How ASEAN states are unifying through cyber cooperation

In 2022, the United Nations’ International Telecoms Union (ITU) ranked Malaysia eighth out of 194 states on its Global Cybersecurity Index, and deemed the country “a quiet leader in cybersecurity”. What Malaysia may lack in a skilled cybersecurity workforce, it makes up for with a solid national strategy and a strong network of allies. 

Cybersecurity transcends boundaries, and states are only as strong as the weakest links in the region. What can other Southeast Asian states in the region emulate from Malaysia, and how can cyber cooperation be encouraged for ASEAN to maintain a strong and united cyber posture? 

At a recent webinar as part of GovInsider Live – ASEAN, GovInsider gathered key leaders from cybersecurity institutions in Malaysia and the ITU to discuss how to enact a successful cyber cooperation strategy, and the path forward for cyber cooperation in the ASEAN region. 

The Global Cybersecurity Index 

“Released in 2015, the Global Cybersecurity Index (GCI) became the first index in the world to measure cyber commitments globally,” said Orhan Osmani, Cybersecurity Coordinator at ITU. This provided a universal standard for comparing countries’ relative commitments to their cyber strategies and kickstarted the ball for cyber cooperation discussions. 

Being the UN’s formal cyber index, the GCI aims to raise awareness of the many dimensions of the broad cyber problem, including legal measures, technical measures, organisational measures, capacity development, and cooperation. While countries can submit their commitments, the UN needs to go and validate whether these commitments were actually followed through, Orhan explained.  

Based on the GCI, ASEAN could strengthen the harmonisation of its legal and regulatory cyber frameworks, in order to create a consistent and effective regulatory environment throughout the region, according to Orhan. 

Singapore, Malaysia, and Vietnam were among the high performers in ASEAN, while countries like Cambodia and Laos are lagging behind. But Orhan emphasised that states should not stop at striving for cyber excellence within national boundaries, and instead seek to actively share threat intelligence among the member countries in ASEAN. 

The application of the Index extends far beyond the state level – any community can use its questionnaire to assess how cyber-ready their communities are at the city, regional, or county level. “It is not just the responsibility of one cybersecurity entity, rather, the GCI should be leveraged as a knowledge base for anyone and everyone to use for themselves,” he said. 

That being said, the Index currently only measures commitments, not their maturity, Orhan points out. Other tools, such as the University of Oxford’s Cybersecurity Capacity Maturity Model for Nations, need to come hand in hand with the GCI in order for leaders to gain a full picture of the chinks in their cyber armours. 

A united front 

Cybersecurity needs to be addressed as a cross sectoral issue, a cross regional issue, and a cross border issue, said Shariffah Rashidah binti Syed Othman, Acting Chief Executive of Malaysia's National Cyber Security Agency. 

“Our diplomats, the forefront representatives of Malaysia, are all equipped with basic understanding of cybersecurity, so that they can pick out important lessons and information to bring back from international discussions,” said Shariffah. 

Early strategy focused on policy coordinations, including the establishment of the ASEAN Cyber Coordination Committee. “This is important because ASEAN used to have rather segmented discussions about cybersecurity,” she said. 

In fact, discussions continue to be segmented into three community pillars: politics and security, economy, and social and cultural matters. 

“We need to have swift coordination – sometimes, a security declaration that we have established in one community can actually be replicated in another pillar. This is why Malaysia strongly pushed for cross community discussions at ASEAN discussions in the earlier days,” she added. Now, leaders of each pillar regularly cross-share their cyber practices. 

The Committee created the ASEAN Cyber Coordination Strategy (2017-2020), which provided the first ever roadmap for regional cooperation in ASEAN. 

The second edition of the Strategy (2021, 2025) will move on to forge cyber recommendations parallel to ASEAN’s digital ambitions, as detailed in the ASEAN Digital Masterplan, ASEAN Smart Cities Network, and ASEAN Declaration on Industrial Transformation to Industry 4.0. 

Thinking like the bad guys

Speakers agreed that a key ingredient in forging a strong cyber strategy is capacity building, but the steep learning curve in the cyber industry creates challenges for developing a cyber workforce. 

“Cybersecurity professionals really need to have passion for their work, because the work is difficult. But those who do have the passion progress in their roles in such a magnificent way,” said Shariffah. 

To address this challenge, Shariffah urged cyber employers to market cyber work as creative work, because it often requires creative people to “think like the bad guys”. 

“When going up against black hackers – who are also passionate and creative – you often need to think out of the box and solve problems in unorthodox ways,” she said. This includes not only countering attacks that leverage emerging technologies like AI, big data, and cloud computing, but leveraging on the very same technologies themselves. 

Moving forward, there will be many incoming threats that cannot be accounted for, highlighted Dr Noor Nirwandy Mat Noordin, Security and Political Analyst, Center for Media and Information Warfare Studies (CMIWS) at Universiti Teknologi MARA. 

From forgery in the financial system to ransomware and any form of scam that could threaten the critical national infrastructures, the hurdles extend beyond the horizon. Hence, coming up with a standardised threat list and continuously updating it can emerge as a crucial resource for ASEAN. 

“We have already created the basis for diplomatic sharing across ASEAN. Eventually, we should work towards standardising the threats that the region can expect, and sharing the best practices with cyber agencies, policy makers, and communities across the region,” said Dr Nirwandy.

Read more: Securing critical infrastructure with privilege access management