Long accused of complacency over the economic toll of cyber breaches, Southeast Asian governments are starting to make all the right noises on enhanced safeguards – but there are still few signs that the vulnerable business sector is getting the message.
Telecommunications ministers from the Association of Southeast Asian Nations (Asean) agreed on the need for increased regional dialogue, more effective regulatory systems and improved resources at talks hosted by Singapore in September.
Singapore called the Conference on Cybersecurity in the hope that the 10 member-states would agree on a basic system of cyber norms – voluntary rules governing online behavior – to help secure critical infrastructure as more markets become digitally integrated.
“Just as we had addressed security imperatives in the past, Asean will need to address cybersecurity challenges to reap the full dividends of our future digital economy,” said Yaacob Ibrahim, the island republic’s minister for communications and information.
Asean’s digital economy is expected to be worth about US$200 billion within a decade, including US$88 billion for electronic commerce, according to data released at the Singapore gathering.
It is one of several priority pillars for market integration under the Asean Economic Community (AEC) and a blueprint for securing information infrastructure by 2025. Financial and electronic customs payments systems are getting the most attention.
Cyber watchdogs say that many of these systems have little or no defense against criminal actions, information theft by foreign governments and a host of other online intrusions, which cost businesses at least US$80 billion annually in Asia as a whole.
Singapore and Malaysia were ranked first and third among 193 countries for their response to online threats in the latest International Telecommunication Union Cyber Security Index. Thailand (20), the Philippines (37) and Brunei (53) also did well.
But Indonesia, which will soon have the biggest digital economy in Asean, came in at a lowly 70th, while Laos was 77th, Cambodia 92nd, Myanmar 100th and Vietnam 101st. All countries were assessed for their legal frameworks, technical and organizational abilities, capacity building and internal and external cooperation.
Cambodia, Indonesia, Laos, Myanmar, the Philippines, Thailand and Vietnam all have organizational issues. The same seven countries have insufficient levels of cooperation either internally or with other countries, while Brunei, Indonesia, Vietnam, Laos, the Philippines, Myanmar and Cambodia were identified for having significant technical problems.
Training is an issue for most emerging economies, often due to a lack of resources. In 2016, for example, the Philippines had only 84 certified information systems security specialists, Indonesia 107, Thailand 189 and Malaysia 275, compared with 1,000 in Singapore. There are only a few dozen such experts in underdeveloped Cambodia and Myanmar.
A 2015 survey by antivirus software company ESET Asia found that 78% of internet users in Southeast Asia had not received any formal education on cybersecurity. Another study by specialist insurer Beazley technology group revealed that Asia-Pacific companies spent 47% less on information security than North American firms in 2015.
Interpol reported in April that it had identified cyber threats to nearly 9,000 command and control servers in Asean and about 270 websites in an investigation with specialists from Malaysia, the Philippines, Singapore, Vietnam, Indonesia, Thailand and Myanmar.
Security breaches were found in eight countries, including malware planted on several government portals.
Microsoft said in August that Cambodia and Indonesia were the Asean countries with most malware attacks in the first quarter of this year: 25% of computers running Windows were attacked. In Myanmar, Thailand and Vietnam more than 20% of computers were targeted, compared with the global average of 9%.
Cyber raiders are becoming more brazen and their attacks more sophisticated. In February the personal data of 850 personnel was stolen from Singapore’s defense ministry portal; 68 government websites in the Philippines were attacked simultaneously in 2016, with personal details of 70 million people taken in one incident.
Security firm FireEye said in its annual Asia-Pacific study that the financial sector reported 36% of cyber breaches in 2016, energy 10%, telecommunications companies 9%, retail/hospitality 7%, high technology groups 7%, manufacturers 7% and media and entertainment 7%. There was also a notable rise in attacks on ATMs.
Governments are attracting more attention because of tensions over geopolitical issues like contested sovereignty in the South China Sea and the North Korean nuclear standoff. Targets include sensitive information on alliances, diplomatic exchanges, foreign policies and territorial disputes.
“We continue to observe China-based cyber threat groups targeting regional militaries — especially navies and coast guards — almost certainly because of Beijing’s concerns about sovereignty in the region,” FireEye’s report noted.
Singapore set up an Asean Cyber Capacity Building Program last year that aims to develop the region’s ability to withstand these attacks, and will fund the training of incident responders and cyber operators. There is also an Asean Cyber Collaboration Center that aims to link national security operations centers.
Most of the additional capacity will be for the region’s emerging economies, which have admitted they are struggling to cope.
“Cyberspace, with its different subsystems, is such a complex phenomenon that practically no government in this world can control the cyber world on its own,” said Indonesia’s coordinating minister for political, legal and security affairs Wiranto at the Singapore cybersecurity meeting. “Collaboration and partnership is the best path forward.”