The Association of Southeast Asian Nations (ASEAN) member countries have emerged among the world’s leading economies. The member states—Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar (Burma), Philippines, Singapore, Thailand, and Vietnam—have made the region a rapidly growing place to do business. However, this success has made the ASEAN countries especially vulnerable to cyber attacks. For instance, FireEye recently discovered that the hacker group Advanced Persistent Threat (APT30) had access to critical informational infrastructure in the region for years (FireEye 2015).
ASEAN countries are vulnerable to cyber attacks because ASEAN’s current cybersecurity initiatives are largely ineffective due to the absence of compliance mechanisms and intra-bloc divergences in security priorities and capabilities. This disconnect closely reflects the politically disjointed nature of ASEAN, which has spent the majority of its nearly 50 year history functioning primarily as a collaborative economic institution and regional discussion forum rather than as a cohesive political actor.
Despite this current environment, there is room to be cautiously optimistic about ASEAN’s cybersecurity future. Sound regional cybersecurity practice requires legal harmonization and coordinated policies that transcend differing national priorities and capabilities. Documents such as the 2007 ASEAN Charter and two recent Conventions illustrate an organizational evolution to a polity with the type of unified political, legal, economic, and cultural elements necessary for effective regional policy. As cybersecurity becomes more and more pertinent to ASEAN’s organizational operations and economic success, perhaps it will become a Convention topic in the near future. ASEAN member states have both the motivation and now the tools to enact meaningful supranational legislation—and now is the time to do so.
In 1967, Indonesia, Malaysia, the Philippines, Singapore, and Thailand signed the Bangkok Declaration, founding the Association of Southeast Asian Nations (ASEAN). ASEAN’s creation in the midst of the Cold War marks an attempt by its five founding members to build strong economies, curb the rise of regional communist expansion, and encourage social progress. In this political context, nations put aside their differences (such as the Indonesia-Malaysia confrontation in the 1960s) to commit to principles of regional compromise, consensus, personal diplomacy, and solidarity–a set of practices now referred to as the “ASEAN Way.”
Today, ASEAN has expanded its membership to include Brunei, Cambodia, Laos, Myanmar, and Vietnam. ASEAN’s membership is diverse considering the small geographic space it occupies. Citizens in ASEAN states represent a variety of religions, speak a multitude of different languages, practice different traditions, and exhibit different levels of development. For example, they represent a wide range on the human development index, which combines life expectancy at birth, mean number of years of schooling for adults 25 and older and expected years of school for children, and gross national income (UNDP). Singapore has a human development index (HDI) of .912, Indonesia a HDI of .685, and Myanmar a HDI of .536—for comparison, the US is ranked eighth in the world with an HDI of .918 (UNDP 2014). ASEAN states also have divergent political and economic systems, including socialist systems to military dictatorships to more or less liberal democracies to various forms of monarchies.
One of ASEAN’s enduring successes is its ability to foster peace among these diverse states. For instance, ASEAN is a nuclear weapons-free zone and it has not seen conventional warfare between member countries since its inception. ASEAN also plays a key role in maintaining stability beyond its borders. In 1994, ASEAN began holding Regional Forums (ARFs), talks comprising the 27 member states including the United States, China, the EU, and Russia, which serve as a forum for peace and security discussions in the Asia-Pacific region. While ARFs have minimal institutionalization and do not produce international, legally binding resolutions, they have been credited with the reduction of geopolitical tensions through dialogue.
ASEAN’s other enduring success is its biggest – economic growth. At its founding, most ASEAN populations were impoverished. In 2013, ASEAN’s economy was the world’s seventh largest with a combined GDP of $2.4 trillion. ASEAN has a current global economic share of 3.2%, a percentage that is slated to increase considerably to 4.7% and a combined GDP of $6.2 trillion by 2023 (Fensom 2015).
