Central Challenge
Myanmar’s large and emerging market has great potential for US tech companies and its geo-strategic location is also central to US security strategies. However, the exponential growth and spread of the Internet has created an environment wrought with privacy and security risks and low user awareness.
Recommendations
- Support the work of current and future U.S. companies working with local institutions to provide data literacy programs and technological assistance that ensures data privacy.
- Encourage ASEAN initiatives in adopting a bloc-wide cybersecurity framework.
- Pressure the Myanmar national government to join regional and global initiatives for data privacy and cybersecurity.
- Encourage the national government to create a central regulatory framework that aligns with the current practices of key U.S. investors.
Myanmar’s ICT sector began to emerge in 2013 with invitations to Ooredoo and Telenor to enter the country in 2014 to develop the infrastructure and services for public mobile technology and data. At that time, key global private sector tech companies began entering and investing in the country as well. While the rapid expansion of mobile accessibility and affordability to the Myanmar public – from approximately 13 percent in 2013 to 80 percent in 2016 [1]– has connected the population to the global Internet and provided new and improved avenues for information access and sharing, the exponential growth and spread of services has created an environment wrought with privacy and security risks and low user awareness.
Several private sector investors contributing to the emerging ICT sector have viewed Myanmar’s lack of existing infrastructure as an opportunity for Myanmar to “leapfrog legacy technology and implement cutting edge infrastructure [2].” For many businesses, particularly local businesses, the desire and ability to provide modern technology has overrun the importance of data protection and privacy policies in regulating and securing the massive amount of user-identifiable information collected, stored, and used by ICT providers [3]. The central role of private sector investors in developing the country’s ICT sector, however, places them at high risk for cyber-attacks and security breaches. This threatens not only the security of the company but more importantly the security and privacy of consumers in Myanmar. Protection policies and collaborative response initiatives as well as user awareness programs need to be established through a strong network of private sector investors and supported by national governments.
During the Obama administration, re-establishing and strengthening relations with Myanmar was a central priority. The positive diplomatic relations between the US and Myanmar have allowed US businesses to thrive in Myanmar’s new market. As Myanmar continues to liberalize, opportunities for investment will expand. Maintaining positive US-Myanmar relations is not only beneficial to US business interests but also in improving regional security. China has historically been a key diplomatic partner with and investor in Myanmar, especially during the previous military rule. Currently, China also has its eyes on several investment opportunities in the country. Maintaining diplomatic relations with Myanmar and continuing to support positive and ethical US investment in the country will balance Chinese physical and digital aggression in the region, in turn promoting practices of good governance and democracy in the country.
However, cyber(in)security is a widespread problem throughout Southeast Asia, particularly in Myanmar. The country is still progressing through a top-down democratic transition and the government still retains the right to control the flow of information and infringe on individual privacy. It has also not yet developed the necessary infrastructure to regulate the storage and distribution of information collected by ICT services. This limits opportunities for effective and quick government-to-government cyber diplomacy to ensure that US businesses and users in Myanmar are protected and national regulation and response bodies are established. To quickly and effectively improve cyber-relations, the U.S. government should turn its attention towards the work of leading U.S. companies with established programs and partners in Myanmar – for example, Microsoft and Cisco – to strengthen security regulations and increase user awareness. The U.S. should simultaneously encourage ASEAN to adopt a bloc-wide cybersecurity framework and persuade the national government to collaborate with US businesses to develop strong central regulations and participate in regional cybersecurity forums.
The Current Environment: A Central Legal Framework, the Right to Privacy, and Low User Awareness
The government provides no framework that defines PII (personally-identifiable information) or stipulates requirements for collection, management, or transfer of personal data. There are also no legal structures to protect companies developing services or their consumers, and the government maintains the legal right to use an individual’s information if they believe their digital activity has undermined the security of the nation or the national government. The 2013 Telecommunications Law and 2004 Electronic Transaction Law codify the government’s unchecked ability to access user-identifiable information collected and stored through ICTs. Articles 75 & 76 of the 2013 Telecommunications Law grant Myanmar law enforcement and government officials the right to access user information from ICT services when they believe that the national security of the country has been threatened through cyber activity. Sections 33a & 33b of the 2004 Electronic Transaction Law allow the government to imprison individuals perceived to be using electronic technologies to engage in activity that undermines state security. Neither law specifies safeguards for the data of companies or individuals [4].
