How ASEAN is driving global cyber security efforts

The ASEAN region is leading the global pack in terms of cyber security efforts, with the collective being the first and, to date only, regional organisation to subscribe in-principle to the United Nations’ (UN) 11 voluntary, non-binding norms of responsible state behaviour in cyber space.

This is according to Josephine Teo, Singapore’s Minister for Communications and Information, who lauded ASEAN’s efforts in the area of cyber security during a presentation at the ASEAN Ministerial Conference on Cybersecurity.

In 2018, ASEAN members reached a landmark decision when all member states subscribed, in-principle, to the UN norms of responsible state behaviour, agreeing to focus on regional capacity building on implementing the norms.

The UN’s 11 non-binding norms of responsible state behaviour in cyberspace include interstate cooperation on security, a commitment to not damage critical infrastructure and instead protect it, respond to requests for assistance, ensure supply chain security and report ICT vulnerabilities.

In addition to being the first such group of countries to sign up to the UN’s list of cyber norms, the region is making further progress through the development of the ASEAN Regional Action Plan, which will guide regional norms implementation, Teo noted.

But are these efforts enough?

Teo warned that malicious cyber threat actors continue to enhance their modus operandi to bypass ASEAN’s defences. As such, the region could not afford to lose momentum, she claimed.

Fortunately, ASEAN member states are collectively taking additional steps to protect the region from cyber threats, according to Teo, specifically working together on three tracks: cyber strategy, cyber ops-tech collaboration and cyber capacity building.

On the cyber strategy front, for example, Teo noted that the first ASEAN Cybersecurity Cooperation Strategy from 2017-2020 provided a roadmap for regional cooperation to achieve a safe and secure ASEAN cyber space.

“Since its adoption, we have seen much progress in policy coordination and incident response as one ASEAN,” Teo said. “It is timely to update the strategy for the next bound to address evolving challenges.

“Singapore is happy to take the lead and we will discuss this as one of the agenda items later. The updated strategy places stronger focus on initiatives to support the establishment of the rules-based order in cyber space and ASEAN’s Digital Masterplan 2025.

“This involves moving forward on five action-oriented aspects: advancing cyber readiness cooperation; strengthening regional cyber policy coordination; enhancing trust in cyber space; enhancing regional capacity building; and strengthening international cooperation. We hope for AMS’ [ASEAN member states’] support of the updated strategy,” she added.

In terms of cyber ops-tech collaboration, Teo stressed that the swift sharing of threat information was essential to gain a head start to mitigate cyber attacks. To this end, the region is establishing the ASEAN CERT and the ASEAN CERT Information Exchange Mechanism.

“These build on our existing partnerships and trust accrued over the years. The initiatives will strengthen our region’s resilience against cyber threats,” Teo said.

As for cyber capacity building, Teo noted that this element was a priority for the region as capacity building is the bedrock supporting member states toward the implementation of the norms of responsible state behaviour in cyber space.

Work is being done in this area too, Teo suggested, pointing to the 2019 launch of the ASEAN-Singapore Cybersecurity Centre of Excellence (or ASCCE) to support cyber capacity building efforts in the region, with the minister announcing the official, if virtual, opening of the ASCCE campus on 6 October.

“The ASCCE adopts a coordinated regional effort to deliver capacity building programs for ASEAN senior officials, through a ‘4M approach’: multi-disciplinary, multi-stakeholder, modular and measurable,” Teo said. “I look forward to the support from AMS [ASEAN member states], our dialogue partners, industry, academia and international organisations, as we gradually resume in-person programs.

“A core focus of our capacity building efforts is to take a regional approach. We aim to share experiences most relevant to our region and to establish a strong network of cyber officials in ASEAN,” she added.

Teo’s comments come amid a week of reflection on Singapore and the wider ASEAN region’s cyber security capabilities, with the Singapore government releasing its Cybersecurity Strategy 2021 on 5 October as part of the sixth edition of the Singapore International Cyber Week (SICW) held this week at the Marina Bay Sands.

In the words of the Cyber Security Agency of Singapore (CSA), the new strategy outlines Singapore’s plans to take “a more proactive stance” against threats, raise the overall level of cyber security across the nation and advance international norms and standards on cyber security.

Just days before the launch of the 2021 strategy, Singapore’s Permanent Secretary for Communications and Information, Yong Ying-I, said she wanted to see updated policies and processes, and the adoption of security technologies by design, to help the country fend off emerging operational technology (OT) cyber threats.

“I believe that we stand a better chance of thwarting cyber attacks on OT systems if we work together,” Yong said in a speech during the CSA’s inaugural Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on 29 September. “I suggest that we update our policies and processes, adopt security technologies by design and grow talent.

“We should share information and learn from each other so that we can benefit from the collective expertise and efforts in all these areas,” she added.