This level of rapid economic growth is made possible by a steadfast commitment to liberalization and the deconstruction of economic borders, enabling a freer flow of goods and people throughout the region. The bloc created a free trade area involving the abolishment of import and export duties between member states (a few duties remain in Myanmar, Cambodia, and Laos, but are scheduled for cancellation). Mutual Recognition Agreements (MRAs) have also been agreed upon for certain professions such as physicians, dentists, engineers, and accountants, enabling the free flow of skilled labor throughout the region. Furthermore, ASEAN has plans to increase economic growth by integrating into a single market in the immediate future (Asian Development Bank 2015).
ASEAN’s economic growth is further supplemented by free trade agreements with its neighbors, including India, Australia, New Zealand, and South Korea. These agreements reduce over 90% of all tariffs and make ASEAN nations attractive business partners (VietnamNet 2015). The China-ASEAN Free Trade Agreement, negotiated in 2002 and put into effect in 2010, has moved a number of Chinese manufacturing companies to ASEAN soil (Heath 2015). Labor costs in ASEAN countries are lower than in China, and ASEAN has a larger working population eagerly awaiting incorporation into the global economy.
Liberal business regulations accompany free trade agreements in many ASEAN states, resulting in high foreign direct investment (FDI) that has helped to propel regional economic growth. In 2014, Singapore topped the World Bank’s “Ease of Doing Business Report,” with Malaysia and Thailand trailing close behind. European investors distributed a net FDI of $75 billion between 2011 and 2013, with Japanese, American, and Chinese investors following suit (Fensom 2015).
Taken together, ASEAN’s political stability and commitment to free trade has made the bloc an economic powerhouse. However, ASEAN’s very strengths make it exceptionally vulnerable to cybersecurity breaches. In recent years, both the volume of economic capital and Internet penetration rates for both mobile and fixed broadband have skyrocketed across the bloc. In other words, as ASEAN has become richer, its population has become increasingly reliant upon the Internet for the provision of goods and services. When paired with the billions of dollars invested in the ASEAN economy, the bloc is a profitable target for cybercriminals.
Vulnerable to Attack
Cybercrime has a high economic cost for ASEAN countries. Between 2007 and 2012, Malaysia reportedly lost nearly $900 million to cybercriminals with an average 30 individuals falling victim to cybercrime every day (Qing 2012), while over 70% of all crimes in the country are considered cybercrimes (Yao 2015). Additionally, cybercrime costs neighboring Indonesia $2.7 billion on an annual basis (Norton 2012). In 2013, Singapore had the highest per capita losses to cybercrime in the world at $1,158 (Yao 2015).
Nefarious cyber activity can also be measured by computer cleaned per mille (CCM) and encounter rates, numbers that provide a perspective on the global spread of malware. In Malaysia, Indonesia, and Myanmar, both rates spiked considerably between 2013 and 2014, illustrating the growing insecurity of cyberspace in these countries.
Piracy is also a considerable threat to regional cybersecurity, as pirated software often lacks the traditional security mechanisms of purchased programs and can further contribute to the spread of malware. Cambodia has a piracy rate of over 95%, and Vietnam and Indonesia follow with piracy rates over 80% (BSA Global Software 2011). It is currently estimated that regional consumers will spend $10.8 million dealing with malware issues related to pirated programs (Luces 2014).
Cybercrime occurring within ASEAN’s borders also has financial implications for the increasingly interconnected global economy. In 2013, Thai authorities arrested an Algerian national whose banking Trojan horse SpyEye infected over 1.4 million computers and emptied thousands of bank accounts (Hatuqa 2015). That same year, Indonesian police arrested over 35 individuals involved in an e-mail scam targeting overseas victims. At the time of their arrest, the suspects had collected over $2.6 million (Perdani 2013). In the Philippines, the police arrested nearly 400 people in one day for online fraud charges aimed at Chinese and Taiwanese victims (Gomez 2014).
The APT30 Attacks and China
In April 2015, the American security company FireEye exposed the political cost of ASEAN’s cyber-insecurity. FireEye obtained information that a sophisticated hacker group named Advanced Persistent Threat (APT30) had been attacking critical informational infrastructure in Southeast Asia and India for nearly a decade (FireEye 2015). APT30 hackers created over 200 versions of malware designed to steal data related to regional political, economic, and military issues. Thus, unlike other cybercriminals who seek to exploit financial gain, APT30 hackers appeared primarily interested in data theft for the purpose of political gain (FireEye 2015).
