In my previous post, I looked at the polarised geopolitical, technological and economic situation that provides the backdrop to ASEAN states’ deliberations on cyberspace. During the course of the ARF meeting there was a focus on practical ways in which states in the region can begin to create a more even playing field, and begin to create a common understanding of the language, vulnerabilities and responses to cyber threats. My talk focused on what measures the ARF could take to assist in capacity building in the region to bolster the capabilities of those states capabilities that are severely lagging behind.
Capacity building can take place at both the policy and the technical levels; it’s a fact that having the technical cyber capabilities to respond to a crisis is of no use if policy mechanisms aren’t in place to enable them. And it’s important to recognise that the private sector and civil society are key parts of the equation for the most comprehensive and constructive capacity building.
Bearing that in mind, I proposed five key areas for capacity building for the ARF to consider. None of this is rocket science, but failure to act could lead to a regional cyber domain that’s akin to the Wild West.
1) Sharing approaches to cyber policymaking
A relatively easy place to start, it’s already taking place within the ARF in some respects, but it needs reinforcing. Exposure to one another’s policies can help those nations less confident of their mechanisms to learn from the best practice of others, and to pick and choose the best ideas to adopt for themselves. This process serves two purposes. First, it builds nations policy understanding of each other and, second, it also acts as a confidence building measure. Peering into one another’s doctrinal approaches creates more certainty about how a nation will respond in times of crisis.
2) Building Regional Cybersecurity Baselines
There’d be great advantage in the ARF defining a baseline of cybersecurity for its member states. However rudimentary this baseline might end up being, it could help countries identify and then reach minimal technical and policy standards. It’s in all parties interests for ASEAN members to have sound cybersecurity policies and mechanisms in place. One particular area where much assistance is needed is critical national infrastructure protection—many highly developed nations struggle to understand their own vulnerability, a problem magnified many times when a country has difficulties with the most basic elements of cyber capability.
To begin this process the ARF could make a statement supporting the raising of cybersecurity standards across the region, including an outline of the mutual benefits this would bring to member states. However, I strongly suspect this fell on deaf ears as making such a statement would take quite a while to negotiate between ARF member states.
3) Training and Simulation
Training people is one of the most effective ways of raising the bar in cybersecurity. If the ARF were to begin raising expertise within government about simple measures they can take to improve cybersecurity this would be an extremely positive move. They would do well to look closely at the Australian Signals Directorate’s award winning ‘Top 35 mitigation strategies‘. Introducing just the top four can prevent 85% of targeted cyber intrusions.
Live simulations can demonstrate to policymakers and the uninitiated what a cyber crisis actually is, and give a fuller understanding of the different elements of crisis management and incident response.
4) Learn from and reinforce Good Policing and CERT (Computer Emergency Response Team)/CSIRT (Computer Security Incident Response Team) Relations
There are already strong working relationships between police forces, CERT and CSIRTs within ASEAN, predominantly related to fighting cybercrime. These areas of cooperation could helpfully be extended to the political level, where many areas of division still exist. Bureaucrats could learn from the practical approach that these groups take in achieving a common goal, and apply their no-nonsense approach to other areas of government.
5) Utilise the private sector creatively
The private sector is often described as having a vital role in addressing cybersecurity issues, but little explanation is offered. In the ARF context, member states should invite key areas of the relevant industry sectors to share their best practices as, in many cases, they have more sophisticated cyber capabilities than governments. For example, the capabilities of many of the banking sectors’ CERTs exceed those of many nations in the ARF. Above I mentioned critical national infrastructure as a key area for understanding vulnerabilities—here the private sector would be invaluable in assisting capacity building efforts, as a vast majority of the CNI is already in private sector hands. The ARF should also encourage existing industry groupings that already share threat data to further expand their networks across the region, thus spreading the understanding of threats beyond their normal jurisdictions.
There was a great deal of discussion of an ARF Workplan, intended to produce more practical work on building cybersecurity across the region. The workplan included some of the suggestions outlined above, and there appeared to be support for the initiative. However, as is often the case with multilateral groupings, enthusiasm for practical initiatives can be stalled when political agendas come into play, and this became evident during the course of the ARF. The glaring divide between certain states in terms of their political positions became crystal clear, as did the way in which this could derail the positive practical suggestions that were made. That will be the topic of my final piece on the ARF.
Tobias Feakin is a senior analyst at ASPI.