US and ASEAN are significant economic, political, and geo-strategic partners. However, cyber insecurity characterizes the region, stifling potential economic and political gains.
- Promote cybersecurity partnerships modeled after the Singapore-US relationship.
- Promote greater intellectual property protection laws to lower malware rates and strengthen the confidence of American technology investors.
- Promote and encourage greater ASEAN integration.
- Achieve recommendations 1-3 through regular cybersecurity dialogue with ASEAN.
The Association of Southeast Asian Nations (ASEAN), a regional organization consisting of ten Southeast Asian countries, is a significant economic and political partner for the United States. ASEAN’s increasingly wealthy and youthful population is an important market for American goods, with ASEAN-US trade valued at over $254 billion in 2014.
Additionally, Southeast Asia is the largest recipient of American foreign direct investment (FDI), receiving over $226 million on an annual basis, an amount that further illustrates the importance of Southeast Asia in American foreign relations. Furthermore, ASEAN’s positioning in the South China Sea makes each nation a valuable geo-strategic ally, especially in light of increasing Chinese aggression – both physical and digital – throughout the region.
However, in spite of its immense financial and political importance, the ASEAN-US relationship is hampered by rampant regional cyber(in)security. Over the past decade, Southeast Asia has experienced rapid gains in connectivity. While connectivity yields growth in e-commerce sectors and provides new opportunities for economic ties with the United States, connectivity has not been accompanied by strong cybersecurity protections for its citizens and businesses. As a result, malware and fraud rates in ASEAN countries are among some of the highest in the world, with large financial costs – Malaysia lost nearly $900 million to cybercriminals between 2007 and 2012, cybercrime costs Indonesia nearly $2.7 billion on an annual basis, and even Singapore, a global cybersecurity leader, has a per capita cybercrime cost of $1,158. As long as these startling cybercrime figures persist, many American businesses are skeptical to fully embrace the region, in spite of its potential for mutual prosperity.
Cyber(in)security in Southeast Asia also has a distinctly political cost for American interests. In March 2015, the American security company FireEye uncovered a decade-long cyberattack designed to attack critical infrastructure and steal data related to the regional political, economic, and military operations of several prominent ASEAN nations, corporations, and individuals interested in China. Perhaps most troubling, FireEye suggests that the Chinese government was responsible for the attacks, and that ASEAN leaders were completely unaware of its intrusion.
The Chinese have also been tied to a number of more tangible cyberattacks throughout the region: after the Permanent Court of Arbitration ruled against China and in favor of the Philippines in the South China Sea, over 60 Filipino government websites experienced a DDoS attack. Chinese hackers have also compromised Vietnamese intelligence networks and overridden airport-messaging systems with pro-China messages.
The political vulnerabilities present in Southeast Asian cyberspace make the region fundamentally less secure and strategic for both the American government and its businesses abroad, even if the region’s geography has to become a bulwark of security against Chinese aggression.
In spite of these challenges, the ASEAN-US economic and political relationship remains one of incredible potential. The United States should work more closely with ASEAN to bolster its cybersecurity, and ultimately foster a more prosperous relationship in the process.
Recommendation 1: Promote cybersecurity partnerships modeled after the Singapore-US relationship
Singapore is a regional cybersecurity leader and its bilateral cybersecurity relationship with the United States is highly productive. Under this agreement, Singapore and the United States share a variety of information, coordinate CERTs, and share initiatives on critical infrastructure protection, cybercrime, cyber-defense, and capacity building. The bilateral Singapore-US cybersecurity relationship puts both nations in regular contact, which allows for greater collaboration and innovative problem solving.
The United States should expand this type of extensive partnership beyond Singapore, and forge stronger bilateral cybersecurity relationships with other ASEAN nations. By doing so, the United States will expand its ability to gather important security knowledge in the South China Sea, and also forge stronger economic ties.
Recommendation 2: Promote greater intellectual property protection laws to lower malware rates and strengthen the confidence of American technology investors.
