The spate of cyberattacks in the region last year was more than enough reason for the Association of Southeast Asian Nations (ASEAN) to step up its game in cybersecurity. In 2017 alone, Singapore saw three major cyberattacks: the MINDEF Cyber Breach in February, the WannaCry Ransomware in May – which spread throughout the region like wildfire and attacked the Philippines, Indonesia, Malaysia, Vietnam and Thailand as well – and the Petya Ransomware in June.
While ASEAN’s digital economy is projected to grow to US$1 trillion to GDP over the next 10 years, according to a 2017 report by Cisco and A.T. Kearney titled ‘Cybersecurity in ASEAN: An Urgent Call to Action’, there is still much to be done to get cybersecurity up to par across the region.
As ASEAN states go through a digital evolution with mobile banking systems, e-commerce trading and cyber linkages on the rise, the risk of cyberattacks could hamper user confidence and challenge the resilience of the digital economy. This, in turn, could prevent the region from realising its full digital and economic potential.
A game of risk
Currently, the entire region is at risk in a variety of ways. Some of the risks include limited threat intelligence sharing, diverging national priorities, increasing interconnectedness and rapid technological evolution. According to the ‘Cybersecurity in ASEAN: An Urgent Call to Action’ report, these factors could lead to the top 1000 ASEAN companies losing up to US$750 billion in market capitalisation.
“Malaysia, Indonesia, and Vietnam are global hotspots for major blocked suspicious Web activities—up to 3.5 times the standard ratio, indicating that these countries are being used to launch malware attacks,” stated the report.
This indicates that cyber resilience – which is the ability to prepare for and adapt to changing conditions and recover rapidly from cyber disruptions – in the region is generally low. The above-mentioned report also found that ASEAN countries have varying levels of cyber readiness in terms of strategic mindset, policy preparedness and institutional oversight relating to cybersecurity.
What is ASEAN doing about this?
The ASEAN Political-Security Community Blueprint 2025 addresses the need to combat cybercrimes through regional collaboration. The blueprint advocates for the strengthening of cooperation between all 10 ASEAN member states in battling cybercrimes, taking into account the need to develop or improve appropriate laws to address cybercrimes as well as fortifying public-private partnerships to enhance information sharing.
At the moment, only Singapore, Malaysia, Thailand and Vietnam have drafted cybersecurity bills, while the rest of ASEAN has yet to do so. Some member states have enacted data protection or privacy laws, but the ‘Cybersecurity in ASEAN: An Urgent Call to Action’ report says not all countries in ASEAN have made progress.
Another concern is the lack of spending on cybersecurity by ASEAN countries. Based on the same report, ASEAN cybersecurity spend was estimated to be US$1.9 billion last year, which makes up only around 0.06% of the total GDP.
Singapore is currently leading the pack with 0.22% of total spend, but when compared to other countries in the world, it still lags behind. Spending on cybersecurity across Southeast Asia is uneven, with Laos, Cambodia, Myanmar and Brunei still lagging behind the rest of ASEAN.
What else needs to be done?
The entire ASEAN bloc needs to work together in order to realise its potential for growing the regional digital economy.
In order to strengthen regional cybersecurity defence, the ‘Cybersecurity in ASEAN: An Urgent Call to Action’ report suggests four steps. Firstly, ASEAN must “…elevate cyber security on the regional policy agenda” through implementing a Rapid Action Cybersecurity (RAC) framework. The RAC comprises a 12-point action agenda for governments to address rifts in policies, strategies and legislation related to cybersecurity.
Secondly, ASEAN should “…secure a sustained commitment to cybersecurity – this includes reducing the regional cybersecurity spending gap; and by using a cyber-hygiene dashboard to define and track metrics.” Thirdly, both the government and private sectors must form an alliance to “…encourage the corporate sector to foster a risk-centric mindset; create a threat sharing intelligence culture and bring cyber resilience to the supply chain.”
Last but not least, the region must address the skills shortage for security professionals as well as enhance global-local partnerships within the cybersecurity industry. Research and development around innovative technologies is also essential so that unforeseen threats can be tackled seamlessly. Through greater cohesion and swift action, ASEAN will be able to achieve greater cyber resilience.