The United States published its new International Cyberspace & Digital Policy Strategy on May 6. The strategy portrays China as “the broadest, most active, and most persistent cyber threat” and affirms that the mutual defense treaties that the U.S. has with its allies apply in cyberspace. It challenges the vision of cyberspace, including the notion of digital sovereignty, that China set out in its Global Initiative on Data Security.
As countries in the Association of Southeast Asian Nations (ASEAN) worry about the impact of major power competition on regional stability, they should also reflect on what they could do to address growing tensions in the arena of cyberspace.
Multi-dimensional Competition
During the 5th RSIS Trilateral Exchange forum, which the S. Rajaratnam School of International Studies (RSIS) hosted in April 2024, scholars from China and the United States met in Singapore to discuss issues that bedevil relations between the two major powers. At the forum, it was observed that the divide between China and the U.S. remains wide.
The differences that the two major powers have over geopolitical, trade, and technological issues are structural. To the Americans, maintaining U.S. pre-eminence amid the changing strategic environment is a goal far more important than better relations with China. From the Chinese perspective, the evolving global order should accommodate its interests and regional stability requires a strong China.
The forum did not discuss cyberspace or the conduct of cyber operations between the two major powers. Nonetheless, cyberspace has a horizontal dimension such that competition in the military, economic, and technological domains entails cyber elements.
For example, Dr. John F. Plumb, the United States’ assistant secretary of defense for space policy and principal cyber advisor to the secretary of defense, alleged that “China has used its cyber capabilities to steal sensitive information, intellectual property and research from U.S. public- and private-sector institutions, including the defense industrial base.”
Anne Neuberger, deputy national security advisor for cyber and emerging technology, said that China’s cyber operations have shifted from espionage to pre-positioning in U.S. critical infrastructure systems. And this is concerning as China may be able to disrupt military operations during a crisis.
On the other hand, China’s Ministry of State Security (MSS) has accused the United States of “breaking into Huawei’s servers, stealing critical data, and implanting backdoors since 2009.” According to the Chinese government, this breach was part of the United States’ longstanding conduct of using cyber capabilities to spy on other countries, especially China, Iran, North Korea, and Russia.
In April 2024, China re-organized the People’s Liberation Army (PLA) Strategic Support Force to create the Cyberspace Force and Information Support Force. Possible reasons for this re-organization could be to improve the integration of cyber and information capabilities in the PLA’s joint operations if conflict happens. China may also be responding to cyber defense exercises that the United States had with its Indo-Pacific allies – such as during Exercise Balikatan and Cyber Flag.
Cyberspace Security Dilemma
These tit-for-tat accusations and reconfiguration of cyber and information forces by geopolitical rivals point to a security dilemma in cyberspace. When countries build cyber capabilities or conduct cyber activities to ensure cyber defense, their geopolitical rivals may see these moves as aggressive posturing or a precursor of conflict. The development of offensive cyber tools may require advanced penetration into other countries’ networks, and forward defense in cyberspace may also require penetration.
This cycle, which appears to be happening between China and the United States, perpetuates distrust. Furthermore, the general lack of transparency on the motivation of cyber capability development and its potency, coupled with concerns by China and the U.S. about each other’s military buildup and power projection, creates uncertainties that undermine stability in cyberspace globally and in the Asia-Pacific region.
While it is true that China and the U.S. are making moves to stabilize their relations to reduce uncertainties, both sides continue to be deeply suspicious of each other and are talking past each other. For example, top Chinese and U.S. military officials met virtually in December 2023 for the first time in over a year and physically in Washington in January 2024. However, the resumption of military-to-military communications and current high-level contacts may not necessarily progress to substantive dialogue on critical issues, such as preventing a miscalculation that could lead to cyber conflict.
More recently, in April 2024, U.S. Secretary of State Antony Blinken visited China. Shortly after Blinken arrived in Shanghai to begin his trip, U.S. President Joe Biden signed a bill that could compel China’s ByteDance to divest TikTok by 2025. At the meeting with Blinken, Chinese President Xi Jinping said that the U.S. should “honor words with actions rather than say one thing but do another.”
