Black Sea port in Odessa, Ukraine, where the NotPetya attack initiated. Photo: Alamy

The ASEAN Outlook on the Indo-Pacific (AOIP), which focuses on four areas of collaboration, namely maritime cooperation, connectivity, the Sustainable Development Goals, and economic and other prospective sectors of cooperation, was launched by the regional bloc in Bangkok in 2019.

The focus of the outlook is maritime cooperation, which the Association of Southeast Asian Nations emphasizes further in the inaugural edition of the ASEAN Maritime Outlook (AMO) released in early August. 

AMO – arguably ASEAN’s next step in making its Indo-Pacific moves more decisive – is a neatly drafted policy document covering maritime issues in sync with ASEAN’s institutional architectures and serves as a policy directive for the regional bloc’s leaders, policymakers, sectoral bodies, and dialogue partners in evaluating the current and upcoming challenges managed by various sectoral bodies.

With AMO, ASEAN makes clear its commitment to dive deeper into maritime cooperation and explore avenues for technical and financial aid to enhance capacities of its member states. As if fitting into a puzzle, ASEAN’s needs reverberate with the security arrangement of one of its strategic partners, the European Union.

The EU, in the most recent update of its Maritime Security Strategy (EUMSS), focuses on six enhanced objectives. One of them is to boost hybrid and cyber security qualifications among civilians, especially among its non-EU partners, by educating and training them through specific programs.

After all, the EU has quite an outstanding reputation for maintaining and contributing to maritime security in the Asian hemisphere thanks to the success of its “Operation Atalanta” launched in 2008 to fight pirates in the Gulf of Aden alongside the North Atlantic Treaty Organization and other East Asian countries through joint exercises, diplomacy, and capacity-building.

Second, if cyber-maritime cooperation were to become more institutionalized between the two most important regional organizations, it would not be the first time that both delved into collaboration in the cybersecurity domain.

The EU and ASEAN previously launched the 2019 EU-ASEAN Statement on Cybersecurity Cooperation, marking the long-term commitment of both sides to shore up cybersecurity development, exchange of best practices and promote cyber-literacy and norms across multiple channels and activities.

Nonetheless, against the backdrop of ongoing global tensions such as the Russian invasion of Ukraine, the feud between China and the US, and the post-pandemic global economic recovery woes, the EU and ASEAN must scale up their efforts in cyber-maritime cooperation, for crimes escalate and thrive in high-level disputes.

For instance, there is always a risk of sectoral and proxy spillover of the war in the northern sphere as Russia began pivoting toward its Asian neighbors for support.

Southeast Asia not immune

As fancy as it may sound to a layperson, maritime cyber-catastrophes are no longer alien to Southeast Asia – albeit the region still remains the “second front” on such issues.

The NotPetya incident is pertinent in this regard. NotPetya, the deadliest state-sponsored malware the world has ever seen, was set in motion in Ukraine on June 27, 2017, resulting in ballistic global effects on other multinational and transnational companies based in the country.

At the time, the largest shipping company in the world, the Danish-based Maersk Line, lost around US$300 million. Nearly half of its 76 global terminals, which are located in countries ranging from the Americas to Central Asia, were unable to function as a result of the network shutdown, preventing them from receiving the necessary electronic data interchange documents from approaching ships.

Additionally, trucks headed for the seaports were unable to enter because of the disrupted infrastructure.

The domino effect began when a Kremlin-linked elite hacking group called Softworm installed an illicit wormhole containing NotPetya in the servers of a Ukrainian software company, which sells such products as MeDoc, software widely used by businesses and accounting enterprises operating in the state.

On the day of the attack, the malware took less than a minute to crash the network of big industries in Ukraine, such as banks and hospitals. Hence it was only a matter of time before it reached multinational enterprises that installed the MeDoc software on their computers, including Maersk’s office in the Ukrainian port city of Odessa.

The White House’s estimate of the overall damage inflicted on other victims such as Merck, FedEx, Mondelez, Reckitt Benckiser and Saint-Gobain amounted to a whopping $10 billion.

Such was the extent of the destructive power of the Russian-origin malware, whose intent was not the same as that of ransomware, which typically seeks financial gain, but rather to send political warnings to countries that sided with Ukraine against Russia during its first invasion of Ukraine.

Worse, there will always be a chance that similarly destructive cyber-weapons will reappear at any time or place in the future for a variety of unknowable reasons, disrupting networks in land, sea, and air spaces and ultimately leading to detrimental losses of assets, properties, and naturally, globally interconnected economies via the intricate supply-chain networks.

Need for preventive measures

In Southeast Asia, there have been no imminent and direct cybercrime threats of such a scale so far. The only time it came near to one was in 2017, when Maersk cargo ships traveling across the Indo-Pacific region impeded shipping lanes and seaports because of the immobilized networks of its terminal operation.

The Southeast Asian oceanic region, which is home to some of the busiest maritime chokepoints in the world, such as the Malacca Strait, Singapore Strait, and the South China Sea, could be extremely vulnerable to maritime cybercrime activities without proper preventive measures and policies, which may very well expose it to detrimental effects that are irreparable. 

After all, seaborne crimes like piracy, theft, terrorism, illegal immigration, and trafficking are nothing new in these maritime passageways, and they have been making headlines as Southeast Asian regional maritime insecurities.

However, compared with cyber-borne dangers, which have no physical boundaries and can have catastrophic repercussions that might have an impact on global economic activity, particularly given the rising level of digitization in marine infrastructures and sectors, these concerns are not as serious.

Although the ASEAN Cybersecurity Cooperation Strategy (2021-2025) emphasizes strategic planning for greater cooperation, capacity-building, and coordination among member states to create a safe cyberspace in the ASEAN region, the reality is that the regional bloc consists of varying degrees of cyber capabilities and experiences in each country, coupled with a lack of cyber expertise, infrastructures, and a common regional framework.

Challenging as it may sound, ASEAN’s capacity shortfalls in dealing with maritime cyber-threats are apparent, making its members vulnerable in the face of an increasingly digitized and robotized world that is already making a transition to artificial intelligence and hybrid methods in warfare.

ASEAN must avoid being a sitting duck on matters maritime in general and matters maritime-cyber in particular, which might be the case if its policies are not backed by adequate pre-emptive measures and proactive regional consensus against the threats known and unknown.

ASEAN does not have a regional cybersecurity framework like the EU Budapest Convention on Cybercrime, which is a framework that enables practitioners in the signatory states to share insights and create meaningful connections for cooperation in various areas as well as during emergencies.

The EU could contribute by sharing its experience with a regional framework for tackling cybersecurity threats, and its expertise and high standards, including on data protection, are also worth collaborating on.

Currently, of the 10 members of ASEAN, only the Philippines has ratified the convention. If ASEAN aspires to have smooth-sailing teamwork with the EU in maritime cyber-security, it would do well to ensure its commitment to the cause in the future.

Dr Rahul Mishra is Senior Research Fellow at the German-Southeast Asian Center of Excellence for Public Policy and Good Governance, Thammasat University, Thailand, and Associate Professor at the Centre for Indo-Pacific Studies, Jawaharlal Nehru University, New Delhi. He tweets @rahulmishr_

Syaneeza Shaharizal is a project assistant at the Center for ASEAN Regionalism, Universiti Malaya.