^[1]

I recently spoke at the third ASEAN Regional Forum (ARF) workshop on cybersecurity held in Beijing. In the following two posts I’ll look at the cybersecurity of critical infrastructure in the Asia­–Pacific, and examine some of my personal takeaway themes from the two-day meeting.

The starting point for any discussion about the ASEAN region is that of technological, economic, or social diversity, reflected in the variation between ASEAN states’ critical national infrastructures.

One of the nightmare ‘cyber scenarios’ that we are frequently presented with at these gatherings is the take down of critical infrastructure delivery services, such as energy, water and communications which would leave a nation crippled. This has led to much debate internationally about how to lower the potential use of this attack vector in any future scenario. Yet for many nations in the region, simply understanding what their critical assets and services are would be a good starting point. For some nations such as China, infrastructure is still largely state-owned and run, whereas in Australia approximately 90% of all infrastructure is private sector-owned. This makes assigning common roles and responsibilities for critical infrastructure protection a complex task. Additionally the definitions of critical infrastructure used also vary across the region, meaning that the playing field is far from even. Australia works with the following definition ^[2]:

those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.

Increasingly large parts of our critical infrastructure are connected to the internet, enabling threat actors to target aspects of our critical infrastructure making any government uncomfortable as impacts on one nation can have implications for another thousands of kilometres away. Yet as much as the region has a variable critical infrastructure picture, there are a range of shared risks.

A recent report by Lloyd’s of London and Cambridge University ^[3] estimated that a sophisticated cyberattack on the US power grid could cause nearly $250 billion in economic losses and, under the most severe circumstances, cost more than $1 trillion to the US economy. A recent poll by the Organisation of American States ^[4] found that hacking attacks that destroy rather than steal data or that manipulate equipment within critical infrastructure are far more prevalent than widely believed within that region. The poll found that 40% of respondents had battled attempts to shut down their computer networks, 44% had dealt with bids to delete files and 54% had encountered ‘attempts to manipulate’ their equipment through a control system.

Destruction of data presents little technical challenge to carry out compared with penetrating a network, so the infrequency of publicised incidents has often been ascribed to a lack of motive for attackers. However, now that hacking tools are being spread more widely particularly through the Darknet, more criminals, activists, spies and business rivals are experimenting with such methods.

Additionally there’s the very real threat posed to increasingly internet-connected supervisory control and data acquisition (SCADA) ^[5] systems which communicate with industrial control systems to provide operators with the capacity to control the physical parts of the system, like fans, pumps and valves. Those that are linked online, create backdoors for malicious actors who can gain control of critical infrastructure facilities.

There’s little regional reporting as to what the key threats are, and research is urgently needed to get a better grasp on the threat environment, especially as the region is expected to see rapid expansion in infrastructure delivery. That infrastructure is going to be highly inter-connected nationally and internationally, meaning that the systems and networks to deliver them need to be cyber secure. It’s expected ^[6] that by 2020 critical infrastructure security spending in the region will reach US$22 billion. This also means that government cyber policies will need to keep pace with the rate of development and spending, as will the regional discussion of these issues.

Asia–Pacific nations have a shared interest in ensuring that delivery of their critical goods and services is continuous, especially with the increasingly cross-border nature of management and ownership of critical national infrastructures. We’re more interconnected than we sometimes like to admit and this means as situation of shared risk.

So what are the practical measures that ASEAN can take? Well the region isn’t starting from the ground floor in this area; there’s already agreement ^[7] (PDF) that critical national information infrastructure needs to be protected across the region. Malaysia, China, America, Russia, and Japan were all present at the latest ASEAN ARF and were also members of the UN Group of Government Experts ^[8] that recently agreed to the norm that critical infrastructure shouldn’t be intentionally damaged by another state. So it’s obvious that this norm should be reinforced amongst ASEAN nations. A clear statement in the resulting ARF report reiterating this norm and advocating the advancement of critical infrastructure cyber resilience for all states would be powerful.

Second, I proposed the baselining of minimum cybersecurity standards for ASEAN critical infrastructure in order that a clearer picture emerges for those nations developing their infrastructures. Obviously there would need to be discussion about how exactly this could be monitored and measured, but additional work is sorely needed, and regional level standards could assist in both building capacity and building confidence.

Finally, ASEAN could lead critical infrastructure specific workshops for those who are responsible for delivering policies and the goods and services in order that they share best practice and approaches to cybersecurity in this area.

The ARF was highly focused on the practical measures that ASEAN nations could adopt to enhance cyber capacity and build confidence amongst its member state, and it was fascinating to see how this was interpreted differently by those who were in attendance. The second post in this series will look at the overall themes and messages from the meeting.