning of markets. This article envisages greater collaboration on cyber-related challenges among ASEAN members through the adoption of new structures and novel ways of thinking that complement national initiatives and international efforts, especially in light of the creation of the ASEAN Community in 2015.

POLICY IMPLICATIONS

• The digital divide is narrowing, and the absolute number of Internet users in developing countries is now largely greater than that in developed countries. Less digitally developed countries can apply lessons from other states’ experiences. Varying levels of development and adoption of information and communications technology across ASEAN should not deter cooperation.
• Because of regional sensitivities concerning national security, cybersecurity measures supporting the aims of the ASEAN Economic and Socio-Cultural Communities are more likely to be achieved in the shorter term. Comprehensive measures would be in the shared interest of ASEAN members, benefit wider Asia-Pacific initiatives, and complement future international cooperation. Specifically, they would support the establishment of a single market and production base, bolster connectivity, and strategically enhance ASEAN’s position in the regional architecture.
• ASEAN members should develop a flexible framework to coordinate regional cooperation and further strengthen relations with dialogue partners, the international community, and the private sector on cybersecurity. Measures for consideration include a permanent coordinating mechanism, improved computer emergency response team cooperation among ASEAN members, additional training and capacity building, efforts to secure the supply chain, and deeper defense cooperation.

A number of international and regional organizations, bodies, and forums are working on cybersecurity issues. [1] Given that international cooperation is to some extent required to deal effectively with the cross-border nature of cyber-related threats, this article examines efforts in the Association of Southeast Asian Nations (ASEAN) region to counter these challenges. To date, national and regional efforts to adopt comprehensive cybersecurity strategies have been slow and fragmented. Similarly, the efforts of the ten ASEAN member states to adopt both national and comprehensive regional frameworks for cybersecurity have so far been piecemeal. [2] Because governments and institutions will be required to foresee emerging trends and adapt quickly to new realities in order to preempt cyber incidents, this article envisages greater cooperation on cybersecurity among ASEAN and its members through the adoption of new structures and novel ways of thinking that complement national initiatives and international efforts. Further, regional cooperation efforts could encourage both collective security and the greater development of national cybersecurity measures.

Cyber-related threats are creating increasingly serious risks for the global economy as well as for national and international security. The European Union (EU), for example, considers cyber threats as having the potential to reduce stability and competitiveness, [3] while the U.S. intelligence community’s worldwide threat assessment for 2013 ranks cyber threats first, ahead of terrorism, transnational organized crime, and the proliferation of WMDs. [4] This marks the first time since September 11 that international terrorism does not rank first in the U.S. intelligence community’s assessment of global threats to national security. [5]

This article finds that the current lack of cohesiveness in ASEAN’s approach to cybersecurity detracts from regional security and undermines the proper functioning of a single market. Given the body’s goal to establish the ASEAN Community by 2015, cohesive efforts to comprehensively tackle cybersecurity issues are crucial and in the shared interests of ASEAN members. The article concludes that the digital divide between developed and developing countries need not delay regional cooperation; rather, it is essential for ASEAN to enhance its overall resilience to serious cyber-related threats and collectively tackle common global cybersecurity challenges. Doing so would complement ASEAN’s ambitions to create a successful single market and production base, buttress connectivity, and strategically enhance the body’s position in the evolving regional architecture. In addition, it would support both wider regional and international cooperation on cybersecurity.

Although the ultimate objective of a comprehensive framework is a more resilient regional architecture for cybersecurity, given the limitations of ASEAN, the measures that are more likely to be attained in the shorter term are those that complement the aims of the ASEAN Economic Community and ASEAN Socio-Cultural Community.

This article is organized as follows:

pp. 135–37 examine why ASEAN is significant in terms of global cybersecurity issues.

• pp. 137-40 examine the increasing probability of cyber threats in Asia.
• pp. 141-45 address the digital divide both between ASEAN members and between ASEAN and other states.
• pp. 146-49 outline current official ASEAN documents and measures on cybersecurity.
• pp. 149-55 offer several policy options for ASEAN to create a more robust regional cybersecurity regime.

The appendices provide non-exhaustive lists of cyber incidents in the ASEAN region since 2012, official ASEAN documents related to cybersecurity, and ASEAN national computer emergency response teams (CERT).

Endnotes

[1] These organizations include the Organisation for Economic Co-operation and Development (OECD), the Organization for Security Co-operation in Europe, the EU, the Council of Europe, BRICS countries (Brazil, Russia, India, China, and South Africa), the Organization of American States, the African Union, the Asia-Pacific Economic Cooperation (APEC), the Shanghai Cooperation Organisation, the group of seven (formerly the group of eight) and the group of twenty, the United Nations, the Internet Governance Forum, the Internet Corporation for Assigned Names and Numbers, NATO, and the World Economic Forum.

[2] The ASEAN member states are Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand, and Vietnam.

[3] European Parliament Committee on Foreign Affairs, “Draft Report on Cyber Security and Cyber Defence,” June 2012, 4.

[4] James R. Clapper, “Worldwide Threat Assessment of the U.S. Intelligence Community,” statement for the record to the Senate Select Committee on Intelligence, March 12, 2013.

[5] Mark Mazzetti and David E. Sanger, “Security Leader Says U.S. Would Retaliate Against Cyberattacks,” New York Times, March 12, 2013.