Executive Summary
South-East Asian countries are taking huge strides in improving the region’s cybersecurity through the Association of Southeast Asian Nations (ASEAN), creating collective resilience and protecting critical infrastructures, while being conscious the differences in countries’ maturity and capacity. The region is an important partner for the European Union (EU) in creating global stability in cyberspace, as it balances several geopolitical perspectives on what stability means. Voting behaviour of South-East Asian states in international fora has reflected this balancing exercise, brokering between proposals that reflect a state-centric view on cyber security governance and a market-based multi-stakeholder view on cyberspace, which they do not see as necessarily contradictory.
Key takeaways
- ASEAN member states created a Ministerial Conference on Cybersecurity (AMCC), which developed a regional strategy on cybersecurity and resilience protection. A coordinating committee on cybersecurity (ASEAN Cyber-CC) is mandated to work cross-sectorally with relevant representatives from sectoral bodies on cybersecurity issues.
- The region lacks a general overarching regulation on cybercrime, even though there is serious cooperation on cybercrime between ASEAN member states, with a dense network of bilateral mutual legal assistance treaties. Discussions in the ASEAN Regional Forum show that as yet there is no common understanding on the definition of cybercrime, nor a common approach to address this issue. Many ASEAN states’ policy on cybercrime is focused more on avoiding social disruptions and controlling the spread of disinformation than on technology issues.
- Conversations on confidence-building in the ASEAN Regional Forum have fostered renewed cooperation between major global actors that have a stake in South-East Asia. The conversation on confidence-building measures (CBMs) shows a promising avenue to exchange perspectives. There is, however, a lack of trust in the information-sharing infrastructure, and there are some major differences in national perceptions regarding cyberspace threats and challenges.
- Digital single market aspirations encounter some barriers, such as the digital divide of the region and data protection regulations of some countries that require data about their citizens to be stored on local servers. There is knowledge exchange with the EU on the creation of digital single markets.
- ASEAN member states have subscribed in principle to the 11 voluntary, non-binding norms set out in the 2015 report by the UN Group of Governmental Experts (UNGGE) instead of developing new norms, and are cooperating towards practical implementation of the UNGGE norms. How exactly ASEAN member states will observe the norms they have adopted when actual incidents occur is as yet unclear. ASEAN states have so far refrained from ‘naming and shaming’ as they lack the means to accurately attribute the true source of cyberattacks. Apart from a general statement that international law is applicable in cyberspace, the region lacks a perception of the application of international law.
- ASEAN tries not to choose between exclusive state-centric cybersecurity governance and an unsupervised, market-based multi-stakeholder approach, but elects to be a ‘broker’ between the Chinese and American styles of cybersecurity governance. The 2018 Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) is an important tool of digital autonomy in the US–China trade war. It reduces the dependency of ASEAN members on both Chinese and US trading and manufacturing, while strengthening ties with Latin America.
- The EU regards support of ASEAN’s inclusive multilateral architecture in the region as an important objective, as it sees ASEAN as a peaceful influencer in the region. The EU has crystallised cybersecurity as a priority in its cooperation with all Asian countries. In a 2019 joint statement on cybersecurity cooperation, the EU and ASEAN committed to contribute to the advancement of an open, secure, stable, accessible and peaceful information and communications technology (ICT) environment. While this is a notable effort, the EU is challenged by cultural differences when it comes to the exact interpretations of these terms. The EU’s policy initiatives mostly focus on supporting capacity-building efforts in states that are at a low maturity level, and on working and increasing cooperation in multilateral fora.
