In recent years, ASEAN countries have made progress in cyber capacity-building, establishing and expanding research centres and pursuing training projects. With the accession of the Philippines, the Convention on Cybercrime gained a foothold in Southeast Asia. ASEAN is closely watching the global cyber norms development process, especially the Open-Ended Working Group at the UN.
Southeast Asia was widely affected by the WannaCry attack in 2017. Since then, the region has come under attack from North Korea’s cryptocurrency-raising activities. According to a report by FireEye, Southeast Asia has been a target of Advanced Persistent Threat (APT) attacks for a decade. In 2018 there was cyber meddling in the Cambodian Election and a “most serious breach of public data” in SingHealth, the largest group of Singapore’s health care institutions, in which the personal data of 1.5 million patients were leaked. These are just a few examples. For these reasons, Southeast Asia has been in pressing need of cyber capacity-building.
As reported in a previous INCYDER article on ASEAN, Singapore has been proactive in cyber capacity-building in ASEAN, as it is the ASEAN Voluntary Lead Shepherd on cybercrime. Singapore announced that it would allocate SG$30 million (approximately US$22 million) in 2019 to establishing the ASEAN Singapore Cybersecurity Centre of Excellence (ASCCE), as an extension of the ASEAN Cyber Capacity Programme (ACCP) launched in 2016. The centre is expected to have three primary missions: to conduct training and research, to train national CERTs in ASEAN, and to promote information-sharing between national CERTs.
Singapore has also signed bilateral agreements on cybersecurity cooperation with Australia, Canada, Estonia, France, Germany, India, Japan, the Netherlands, the UK and the US. These countries are working together through ACCP to enhance cyber capabilities in Southeast Asia.
At the 17th ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN) held in December 2017, ASEAN ministers chose Thailand as the host country for the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC). Since its opening in September 2018, the AJCCBC has engaged in projects for human resource development in the region, with assistance from the private sector.
Between 2016 and 2018, the INTERPOL Global Complex for Innovation in Singapore conducted the ASEAN Cyber Capacity Development Project (ACCDP), holding training, seminars and workshops for more than 380 participants from across the ASEAN region. INTERPOL was also part of GLACY+, described below.
Cybercrime Convention in ASEAN
The accession of the Philippines to the Budapest Convention on Cybercrime in March 2018 was remarkable, but not surprising, given that the country has received training through the Global Action on Cybercrime Extended (GLACY+) since 2014. The Philippines held a training course on cybercrime and electronic evidence for prosecutors and state attorneys from ASEAN countries in November 2018. Other ASEAN countries may find motivation for joining the Budapest Convention after learning at the course, provided that they receive an invitation from the Council of Europe.
ASEAN may still choose its own path for combating cybercrime. In November 2017, it adopted the Declaration to Prevent and Combat Cybercrime. As a next step, drafting an ASEAN convention on this matter might be on the agenda. Experts estimate that this is possible in light of the past experience of the ASEAN Convention on Counter-Terrorism of 2007 and its unique ‘ASEAN Minus X’ approach, instead of its usual consensus decision-making process.
A discussion on cyber norms is ongoing in ASEAN, having started in 2016. At the ASEAN Ministerial Conference on Cybersecurity (AMCC) held during the Singapore International Cyber Week (SICW) in October 2016, ASEAN states agreed to develop ‘a set of practical cybersecurity norms of behaviour in ASEAN’. This agreement was repeated at the 2nd AMCC held in 2017 and the ASEAN Leaders’ Statement on Cybersecurity Cooperation was issued at the 32nd ASEAN Summit held in April 2018. In September 2018, the 3rd AMCC agreed to ‘subscribe in principle to 11 voluntary, non-binding norms recommended in the 2015 Report’ of the UN GGE, although the 2015 UN GGE recommended not only voluntary, non-binding norms, but also ‘rules or principles’ of responsible behaviour for states (III. para. 13).
ASEAN states also accept that international law is applicable to the use of ICT by states, as seen in statements on cooperation in that area with Russia and the US, but how it applies is yet to be clarified.
As is the case with cybercrime, some may hope for cyber norms in ASEAN. However, ASEAN states seem to show interest in participating in norm discussions at the UN, as they suggest that ‘the UN should play a leading role in promoting dialogue on the security of ICTs in their use by States and stress the importance of adopting rules, norms and principles of responsible behaviour of States in the use of ICTs’ (the ASEAN-Russian Statement on Cooperation in the Field of Security of and in the Use of ICT, para. 6).
At the Open-Ended Working Group (OEWG) that will start this year, and in the GGE, Russia and China will be pleased with more sympathetic countries appearing at the meetings. At least some ASEAN states may support the concept of cyberspace sovereignty and state-led internet governance, as they have recently been tightening their regulations over online speech, particularly ‘fake news.’ Thailand, Vietnam, and Singapore have all adopted new domestic laws on this matter over the past two years. Cambodia has also prepared a bill on cybercrime law,[1] and in Malaysia the previous government drafted the Anti-Fake News Act (AFNA) of 2018, which is waiting to be repealed or amended by the Pakatan Harapan government.
A Way Ahead
Tackling cyber threats in ASEAN cannot be accomplished only within ASEAN. Following the establishment of the Experts’ Working Group (EWG) on Cybersecurity in the ADMM-Plus framework in 2016, the 24th ASEAN Regional Forum (ARF) Ministerial Meeting agreed to set up the Inter-Sessional Meeting on the Security of and in the Use of Informational Communications Technology (ISM on ICTs Security) in 2017. It is reported that Japan is preparing a proposal on a new confidence-building mechanism on cybersecurity for the upcoming ARF Ministerial Meeting in August. The proposal is modelled on the OSCE, in which consultation mechanisms over cyber incidents and a platform for exchanging views are provided to member states. The ARF includes many Asia-Pacific states including Australia, China, India, Japan, North Korea, Russia, South Korea and the US. This inclusive and holistic approach must promote further cooperation across the region, thereby enhancing cybersecurity resilience within and outside ASEAN.
Author: Keiko Kono, NATO CCD COE Law Branch
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
[1] Thailand, Vietnam, and Cambodia are parties to the International Covenant on Civil and Political Rights of 1966 (ICCPR).