From the defense perspective, the U.S. is concerned that TikTok poses a cyber threat as an app that could enable surveillance and information operations, weaken personal data security, and support China’s goal to achieve information dominance. As the TikTok bill is part of the package to provide aid to Israel, Taiwan, and Ukraine, China may regard the TikTok ban as a cyber-related instrument of the United States’ hybrid warfare toolkit.
What Could ASEAN Do?
The implications of China-U.S. cyber competition in Southeast Asia would be profound, given the region’s economic and security relations with both major powers at the bilateral and ASEAN levels. A major power conflict could create spillover effects, including cyber disruptions and more contestation in the information environment.
ASEAN should be more proactive in its cyber diplomacy efforts for the good of the region and ASEAN centrality. These efforts include promoting the implementation of the United Nations’ 11 norms of responsible state behavior in cyberspace among its member countries and dialogue partners like China and the United States, a necessary step to dissuade more powerful countries from dictating the rules of the digital road or use norms discourse to exert influence.
The ASEAN Cybersecurity Cooperation Strategy has a plan of action for implementing norms as part of regional cyber policy coordination. However, ASEAN could reflect whether the pace of norm implementation should pick up including in the areas of (i) political endorsement of cyber norms at the international, regional and national levels; (ii) building capacity to integrate the norms in national policies; and (iii) highlighting how their cyber capabilities and actions follow the norms. This is an issue that the ASEAN Ministerial Conference on Cybersecurity (AMCC) could examine.
Furthermore, the ASEAN Regional Forum Inter-Sessional Meeting on Security of and in the Use of Information and Communications Technologies should maintain the momentum of dialogue on norms especially as discussions at the U.N. level see limited progress and are becoming more contentious due to growing geopolitical disputes.
However, to sustain the promotion of cyber norms in the region and to the major powers, ASEAN needs to address internal issues. These issues include different levels of digital maturity and different perceptions of cyberspace and its threats vis-à-vis state interests. There have also been criticisms about Myanmar’s participation in the ASEAN Defense Ministers’ Meeting (ADMM)-related activities, including cybersecurity. If these issues remain unaddressed, ASEAN’s voice may be less compelling when urging the major powers to behave responsibly in cyberspace.
ASEAN could explore how it may leverage its new initiatives, particularly the Malaysian-led ASEAN Cyber Defense Network (ACDN) and the Singapore-led ADMM Cybersecurity and Information Center of Excellence (ACICE), to engage the major powers on cyber norms and the application of international law in cyberspace. This effort is crucial for four reasons: (i) there is growing militarization of cyberspace, (ii) norms and international law are mutually reinforcing, (iii) Malaysia and Singapore co-chair the working committee for implementation of cyber norms in ASEAN, and (iv) current cyber-related frameworks, including ASEAN’s, on the responsible use of artificial intelligence exclude the military and cyber warfare. However, the question is whether the major powers are willing to leverage these initiatives for constructive cyber dialogue and confidence-building.
Realistically, it is an arduous task for ASEAN to promote the U.N. cyber norms in the region, particularly to ensure that the major powers behave responsibly in cyberspace even as they compete. The major powers have been at loggerheads over which cyber norms should be universally accepted. They also show double standards in their positions on cyber norms and international law. For example, while Russia is rightfully criticized for its cyberwarfare tactics in Ukraine, there is less attention in the West on how Ukraine’s “patriotic hacking” may have violated cyber norms.
As there are no means to ensure compliance with cyber norms, it is unsurprising that more countries are increasing investments in cyber capability to defend their interests. Within ASEAN, the militaries have been building up their cyber defense capabilities. However, ASEAN countries would prefer not to be drawn into a cyber conflict. Therefore, even as they enhance their cybersecurity postures, they should do what they can in the diplomatic space to promote cyber norms to prevent the region from becoming a theater for cyber conflict between the major powers.