Strengthening Cyber Resilience in Southeast Asia

Southeast Asia has experienced a remarkable technological and digital transformation in recent years, driven in part by the exigencies of the COVID-19 pandemic. The transformation has propelled the region’s digital economy to new heights, with projections suggesting that  ASEAN’s digital economy will reach a staggering value of US$1 trillion by 2030. This will make ASEAN the world’s fastest-growing internet market. However, as the region’s digital potential grows, so does the threat of cyberattacks against it.

Cybercrime has surged by an alarming 82 per cent throughout Southeast Asia, with Singapore witnessing a 174 per cent increase in phishing attempts from 2021 to 2022. A recent report from a Singapore-based cybersecurity firm, Cyfirma, revealed that Southeast Asia faced 68 documented attacks out of 86 meticulously monitored global advanced persistent threat (APT) campaigns in just eight months this year. These attacks primarily targeted Singapore, with 26 organisations there falling victim, followed by Thailand, Vietnam, and Indonesia.

Despite the high number of serious cyberattacks, the region’s cyber resilience, defined as the ability “to prepare for, respond to and recover from cyberattacks”, remains relatively low. Achieving effective cyber resilience requires a holistic approach, encompassing governance, risk management, a clear understanding of data ownership, active regional and international cooperation, and the continuous refinement of infrastructure and institutional capabilities. Although there have been notable advancements in enhancing cybersecurity across Southeast Asian nations and the region, persistent variances (Table 1) in national cyber readiness and the absence of harmonised cybersecurity standards persist as hurdles.

Singapore and Malaysia rank first and second in regional cyber capabilities and have significantly strengthened their cybersecurity strategies. Singapore has its Cyber Security Agency (CSA) and enacted key laws including the Cybersecurity Act, Personal Data Protection Act, and Computer Misuse Act. Similarly, Malaysia has enacted laws such as the Personal Data Protection Act and Computer Crimes Act and established its National Cyber Security Agency (NACSA) and CyberSecurity Malaysia.

Both countries have demonstrated exemplary crisis response capabilities in addressing malware attacks. For instance, Singapore’s CSA conducted the fifth edition of Exercise Cyber Star (XCS23), a nationwide cyber crisis management exercise in September, while Malaysia has conducted six annual cybersecurity exercises, known as X-Maya, to test the nation’s effectiveness in coping with online incidents.

As of 2021, Malaysia surpassed Singapore, emerging as a top performer in the National Cyber Security Index (NCSI) and the ASEAN Digital Integration Index (ADII) for the Asia-Pacific region (Table 1). Both indices assess a range of indicators, including data protection measures; legislative, regulatory, institutional and technical cybersecurity capabilities; and international cooperation. Notably, Malaysia reportedly outperforms Singapore in protecting digital services and demonstrates strong e-identification and trust services, ensuring secure data transfers, and addressing privacy concerns.

Table 1. Cyber Capabilities of the 10 ASEAN Member States Compared

Country	Level of Cyber Readiness	NCSI score (0-100)	NCSI ranking	ADII score on Cybersecurity (0-100; refer to Pillar 2)	ADII ranking
Malaysia	Well-established	79.22	1	91.27	1
Singapore		71.43	2	89.70	2
Thailand	Developing	64.94	3	87.91	3
Indonesia		63.64	4	78.43	4
Philippines		63.64	5	72.49	5
Brunei	Emerging	41.56	6	67.46	6
Vietnam		36.36	7	63.05	7
Cambodia	Limited	23.38	8	24.76	9
Laos		18.18	9	32.58	8
Myanmar		10.39	10	20.41	10

Thailand, Indonesia, and the Philippines are considered developing in terms of their cyber capabilities. These countries have made significant strides in enhancing their cyber resilience. Thailand has implemented the Thailand Cybersecurity Act and established the National Cybersecurity Committee (NCSC), while the Philippines has improved its cybersecurity framework through the Cybercrime Prevention Act and the National Cybersecurity Plan. Indonesia has also taken steps to enhance its legal framework for cyber issues and to improve coordination among government agencies.

Brunei and Vietnam are considered as “emerging” in their cyber capabilities. Vietnam has steadily increased its cybersecurity efforts and introduced the Law on Cybersecurity. However, it still faces challenges in areas such as cyber threat analysis, personal data protection, and cybercrime prevention. Brunei lags in terms of policy development, contribution to global cybersecurity, and cyber crisis management. Cambodia, Laos, and Myanmar have “limited” cyber capabilities and face challenges in improving their cybersecurity standings due to resource availability, technological infrastructure, and national priorities.

We argue that it is vital for ASEAN’s governments, cyber experts, and business leaders to align their perceptions of cybersecurity issues and recognise the urgency for a unified, coordinated approach.

However, regional partnerships and knowledge sharing can help to bridge these gaps. In recent years, the ASEAN framework has made strides in enhancing regional cybersecurity capabilities and fostering trust among member states. Efforts include strengthening computer emergency response teams or CERTs and establishing dedicated platforms for cybersecurity discussions. A notable endeavour is the ASEAN Defence Ministers’ Meeting (ADMM) Cybersecurity and Information Centre of Excellence (ACICE), a hub for confidence- and capacity-building that facilitates information and expertise exchanges to combat transnational cyber threats.

The region’s nascent cybersecurity architecture has primarily been driven by Malaysia and Singapore. Current strategies heavily rely on the commitment and actions of individual ASEAN member states (AMS), which are influenced by their diverse economies and digital disparities, and complicated by different regulations, including varying definitions of legal obligations for domestic actors in cybersecurity events. This results in different country priorities in addressing cybersecurity issues. Furthermore, timely information-sharing of sensitive data poses significant challenges as AMS prioritise their national security and sovereignty. This lack of transparency among some AMS hinders collective progress in managing cyber threats.

Given the inherent diversity in the approaches towards cybersecurity within ASEAN, it is inevitable that there is a lack of interoperability among AMS. The regional cybersecurity architecture remains fragmented. Such an absence of an overarching cybersecurity governance strategy poses a significant challenge for ASEAN.

We argue that it is vital for ASEAN’s governments, cyber experts, and business leaders to align their perceptions of cybersecurity issues and recognise the urgency for a unified, coordinated approach. ASEAN has an opportunity to foster more cohesion for cyber resilience through promoting trust and transparency, supporting the less developed economies, and integrating cyber resilience with the digital economy.

ASEAN could work towards standardising communication practices and even establishing a centralised independent decision-making committee akin to the European Commission (EC) in the European Union (EU). The EC, empowered by Article 5 of the General Data Protection Regulation (GDPR), ensures the application and upholding of principles for processing personal data by EU member states. These principles include lawfulness, fairness and transparency, purpose and storage limitations, and accountability. It is worth considering whether ASEAN could establish a similar authority with a limited mandate to increase AMS’ adherence to regional rules and standards in cybersecurity.

2023/265