Intellectual property (IP) laws in Southeast Asia are underdeveloped, and existing laws are poorly enforced due to a lack of resources. Although some ASEAN countries have recently worked to improve their IP laws, IP theft continues to proliferate, bringing malware and diminished profits for technology companies, many of which are American.
Pirated software often does not receive the security updates that licensed software does, making users vulnerable to hacking and theft. Promoting stronger IP laws and increasing local capacity to catch violations will reduce the amount of pirated software in Southeast Asia, thus reducing the amount of costly malware that takes dollars from consumers and companies.
Additionally, as IP laws are strengthened, it is important to also promote greater cyber-awareness. Many citizens in developing Southeast Asian nations are data illiterate, which may actually exacerbate regional cyber(in)security. A region with stronger IP laws and a more educated populace offers a solution that may also attract greater technology investment, giving American businesses a large, receptive market and providing millions of Southeast Asian consumers with valuable new technologies.
Recommendation 3: Promote and encourage greater ASEAN integration
Currently, ASEAN countries are at very different stages of development. On one end of the spectrum is Singapore, whose economy, technology sector, and cybersecurity policies are highly developed and similar to that of most Western nations. On the other end of the spectrum are countries such as Cambodia and (Myanmar, where digitalization and development are still underway and national regulatory frameworks have yet to emerge). This diverse landscape is often difficult for investors and politicians to navigate in spite of a desire to engage with the region as a whole.
If ASEAN countries were to engage in greater social, economic, political, and legal integration, they could jointly improve regional cybersecurity while minimizing costs to individual nations – for example, if ASEAN were to adopt a bloc-wide cybersecurity framework, nations such as Cambodia and Myanmar would not have to create their own, allowing their governments time and resources to focus on other aspects of development.
Essentially, a more integrated ASEAN could improve the ease with which the United States expands its critical cybersecurity partnerships throughout the region, fostering a more prosperous and geopolitically stable region for American economic and political investments.
Recommendation 4: Achieve recommendations 1-3 through regular cybersecurity dialogue with ASEAN
The best mechanism with which to encourage stronger cybersecurity partnerships, greater IP protection laws, enforcement, cyber-awareness, and ASEAN integration is dialogue, particularly in the form of ASEAN Regional Forums (ARFs) and joint workshops.
ARFs are annual security dialogues held by ASEAN countries and their regional partners to discuss common challenges, share best practices, and promote collaborative solutions. The United States co-chaired its first cybersecurity-related ARF in 2015 on cybersecurity confidence-building measures, and in 2016 held a joint ASEAN Cybersecurity Workshop with Singapore. Additionally, the United States should continue to encourage and engage with bloc-level security organs, especially the newly formulated ASEAN Defense Ministers Meeting Plus (ADDM) and its Cybersecurity Working Group.
While both workshops are a step in the right direction, the United States should increase the frequency of its cybersecurity involvement in the region in order to consistently promote transparent and cooperative solutions, especially as ASEAN nations grow increasingly authoritarian. The rise of authoritarianism in Southeast Asia means that the majority of cybersecurity laws do not adequately protect consumers and businesses from malware and fraud, and instead bolster the power of the state while infringing upon individual privacy rights. It is essential that the United States continue to push for more resilient policies respectful of fundamental human freedoms; cybersecurity policies that recognize individual rights to privacy and expression are more effective at protecting economies and critical infrastructure than restrictive policies designed to preserve the state alone.
While dialogue alone cannot overhaul cybersecurity policy in a nation, continuous engagement through ARFs and workshops can model best practices and build stronger bilateral partnerships that will increase local cybersecurity capacities, and ultimately increase opportunities for joint prosperity.
 Medina, Sara, and Kai Zhang. 2014. “Intellectual Property Rights in Southeast Asia.” SEA-EU-NET. Sociedade Portuguesa de Inovação (SPI).
 “Fact Sheet: U.S.-ASEAN Relations.”
 Hung. “Confronting Cybersecurity Challenges Through US-Singapore Partnership – Analysis.”
Medina, Sara, and Kai Zhang. “Intellectual Property Rights in Southeast Asia.” SEA-EU-NET. Sociedade Portuguesa de Inovação (SPI), January 22, 2014.