Asean has championed the region's efforts in cybersecurity and pledges to drive further collaboration amongst member states, including plans to adopt common standards and best practices. It also urges the need for participation from the international community, particularly as digital transformation continues to accelerate amid increasing cyber threats.
To date, Asean is the only regional organisation to have subscribed, in principle, to the United Nations' (UN) 11 voluntary, non-binding norms of responsible state behaviour in cyberspace, according to Singapore's Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity, Josephine Teo.
Asean advocated the need to implement the international cyber stability framework and was making good progress on the roadmap to guide adoption of the norms, said Teo, who was speaking Wednesday at the Asean Ministerial Conference on Cybersecurity, held in conjunction with Singapore International Cyber Week.
Pointing to the Asean Regional Action Plan, she said Singapore and Malaysia recently organised a workshop with other member states. The region was expected to officially endorse the action plan at the Asean Digital Ministers' Meeting on December 1, 2021.
There currently are 10 Asean member states including Singapore, Indonesia, Thailand, Malaysia, and the Philippines. The region in September 2018 agreed on the need for a formal framework to coordinate cybersecurity efforts, outlining cyber diplomacy, policy, and operational issues.
Members states had underscored the importance of "a rules-based cyberspace" to drive economic progress and improve living standards. Internal laws, voluntary, and non-binding norms of state behaviour, as well as practical "confidence-building" measures were essential to ensure the stability of cyberspace, they said.
They added that such plans would include the region's efforts to observe the 11 norms recommended in the 2015 Report of the UN Group of Governmental Experts. The 11 norms outline what the the international organisation deemed necessary for to create a "free, open, peaceful, and secure cyberspace", including global cooperation to develop and apply "measures to increase stability and security in the use of ICTs" and to "not knowingly allow their territory to be used for internationally wrongful acts using ICTs".
Speaking virtually at the Asean Ministerial Conference, Asean Secretary-General Lim Jock Hoi said the global pandemic underscored the need for a coordinated approach to address address cyber threats.
Noting that digitalisation had accelerated, Lim said Asean--ready or not--would have to embrace digital transformation to maximise its benefits and work towards building a regional community. Here, he added that the region had kicked off various initiatives including digital economy agreements and the 2019 Asean Agreement on Electronic Commerce, which aimed to facilitate collaboration and growth of e-commerce transactions in the region.
With increased digital adoption, though, came higher exposure to cybersecurity threats that could cause significant damage, he said. He noted these included ransomware, phishing, and Distributed Denial of Service (DDos) attacks that had disrupted business operations, impacted individuals, and threatened the stability of Asean communities.
Such threats and cybercrimes were becoming widespread across the region, targeting critical information infrastructures (CII) such as oil, energy, and e-commerce. Without "resolute action" within Asean member states, Lim said these challenges would significantly undermine the resilience of and trust in the region's digital economies and prevent them from realising their full potential.
He said member states already were working to enhance the region's cybersecurity posture, including efforts to strengthen partnerships amongst the respective CERTs (Computer Emergency Response Teams) to build "mutual trust" in dealing with security incidents. The Asean CERT was established to improve the region's knowledge and capacity to respond and mitigate the impact of cyber attacks, he noted.
The development of a coherent regulatory and policy framework on cybersecurity also was essential in Asean, he added, which he said could be accomplished through regional frameworks for cybersecurity maturity assessment and CII security.
There also should be cybersecurity standards and best practices to drive interoperability across the region, which would further support the secure and trusted use of digital technologies and drive an integrated Asean economy, he said.
International communities should build cyber norms, rules
With cybersecurity a global issue, Lim said Asean would collaborate with the international community and play its role in developing a rules-based cyberspace with cyber norm behaviours.
Further stressing the importance of global cooperation, Teo said supply chain and ransomware attacks were increasing in frequency, scale, and impact. She cited the SolarWinds breach, the US Colonial Pipeline attack that posed real-world consequences, and the Kaseya breach, which forced more than 800 Swedish Coop supermarkets to close.
"These examples show the importance of strengthening our cybersecurity. They also highlight the need for international cooperation to build consensus on the rules, norms, principles, and standards governing cyberspace," she said. "Such efforts will help to ensure that states behave responsibly in their use of ICT, so we can achieve an open, secure, and interoperable ICT environment. In doing so, we can also strengthen the rules-based multilateral order."
According to Teo, Asean currently was laying the groundwork to drive its updated Digital Masterplan 2025, which involved five key objectives including advancing cyber readiness cooperation, strengthening both regional and international cyber policy coordination, and enhancing regional capacity building.
She said recent global supply chain attacks also highlighted the need for swift exchange of threat information to mitigate the spread of such attacks. This emphasised the importance of "cyber ops-tech collaboration" such as the Asean CERT, and through the development and implementation of technical standards.
"Often, we are forced into a reactive position when dealing with cyber incidents. In fact, we would rather be proactive on cybersecurity, by making our systems, networks, and devices secure-by-design," she said. She pointed to Singapore's efforts here with the introduction of the Cybersecurity Labelling Scheme for IoT devices, enabling consumers to identify the level of cybersecurity of such devices.
Teo said Asean member states could collectively raise the cyber hygiene level in the region by working towards a common baseline cybersecurity standard for IoT devices.
Singapore on Wednesday also announced the official opening of the Asean-Singapore Cybersecurity Centre of Excellence campus. Announced in 2019 to facilitate cyber capacity building efforts in the region, the centre aimed to conduct research and provide training in areas that included international law, cyber norms, and various cybersecurity policy issues. The facility also would offer CERT-related technical training, conduct virtual cyberdefence training and exercises, as well as drive the exchange of best practices, cyber threat, and other related cyber threat information.
The centre comprises two training labs that can hold up to 100 in-person participants, conference rooms, and amenities to facilitate capacity building efforts, CSA said.