An ASEAN way of cybersecurity

From incident response training to technical cyber capacity building, the new ASEAN-Singapore initiative might be a good venue to promote a common understanding of cybersecurity in the region and beyond, Caitríona Heinl writes.  

The new Singapore-ASEAN Cybersecurity Centre of Excellence (ASCCE), due to launch in 2019, will reflect its founders’ conviction that cyber diplomacy efforts must align with operational issues such as incident response and information sharing. The new centre is expected to cover policy, strategy, legislation, and operations.

This approach will likely mirror the structure of Singapore’s proposal for an ASEAN mechanism that aims to enhance cyber coordination across the group’s forums in hopes to introduce stronger state coordination and unified ASEAN perspectives.

More on this: Lessons from Brexit: ASEAN's survival cannot be guaranteed even with Asia's ascendancy

The ASCCE itself will be based on three pillars: strengthening strategy development among ASEAN states through training and research, enhancing Southeast Asia’s resilience with more national Computer Emergency Response Team (CERT) training, and promoting open-source information sharing among these CERTs.

Since establishing the ASEAN Cyber Capacity Programme (ACCP) in 2016, Singapore has continuously invested in strengthening regional cybersecurity expertise in line with its decision to become more proactively engaged in broader international discussions. These in-region commitments also mean that ASEAN member states may have less incentive for outside investment at the risk of growing third-party influence.

Building upon prior and ongoing regional projects by other ASEAN states, Dialogue Partners and non-governmental research bodies, these initiatives recognise that cyber incidents can severely impact Southeast Asia’s interconnected critical infrastructure, economic and digital economy plans. In particular, the potential to undermine political stability and public trust in government is of grave concern.

Some visible wins so far include much enhanced understanding of cyber-related questions within the cyber community. ASEAN workshops and training on cyber norms and international law have informed states on their own international position. They have also helped to foster consensus leading to ASEAN’s first statement to the UN as well as the group’s decision to subscribe in principle to the 11 global non-binding norms of the 2015 UN Group of Governmental Experts consensus report.

As a next step, ASEAN will need to explore how to implement these principles and establish even deeper common understanding within the ASEAN context, including the application of international law. ACCP and ASEAN Dialogue Partners have already run initiatives ranging from incident response to confidence and technical cyber capacity building in order to support such policy alignment. As a result, the ASCCE can provide a mechanism to sustain and further harmonise ongoing policy and operational endeavours within the region.

More on this: Is cyberwar perhaps politics by other means?

In strengthening state cooperation, it is likely that the ASCCE will address key limitations in ASEAN such as low coordination of regional cyber capacity building efforts, the actual implementation of confidence building measures, and following up after expert meetings. The centre can also facilitate the more concrete engagement between ASEAN members and Dialogue Partners. Other strategic areas that it could potentially address concern diplomatic responses to malicious activity, including measures developed in other regional bodies such as the European Union’s cyber diplomacy toolbox.

Overall, the ASCCE could support ASEAN states in building regional cooperation and allow them to project global influence at international discussions with more strategic clout as a regional group. The centre will also most likely continue to work together with ASEAN states to increase their individual involvement in shaping the wider regional and global cybersecurity agenda.

As a result, in line with the ASEAN way, the centre will aim to ensure ASEAN’s centrality, supporting strong intra-ASEAN collaboration, and engaging effectively with all Dialogue Partners – such as China and the United States – that often hold diverging views. Such ASEAN principles of inclusiveness and working pragmatism have become even more evident in recent months at the UN level where a number of Southeast Asian nations did not consider two competing United States and Russia proposals as incompatible.

In the long term, the ASCCE could even, if welcomed, turn into a venue to promote common understanding beyond ASEAN and among its partners in the Asia Pacific that hold contesting views. It could potentially enable serious cross-regional policy coherence and technical cooperation, and even work to bridge major differences in cultural and political values – such as the diverse understandings of what constitutes cybersecurity/ information security and cyber threats.

The centre could also contribute to reducing fragmentation across regions and support international stability by working with similar research entities such as the NATO cyber defence centre of excellence and the European Union’s newly established Cyber Education, Training, Evaluation and Exercise platform. It will likely also assist the work of ASEAN to continue sharing lessons and good practices with other regional bodies such as the Organization for Security and Cooperation in Europe and the Organisation of American States.

While there is an extensive list of limitations for successful cyber cooperation in Southeast Asia, these challenges also present an opportunity for the ASCCE. For example, its efforts to secure concrete future cooperation in ASEAN will become even more complex with a rise in diverging perspectives on more nuanced policy questions and more knowledgeable actors.

More on this: Beyond 50 - how Australia can reimagine its relationship with Southeast Asia

While ASEAN states will continue to be challenged by rapid technological change, the ASCCE can continue to collaborate closely in addressing the unique regional cyber threat and geopolitical landscape, including their infrastructure needs, potential exchanges with third countries for geopolitical support, and regime changes.

It will have to find ways for ASEAN states to cope with varying levels of cyber maturity and the lack of policy coherence across domestic government stakeholders. The new Singapore-UN Cyber Programme also aims to address these gaps by supporting ASEAN states to coordinate their national cyber policies, strategies, and operational practice.

The new centre will be challenged by working with countries where cyber issues may not even be a top priority, which in turn can hinder regional consensus and ASEAN’s ability to collectively secure its own interests. It will likely address the region’s need for more research initiatives that support such policy coherence, which will require an environment for disruptive and independent thinking to earn global credibility.

Ultimately, the ASCCE is another opportunity to provide a sustainable ASEAN mechanism for stronger regional and international engagement, particularly where the ASEAN secretariat is not equipped to achieve these goals.