Asia needs regional cybercrime center

A dedicated pan-Asia online security agency will provide more effective protection for governments and companies, but heterogeneous legal landscape and enforcement regimes are challenges.

Asia lacks a central, governing cybercrime center resembling the agency created by Europe last week, which would provide a more effective unit to protect governments, businesses, and end users against cybersecurity threats.

However, there are many hurdles to overcome before such an agency will become a reality, since Asia is more heterogeneous and the legal frameworks are more varied, industry watchers noted.

Myla Pilao, director of core technology at Trend Micro's TrendLabs, said that since most of today's online crimes are becoming borderless, Asia-Pacific will need a centralized agency to help examine the crimes that have taken place and supply necessary threat information across member states.

Such a cross-region agency will also provide the impetus for Asian governments to adopt stronger legislations encompassing various crimes committed online so as to deter cybercriminals, Pilao added.

There is a lack of a cybercrime institution such as Europe's Cybercrime Center in the region, even though there are agencies that have more limited focus and remit, said Ngair Teow Hin, CEO of SecureAge.

One such example is the Malaysia-based International Multilateral Partnership Against Cyber Threats (IMPACT), which is the cybersecurity arm of the United Nations. It provides the 193 member states access to expertise, facilities, and resources to address online attacks, said Ken Low, Asia-Pacific director of enterprise security at Trend Micro.

Singapore's Interpol Global Complex is also in the pipeline and expected to be operational in 2014, noted Ngair. He said the new center will bring in sophisticated and more comprehensive security processes and systems, but it is not enough since cybersecurity is not the sole focus for Interpol.

A dedicated cybersecurity agency in Asia will be more effective in protecting governments, businesses, and end users against cybersecurity threats, he pointed out.

Their comments come after Europe announced its Cybercrime Center last week. The new agency aims to coordinate cybersecurity activities by all the 27 states in the region, strengthen ties with US law-enforcement agencies, develop new technologies, and encourage private sector organizations to share threat information.

Challenges with heterogeneity
Unlike Europe, though, Asia will face challenges in the coordination of law-enforcement activities should there be a similar regional cybercrime center, observed Leon Perera, CEO of Spire Research and Consulting.

This is because Asia is far more heterogeneous than Europe, what with its different legal regimes and differences in how laws are interpreted in each regime. By contrast, Europe has a common legal framework, court of law, parliament, and bureaucracy, Perera said.

This means information sharing and alignment of law-enforcement activities will be severely hampered, he said.

Implementing cybercrime capabilities for the center will also need to be more diversified, given the presence of non-Roman alphabet-based languages in Asia and the need for the right software tools to operate in those languages, the executive added.

The crime-fighting tools will need to be stronger and more focused too, as the volume of Internet transactions is growing faster than the ability to police the online space. This requirement is further amplified given the strong economic growth and weaker law-enforcement structures in many countries in Asia compared to Europe, Perera stated.

Define role, recruit cybersecurity talent
In order to create a successful cybercrime headquarters in Asia, its role will need to be defined clearly and adequate legal support from member organizations need to be forthcoming, Low advised.

Ngair agreed that such an agency will need to have a clear area of focus. To justify its continued existence and funding, the measurement should be based on its ability to reduce cybersecurity threats to governments and companies, he added.

He warned against simply combining the existing talent at each state's computer emergency response team (CERT) though. This is because some of these units are very involved in private sector work, while others are more focused on government security.

"Recruitment should, hence, include all cybersecurity talents from all member countries," he said.