Countries in the Asia-Pacific are becoming increasingly vulnerable to cyber threats – organizations in Asia are 80 percent more likely to be targeted by hackers – and yet, it takes almost twice as long as the global median dwell time for countries in the region to detect a security breach following a network compromise. According to the Internet Society’s survey on Policy Issues in Asia-Pacific in 2018, internet users around the region are also growing more concerned with cybersecurity. Further, a recent report on cyber resilience in the region found that almost half of Asia-Pacific states do not have national cybersecurity strategies in place.
During the 2018 ASEAN Ministerial Conference on Cybersecurity (AMCC), member states from the Association of Southeast Asian Nations (ASEAN) agreed to subscribe in principle to the 11 voluntary, non-binding norms recommended by the 2015 Report of the U.N. Group of Governmental Experts (UNGGE), joining other Asia-Pacific UNGGE members to better regulate states’ behavior in cyberspace. However, progress on the implementation of UNGGE recommendations has since stalled due to the inability of states to reach a consensus on how international law applies to the field of information and communication technologies. The differences in states’ interpretation of the norms have led to norm fragmentation between dueling narratives of sovereign control of the internet and free flow of information. There has also been several multilateral cyberspace norm development efforts that have diluted the focus on the UNGGE recommendations. These include the Open-Ended Working Group (OEWG), the Global Commission on the Stability of Cyberspace and the Paris Call for Trust and Security in Cyberspace.
The lack of a breakthrough in the implementation of global cyber norms highlights the need to focus on the implementation of existing norms at regional levels. Norm-building, capacity-building and confidence-building measures constitute the three pillars of UNGGE cyber norms. By working on capacity-building and confidence-building measures, cyber norms can be better realized and a consensus could emerge on areas of regional commonality with the cascade of norm adoption from the less contentious to the more contended norms. For example, one of the UNGGE norms states that “the secure use of ICTs should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet”; confidence-building measures could help to improve the overall climate for regional cooperation, and the establishment of country-level focal points could provide assistance on investigations in this area.
Regional organizations provide the ideal platform for consolidating efforts in capacity-building and confidence-building. They function as incubators of new ideas, such as the Organization for Security and Cooperation in Europe’s “adopt a CBM initiative” where states propose how to advance implementation of their respective confidence-building measures. Regional organizations also have better knowledge of the regional and national cybersecurity landscapes of member states. Cyber norm implementation should be prioritized in regional organizations through a multi-stakeholder approach that also involves non-state actors, such as civil society organizations. Hence, increasing norm fragmentation need not be a given; regional efforts that complement global processes should be put in place. For instance, regional endeavors should enhance cooperation with relevant capacity-building organizations, such as the Global Forum on Cyber Expertise (GFCE), to focus on the common themes that have received broad support in both the OSCE and UNGGE processes – protection of critical infrastructure, information sharing and reduction of conflict risks.
This approach toward cyber norm implementation is urgently needed, since countries in the Asia-Pacific are plagued with uneven levels of cyber maturity and a transparency deficit, which in turn undermine trust in information-sharing as well as the ability to cooperate effectively. Depending on the extent of adoption and implementation of cyber norms, ASEAN member states can be categorized into three distinct groups. For example, Singapore is ranked as one of the top countries on the Global Cybersecurity Index (GCI) and is investing $1 billion over the next three years to build up its government’s cyber and data security capabilities. At the other end of the spectrum, there are countries with relatively low awareness of cyber threats and poor protection of civilian rights in cyberspace. For example, although Cambodia has paid more attention to cybersecurity issues in recent years, the Draft Cybercrime Law has been noted as continuing to infringe on internet freedoms.
The lack of transparency in the region is difficult to address without adequate cybersecurity talent and procedures in place. According to a study by Frost & Sullivan carried out on industries from various sectors in several Asia-Pacific countries, the region has a shortage of trained cybersecurity professionals, while staff retention remains an issue. Moreover, a cursory overview of the global state of cybercrime legislation conducted by the Council of Europe shows that despite having substantive criminal law provisions at least partially in place, Asian countries lag behind in terms of specific digital forensics capacity.
Nonetheless, there have been recent developments in the Asia-Pacific that point toward the direction of a multi-stakeholder approach through regionalization. For instance, the Pacific Cyber Security Operational Network (PaCSON), established in April 2018, enables cooperation and collaboration across the region through sharing cybersecurity threat information and tools between the member states. In addition, the newly established Singapore-ASEAN Cybersecurity Centre of Excellence (ASCCE) helps to foster a common understanding of cybersecurity through technical capacity-building. The center seeks to enhance regional cyber coordination through the promotion of training and open-source information sharing among the national Computer Emergency Response Teams (CERTs). Inter-regional strategic synergies are also found between the EU and ASEAN. One these is YAKSHA, which is an EU-ASEAN partnership that develops cybersecurity solutions “tailored to specific national needs leveraging EU Know-How and local knowledge.”
Given the growing geopolitical tensions in the Asia-Pacific, it is more practical to reinforce efforts in cyber norm implementation at the regional level with a multi-stakeholder approach, instead of trying to bridge the divide in narratives between nations. More importantly, through capacity-building and confidence-building, a consensus in cyber norms could potentially be reached in areas that have already gained broad support.
Christy Un is a visiting research assistant with the Cyber Resilience project at the United Nations University Institute in Macau. She holds a bachelor’s degree in Politics and International Relations from the London School of Economics and Political Science.