Asean needs to confront fundamental challenges in cybersecurity

Asean needs to confront fundamental challenges in cybersecurity

If these issues are not fully addressed, the region’s digital ambitions oriented around Asean’s inclusive community-building agenda are likely to be aspirational rather than attainable.

data peribadi

From Murugason R Thangaratnam

It was interesting to read digital minister Gobind Singh Deo’s call for unified cyber standards in Asean.

He said Asean must establish consistent digital and cybersecurity standards, particularly in the rapidly advancing field of artificial intelligence to foster a trusted digital environment and strengthen the region’s global digital economy position.

Kudos to the minister for highlighting the need to expedite this much needed regional collaboration.

However, seizing its full potential in the emerging data-driven economy and the rapid growth in next generational technology requires confronting head-on fundamental challenges in cybersecurity.

Internet penetration may be continuously increasing, but digital inequity is growing at the same time. Mobile connections are skyrocketing, yet digital literacy to combat cybercrime, disinformation and misinformation is plummeting. Most importantly, cyberattacks are rising but trust-building among key stakeholders remains stagnant, or worse, declining.

If these issues are not fully addressed, the region’s digital ambitions oriented around Asean’s inclusive community-building agenda are likely to be aspirational rather than attainable. Perhaps this is an opportunity for Malaysia to take the lead, leveraging on its position as Asean chair.

Cybersecurity has become a cross-sectoral issue in the region. Initially focussing on the digital economy, cybersecurity now cuts across Asean’s three community pillars which are political-security, economic and social-cultural.

The region should strive to achieve a feasible, middle-path approach to cybersecurity standards, i.e. one that is aligned to international standards and best practices yet localised and context-specific.

Along with each country’s earnest efforts to pour more investments into digital infrastructure and human resources, the parallel middle-path approach can pave the way for the Asean region to become a leader rather than a follower in standard settings, thereby improving its capacity to influence various technical and policy discussions, even at a global stage.

Ambitious but not impossible, and the European Union is a living example. Any unified cybersecurity standards should be outcome rather than implementation-oriented to avoid being too prescriptive. Such an approach can help the region strike a healthy balance in the adoption of international standards according to the domestic context.

Additionally, the standards-setting processes should be agile and iterative due to the ever-changing nature of emerging and critical technologies. Adhering to highly rigid or inflexible processes could render standards obsolete in the long run.

The biggest challenge is going to be getting the respective nations to sit at the table and agreeing on a transparent method to share information without sacrificing their national security and sovereignty.

Currently, at the national level, issues like regulatory non-compliance, cost considerations, exposure or leakage of sensitive data or intellectual property and reputational damage prevent the public and private sectors from sharing or disclosing information on cyber incidents in a timely fashion.

Stakeholders are aware that the failure to mitigate cyber incidents is often seen as shameful, which deters organisations from sharing more information publicly.

Across the board, ineffective data sharing is driven by the prevailing trust deficit, which leads to weak enforcement of rules and regulations.

Even though there is a strong appetite to collaborate on data sharing and incident management, especially due to the borderless nature of cybersecurity risks, and the obvious interdependencies among industries, the lack of government incentives for the private sector often undermines the effectiveness of public-private partnerships.

Industry representatives often agree that partnerships must provide equal benefits to all parties involved, either through financial means or the reciprocal exchange of information. To be fair, most government policymakers recognise the role of incentives; however, resource constraints and shifting political bandwidth at the government level largely undercut their ability to invest in positive inducements consistently. Overcoming the trust deficit is going to be critical to achieving unified regional cybersecurity standards. Once again, it’s an arduous task but not impossible.

Asean has always traditionally moved very slowly, especially on sensitive issues that touch on sovereignty and security, where the pace of consensus forming adjusts and changes with the mood of that moment. But, with many high-level discussions, ministerial conferences, strategies and frameworks mapped out since 2018, it seems to be getting its act together and waking up to the fact that, in terms of securing cyberspace, building regional sovereignty will in the long run benefit each nation state’s sovereignty.

But beyond the high politics of cyber dialogue and the nuts and bolts of technical cooperation, there are pressing questions in terms of how Asean members are viewing their digital futures. Many countries struggling with cyber-attacks, fake news or disinformation campaigns have been remaking or, in the case of Malaysia, updating their regulatory regimes through the prism of cyber as a threat vector.

The passing of the Cyber Security Act, amendments to the Personal Data Protection Act, Online Safety Bill, Data Sharing Bill and Social Media Regulations are testament to the seriousness of the Malaysian government in getting its digital security foundation in order.

And on the digital trust and data governance front, the digital minister is leading the charge by establishing the right building blocks for us to lead by example, by engaging with the private sector, tapping into success stories from nations outside Asean and setting up the right vehicles to drive the nation’s digital aspirations. A recent example of this is the launch of the National AI Office (NAIO).

There won’t be easy answers, but the important thing is to get the conversation moving at a more rapid and urgent pace.

In addition to the conferences and summits planned for the year, more informal dialogues can allow member states to share challenges and ideas openly, and help to build shared understandings. Member states seem to be aligned in having an Asean voice in the international cyber ecosystem conversation.

But how coherent or unified that voice will be is likely dependent on three things: an appreciation of internal cyber threats without being consumed by them, a nuanced awareness of the agendas and power plays within the international cyber norms debate, and a clear-headed drive to look to the best ideas in the field, whether they come from within or outside of Asean.

Malaysia has an opportunity to lead the way, and help crystalise a standardised cyber sovereign structure for the region.

 

Murugason R Thangaratnam is a cybersecurity practitioner.

The views expressed are those of the writer and do not necessarily reflect those of FMT.

Stay current - Follow FMT on WhatsApp, Google news and Telegram

Subscribe to our newsletter and get news delivered to your mailbox.