APT30 is unique in its targeting of a regional institution as a whole instead of individual nation states, illustrating the transnational nature of cybercrime. APT30 was designed to steal data relating to bloc-wide events, customizing malware most active around the time of summits (Gady 2016). Additionally, APT30 appears to have registered domain names close to asean.org (such as asean.com), hoping to steal data from Internet users seeking ASEAN information.
Both FireEye and regional experts tend to place the Chinese Communist Party (CCP) at the center of the APT30 operation. These actors believe that the CCP seeks insight into ASEAN political mechanisms as a way to gain an upper hand into territorial disputes in the South China Sea. The disciplined, systematic, and collaborative nature of APT30 suggests a significant commitment to long-term espionage operations on the bloc, and is in line with what many believe to be China’s regional strategies. With a better understanding of ASEAN politics and cooperation, China seeks to divide the bloc and advance its own political and security interests.
The very existence of the APT30 attacks highlight ASEAN vulnerability while the longevity and simplicity of the operations illustrate its security shortcomings. For the ten years of its existence, APT30 employed the same tools, tactics, and procedures (Horowitz 2015). This is in marked contrast to the behavior of other cybercriminals and groups, which very regularly alter their behavior in order to evade detection. APT30’s ability to dodge identification even without changing their behavior suggests an ASEAN cybersecurity regime that was either not paying attention or incapable of a response, and possibly unwilling to report their susceptibility.
The implications of cybercrime are clearly very serious for the bloc. ASEAN must bolster its cybersecurity if it wishes to continue to operate from a position of economic strength and political stability. The financial costs of cybercrime have the potential to erode investor confidence in the ASEAN economy, and the threat of cyber espionage has the potential to derail ASEAN’s political standing. Moving forward, ASEAN must find a way to provide both basic economic and political securities for its international companies and for itself.
Existing Cybersecurity Initiatives and Political Challenges
ASEAN’s existing cybersecurity initiatives are plentiful in name but sparse in potency. Official cybersecurity and information and communication technology (ICT) policies primarily function as mechanisms to either aid ASEAN’s growing economy or limit crimes that hinder the further development of legal business channels. This economic orientation illustrates ASEAN’s historic function as a regional trade group rather than a cohesive political and legal body. Strong cybersecurity policy in and of itself has never been adequately prioritized, leaving member states vulnerable to cybercrime through a lack of compliance mechanisms, institutional disconnect, and uneven national legal capabilities.
ASEAN’s cybersecurity and ICT policies often function as means of growing the bloc economy through e-commerce. The 2000 e-ASEAN Framework aimed to grow electronic commerce, liberalize trade in ICT products and services, and build capacity, focusing on building ICT infrastructure in less developed member nations and bolstering e-Government services in developed member nations (Durongkaveroj 2002). This Framework had ambitious goals to streamline economies, governments, and digitally integrate the bloc, but lacked adequate discussion of security provisions.
Other cybersecurity-related initiatives have emerged as a reaction to the pervasive and disruptive nature of regional crime, although these initiatives have had a limited effect in curtailing malicious activity. By 1997, the frequent trade between ASEAN member states necessitated action on transnational crime. In response, ASEAN produced the Declaration on Transnational Crime, and added cybercrime to its definition of transnational crime in 2001. This Declaration aimed to better streamline ASEAN-wide policing and enact mutual legal assistance agreements to better prosecute regional criminals that interrupted legitimate economic activities. Yet the Declaration has done little to curtail crime’s illicit economic behavior. In April 2013, the United Nations Office on Drugs and Crime reported that transnational crime in the ASEAN bloc has only increased since the 1997 Declaration, and now costs roughly $90 billion on an annual basis (Nuansyah 2015).
