michelangelus - Fotolia

Navigating ASEAN’s patchy cyber security landscape

Cyber resilience remains low across Southeast Asia, a regional economic powerhouse that is increasingly susceptible to cyber threats as its digital economy grows

This article can also be found in the Premium Editorial Download: CW ASEAN: CW ASEAN: Time to boost cyber defences

At the recent World Economic Forum (WEF) in Davos, governments, cyber security experts, businesses and law enforcement agencies banded together to support the launch of a new global institution dedicated to combating the world’s cyber threats.

Called the Global Centre for Cybersecurity, the global platform will facilitate global collaboration on cyber security challenges, overcoming the limited capacities of institutions that are currently dealing with cyber threats in isolation.

“If we want to prevent a digital dark age, we need to work harder to make sure the benefits and potential of the fourth industrial revolution are secure and safe for society,” says Alois Zwinggi, the World Economic Forum’s managing director and head of the new centre.

Collaboration is indeed a vital aspect of cyber security. “Without collaboration, siloed cyber security ecosystems are easily compromised,” says Foo Siang-tse, managing director of Quann, a Singapore-based provider of managed security services.

“There are many areas that countries and entities need to work together on, such as strengthening security infrastructure, growing and enhancing work force capabilities, sharing intelligence and even setting up multinational Computer Emergency Response Teams,” he adds.

Collaborative efforts in cyber security are not new. In the ASEAN region, a cyber crime operation in 2017 led by Interpol uncovered nearly 9,000 command and control (C2) servers that were used to launch cyber attacks in eight ASEAN countries.

Run out of Interpol’s Global Complex for Innovation in Singapore, the operation had brought together investigators from Indonesia, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam who shared information on specific cyber crime situations in each country. Additional cyber intelligence was provided by China.

Experts from seven cyber security companies – including Trend Micro, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet, Palo Alto Networks and Kaspersky, which provided data on C2 servers found to be active in the ASEAN region – also took part in pre-operational meetings.

The information from security companies, combined with cyber issues flagged up by participating countries, had enabled its specialists to produce nearly two dozen cyber activity reports. Besides highlighting various threats and cyber criminal activity, the reports recommended actions to be taken by national authorities.

Although the operation was a fine example of how public and private sectors could work efficiently together to combat cyber threats, it does not alleviate the urgent need for countries across the region to build up their cyber resilience.

Read more about cyber security in ASEAN

  • The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.
  • A majority of publicly listed companies in Singapore had little or no exposure to cyber threats even as the country is being used as launch pad for cyber attacks.
  • Coordination is vital to ensure that Southeast Asia’s cyber security efforts are focused, effective and in synergy with one another, said ministers and senior officials at a recent cyber security event in Singapore.
  • The Malaysian government will work with Chinese technology giant Huawei to deepen its capabilities in combatting cyber threats.
  • Singapore’s Ministry of Defence is getting white hat hackers to identify loopholes in its internet-facing IT systems in the country’s first government-led bug bounty programme.

According to a Cisco-commissioned report by A.T. Kearney, a global management consultancy, the region’s cyber resilience remains low, particularly around policy, governance and cyber security capabilities. The absence of a regional governance framework also makes it difficult to collaborate and share intelligence in and across countries.

Among countries in the region, Singapore has the most advanced cyber security strategy, according to Simon Piff, vice-president of security practice at IDC Asia-Pacific. “Singapore has looked at the socio-economic impact of a cyber threat to what it defines as critical infrastructure,” he says.

Singapore’s upcoming Cybersecurity Bill – slated to become law this year – is crafted to ensure that organisations in critical sectors such as financial systems are able to demonstrate a level of cyber security preparedness. Also critical is the need to disclose and share with the commissioner of cyber security full details of any cyber security breaches.

“This alone stands out as the most thought-leading example of how cyber crime will be defeated in the future,” says Piff.

It is difficult, if not impossible, to make direct comparisons as to which countries have ‘better’ or ‘more comprehensive’ strategy.
Teong Eng Guan, Palo Alto Networks

“The other markets in the region have poor disclosure laws – consequently many breaches go unpublicised, leaving many organisations to believe a country is ‘safe’ from attack, when in fact the breaches are many and are simply unknown to the public at large and possibly even the government.”

Other countries such as Malaysia, Thailand and Vietnam have also drafted cyber security bills, while cyber crime laws have been passed in Singapore, Malaysia, Thailand, the Philippines and Brunei. Five of the six most developed countries in ASEAN have also enacted data protection and privacy laws.

In 2017, Indonesia formed a national cyber security agency, joining Singapore, Malaysia and the Philippines in setting up similar agencies in their respective countries to drive national cyber security agenda.

Teong Eng Guan, vice-president of Palo Alto Networks in ASEAN, says cyber security strategies differ across ASEAN, largely because countries in the regional grouping are at vastly different stages of infrastructure development and technology adoption.

“It is difficult, if not impossible, to make direct comparisons as to which countries have ‘better’ or ‘more comprehensive’ strategy,” says Teong.

“What’s most important is that governments in the region place adequate focus on cyber security, and work closely with both their internal agencies and external partners to ensure that their strategies are well implemented.”