The exponential growth of mobile data services has occurred in absence of parallel user awareness initiatives. Digital users are, thus, unaware and uneducated on the extension of their online data footprint. For these reasons, the current state of Myanmar’s ICT sector poses numerous risks to the public and companies. The US must make user security and awareness its top concern in Myanmar throughout the next administrative term to protect its business interests in the region and to ensure that the ethical practices of its companies supersede the practices of other regional investors, namely China, as the market becomes a vacuum of opportunity and centralized policies emerge from existing precedents.
The liberalization of the ICT sector in Myanmar has created lucrative opportunities for companies to provide services during this high demand for mobile technologies; however, the need to match these demands with the necessary education for users has been largely neglected. The prominent role of third parties in the distribution of devices and services squanders the efforts of those companies accompanying their services with user awareness initiatives. Individuals and civil society organizations in Myanmar are working to fill the needed user awareness gap, but their efforts are slow to penetrate the public given the growth of mobile accessibility and affordability and companies’ interest to continue new services to meet demand and increase revenue. The US government must continue to support the efforts of prominent US investors partnering with local institutions to provide the necessary services and support for responsible data management and public information opportunities while ensuring that new investors parallel their ICT services with initiatives for user mobile literacy.
Bridging Governments with the Private Sector: Microsoft and Cisco as U.S. Leaders
The US is committed to the privacy of digital users around the globe. The nation has an interest in establishing global data protection policies to safeguard data shared in diplomatic transactions. The previous administration set a number of priorities regarding cybersecurity; the protection of critical infrastructure from cyber threats, engagement with international partners to build an open and secure global cyberspace, the protection of privacy, and public-private collaboration in strengthening cybersecurity are a few key points [5].
The US recognizes that there are already cyber leaders within the private sector implementing strong cybersecurity controls and policies and that it is important to work directly with these actors to shape the best international practices. Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” signed on February 12, 2013, recognizes the central role of the private sector in increasing capabilities of infrastructure to manage cyber risk and in establishing the best practices for information sharing, privacy, and cybersecurity practices between the US and foreign partners [6]. The previous administration established strong relations with key private sector investors to develop public-private collaboration that strengthens cybersecurity domestically and internationally. For these reasons, reinforcing collaborative private-sector initiatives led by US companies should remain the central concern of US government interests in Myanmar’s ICT sector. The US should specifically focus on supporting the existing initiatives and programs of Microsoft and Cisco, two US companies who have invested long-term mobile information projects in Myanmar that practice high standards of data privacy and support local initiatives for data literacy.
Microsoft entered Myanmar in 2013 and has since been committed to several projects and collaborative partnerships [7]. Microsoft is a founding member and current board member of the Global Network Initiative (GNI), a collaborative effort between ICT companies, human rights groups, socially responsible investors, and others that “provides a set of principles and implementation guidelines regarding practical steps and policies that ICT companies can adopt to respect and advance freedom of expression and privacy rights to users [8].” The company is also a founding member of the US-Myanmar ICT Council (2014), an industry-led initiative with the support of USAID to maximize the ways in which technology can support Myanmar’s national development (the other four founding members are Google, HP, Microsoft, and Qualcomm) [9]. Given the lack of capacity within the national government to ensure data privacy and protection, this collaborative network between the private sector and civil society groups is an important initiative, led by major US companies.
In addition to a central role in the GNI and the US-Myanmar ICT Council, Microsoft has established two important local partnerships to improve these companies’ competitiveness against foreign businesses and ensure that local companies maintain high standards of data protection. Within a span of three months in 2015, Microsoft established partnerships with Kanbawza Group (KBZ) and Shwe Taung Group. Microsoft’s partnership with Kanbawza improves their ability to provide secure cloud and mobile-focused services. Microsoft’s commitment to strong principles of data privacy, protection, and regulation ensures that the agreement with KBZ, Myanmar’s largest bank, will protect the personal data of clients while also providing a strong example for local companies [10].