A successful ASEAN cybersecurity initiative was spearheaded at the 2003 Telecommunications and IT Ministers Meeting (TELMIN). This meeting concluded that each member state should set up its own Computer Emergency Response Team (CERT) by 2005 (ASEAN Secretariat 2013). Although this goal was not completed on time, today all member states have their own CERTs. The effectiveness of each national CERT is reliant heavily upon individual national resources and capabilities, further perpetuating intra-bloc asymmetry instead of cultivating political and legal harmonization.
The inadequacy of ASEAN cybersecurity initiatives is rooted firmly in its institutional shortcomings, including a lack of legal authority and coordination procedures across ASEAN and national organizations. This may be a function of the “ASEAN Way”—the bloc’s consensus-based decision-making process. The “ASEAN Way” is a nice example of a commitment to cooperation, but renders the bloc unable to create rapid and effective responses to a quickly changing geopolitical environment (Jakarta Post 2007). With ten member states at different levels of development, types of governance, and political attitudes, it is extraordinarily difficult to produce unanimously approved legislation. So while initiatives such as e-ASEAN, the Declaration on Transnational Crime, and the 2003 TELMIN Conference appropriately discussed the need for stronger, integrated cybersecurity and ICT development, the lethargic lawmaking process holds the details and implementation of these initiatives captive.
Some ASEAN nations are wary of supranational organizations and are hesitant to cede elements of sovereignty to a regional body, resulting in political organs ill equipped to achieving their goals. For example, the ASEAN Ministerial Meeting on Transnational Crime (AMMTC) was created to oversee the implementation of the 1997 Declaration on Transnational Crime. But, the AMMTC lacks compliance mechanisms that could force individual member states into updating national law and policing to more adequately address transnational crime (OECD 2005).
Bodies such as the AMMTC also lack effective coordination capabilities critical to the prosecution of transnational crime and cybercrime. The AMMTC has little contact with ASEANPOL and ASEAN drug officers, both of which have separate mandates from AMMTC (Nuansyah 2015), and an even harder time collaborating with national police and defense agencies. Additionally, although the 1997 Declaration called for the enactment of mutual legal assistance agreements, these agreements were not put in place until 2004. However, the 2004 ASEAN Mutual Legal Assistance Treaty in Criminal Matters does not apply to the transfer of persons on custody to serve sentences or the transfer of proceedings in criminal matters (Nuansyah 2015). There is no doubt that the incomplete and uncoordinated AMMTC and Mutual Legal Assistance Treaty process is plagued by intra-bloc differences over sovereignty that are not easily resolved in an organization relying upon consensus.
Obstacles to successful cybersecurity practice and policy implementation lie even beyond the ASEAN decision-making process. ASEAN relies upon individual national governments to institute and uphold crime law and enact coherent, effective police procedures, yet each national government is different in its ability and desire to do so. Countries in the upper echelons of ASEAN development such as Singapore, Brunei, and Malaysia, have different governance capacities and priorities than countries that are still developing their economies and such as Cambodia, Laos, and Myanmar.
Reliance upon national implementation of laws and procedures and the absence of compliance mechanisms create an environment that perpetuates intra-bloc asymmetry. To a developed country such as Singapore—an important global financial center—the proliferation of cybercrime is a threat to its large business sector. In this case, Singapore’s government may be extremely receptive to the enactment of stronger crime laws and increasing police capacity to respond to cyber attacks. Meanwhile, poorer member states such as Myanmar face a different type of cybersecurity threat and different governmental attitudes toward bloc policy. Cybercrime is definitely a problem in Myanmar, but for a nation struggling with basic electrification and the expansion of ICT services, it is easy to imagine how enhancing police capacity and passing cybercrime laws are of a lesser importance than they are in Singapore.
Asymmetry is certainly a problem for ASEAN, but it also yields unique knowledge-sharing opportunities between member states. ASEAN member states complement cybersecurity and ICT policy initiatives with cybersecurity-related capacity-building programs. Statements at 2006 and 2012 ASEAN summits have yielded a series of seminars, conferences, and workshops for regional ICT professionals. In this setting, knowledge sharing between states has been a crucial means of enhancing ASEAN-wide cybersecurity. Singapore has a five-year national cybersecurity plan in place, promotes cybersecurity on the bloc agenda by hosting and leading the 2014 Senior Officials Meeting on Transnational Crime (a meeting tasked with the creation of a roadmap to combat cybercrime) and 2014 ASEAN-Japan Cybercrime Dialogue, and fosters public-private partnerships to share best cybersecurity practices (Tao 2015). Singapore serves as a model for its fellow member states to emulate, and ASEAN capacity-building exercises are a prime opportunity for this expertise to proliferate.