Lack of a unifying framework

Although it is commendable that governments across the region have taken proactive measures to boost their defences and increase their resilience, today’s cyber challenge is so complex that it cannot be fixed with merely more people, nor with more money, says Sanjay Aurora, managing director at Darktrace Asia-Pacific.

“Broader, international work needs to take place which enables defenders to form a united front against increasingly organised, sophisticated attackers,” Aurora says, adding that there is room for improvement in the pursuit of cyber criminals across international borders.

“Just as with physical crime, there needs to be a clear deterrent to digital criminality. Improved practical international agreements from governments could result in a significantly less hostile internet for ASEAN citizens.

“Tighter, more well-defined measures for pursuing and convicting cyber criminals would create huge opportunity for industry to feed information about criminal attacks to law enforcement for investigation.”

But without a structured ASEAN cooperative framework to address cyber crime, the region will remain vulnerable. Such a framework is particularly difficult to pull off within ASEAN, largely because of the inherent absence of a power to legislate or veto budgets and appointments, according to A.T. Kearney.

“The ASEAN Inter-Parliamentary Assembly only has the power of moral persuasion. In contrast, the European Union, with a strong legislative framework and a powerful secretariat, has placed cyber resiliency very high on its agenda and has developed a cohesive regional cyber security strategy,” it added.

There is little in the way of legislation that mandates any form of cyber security in Malaysia, so while it is possible to read that the ‘intent’ is there, the execution is clearly not at a governmental level.
Simon Piff, IDC

George Chang, Forcepoint’s vice-president of Asia-Pacific, says regional forums such as the ASEAN Ministerial Conference on Cybersecurity could help, by providing countries with a knowledge-sharing platform and common understanding of what strategies are needed in ASEAN. 

“Such platforms will validate efforts of each country and provide them an opportunity to learn from one another.  It’s much like the Interpol, where cooperation and information sharing between international police boosts public safety and enhances security of the nations involved instead of jeopardising them,” he says.

As more countries realise the importance of trans-national cyber security, a form of “cyber Geneva Convention” will emerge over the coming years, according to IDC.

With Singapore as ASEAN chair this year, more work is expected in this area, but IDC’s Piff says many markets in the region are still a long way from supporting any form of regional legislation, especially in cases where no local legislation exists.

“Something like GDPR is spurring many countries to overhaul their own legislation, and we can expect more of this type of legislation over time,” he adds. “But it may be a longer timeframe in Asia than in Western markets.”

Gaps in private sector

With national cyber security strategies largely focused on securing systems in critical functions such as government and healthcare as a starting point, there is a potential gap between what is enforced in the public sector compared to the private sector in most countries.

“The region should aim to develop cyber security strategies that also cover the private sector but without inhibiting its growth,” Forcepoint’s Chang says.

In the absence of a strong framework for mitigating cyber risks, many organisations in ASEAN either underestimate or overestimate their cyber security requirements. Furthermore, corporate stakeholders often have a myopic view of cyber risk, seeing it as an IT issue and not a business risk, according to the A.T. Kearny report.

This has resulted in under-spending in cyber security, estimated to be $1.9bn in ASEAN in 2017, representing just 0.06% of the region’s GDP. With the exception of Singapore, most countries spend below the global average, creating a potential risk of insufficient spend relative to a rapidly escalating threat landscape.

In the meantime, new emerging technologies are opening new potential attack surface that many organisations may not be prepared for.

“Cyber criminals are on a prowl for any opportunities to breach popular technology and devices with a high adoption rate – such as cloud or internet-of-things devices,” says Kenneth Chen, ASEAN managing director at Symantec.

“Our Symantec cloud security survey found that chief information security officers in Singapore estimate that, on average, 32% of cloud-based applications used at their company are unsanctioned, or ‘shadow apps’.

“The vast majority also believe that their CEO has probably broken internal security protocols at some point – either intentionally or unintentionally.”

Need for active defence and execution

Against the backdrop of looming cyber threats and patchy cyber resilience across ASEAN, A.T. Kearny called for policy makers and the private sector to work together to raise awareness of cyber security and adopt a stance of active defence. This is defined by the US Department of Defense as the employment of limited offensive action and counter attacks to deny a contested area of position to the enemy.

This can be achieved by elevating cyber security on the regional policy agenda, securing a sustained commitment to cyber security, fortifying the cyber security ecosystem and building the next wave of cyber security capabilities, it says.

Such efforts are addressed in most national cyber security strategies, but just as important is the ability to execute on those strategies.

“Just look at the result of the ITU global cyber security index 2017, which ranks Malaysia as number three,” says IDC’s Piff. “There is little in the way of legislation that mandates any form of cyber security in Malaysia, so while it is possible to read that the ‘intent’ is there, the execution is clearly not at a governmental level.

“This is a country that has many other political issues to deal with before getting around to a strong cyber security agenda, but when we consider the investments that Malaysia as a country has made to upgrade its overall IT agenda, with the creation of the Multimedia Super Corridor nearly 20 years ago, it is clear that there is a huge difference between intent and execution.”

Read more on Hackers and cybercrime prevention