Author: Tim Scully, ANU
ASEAN is at the moment drifting aimlessly in cyberspace. But it could take advantage of its own rapid growth in internet penetration and the harsh cyber-security lessons of other nations to create an inclusive, coordinated and adaptive ASEAN Cyber-Resilience Blueprint — one that could be an international exemplar.
Information technology innovation, particularly on the internet, is possibly the fastest developing phenomenon humans have faced, yet after a generation online there are no effective national, regional or international rules for living and working in cyberspace.
The downside of irrevocable online dependency is the vulnerability to malicious actors and other digital catastrophes. National interests in cyberspace, namely national security and economic prosperity, are at risk.
Unfortunately, discussion of ‘national security’ and cyberspace often gravitates towards government, military and intelligence actors with a remit for cyber operations. Excluded from the discussion, key government, industry and academia stakeholders who create economic wealth are left both vulnerable to cyber threats and unable to contribute their capabilities to the national effort.
The evocative notion that engagement in cyberspace transcends nation states in a borderless world is illusory. In reality, interactions in cyberspace remain within sovereign borders where national laws and regulations still apply.
The cyber threat has existed for over a decade, but policymakers have been slow to address it, nationally and internationally. While each nation should continue to contribute to the formulation of international norms, priority should now be given to getting it right at home.
These considerations need to be taken into account when addressing a cyber-resilience blueprint for ASEAN.
ASEAN members would be better served individually and collectively by prioritising national and regional cyber-resilience policy settings and capabilities.
Internet penetration (the percentage of a nation’s population with internet access) varies widely among ASEAN member nations, with Singapore the highest at 73 per cent and Myanmar the lowest at 1.2 per cent. This is a big gap, but the average annual growth in access has been a very fast 10.3 per cent since 2008 (that is, over 60 million people in ASEAN nations gained access to the internet annually).
Rather than being an impediment, the disparity in information and communication technology (ICT) development and internet penetration among ASEAN members presents an important opportunity for ASEAN to develop a template to build a coordinated, common and flexible approach to cyber-resilience.
As ASEAN nations rapidly develop ICT capabilities, they can draw upon the lessons of other nations’ efforts to develop policies and build capability to counter cyber threats. Those with nascent or immature ICT infrastructure can, with other members’ and dialogue partners’ help, build cyber-resilience into their national systems from the outset, including exploiting IPv6 technology, rather than retrofitting them as many other nations have been forced to do because the internet, after all, was not built with security in mind.
Numerous cyber-security or resilience plans are being developed by regional organisations (for example, the European Union, APEC, OSCE, the SCO, the OIC) upon which ASEAN could build, but those organisations’ diversity and unwieldy size make consensus elusive, which should signal caution to ASEAN. ASEAN’s small size will be an advantage when contemplating a regional approach to cyber-resilience.
While ASEAN should evaluate others’ plans, shoe-horning them into an ASEAN plan should be avoided; assessing cyber-resilience is not a one-size-fits-all exercise. ASEAN members have unique circumstances that must be scrutinised and rationalised as a first step in creating an ASEAN Cyber-Resilience Blueprint.
The blueprint’s second step would entail a comprehensive stocktake of its members’ existing ICT and cyber-security infrastructure and capabilities to identify strengths and weaknesses. It would also test the assumption that existing national government institutions, policymaking apparatus and operational agencies are ‘fit for purpose’ when dealing with the cyber threat.
Importantly, the blueprint would assess the ideological, political, economic, social and cultural factors that would influence the blueprint and subsequent strategic plan.
ASEAN would develop the blueprint using an expansive engagement model that moved beyond the usual government inter-agency and departmental remits to embrace all elements of national leadership and capability including government, industry and academia. It is not a matter that should be left solely to the government or military and intelligence agencies.
So, these relatively late starters have an opportunity to get cyber-resilience policy and implementation right from the outset using an adaptive, ASEAN-developed template. Their ability to do so puts ASEAN in a good position to create an ASEAN cyber-resilience blueprint that could be an international exemplar.
Tim Scully is a PhD candidate at the Strategic and Defence Studies Centre, The Australian National University.
This article summarises the author’s presentation to the ASEAN-Australian-NZ Dialogue on 20 November 2014 addressing the topic ‘Evolution in Cyber Affairs: National Security and International Law’.