Toward a Cybersecurity Convention
ASEAN’s existing cybersecurity initiatives are simply not enough to combat the widespread and ever-increasing amount of cybercrime that plague ASEAN member states. Dialogue, in the form of seminars, knowledge transfers, and conferences, are necessary but not sufficient conditions for a resilient bloc-wide cybersecurity regime. An organization as diverse and large as ASEAN needs legal coordination and uniform capacities across the bloc to complement dialogue in order to facilitate the continued success of the regional economy.
While political unity is currently absent from ASEAN’s cybersecurity efforts, there is room for cautious optimism on the matter. The 2007 ASEAN Charter and recent passage of two supranational, legally binding conventions suggest an organizational evolution. The bloc is suggesting its desire to move from functioning as a primarily regional economic organization toward an organization with a distinct cultural identity. As ASEAN expands its identity, perhaps so too will political and legal harmonizations follow.
ASEAN’s early focus on economics has proved so successful that it necessitates this evolution. In effect, ASEAN is a free trade zone with closely integrated economies but little political cohesion to facilitate this union. In 2007, the ASEAN Charter redefined and refocused bloc organization. The ASEAN Charter gives it an official legal personality and defined its pillars of operation as political and security, economic, and sociocultural. The goals accompany this charter include acting as a unified actor in regional political and security matters, a single market (and perhaps currency), and a developed ASEAN cultural identity.
Since then, two legally binding Conventions have been passed. The legal framework of Conventions demonstrate ASEAN’s progression from fragmented and uncoordinated policy toward sets of universal bloc-wide laws, a factor which bypasses the asymmetrical nature of different national legal priorities and imposes uniform law from above. The 2007 Convention on Counter Terrorism defines criminal acts of terrorism to empower local law enforcement and justice departments to better prosecute crimes (Hafidz 2009). Conventions can also bypass the slow consensus-based ASEAN decision-making process, since they need ratification by only six member states before being enacted into law, a feature that enables much faster political change than ASEAN has experienced thus far. The 2007 Convention on Counter-Terrorism provides legal definitions for went into force in April 2011, after a sixth country, Brunei, ratified it. The Convention was ratified by all member states in 2013.
A second Convention, the 2015 Convention Against Trafficking in Persons, Especially Women and Children, was signed late last year. This convention has received ratification from Singapore and Cambodia and awaits four more ratifications before it is enacted into law.
The ASEAN Charter and subsequent Conventions are far from perfect. Conventions take years to draft, sign, and ratify, but their supranational nature has the potential to affect meaningful change for the region. ASEAN has already made small steps toward tackling cybersecurity as a unified polity, perhaps suggesting that a cybersecurity convention could be in the bloc’s future. It has begun working with regional partners on cybersecurity matters as an organization instead of individual member states, as reflected by the ASEAN-Japan and ASEAN-China annual Network Security summits. Cybersecurity provisions are mentioned in the bloc’s ICT Masterplans and Master Plan on Connectivity, and the bloc’s Network Security Action Council imagines coordinated CERTs and joint cybersecurity-related trainings in the near future.
A resilient ASEAN cybersecurity regime is unlikely to occur in the immediate future. Political evolution of a regional organization—particularly one as diverse as ASEAN—takes considerable time and experience. But ASEAN’s leaders are certainly taking a step in the right direction by recognizing the need for ASEAN to transform from a primarily economic bloc to taking on political, legal, and cultural identities, and acting in unison across all fronts. In an increasingly interconnected world, no policy can be successful in isolation. ASEAN’s continued economic success is heavily reliant upon the smooth operation of the political and cultural processes that guide its market flows.
This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.