What the world can learn from ASEAN’s cyber cooperation

By Amit Roy Choudhury

ASEAN Ministers meet at the Singapore International Cyber Week amidst calls for more cooperation to tackle sophisticated cyber threats.

International cooperation in cybersecurity has been recognised as the only long-term solution to the global menace of malicious hacking that has, over the past year or so, claimed several high-profile victims. Ransomware, advanced persistent threats (APT) and distributed denial of services (DDoS) attacks, to name a few, have gone up exponentially with the rapid digitalisation induced by the ongoing Covid-19 pandemic.

Multilateral efforts, under the auspices of the United Nations (UN), to craft binding international laws against cybercrime have been ongoing for close to 20 years. While some progress has been made, there is still no light at the end of the tunnel due to geopolitical reasons.

Talked about in hushed tones for many years, there is greater acknowledgement today that the biggest impediment to a UN convention on the safe use of cyberspace, similar to, for example, the Law of the Sea Convention (LOSC), is that many countries see cyberattacks as a potential tool of state policy. They are hence reluctant to commit to binding agreements on law enforcement action against hackers who may be identified as operating from their soil.

In such circumstances, many countries have decided that, instead of getting into waiting for Godot situation for a comprehensive worldwide agreement to curb cyber attacks, it would better concentrate on regional and bilateral agreements on cyber cooperation. Singapore has been an active proponent of this approach and so has ASEAN.

Cyber cooperation in ASEAN

Over the past few years, the ASEAN region has shown the way forward on how to build a regional cybersecurity cooperation framework. ASEAN is the only regional organisation to have subscribed, in principle, to the UN’s 11 voluntary, non-binding norms of responsible state behaviour in cyberspace.

It is within this backdrop that this year’s ASEAN Ministerial Conference on Cybersecurity (AMCC), held as part of the Singapore International Cyber Week (SICW) and GovWare event, earlier this month, elicited considerable interest among cybersecurity industry watchers around the world. Many global experts think that the ASEAN cybersecurity cooperation model can be a good benchmark for other regional groupings to follow.

Regional training centre

One of the highlights of this year’s AMCC was the opening of a training centre in Singapore for ASEAN national teams responding to cyber-security incidents. This is part of the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE) which seeks to strengthen cybersecurity strategy development, legislation and research capabilities of all ASEAN nations.

In her keynote address at the AMCC, Josephine Teo, Singapore’s Minister for Communications and Information, noted that with increased digitalisation and reliance on digital services, it has become very important to safeguard the resilience of national networks.

Pointing to the spate of high-profile cyberattacks in recent months, the Minister stressed the need for international cooperation to build a consensus on the “rules, norms, principles and standards governing cyberspace”.  She added that such efforts would help in ensuring that nations behave responsibly in their use of tech, “so we can achieve an open, secure, and interoperable ICT environment”.

Teo added that Singapore welcomed the successful conclusion of two UN processes this year – the Open-Ended Working Group (OEWG) and Group of Governmental Experts (GGE) as these processes have contributed to the rules-based order, “which we all benefit from”.

Noting that despite all this, malicious cyber threat actors will continue to enhance their modus operandi to bypass defences, she added: “We cannot afford to lose momentum”.  In this context, the Minister called on the ASEAN Member States (AMS) to work together on three tracks – cyber strategy, cyber ops-tech collaboration, and cyber capacity building.

Teo noted that the first ASEAN Cybersecurity Cooperation Strategy from 2017-2020 provided a roadmap for regional cooperation to achieve a safe and secure ASEAN cyberspace. There was a need to update that strategy to address the evolving challenges, the Minister said and added that Singapore was happy to take the lead in this.

Updated strategy

According to the Minister, the updated strategy should place a stronger focus on initiatives to support the establishment of the rules-based order in cyberspace and ASEAN’s Digital Masterplan 2025.

This would involve moving forward on five action-oriented aspects: advancing cyber readiness cooperation; strengthening regional cyber policy coordination; enhancing trust in cyberspace; enhancing regional capacity building; and strengthening international cooperation.

Talking about the cyber ops-tech collaboration, Teo noted that recent global supply chain attacks (like the SolarWinds cyberattack) have shown that the compromise of trusted software can affect many users downstream.  “Swift sharing of threat information is essential so that we gain a head-start to mitigate cyber-attacks,” she said.

The Minister also mentioned that another way to safeguard systems and networks was through technical standards development and implementation.  “Often, we are forced into a reactive position when dealing with cyber incidents. We would rather be proactive on cybersecurity, by making our systems, networks, and devices secure by design”, she said.

This can be done, the Minister explained, by working with countries and the private sector to develop and implement technical, objective cybersecurity standards in technologies like 5G and IoT devices.

The Minister added capacity building has to be a priority for the region as this was the bedrock supporting States toward the implementation of the norms of responsible State behaviour in cyberspace.

Embracing transformation

The ASEAN Secretary-General, Lim Jock Hoi, said the region will have to embrace digital transformation and work towards building a regional community. To do that, he added, there was a need for a coordinated approach to cybersecurity.

Echoing the points raised by Minister Teo, Lim added that the development of a regulatory and policy framework on cybersecurity for the ASEAN region was essential. This would entail the development of cybersecurity standards and best practices that ensure interoperability across the region, and further support the secure and trusted use of digital technologies. This would then help in the integration of the ASEAN economy, he shared.

Lim said ASEAN would collaborate with the international community and play its role in developing rules-based cyberspace. Minister Teo added that AMS should actively contribute to the cyber stability framework and collectively identify key issues of regional interest to value-add to the UN conversation.

Amit Roy Choudhury, a media consultant, and senior journalist writes about technology for GovInsider.