What ASEAN Governments Can Learn from the Russian State-Backed Attacks on Amazon Web Services

A recent Amazon Web Services (AWS) threat intelligence report highlighted that Russian state-backed cyber operations have been targeting critical infrastructure of Western countries, particularly energy infrastructure, by pivoting their tactics to exploit misconfigured customer network edge devices to gain initial access into the infrastructure. Such edge devices included routers, VPN gateways, and remote-access consoles hosted in AWS environments. By targeting the “low-hanging fruit” of misconfigured customer devices that exposed management interfaces, the attackers could achieve the same strategic objectives of gaining persistent access to critical infrastructure networks and harvesting credentials for accessing online services. All at significantly less cost and risk of exposure.   

This development should alarm governments and enterprises globally, including those in ASEAN, especially when many ASEAN public sector agencies use cloud services like AWS for e-government services, national data repositories, and possibly even to support essential service delivery. The AWS case demonstrates that vulnerabilities in critical infrastructure today are often not a function of advanced malware, but of organisational capacity and governance in the public sector.

Several ASEAN states have, in fact, introduced cybersecurity laws intended to protect critical information infrastructure (CII) or functionally equivalent systems, whose failure or disruption would affect essential public services. However, these regimes remain unevenly developed across the region. At present, only four out of eleven ASEAN member states, namely, Singapore, Malaysia, Thailand, and Vietnam, have enacted statutory frameworks that explicitly identify and regulate CII or systems essential to national security and public services.

Singapore’s Cybersecurity Act establishes a detailed CII regime supported by sector-specific codes of practice and mandatory risk assessments. Malaysia’s Cyber Security Act 2024 introduces a National Critical Information Infrastructure (NCII) framework, while Thailand’s Cybersecurity Act empowers authorities to designate CIIs and impose compliance obligations. Vietnam’s cybersecurity laws regulate “information systems critical to national security”, which functionally serve a similar role, albeit within a more state-centric model. By contrast, the majority of ASEAN countries, including Indonesia, the Philippines, Brunei, Cambodia, and Laos, do not yet have dedicated CII statutes. Instead, cybersecurity governance in these states relies on general cybercrime laws, ICT regulations, and personal data protection acts (PDPAs). In practice, this has resulted in PDPA compliance becoming a proxy for cybersecurity governance, not because PDPAs are well suited to protecting infrastructure, but because they are often the most mature, enforceable, and institutionally embedded digital regulations available.

Singapore remains a notable outlier in this respect. Among ASEAN states, Singapore is the only jurisdiction where cybersecurity and CII laws clearly and consistently extend enforceable obligations and liability to private-sector service providers, including cloud companies supporting public-sector critical services, rather than relying primarily on contractual arrangements or data protection law as proxies for accountability. Its cybersecurity framework reflects a level of regulatory coherence, enforcement capacity, and technical resourcing that few ASEAN states currently match, as most ASEAN governments face fiscal and institutional constraints that limit their ability to replicate Singapore’s model in the near term. As a result, while cybersecurity and CII laws exist on paper in some jurisdictions, their operationalisation remains inconsistent.

Existing critical information infrastructure regimes tend to assume clearly bounded systems under direct organisational control, whereas modern critical services increasingly rely on cloud platforms, outsourced service providers, and shared-responsibility models.

The AWS incident exposes a common regional vulnerability arising from this uneven landscape. Existing CII regimes tend to assume clearly bounded systems under direct organisational control, whereas modern critical services increasingly rely on cloud platforms, outsourced service providers, and shared-responsibility models. Misconfigured customer-controlled components, such as edge devices and access gateways, often fall into a grey zone where legal responsibility is formally assigned but operational oversight is weak. Attackers are increasingly exploiting this gap, especially when the services are provided by private companies.

As ASEAN governments are actively pursuing digital transformation through smart cities, e-government platforms, and cross-border data flows, these initiatives risk expanding the attack surface of critical sectors without corresponding investments in cybersecurity skills and regulatory clarity. Cybersecurity readiness surveys have repeatedly shown that many state agencies lack personnel with deep operational expertise in cloud security and network engineering, even where formal compliance roles such as Data Protection Officers (DPOs) exist. Given this vulnerability, governments in the region could consider the following steps for stronger cybersecurity, especially in the public sector.

First, governments could raise cybersecurity leadership standards in critical sectors beyond the narrow area of compliance with data protection requirements. Cybersecurity and infrastructure resilience roles should be clearly distinguished from data governance functions, with regulators requiring demonstrable technical competence for those responsible for securing critical systems.

Second, regulators would have to shift from point-in-time audits towards continuous configuration monitoring and risk assessment, particularly for internet-facing and cloud-hosted infrastructure. Static compliance checks are poorly suited to environments that change rapidly and could be targeted by adaptive adversaries.

Third, governments need to invest in cybersecurity workforce development to make these standards achievable. National training schemes, scholarships, and public–private partnerships are essential to building a sustainable talent pipeline. National cybersecurity agencies should also arrange for regular upskilling and recertification of DPOs and IT officers in government, reducing recruitment pressures on local agencies while promoting consistent professional standards.

Fourth, ASEAN could consider deepening regional threat-intelligence sharing. The AWS case shows the value of timely, actionable information on how intrusions occur and how attackers operate. Strengthening cooperation through the ASEAN Regional Computer Emergency Response Team (ASEAN-CERT) would allow member states to improve collective preparedness for cross-border threats.

The AWS incident is a strategic alarm bell for ASEAN governments. As cyber actors refine their methods to exploit basic operational oversights, ASEAN countries must equip themselves not just with rules, but with people, skills, and practical security practices that close the gap between compliance and resilience.

2026/38