Can ASEAN Continue to Improve Cybersecurity in the Region and Beyond?

Caitríona Heinl is an associate fellow under the NTU Singapore Cyber Risk Management Project. This material is an extract from her lecture as visiting fellow with the cyber norms program at the Leiden University Institute of Security and Global Affairs.

In the wake of the inability to achieve consensus in the 2016-2017 UN Group of Governmental Experts (GGE), policymakers are exploring how other multilateral efforts and regional activities can promote cyber stability and security. The Association of Southeast Asian Nations (ASEAN) and ASEAN Regional Forum (ARF) are often identified as venues that could help implement cyber norms, confidence building measures (CBMs), and the like in the Asia-Pacific. With Singapore holding the ASEAN chairmanship this year and its decision to prioritize cyber issues during its tenure, how can it promote this agenda successfully?

Several ASEAN countries have championed the regional process to improve international cyber stability. Malaysia and Indonesia, for example, both participated in UN GGE meetings, and Malaysia has regularly co-hosted ARF workshops focusing on the role of CBMs. Since Singapore established its Cyber Security Agency in 2015, it has become more active in ASEAN, and has launched the ASEAN Cyber Capacity Program to support cyber norms and CBMs in the region. Singapore also launched the first ASEAN ministerial meeting on cybersecurity in 2016 to identify ways to increase cooperation and continue the development of norms in ASEAN states.

The 2017 ASEAN Cybersecurity Cooperation Strategy was then agreed under Singapore’s vice-chairmanship of the ASEAN Network Security Action Council to focus on norms and a cooperation and capacity building framework. The strategy’s aim to coordinate cyber policies across the many forums in ASEAN’s political and security, economic, and socio-cultural community pillars is critical to success. However, it is expected that strategy and international cooperation matters will be examined through the Telecommunications and IT Ministers Meeting (TELMIN)—not necessarily the best venue to make progress on strategic and security issues, like norms development.

Notwithstanding these initiatives, several challenges confront ASEAN member states. First, it is often easier to make progress bilaterally or among likeminded states where ARF, ASEAN or GGE mechanisms are not wholly successful, as evidenced by the numerous memorandums of understanding (MOUs) signed recently. The United States-Singapore joint statement affirms, for example, that international law applies to state conduct in cyberspace and commits both countries to promoting voluntary norms of responsible state behavior in cyberspace. In their trilateral MOU, the United States, Japan and Australia agreed to coordinate efforts in forums like the ARF and UN GGE. Such progress could eventually extend to other parties in the region.

Second, while policymakers in the region have a much better grasp of cyber issues than in the past, their knowledge is unevenly spread, necessitating continuous awareness raising. Moreover, while the increasing number of national perspectives and experts participating in discussions is welcome, it further complicates negotiations by making it harder to find consensus.  

A third issue for ASEAN members’ plans to cooperate is the ongoing need to coordinate policymaking at national level and integrate fast-developing technologies within those policies. This is especially difficult for countries, such as Cambodia, where cybersecurity is not necessarily a major priority. In addition, there is a developmental and digital divide between ASEAN members, and adequate capacity is often lacking. Some member states might believe they do not have the capacity to commit to norms and CBMs; some have committed but are uncertain about their capacity to follow through. These uneven levels of capacity could also affect the consensus required for future progress, affecting ASEAN’s collective ability to inform the global discussion on cyber norms.

More policy-relevant academic research that provides independent analysis on concrete questions could further support this need for capacity building, while also providing potential ideas to forge progress in the region.

A fourth related challenge is ensuring that regional endeavors complement global efforts rather than increasing fragmentation. The Republic of Korea and Thailand have begun to support interregional cooperation between the Organization for Security and Cooperation in Europe (OSCE)—which already has a series of agreed upon cyber CBMs—and Asia; Thailand has also been supportive of strengthening relations between the EU and ASEAN, which could include exchanges on cybersecurity. Other examples of cooperation could include promoting more synergies between the OSCE, ARF and the Organization for American States, or an EU-ASEAN working group that could explore dual-use export controls on malware, a priority identified in their 2018-2020 action plan.

However, among other initiatives, some interregional and bilateral capacity building efforts could be hampered by incompatible state views on cyberspace governance since ASEAN states often hold different perspectives on internal stability, content control and sovereignty. This may further shape their interpretation of international cybersecurity commitments. It is unlikely that such views would affect intra-ASEAN cooperation or engagements with countries like China which continues to promote its notions of cyber sovereignty. Rather, such views could impede capacity building efforts with the EU, for example, or bilaterally with countries like Australia. Moreover, as the United States pursues a more isolationist foreign policy, China may have a freer hand to promote its views within the ASEAN region.   

Finally, another challenge is the expansion of information sharing and practical exchanges between government officials in the ASEAN region. Table top exercises, or similar practical initiatives on cyber crisis mechanisms, should become a more regular feature in ASEAN and ARF cyber events to foster trust and improve collaboration. Other activities, such as practical defense collaboration, and Singapore’s development of an online training course for policymakers with the UN Office for Disarmament Affairs, could also build capacity in the region and beyond.

Singapore is clearly committed to ASEAN members becoming more involved in the development and implementation of norms and CBMs. At the end of 2017, Singapore presented the ASEAN statement to the United Nations and it has continued its regional capacity building efforts. Although ASEAN is seized of the importance of cyber issues and the Singapore chair has ambitions for an ASEAN Single Digital Market and Smart Cities Network, there is little doubt they have their work cut out to improve cybersecurity cooperation in a fraught regional and international security environment.