The ASPI International Cyber Policy Centre was fortunate enough to be part of the team that put together the second ASEAN Regional Forum workshop on cyber security (the first was held late last year in Beijing). The Kuala Lumpur based workshop drew together key individuals from government, think thanks, the private sector and academia across the region. Co-chaired by Australian and Malaysian government representatives, the meeting set out to be a practically orientated discussion rather than one trapped in the diplomatic quagmire of the internet governance debate. The sessions explored specific proposals for practical cyber confidence building measures (CBMs) within the Asia-Pacific. This type of discussion is vital to lowering the risks of miscalculation and misinterpretation in cyberspace, especially in a region that has become the focus of cyber-competition.
The core aim of the ARF workshop was simple; to establish a network of contacts within ASEAN states that could be activated in times of cyber crisis. This may sound like a simple task, but is surprisingly difficult when so many states’ national mechanisms for cyber and lines of responsibility are opaque and often concealed. There was almost total agreement in the room that current technical and policing channels of communication were well established, particularly at a CERT-CERT level, and that this provided a solid foundation to build on. But it was abundantly clear that there was a lack of—and an urgent need for—a developed communications network between cyber policy makers and national security leaders. Even at a basic level there was strong appetite for discussion mechanisms between states—a refreshing change from the barrage of diplomatic finger-pointing that often occurs in these types of meetings. Critically, the workshop began to identify appropriate points of contact, where they existed, and was successful in underlining that this needed to be developed and maintained over the coming months and years.
The second big theme that arose during the discussions was that there’s a clear requirement for baselines of domestic cyber coordination and technical capabilities across ASEAN states. This was strongly evidenced during the practical ‘desktop exercise’ component of the workshop which used an escalating hypothetical cyberattack against the banking sector to test the ‘whole-of-government’ domestic and international responses to cyber events. Put simply there’s a complete imbalance in different nations’ responses:some are clear, concise and well organised, others are confusing and problematic to interface with as the structures have grown in a haphazard manner. Similarly, nations have different levels of technical capacity, expertise, and legislation which again becomes problematic when countries are attempting to de-escalate cyber incidents. It became obvious that to deal with these situations, clear lines of command are vital, as rapid decision making is demanded when responding to cyber threats.
The third big take-away for the meeting, and perhaps the most important for future iterations of the process, was two-fold. Firstly, the less formal discussions enabled by the desktop exercise led to friendly and frank exchanges between national representatives which were invaluable in relationship building and sharing of best practice. This assisted in building confidence between those assembled in a way in that would have been impossible in official government–to-government settings. Secondly, the multidisciplinary nature of the delegates assembled was important for creating the rich discussion had over the two days. The diverse spread of professionals from technical, national security, policy, and law enforcement backgrounds mixed with a dash of non-governmental expertise, from both developed and developing countries, was an excellent recipe.
As ASPI executive director Peter Jennings pointed out to the gathering, cyber security experts have their own distinct language. They speak of the latest DDos attack, UNGGE deliberations or ICANN developments. Such expertise and understanding is unique and transcends borders. As a next step we need to more actively engage the private sector in these discussions. Cyberspace is multi-stakeholder in nature, this should be reflected in its representation at the ARF.
The Australian Government did a great job putting together the workshop and its much needed active, practical cyber agenda. Engaging the region in this way presents a valuable opportunity for Australia to play a leadership role on those issues. As this process shows, involving a cross-sector and whole-of-government team in this process will harness diverse expertise, present more opportunities and build understanding across the ARF nations, boosting Australia’s regional image. Now’s the time to seize the opportunity to build on the excellent groundwork laid in Malaysia.