On April 28 during the 32nd ASEAN Summit held in Singapore, Singapore’s Prime Minister Lee Hsien Loong noted the importance of cooperation and coordination in cybersecurity at the regional level. His remarks were supported by an ASEAN-issued statement at the end of the summit, which demonstrated a concurred view among ASEAN leaders that cybersecurity issues should and will be allotted greater priority in the coming years. With the rapid pace of technological evolution, the increasing digitization of the region, and its rising prominence in the digital economy, the elevation of cybersecurity to the regional economic agenda points to the increasing awareness that in this current reality, cyber risk isn’t just an IT risk. It is also an economic and business risk.
Currently, ASEAN member-states remain vulnerable to cyber threats due to inadequate infrastructure and awareness as well as the growing complexity of cyber risks. A report by AT Kearney stresses that the need for action is urgent. At the regional, national, and organizational levels, ASEAN cybersecurity is highly lacking. The risks of cyber-attacks and data breaches will only continue to multiply as the region grows in economic strength and solidify its relevance in the wider international economy. Laying down foundations in policy and frameworks now could prevent up to a $750 billion loss in market capitalization (as a result of data breaches) in the future.
Fragmented Progress in Cybersecurity Strategy
The development of cybersecurity strategies vary across Southeast Asia, with Philippines, Thailand, Malaysia, and Singapore faring relatively better than Laos, Brunei, Cambodia, Myanmar, Vietnam, and Indonesia. Malaysia, Singapore, and the Philippines, for example, have set up national cybersecurity agencies. However, wide the interconnectedness of the region means that vulnerabilities in any given country can have spill over effects on other economies and institutions, including public health, safety, national security, and so on. Currently, countries such as Malaysia, Indonesia, and Vietnam have been used as hosts to launch spam botnets, malware attacks, and the like due to weaknesses in security.
Through regional initiatives and summits such as the ASEAN Summit, there have been agreements made to increase cooperation and knowledge-sharing. However, the lack of a legally-binding, unifying framework for the region still leaves ASEAN as a whole underprepared for cyber threats. One of the challenges is that the digitization of ASEAN countries are occurring at varying rates – Indonesia, for example, still faces a vast digital divide in their population. This could hinder efforts at coordination and the standardization of practices.
According to AT Kearney, ASEAN is underspending on cybersecurity compared to the countries with best practices. To reach global benchmarks, each ASEAN country should be spending between 0.35 to 0.61% of their GDP – amounting to a collective spend of approximately $171 billion.
Human Resources and Cybersecurity Capability
At the same time, no matter how comprehensive the frameworks and regulations, they will not provide much benefit without the necessary competence to implement or build on them. Currently, those seeking to enhance their cybersecurity are finding that there is a lack of talent to meet the need.
Efforts to fill the gap in talent have often been organizations-led through the implementation of short-term skills development programs. However, both governments and organizations have to continually have a forward-thinking approach in order to anticipate future trends, technologies, and demand. Government legislation and regulation has to keep up with evolving and new technologies. With cryptocurrency still relatively unregulated, for example, there have been an uptick in cyber-attacks on cryptocurrency mining operations in ASEAN member states.
The current underinvestment in cybersecurity has been attributed to a lack of awareness as well as a lack of talent and resources. Government-led initiatives to develop the next generation of cybersecurity professionals, R&D programs for innovative technologies, and deliberate moves to leverage on existing global expertise and knowledge are required not just to keep up with the current landscape, but to promote future growth.
A Holistic Approach to Cybersecurity
Given the underdeveloped nature of this area, moving into cybersecurity can be included as part of a long-term strategic plan, not just to protect critical infrastructure, but also as a way to increase revenue. Recognising the long-term value it could provide, corporations in telecommunications, manufacturing, and oil and gas industries in particular have been making deliberate moves into cybersecurity. At the same time, countries such as UK and Israel use cybersecurity as a competitive advantage – robust cybersecurity measures on a national level can potentially be an added value to foreign investors and businesses.
On the regional, national, and organizational level, leaders can draw on a wealth of expertise through partnerships or alliances, as well as established global practices and standards such as the NIST Cybersecurity Framework and ISO 27001. A risk centric approach to cybersecurity can also allow governments and organizations to identify emerging threats while also anticipating, and using, disruption to their advantage.
All in all, cybersecurity needs to be addressed in relation to governance, strategy, culture, and operations. While the establishment of policy and regulation is vital, those alone will not foster the effective implementation of cybersecurity strategies across the region. The reality of digital is already here, and cybersecurity can no longer be just an afterthought.