The partnership with Shwe Taung Group also works to strengthen the capacity and competitiveness of a major Myanmar corporation in providing secure cloud and mobile services [11]. Shwe Taung Group provides software that respects intellectual property rights and helps Myanmar protect against cyber threats [12]. Microsoft embodies the ideal image of good corporate governance and contributes significantly to positive U.S. relations in the country. Microsoft is fully invested in and committed to improving the capacity of local organizations dedicated to improving the efficiency, productivity, and security of services through providing technology infrastructure and training.
Cisco is another major U.S. company involved in Myanmar’s ICT sector. Cisco partnered with USAID and World Learning to establish the Cisco Networking Academy Program in Myanmar, a program that promotes networking systems training with computer schools [13]. Cisco is also one of five founding members of the US-Myanmar ICT Council with Microsoft [14]. Cisco ensures that its business activities and investments do not contribute to human rights abuse and social conflict through abidance to a company-wide global human rights policy and appoints a chief compliance officer and general counsel to ensure those working for the company comply with the principles laid out in this policy.
Conclusion
Maintaining positive diplomatic relations with Myanmar should remain a key foreign policy concern of the new administration to ensure that Myanmar’s political transition continues smoothly and to balance regional aggressions and poor security practices that could hinder or reverse progress. The development of an ICT sector that meets the demands of the Myanmar population while remaining committed to high standards of data privacy and protection is a major component of this transition. The rapidly expanding market also provides plentiful opportunities for new US investment in Asia and avenues for increasing commitment to US practices of privacy protection and regulation. This not only ensures that US companies and investors are protected but that security measures are developed to benefit local businesses and consumers.
The lack of capacity in the Myanmar national government to develop the ICT sector and their lack of concern for strong legal policies that safeguard the privacy of their citizens are strong indicators that the US administration should invest time and money in supporting the established and new initiatives of US companies in Myanmar. The government should start with Microsoft and Cisco, two respected companies in the country. Working with and through the initiatives of these companies will be the most effective means through which to improve standards of data privacy in Myanmar and target user awareness. These companies are also in central positions to develop industry-led collaborative initiatives for security policies in absence of a central national framework.
Although the US government should center its focus on the work of large US companies, there are also avenues through which it can engage the national government and regional institutions to encourage and support regulation and response frameworks for digital data. As Stacia Lee highlights, ASEAN is a significant economic and political partner for the United States and ASEAN’s growing and youthful population is an important market for American goods. This relationship, however, is hampered by regional cyber(in)security, particularly with multiple countries lacking national regulatory frameworks. ASEAN is reliant on positive US relations for increased access to economic and political opportunities and protection from Chinese aggression. ASEAN’s reliance on US relations, thus, puts the US in an advantageous position to influence the organization to establish a bloc-wide cybersecurity framework, as Lee also recommends. The US government should also initiate discussions with the Myanmar national government to incentivize participation in international and regional ICT and data privacy initiatives, such as the Asia-Pacific Economic Cooperation (APEC) Telecommunications and Information Working Group [15]. Participation incentivizes the Myanmar government to establish national data security and privacy policies in line with the standards of these institutions.
The establishment of a central national regulatory and response body will take time to development, implement, and maintain; it is not a realistic short-term development goal. Therefore, supporting the initiatives of US investors and engaging the private sector is the best option for ensuring regulations are established and maintained in the short term. This means of diplomacy not only confirms that privacy protection mechanisms are established but also increases opportunities for US investment in the growing market and counters Chinese regional aggression.
Lastly, the US government should directly support and strengthen the work of Burmese civil society organizations working to educate the public on responsible and proper mobile data usage. These organizations have the highest potential to reach a large target audience but require the financial support and technical assistance of large international providers. The new administration must address these issues and continue the positive work of the previous regime in improving relations with Myanmar within both the private and public sector. Only then can the US protect its strategic economic position in the country, its positive political influence, and facilitate ethical local development.
Recommendations
As a result of Myanmar’s recent political transition and the efforts of the Obama administration to reinstate diplomatic relations, there is incredible potential for the US to better cybersecurity policies and increase user-awareness while simultaneously taking advantage of investment opportunity and countering Chinese behavior in the region. The United States should continue to maintain positive diplomatic relations and assert its influence in the country’s ICT sector through supporting the work of major US companies, encouraging regional initiatives for cyber regulation, and pressuring the national government to establish a central regulation framework in line with US standards.
