As far as technology and ministerial events go, the third ASEAN Ministerial Conference on Cybersecurity (AMCC) that met during Singapore International Cyber Week 2018 was relatively low-key. The conference was a major step forward on cyber issues in uncharacteristically quick terms for ASEAN. However, as the regional grouping looks to produce meaningful deliverables for its upcoming summit in November, it will be challenged by parallel developments in a domain that is continually being stress-tested in many ways.
First, the wins. The AMCC endorsed in principle the 11 voluntary, nonbinding norms recommended by the 2015 United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE). Given that ministers had been earlier tasked to identify for adoption and implementation a concrete list of just such norms, the AMCC’s agreement to subscribe to the UNGGE’s list might seem an unremarkable matter and in some sense, an easy way out.
Yet, this decision was anything but guaranteed given the history of Southeast Asian representation in the UNGGE process, the disparity in cyber maturity levels among ASEAN member states, and the grouping’s general aversion to complex political-security issues.
In the five UNGGEs convened between 2004 and 2017, only two representatives from Southeast Asia were ever part of the process: Malaysia in 2004-2005 and 2014-2015, and Indonesia in 2012-2013 and 2016-2017. It was, in fact, significant that all 10 ASEAN ministers and senior officials attending the AMCC agreed to affirm the 11 norms despite most never having been party to the difficult negotiating and drafting processes of the 2015 UNGGE consensus document.
Two years ago, the norms discussion hardly figured in Southeast Asia. For a long time, the region’s priorities centered around combating cybercrime, and monitoring and grappling with content. The extent to which it considered cyberspace in the context of international security was limited to terrorist use of the internet. Cybercrime, which costs ASEAN member states between $120-200 million a year, and online content, particularly fake news, remain on Southeast Asia’s front burner. However, the seeds of a more strategic conversation on positioning ASEAN within the norm-setting agenda in cyberspace have now finally been sown.
Much of this can be attributed to Singapore’s leadership. Although never a formal part of the UNGGE process, Singapore’s government maintained a keen interest in its goals. As ASEAN chair in 2018, Singapore has driven much of the grouping’s cybersecurity agenda, investing considerable resources in building the region’s operational, policy, and legal capacities in cyberspace, and broadening partnerships with the UN as well as other international, multistakeholder initiatives like the Global Commission on Stability in Cyberspace. Beginning with the conjoined theme of Singapore’s ASEAN chairmanship — innovation and resilience — the region’s most technologically advanced country has persisted in socializing its neighbors to the larger debate on norms, the applicability of international law, and responsible state behavior in cyberspace. Its efforts have been evident over the past couple of years and now appear to slowly be paying off.
If the frequently asked question is whether policy can keep pace with the speed of technology, the more pertinent question here is whether ASEAN can keep up with formulating policy as it aspires to connectivity.
The challenges for ASEAN in maintaining the current momentum are structural and substantive. A considerable structural obstacle to ASEAN cohesion on cyber-related issues is the checkered technological, operational, policy, and legal capacity and capabilities of ASEAN member states across the region. The 2016 Singapore-initiated ASEAN Cyber Capacity Program and the newly launched ASEAN-Japan Cybersecurity Capacity Building Center in Bangkok are both meant to address this in a complementary rather than overlapping manner. The location of the latter in the capital of Thailand, the incoming chair of ASEAN, may not necessarily guarantee the same strategic and international security focus on the cyber agenda but the center’s establishment will at least institutionalize ongoing efforts to build cyber capacity in the region. In any case, the expansion of Singapore’s program to include an ASEAN-Singapore Cybersecurity of Excellence encompassing a Cyber Think Tank and Training Center, a Computer Emergency Response Team (CERT) center, as well as a Cyber Range Training Center will ensure a sustained and multipronged approach to cyber issues in the region.
Substantively, the subscription “in principle” to the 11 UNGGE norms of 2015 is a cautious affirmation of a rules-based cyberspace underlined by ASEAN leaders in their May statement. For smaller ASEAN states often caught in the fray of major power interactions, reliance on international law is a practical matter of statecraft and an imperfect bulwark against political machinations and capriciousness.
ASEAN will have to move beyond the generalities of agreeing on the applicability of norms and international law in cyberspace to translating how those would actually apply to incidents in cyberspace. If a NotPetya or Stuxnet-like incident recurred and targeted a country in Southeast Asia, what recourse would ASEAN have under international law, assuming that attribution to the perpetrator could in fact be made in the first place? Thus far, naming and shaming — a decision involving operational and political considerations — has been the preserve of the “have” countries in cyberspace. What of the “yet-to-haves” with limited technical capacity to definitively attribute attacks and even less political leverage or incentive to do so?
How would ASEAN member states treat advanced persistent threats (APTs) that collect intelligence related to geopolitical tensions such as the South China Sea dispute? Would these count as intelligence preparation of the operational environment, reflected in U.S. military doctrine and methodology that boils down to knowing your enemy before the eruption of conflict? If so, how should targets of these APTs respond? It is one thing for states to call for the prevention of harmful ICT practices that may threaten international peace and security and quite another for them to actually be confronted with attacks of strategic import. For ASEAN, this scenario is no longer hypothetical and has, in fact, been plaguing the region since at least 2012.
Finally, how might ASEAN member states manage online content that threatens to destabilize and undermine political stability, social harmony, or electoral outcomes while “guarantee[ing] full respect for human rights, including the right to freedom of expression” as provided for by one of the 11 UN GGE norms? The answer, of course, is that this and others norms are voluntary and nonbinding. They afford enough wiggle room for states to interpret and adapt policy according to their unique contexts and circumstances.
These are but a few tough illustrations that ASEAN will have to deal with individually as states and collectively as a group. There are numerous others that exist or are currently unforeseen that will no doubt unfold as cyber attacks become increasingly sophisticated and the threat landscape expands with the Internet of Things.
In this regard, ASEAN must be credited for taking a bold first step forward. It will, however, have to continue traversing the information superhighway with agility, pragmatism, and above all, vision.
Elina Noor is Associate Professor, Daniel K Inouye Asia-Pacific Center for Security Studies and Visiting Fellow, Institute of Strategic and International Studies (ISIS) Malaysia. She also serves on the Global Commission on the Stability of Cyberspace. The views expressed in this piece are her own.