The growth of cyber operations over the last decade has led to an increased interest towards state activities in cyberspace. Headlines featuring cyber espionage campaigns between the United States and China or disruptive Russian operations against the Ukraine has become a mainstay of discourse for both academics and policy-makers. While the cyber interactions between great powers garner significant attention, events in Southeast Asia continue to remain understudied. Recent regional initiatives to develop an expert’s working group on cybersecurity and the emergence of national cyber strategies reflect cyberspace’s growing policy relevance within Southeast Asia.

Cyber interactions in Southeast Asia are categorized as either intra-regional or extra-regional. Intra-regional interactions involve cyber operations that occur between states in Southeast Asia, a heterogenous collection of states that vary in their economic, political, and technological maturity. In contrast, extra-regional events include states located outside of the region, namely the United States, Japan, South Korea, and China. These interactions are often enabled by the presence of enduring rivalries, the lack of clarity regarding norms governing state behavior in cyberspace, and the perceived advantages offered by cyberspace. Cyber interactions in Southeast Asia are often extensions of conflicts in Northeast Asia and great power rivalry between the United States and China. The density of these linkages is unique within the context of regional interactions in cyberspace and raises the significance and centrality of ASEAN in addressing these issues.

Cybersecurity trends in the region

Cybersecurity Incidents

The prevalence of cybersecurity incidents in Southeast Asia is a response to the uncertainty caused by different geopolitical tensions in and around the region—particularly territorial disputes, great power rivalry, and historical animosities. While regional militarized conflicts are rare, Southeast Asian governments have continued to increase their activities in cyberspace, such as enhancing their operational capacity for cyber defense, enacting new cybersecurity legislation, establishing a regional centre of excellence in cybersecurity, and collecting intelligence to gain strategic advantages over their rivals. Publicized incidents are typically executed using advance persistent threats (APTs), an attack method that uses a combination of distinct types of malicious software (malware) to evade detection and infiltrate companies and government agencies. These facilitate backdoors and enable attackers to compromise the security of target systems. Furthermore, prominent industries are strategically targeted with APTs as well and include media, financial services, and telecoms. Media outlets are essential when attempting to shape public opinion. Financial services are attacked because these are involved in managing the resources of a state while telecoms are also affected given their responsibility for computer networks and critical information infrastructure.

Methods, Target, and Attribution

Intra-regional interactions are characterized by disruptive operations framed by enduring rivalries. Target selection, in these cases, appears to be opportunistic in that readily accessible vulnerabilities are exploited; and the lack of complexity points to the involvement of non-state actors. Except for Singapore and Malaysia, the region lacks the technological and organizational capabilities required to engage in complex cyber operations that extend beyond disruption. However, restraint is likely to be observed in spite of these capabilities. Disputes involving issues such as territory are (politically) sensitive within the region. That being said, the introduction of cyber operations in these contexts will likely be tuned to minimize escalatory risks.

Extra-regional interactions, in contrast, manifest themselves as espionage operations and are often attributed to China. Targets often include government systems that provide an informational advantage in support of political (or military) objectives. Targets such as technology companies with an established or emerging regional presence are also in scope of Chinese cyber-espionage operations. This reflects China’s preference for exploiting information asymmetries to its advantage – consistent with its activities beyond the region.

Policy Responses

Developing cybersecurity strategies

Policy responses to cyber threats are implemented at the state-level rather than collectively (i.e. ASEAN) through the development of national cybersecurity strategies. Most of these were released over the last five years and reflect the urgency for a more systematic approach to counter sophisticated cyber intrusions. In terms of scope, Brunei, Cambodia, Laos and, Myanmar have broader strategies that address different aspects of information and communications technology, including connectivity, human resources, and e-governance. On the other hand, those of Indonesia, Malaysia, Philippines, Singapore, and Thailand are focused, prescribing specific cybersecurity measures to enhance their responses to computer network attacks and the resilience of their critical infrastructure. An important state in the region that has not released a national cybersecurity strategy is Vietnam. This disconcerting in light of its continued use of cyber operations against neighboring states.

Based on a cursory survey, the national strategies reveal three areas of focus: protecting critical infrastructure, building capacity (institutional and human), and strengthening resilience against cyber intrusions. The logic behind these priorities seems to be self-reliance, given the considerable challenges that prevent the implementation of a collective approach to cybersecurity in the region.

Prospects for Cybersecurity Norms

The establishment of region-wide cybersecurity norms first surfaced following the ASEAN Ministerial Conference in Cybersecurity (AMCC) in October 2016. During this event, representatives of ASEAN states moved to establish of “a set of practical cybersecurity norms of behavior in ASEAN.” This was reaffirmed in September, 2018 with the commitment to subscribe to the 11 voluntary norms laid out by the 2015 report of the UNGGE on cybersecurity. Support for the institution of a normative regime within ASEAN is not wholly unexpected given the value the organization places on Information and Communication Technologies (ICT) as a catalyst for economic development and its corresponding security requirement.

The establishment of region-wide norms, however, presupposes the existence of a shared view of cybersecurity and its corresponding threats among member states. Unfortunately, there is variation in this regard as demonstrated by Tran Dai and Gomez. Although ongoing capacity and confidence building measures – such as the ASEAN CERT Incident Drill (ACID) – attempt to alleviate these constraints, the formation of region-wide norms is unlikely to take place in the near future.

Afterthoughts

The past two decades have seen a growth of interest in interstate behavior in cyberspace. Increased dependence (i.e. economic, political, and military) corresponds with the adoption of cyber operations as a new instrument of statecraft. That said, scholars and policy specialists alike continue to investigate the behavior of established powers at the cost of smaller powers such as those in Southeast Asia. This dearth of scholarship in the region is troublesome given the complex strategic environment in which cyber interactions take place. Moreover, it leads one to question whether current initiatives pursued by regional actors (e.g. national strategies, norms, etc) are best suited to address threats to and from cyberspace. Consequently, it has been the goal of this article to provide readers with insight into the dynamics of interstate cyber interactions within Southeast Asia in the hope of currying interest from those interested in the region.

Miguel Alberto Gomez is a senior researcher at the Center for Security Studies, ETH, and a doctoral candidate at the Universität Hildesheim, Germany. He holds a master’s degree in international security from the Institut Barcelona d’Estudis Internacionals (IBEI). He has worked previously as a lecturer at both the De La Salle University and the College of St. Benilde. His area of research is centered around cybersecurity and tackles the cognitive and affective factors that influence decision-making concerning

Cyberspace.

Francis C. Domingo is Assistant Professor of the International Studies at De La Salle University. He completed a Ph.D. in International Relations from University of Nottingham in 2018. He was also a Teaching Fellow in Cybersecurity and International Relations at Victoria University Wellington in 2016. His research explores the utility of cyber capabilities for weaker states in the international system.