Support the work of current and future U.S. companies working with local institutions to provide data literacy programs and technological assistance that ensures data privacy
The US is in a strategic position to benefit from welcomed political and economic partnerships in the country. The US should continue open and positive diplomatic relations with Myanmar, particularly within the emerging ICT sector. The capacity and authority to ensure data privacy and security as well as improve user awareness rests in the hands of the private sector. US companies such as Microsoft and Cisco are just two of the leading companies committed to improvements in this sector. The US should continue to support their efforts and expand similar support to other US tech companies to establish similar footprints in Myanmar. The US government should also ensure that companies partner with key local organizations that can reach larger target audiences and provide the necessary technical support and training to guarantee these partnerships abide by high standards of data privacy.
Encourage ASEAN initiatives in adopting a bloc-wide cybersecurity framework
ASEAN is a major US partner in the Asia Pacific and the US maintains positive influence in the affairs of the organization. The US should support and encourage ASEAN in adopting a bloc-wide cybersecurity framework. This would standardize security practices across the region, in turn protecting US business interests in member states and providing the necessary infrastructure for ensuring PII and IP are protected in countries without national frameworks, like Myanmar. This also ensures that the US beats China to any ASEAN-wide incentives on regional cybersecurity practices.
Pressure the Myanmar national government to join regional and global initiatives for data privacy and cybersecurity
Given that the national government has yet to establish a central regulatory framework and response body that protects the information of suppliers and clients, the US should pressure the regime to join regional and global organizations for cybersecurity and data privacy. The US can pressure the Burmese government to establish a framework in line with expectations outlined in the Telecommunications and Information Working Group of APEC and ASEAN’s cybersecurity initiatives.
Encourage the national government to create a central regulatory framework that aligns with the current practices of key U.S. investors.
While supporting the efforts and initiatives of US companies and investors in the country, the new administration also needs to utilize its positive diplomatic relations with the Myanmar government to encourage it to create a central regulatory framework that aligns with the current practices of key US investors. The new administration should emphasize how this is in the best political interests of the Myanmar government if they want to guarantee their long-term authority over the development and direction of Myanmar’s emerging ICT sector. If they fail to do so, they will continue to succumb to the control and authority of international private sector providers. In the long term, a whole of government approach to ensuring high standards of data security and privacy in Myanmar and in the international arena requires the cooperation and leadership of the national government in providing a safe, secure, and reliable space for cyber exchange.
Endnotes
[1] World Bank, “Mobile Cellular Subscriptions (per 100 People)” (World Bank, n.d.).
[2] Myanmar Centre for Responsible Business, Institute for Human Rights and Business, and Danish Institute for Human Rights, “Myanmar ICT Sector-Wide Impact Assessment,” September 2015.
[3] Ibid.
[4] Ibid.
[5] U.S. Government, “Foreign Policy Cyber Security.”
[6] U.S. Government, Foreign Policy Cyber Security, EO-13636 (Washington, DC, 2013).
[7] Catherine Trautwein, “Microsoft Inks Second Deal with Myanmar,” The Myanmar Times, November 26, 2015.
[8] Business & Human Rights Resource Centre, “Information & Communications Technology Sector: Myanmar Foreign Investment Tracking Project,” accessed December 3, 2016.
[9] Trautwein, “Microsoft Inks Second Deal with Myanmar.”
[10] Catherine Trautwein, “KBZ and Microsoft Sign Tech Deal,” The Myanmar Times, September 22, 2015.
[11] Microsoft Asia News Center, “Myanmar Conglomerate Shwe Taung Group Eyes Higher Efficiency, Productivity and Security with Microsoft,” Asia News Center, November 26, 2015.
[12] Trautwein, “Microsoft Inks Second Deal with Myanmar.”
[13] Business & Human Rights Resource Centre, “Information & Communications Technology Sector”; “Corporate Social Responsibility (CSR) at Cisco,” accessed December 3, 2016.
[14] Department of State, U.S. Embassy Rangoon, Press Release: Myanmar ICT Council, December 19, 2014.
[15] Asia-Pacific Economic Cooperation, “APEC Telecommunications and Information Working Group,” accessed December 3, 2016.