Strengthening ASEAN-Japan Cybersecurity Cooperation

Amid the rising threat of cyberattacks and the contingent need for enhancing cyber defences, Japan and ASEAN can drive initiatives to tackle such threats and, in some cases, even initiate a more collaborative and two-way approach to cybersecurity.

There is strong rationale for such cooperation. Across Asia, a significant rise in cyberattacks has been observed in recent years due mainly to the rapid growth of the digital economy and the accompanying vulnerabilities. ASEAN member states (AMS) and Japan were among the most-targeted locations in the region, particularly from state-sponsored actors in China, Russia and North Korea.

In 2023, AMS reported a 28 per cent surge in cyberattacks. From March 2022 to March 2023, the average cost of a data breach reached an all-time high of US$3.05 million, a 6 per cent increase year-to-year.  In Japan, there has also been a continued increase in cyber threats, from 150 cases in 2021 to 230 reported cases in 2022. In 2023, Japan’s National Centre of Incident Readiness and Strategy for Cybersecurity (NISC), charged with the nation’s defence against cyberattacks, was reportedly infiltrated by the Chinese military.

There have been several key initiatives to drive collaboration between AMS and Japan to tackle the scourge of cyber threats.  Earlier this year, the  1^st ASEAN-Japan Cybersecurity Working Group Meeting was held to reiterate the importance of building on ongoing collaboration initiatives to enhance cybersecurity measures, capacity building, and information sharing in order to ensure a secure and resilient digital environment in the Indo-Pacific region.

Key structures have been established. This includes the ASEAN Japan Cybersecurity Community Alliance (AJCCA), which aims to promote information sharing, and the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC), which aims to develop a strong cybersecurity workforce in ASEAN. These institutions have conducted regular training exercises and workshops for AMS. The Project on Cyber Building for Cyber Security in Vietnam (2019-2024), for instance, which is funded and facilitated by the Japan International Cooperation Agency (JICA), enhanced cyber capacity building in Vietnam. Under this project, certification training courses were conducted to enhance cyber threat intelligence and policy planning on Vietnam’s cybercrime investigations. Distributed Denial of Service (DDoS) attack mitigation systems were installed in Vietnam to strengthen cyber defence capabilities.

… AMS show strengths in certain areas of cyber resilience that surpass Japan’s capabilities. Thailand and Vietnam have outperformed their AMS neighbours and Japan in cyber incident response capabilities, including specialised national-level cyber incident detection and response units.

However, despite these initiatives, most AMS and Japan are not ready to deal with cyber threats. Building on a previously published cyber readiness table, an updated analysis that ranks countries based on three key indices (the National Cyber Security Index (NCSI), Global Cybersecurity Index (GCI), and ASEAN Digital Integration Index (ADII)) shows that Malaysia and Singapore are the only countries in the region that can be classified as cyber ready.

Intriguingly, Japan’s NCSI score falls into the “developing” category rather than “fully ready” to deal with their own cyber threats, placing it fifth in the NSCI ranking with a score of 63.74 (after Thailand in third place and Indonesia in fourth).  Japan has vested interests in rushing to catch up with the rise of cyber threats. The Kishida administration has highlighted the need to establish a more “active cyber defence” system to safeguard its cyberspace. As part of its interests to secure its cyber space, Japan has also sought to establish a stronger regional cyber defence network through partnerships with the Quadrilateral Security Dialogue  and AMS. With close economic, security, and business ties between AMS and Japan, there is an interest to develop a strong regional cybersecurity workforce across these fronts. With the rise of cyber threats, Japan could help secure the region against such vulnerabilities, not only to safeguard its national interests but also to uphold the broader stability of the Indo-Pacific region.

The future of Japan-ASEAN relations can be fortified by not only enhancing technological defence but also by encouraging a collective and inclusive two-way approach to cybersecurity. While Japan can provide skills transfer in some areas, cooperation can extend from a one-sided assistance programme towards a deeper, more collaborative partnership aimed at enhancing collective resilience against cyber threats. AMS can contribute diverse regional perspectives, experiences, and shared localised threat intelligence with Japan — enriching the overall understanding on cyber threats and response strategies. This approach serves multiple purposes: reinforcing Japan’s central role as a proactive contributor to regional security, strengthening integration partnerships between Japan and AMS, honing regional cyber capabilities, and enhancing collective communication in defending against potential cyberattacks that could disrupt economic growth and regional peace. Moreover, by facilitating a united front with ASEAN on cybersecurity issues, Japan would help foster a cohesive response to cyberattacks, thereby promoting a safer, rules-based international order in the Indo-Pacific.

When analysing the 2023 NSCI, several areas emerge where Japan and AMS can collaborate to enhance their cyber resilience. Japan, having developed a robust cybersecurity strategy, is well-positioned to provide essential guidance to ASEAN countries on strengthening their cybersecurity policy frameworks. Meanwhile, AMS show strengths in certain areas of cyber resilience that surpass Japan’s capabilities. Thailand and Vietnam have outperformed their AMS neighbours and Japan in cyber incident response capabilities, including specialised national-level cyber incident detection and response units. Similarly, Indonesia, Malaysia, and Singapore have also surpassed Japan in protecting essential services against cyber threats. Another report, the 2024 Cisco Cybersecurity Readiness Index, which is based on a survey of over 8,000 cybersecurity leaders in businesses, benchmarked enterprises on five different criteria that reflect how well they can defend themselves against cybersecurity threats.  The report revealed that Japan had a significant percentage of companies (24 per cent) rated as having only a “beginner” level of readiness whereas Singapore, the Philippines, Malaysia, Vietnam, Thailand and Indonesia all have 11 per cent or below of their enterprises rated as “beginner” level.  Indonesia, Thailand and Vietnam, in fact, have the highest percentage of enterprises in the “mature” category for overall cybersecurity readiness. 

By emphasising shared responsibilities, reciprocal knowledge exchange, and joint capacity-building efforts, Japan and ASEAN can go beyond existing initiatives and leverage individual nations’ strengths to create a more robust cybersecurity ecosystem and thus contribute to a more secure and stable Indo-Pacific.

2024/252