ASEAN member states are prime targets for cybercrime given their position among the fastest-growing digital economies in the world. As described in a 2020 Interpol report, the impact of cybercrime will only increase as cybercriminals become more sophisticated, taking advantage of the inefficiencies in regional law enforcement structures.
In recent years, ASEAN has made significant progress on enhancing regional cybersecurity through capacity-building programs, the creation of new multilateral institutions, and its endorsement of international norms developed through the United Nations. As it moves forward with proposing new solutions and mechanisms to tackle cyber threats, ASEAN would benefit from establishing a shared cybercrime framework to fill some of the gaps created by inefficiencies in regional law enforcement structures, including the harmonisation of cybercrime laws and standards.
Most ASEAN member states have adopted cybercrime legislation in key areas, such as fraud and forgery, child pornography, and offenses against confidentiality, integrity and availability of computer data and systems. However, capabilities and national priorities vary across member states, creating a marked disparity in cybercrime legislation and enforcement. In particular, there are important differences in how members define criminal conduct in cyberspace and how they go about collecting electronic evidence for cybercrime investigations, making cross-border cooperation lengthy and complex.
The most effective way of obtaining e-evidence is through mutual legal assistance treaties—agreements between two or more countries to facilitate collection and sharing of evidence for investigations or proceedings related to criminal offences involving computer systems and data. Though often considered too complex and lengthy, a mutual assistance agreement is the only mechanism that ties together the laws of receiving and requesting countries.
In 2004, ASEAN member states agreed on a regional Treaty on Mutual Legal Assistance in Criminal Matters. However, its application to cybercrime remains limited as it lacks provisions for addressing the transnational nature of cyberthreats, such as retention of and access to e-evidence. Such provisions are important because e-evidence is stored online by service providers that are often based in a different country than the requesting one.
Today, the only legally binding multilateral instrument dealing with cybercrime matters is the 2004 Budapest Convention. Drafted by the Council of Europe, it seeks to address internet and computer crime by harmonising national laws, improving investigative techniques and increasing international cooperation—including mutual legal assistance.
But the Budapest Convention has failed to reach universal consensus and has been dismissed by major global players, such as China, Russia, India and Brazil. Among ASEAN members, the Philippines has been the only one to ratify it. The main points of contention have been the convention’s perceived violations of the principles of state sovereignty and non-interference in the internal affairs of other states.
Still, there are several steps ASEAN could take to harmonise cybercrime laws and standards across its members.
In the short run, ASEAN should aim to streamline the mutual legal assistance process wherever possible to ensure effective coordination. This could be done by drawing on existing models for making a request for mutual assistance and by adopting a common taxonomy of cybercrime terminology. ASEAN should also consider amending the 2004 mutual assistance treaty to include cybercrime-related provisions.
In comparison with the Budapest Convention, the ASEAN treaty lacks the following provisions to deal effectively with cybercrime: expedited preservation of stored computer data; expedited disclosure of preserved traffic data; mutual assistance regarding accessing stored computer data; transborder access to stored computer data with consent or where publicly available; and mutual assistance in the real-time collection of traffic data.
In the long run, ASEAN could consider drafting a regional cybercrime convention that establishes common cybercrime policies and institutions to foster cross-border cooperation in line with its own values. This would be no easy task, as the ASEAN decision-making process is based on reaching consensus through informal—and often slow—procedures. Its decisions are often political and non-binding.
Although this practice often produces good decisions, it’s a slow-moving process that exacts a high cost in the fast-changing environment that is cyberspace. In the absence of consensus, member states that want to move forward more quickly could do so through the ‘ASEAN minus X’ (A-X) voting formula, which allows some members to move ahead on the basis that the others will follow at a later stage.
Historically, A-X has mostly been employed to deal with economic matters. However, in cybersecurity, economics and security are two sides of the same coin. A-X has also already been used to pass legally binding conventions to counter different cross-border security threats, such as the 2007 ASEAN Convention on Counter Terrorism and the 2015 ASEAN Convention Against Trafficking in Persons, Especially Women and Children.
Harmonisation of cybercrime laws and standards would allow ASEAN to fill some of the gaps created by the inefficiencies in existing law enforcement structures. Nonetheless, there’s no silver bullet for tackling cybercrime effectively. These measures would need to be part of a broader set of initiatives that include the development of capabilities to prevent, detect and investigate cybercrimes across the region.