On April 5, 2017, the US and Indonesian member committees of the Council for Security Cooperation in the Asia Pacific (USCSCAP and Indonesia CSCAP, respectively) co-hosted a one-day workshop on cyber security. Thirty officials and experts from 15 countries, economies, and institutions, all attending in their private capacity, discussed the regional cyber security environment, progress that has been in ASEAN since articulation of the ASEAN Cyber strategy, and confidence building measures that can help the ASEAN Regional Forum (ARF) achieve a safer regional cyber security environment. Key findings from this discussion include:
Cyber threats pose an increasingly serious challenge to regional security. One study estimates cyber crime did $81 billion in damage to the Asia Pacific during a 12-month period and the number of such incidents is growing. Governments are increasingly concerned by the threat of online radicalization and other content-related issues. In addition, there is growing recognition that ICT networks and servers themselves, including those that support critical infrastructure, are vulnerable to cyber attacks. Because of the global nature of cyberspace, the mitigation of cyber vulnerabilities or cyber attacks often requires transnational cooperation. In many ways, ASEAN’s future growth and prosperity are threatened by proliferating cyber threats.
There is growing awareness of those threats among the government and private sectors. The 2015 ARF Work Plan on Security of and in the Use of Information and Communications Technologies and the 2016 ASEAN Ministerial Conference on Cyber Security are important milestones in regional efforts to tackle these problems.
There is also consensus that more must be urgently done and a more muscular policy is needed at the national and regional levels. The ARF Work Plan put forward many recommendations but, despite this consensus, implementation has been limited. In addition to enhanced government-to-government engagement, dialogue among all stake-holders should be strengthened. There must be conversations between business and governments, and the technical community as well. States must also address cyber security from a strategic level, as well as from a holistic perspective that includes all key constituencies.
Regional cyber security confidence building measures are needed. A valuable first step would be inauguration of the ARF ICT Security ISM and/or ARF Study Group on Confidence Building Measures and compilation of the ARF Directory of Cyber Points of Contact.
It was also recommended that:
- ARF member governments develop and share national cyber strategies that reflect whole-of-government role and responsibilities.
- ARF member governments compile and compare national assessments of cyber threats, their consequences, and the priority they assign those threats.
- stakeholders aggressively promote the idea that cyber security promotes confidence and facilitates economic growth and development.
- stakeholders share lists of key cyber terms to improve regional communication.
- stakeholders utilize maturity frameworks or other best-practices models to assess national status of and progress in the implementation of cyber security policies. Establishing a more robust baseline of the status of national cyber security efforts is imperative.
- countries and organizations offering assistance in capacity building coordinate to minimize duplication. Donor countries could develop a template that identifies the assistance they can provide and maintain them in a single repository. At the same time, such efforts must be tailored to recipients; there is no “one size fits all” formula for capacity building. A standard template for assistance could also be developed and maintained with the assistance offers.
- meetings of regional cyber security stakeholders be regular and routinized to promote habits of dialogue, information sharing, and cooperation.
- ARF member governments support ongoing cooperative cyber efforts in specific sectors, including mutual legal assistance and CERT cooperation.
- study the possibility of cross-regional engagements on cyber security, such as OSCE-ARF.
The ARF is the best Asian regional security venue to promote such efforts. Organizations such as CSCAP are ready to assist in their realization.
ASEAN could become a model for regional cyber security cooperation. The distinctive “ASEAN way” of international cooperation, the region’s cultural and political diversity, and the opportunity to “build-in” cyber security as it develops its connectivity initiative and various ASEAN communities all afford ASEAN a chance to lead in the articulation of multilateral efforts to promote cyber security.