May 9, 2018
Last month, heads of state gathered in Singapore for the 32nd annual ASEAN Summit to discuss a wide variety of issues—from the Code of Conduct on the South China Sea and the humanitarian crisis in Myanmar’s Rakhine State, to advancing regional economic integration and navigating geopolitical power shifts. At a time when domestic political transformations, international security flashpoints, and growing protectionism are challenging ASEAN’s unity and centrality, the leaders added a new urgent agenda issue: how the region can better collaborate on cybersecurity.
ASEAN is the world’s fastest growing internet region, with the user base forecasted to reach 480 million people by 2020. In 2016, this figure was 260 million, which translates into four million new users coming on line each month. Social media is being used by half of ASEAN’s population of 630 million, making it one the world’s largest social media markets. Of the 10 countries that are the largest users of Facebook in the world, four are in ASEAN: Indonesia, the Philippines, Vietnam, and Thailand.
Digitalization in Southeast Asia has important economic implications. By 2025, online spending could rise more than six-fold to $200 billion. Most of this consumption will be in the areas of electronics, clothing, household goods, and increased travel across the region and elsewhere. This all bodes well in terms of building a middle class and fostering job growth in the region. At the same time, there are negative sides to the transformation to a digital economy, with cyberterrorism, cyber fraud, and identity theft increasingly threatening its potential. Bad actors are working fast and creatively to wreak havoc on countries, businesses, and people. Today, the quality of a nation’s technology backbone is likely to influence its economic success.If cybersecurity is threatened, investor confidence in the ASEAN Economic Community (AEC) will begin to decay. This begs the question: Are ASEAN nations investing enough in their own cybersecurity?
A recent report from AT Kearney indicates that ASEAN states collectively spend 0.06 percent of their GDP, or just $1.9 billion, on cybersecurity. The global average is double at 0.13 percent of GDP. The report recommended that ASEAN states increase spending on cybersecurity by 0.35 to 0.61 percent of its collective GDP ($171 billion) between 2017 and 2025. It also warned that failure to make such a significant investment could end up costing the top 1,000 companies in Southeast Asia as much as $750 billion from cyber-attacks. Singapore, this year’s ASEAN chair, invested 0.22 percent of its GDP on cybersecurity in 2017, leading ASEAN and ranking third globally. By comparison, Malaysia invested 0.08 of its GDP, with the rest of ASEAN investing less than 0.04 percent.
Southeast Asia’s strategic relevance and rapidly expanding digitalization make it a prime target for cyber-attacks. ASEAN countries have already been used as launchpads for attacks, either as vulnerable hotbeds of unsecured infrastructure or as well-connected hubs from which to initiate attacks. There is also a deficiency in skilled talent to deal with cyber threats. For example, Malaysia has 6,000 cybersecurity professionals, but experts project it will need as many as 10,000 in 2020.
Given how cybersecurity threats can easily transcend national boundaries, no one country or company can counter such threats on their own. Under Singapore’s chairmanship, ASEAN is beginning to elevate cybersecurity on its regional policy agenda. But this will require addressing the right problems, investing in the right technology, and forming the right partnerships among different stakeholders.
On April 19-20, The Asia Foundation, in partnership with the United States Embassy in Singapore, convened a “Practitioners Workshop on Cybersecurity in ASEAN.” The workshop brought together representatives from civil society, the private sector, academia, and government to discuss potential solutions to the most pressing problems of regional cybersecurity cooperation in ASEAN. Participants identified discrete gaps in ASEAN’s cybersecurity landscape and opportunities for a combination of stakeholders to address them in both domestic and regional arenas. Below are four key findings and recommendations that emerged from the workshop:
- Practitioners collectively identified the ongoing problems related to measuring tangible progress on cybersecurity and the need to formulate commonly accepted global benchmarks to evaluate progress as important next steps. Since the successful prevention of potential cybersecurity attacks involves the absence, rather than the presence, of the attack, it becomes difficult to delineate a country’s progress in prevention. Similarly, there is a need for consensus on specific benchmarks and evaluative techniques to assess the methods by which a country’s cybersecurity agencies and Computer Emergency Response Teams (CERTS) are responding to cybersecurity threats. Moreover, without a common understanding of the appropriate legal punishments for criminal offences in cyberspace, the same criminal offenses are being handled in strikingly different ways by different ASEAN member states.
- Despite the inability of the fifth round of the United Nations Group of Governmental Experts on Information Security (UN GGE) to clarify norms of state behavior in cyberspace in 2017, practitioners generally agreed that formulating and adhering to agreed norms can foster greater regional cooperation and lead to a more transparent global consensus on cybersecurity threats and responses. In the absence of a UN GGE consensus document, regional actors and nation-states must continue to advance the need for and foster discourse around norms of state behavior in cyberspace. Practitioners were also cognizant of persistent cultural and intellectual misperceptions between Western countries and countries in the Asia-Pacific regarding the importance of cybersecurity and the specific methods needed to achieve progress. To this end, fostering discourse not only among Asia-Pacific governments but to bridge this East-West divide was posited as a potential way to alleviate misperceptions and facilitate common understandings regarding cybersecurity threats and responses. There may also be opportunities for governments and the private sector to craft norms governing discrete and specific cybersecurity areas such as banking or finance as the broader norms discourse evolves.
- Participants emphasized the need for greater cyber awareness and digital literacy, highlighting the milestone cyber awareness methods employed by Singapore and Malaysia, and urged leaders to consider more regional campaigns across ASEAN. For example, targeted methods such as cyber awareness comic books for children and road shows for the elderly which have been employed by Singapore’s Cybersecurity Agency, could be replicated across the region.
- Addressing the important human resource dimension of the issues, Malaysia is working to foster a new generation of cybersecurity professionals through the creation of university degrees and curricula on cybersecurity. Educational innovations of this kind—coupled with greater collaboration among universities in ASEAN member states on cybersecurity—would enhance the security of ASEAN’s digital economy and its ability to address cybersecurity risks. As the threat landscape evolves at an alarmingly rapid pace and the discourse around state norms stalls, enhanced cyber awareness and the need for cybersecurity experts in the region becomes increasingly urgent. Adopting best practices around cyber hygiene and cybersecurity education should become an immediate priority for ASEAN member states. In addition to raising the awareness and commitment of internet users, these measures will raise public confidence in the measures taken by ASEAN members states and ASEAN as a whole.
Cybersecurity attacks are very expensive for companies and countries alike. The cost of protecting data is expensive, but failure to invest sufficiently and to develop regulatory policies to counter data breaches is far more expensive in the long run and can result in a significant loss of trust in society. Despite disparities in Southeast Asian nations’ political and economic development, ASEAN must prepare itself for the challenges and economic costs associated with potential cybersecurity breaches.
John J. Brandon is senior director for The Asia Foundation’s International Relations programs in Washington, D.C. The views and opinions expressed here are those of the author and not those of The Asia Foundation or its funders.