Internet penetration and the rapid digitization of Southeast Asian economies have ushered in growing cybersecurity risks, whose trans-border nature requires inter-governmental collaboration. However, ASEAN countries have not been able to craft a multilateral framework to complement existing mutual assistance treaties. Whether ASEAN countries can achieve a collaboration mechanism against cyber crime will have profound implications for building regional cyber resilience and strengthening ASEAN’s global impact in its second 50 years.
Cyberspace not only brings new types of crimes targeting the confidentiality, integrity, and availability of data, but also exacerbates traditional trans-border crimes, such as human trafficking, drug dealing, and piracy. Cyber crime investigations cannot proceed without expedited access to needed information. Cyber criminals often launch attacks through machines in third countries, thus exploiting the uneven landscape of cyber laws across countries.
The only existing multilateral treaty addressing computer crime is the Budapest Convention on Cybercrime, proposed by the Council of Europe in 2001. Despite the Philippines’ having committed to the treaty, none of the ASEAN countries has signed. Russia, China, India, and Brazil also refused to sign, citing the inappropriateness of Article 32, which permits extraterritorial searches. A dense network of bilateral mutual legal assistance treaties exists, but often turn out to be dreadfully inconvenient due to the difficulty of extradition and trans-border investigations.
ASEAN countries have made other efforts to address cyber threats. Singapore has committed S$10 million in the next five years to the new ASEAN Cyber Capacity Program to help the region build cybersecurity capacities. ASEAN’s Telecommunications and Information Technology Ministers Meeting (TELMIN) in 2016 also marked a leap forward in taking collective actions to address cyber threats. ASEAN unity was evident in the TELMIN joint statement. The ministers praised ongoing programs between ASEAN and observer states on capacity building, information sharing, and cybersecurity awareness. However, these measures focused on non-legal means, and fell short of establishing credible deterrence against cyber crime through legal cooperation.
The grouping’s consensus-based principle and personal diplomacy — the “ASEAN Way” — ensured ASEAN solidarity in overcoming Cold War geopolitical challenges. Yet, as the organization moves from geopolitical and economic partnerships to an supranational polity, ASEAN will need to overcome intra-bloc differences. The decline of charismatic leadership, embodied in past leaders like Lee Kuan Yew of Singapore and Suharto of Indonesia, will demand a higher degree of ASEAN institutionalization over personal diplomacy. The 2007 Convention on Counterterrorism and the 2015 Convention against Trafficking in Persons are positive signs of ASEAN’s institution-building efforts. In the next 50 years, collective efforts may be extended to address a well-defined set of cyber crime issues.
Pursuing an ASEAN-initiated multilateral regime on cybercrime will bring tangible benefits, operationally and strategically, to Southeast Asia and beyond. The first is to mitigate negative externalities of U.S.-China strategic competition. As Kishore Mahbubani and Jeffery Sng warned in their book, The ASEAN Miracle, great power competition may tear ASEAN apart, if not handled wisely. This great power competition extends to the cyber realm.
China tenaciously upholds cyber sovereignty and aims to push cybersecurity pacts through inter-governmental bodies; the United States champions a multi-stakeholder model with significant private sector participation. It would be unwise if ASEAN countries have to pick a side on questions as ideologically divided as cyber sovereignty. Instead, ASEAN could play an active role in brokering a legal cooperation framework on certain types of cyber crimes, such as online child pornography and cyber attacks that erode public trust in financial systems.
China has increasingly resorted to cyber operations to convey political messages. However, ASEAN countries should understand that, despite cyber-military and cyber-espionage disputes, China has vested interests in protecting its businesses overseas, which will incentivize Beijing to support a multilateral treaty — provided it does not conflict with their notion of cyber sovereignty. It would be in China’s interests to participate in negotiating a treaty less intrusive than the Budapest Convention, which China took no part in negotiating.
Moreover, an ASEAN-initiated treaty may fix mismatched priorities between Western and Asian developing countries. The Budapest Convention emphasizes the protection of human rights and liberties in cyberspace, pursuant to the European Convention on Human Rights. The treaty may have difficulty finding its way through domestic legislation of many ASEAN countries. Instead, ASEAN countries and their neighbors can unite around pragmatic considerations of how cyber issues connect to economic prosperity. A prime example is pirated software that lacks security protection and post-sale vulnerability patches. ASEAN consumers spend $10.8 million dealing with malware issues caused by insecure, pirated softwares. For the same reason, China was hit hard in the recent WannaCry ransomware attack.
The lack of streamlined procedures for cyber cooperation presents an opportunity for ASEAN to further establish its political and legal unity. ASEAN leaders may find it desirable to envision an anti-cyber crime regime that ASEAN countries, China, and the United States can all agree on. Taking an active role in global cyber governance will help ASEAN alleviate negative consequences of great power competition, enhance its reputation as peace maker, and facilitate its institutionalization efforts in the next 50 years.
Qiheng Chen holds a B.A. degree in international relations and computer science from Brown University. He researches cybersecurity and cyber governance. Follow him on Twitter @QihengC.