- The Strategist - https://www.aspistrategist.org.au -

Now that ASEAN has its cyber norms checklist, the hard work begins

Posted By on October 25, 2024 @ 06:00

Southeast Asian countries have made an important step towards operationalising UN standards on government cyberspace behaviour, but the job is far from finished.

On behalf of the Association of Southeast Asian Nations, Singapore last week published [1] a checklist of action points aimed at giving effect to the standards, which are called 11 norms [2] and were endorsed by the UN General Assembly in 2015. Now, the challenge is to put the action points themselves into practice, overcoming resistance inside Southeast Asian governments and encouraging other states to follow.

The importance of this should be clear in Southeast Asia, since it and the wider Indo-Pacific region are increasingly plagued by malicious cyber activities. Encouraging states to abide by accepted practices of responsible behaviour in cyberspace is urgent.

In 2018, ASEAN became the first, and still only, regional organisation to adopt the norms when they were endorsed [3] in an ASEAN leaders’ statement on cybersecurity cooperation. The new checklist, promoted by Malaysia and Singapore, aims to break the norms down into practical, actionable steps.

For example, to support the norm of not damaging another country’s critical infrastructure, the checklist includes making supportive political statements and setting clear internal guidelines for officials’ use of cyber tools. Meanwhile, cooperating internationally to combat crime and terrorism online means that responsible agencies should have a regularly updated directory of points of contacts of overseas counterparts.

But the discussion so far is at the level of foreign ministries and cybersecurity agencies. Checklist items need to be implemented by the core institutions responsible for deploying cyber capabilities, including defence, police and intelligence agencies.

Getting them to commit to the norms checklist will be no easy task. Agencies building cyber capabilities are often inward-looking and focused on national security work rather than broader cooperation. So they are not too receptive to commitments that could constrain their activities. Governments will need to introduce these principles across agencies, demonstrating to domestic constituencies their relevance for regional stability and national security.

Furthermore, ASEAN’s checklist needs to be more than a set of guidelines; it must serve as a tool for diplomatic engagement with external powers. My assessment of open sources shows that Southeast Asia remains one of the most targeted regions for state-sponsored cyber campaigns, primarily by China and North Korea. Most suspected state-sponsored [4] cyber operations in the region have been linked to China. This makes it essential for ASEAN to advocate its checklist beyond its members, encouraging adherence by irresponsible state actors. This will be especially challenging, as some actors are increasingly weaponising [5] cyberspace to secure economic and strategic aims.

ASEAN has long hoped to use [6] norms and principles—institutionalised in arrangements like the Treaty of Amity and Cooperation and an eventual South China Sea code of conduct—to influence behaviour of other states. In the cyber domain, this could mean ensuring that the agreed commitments in the text serve as a benchmark for responsible behaviour. Irresponsible states, such as China and North Korea, are unlikely to immediately embrace the checklist. But even incremental shifts toward greater transparency and accountability would be significant progress.

To support these efforts, ASEAN needs to develop robust confidence-building measures alongside the checklist. The measures can serve as reasons for dialogue, information sharing and transparency, helping government agencies—including those with authority over cyber capabilities—to build trust in the cyber domain. These measures can also be crucial platforms for reducing misunderstandings, managing tensions and fostering cooperation among states. Confidence-building measures should also be designed to cover either each of the 11 norms or combinations of them, allowing discussions that highlight either common or shared challenges in implementing and operationalising them. Another initiative could be devising the means of tracking checklist implementation.

Australia’s role in this context is instrumental. It has put much effort into cyber capacity-building in Southeast Asia, often working closely with ASEAN member states to raise awareness about the importance of cyber norms. Canberra should continue to use its diplomatic, technical and financial resources to support ASEAN’s efforts, particularly in promoting the operationalisation of the checklist at the national level.

The checklist is only a step on a journey. Implementation will determine its impact. Translating diplomatic principles into operational realities is urgent as cyber threats continue to evolve.

The road ahead will be marked by diplomacy, negotiation and gradual progress, but it is a road worth taking if Southeast Asia aims to create a safer and more secure cyber environment for all its people.



Article printed from The Strategist: https://www.aspistrategist.org.au

URL to article: https://www.aspistrategist.org.au/now-that-asean-has-its-cyber-norms-checklist-the-hard-work-begins/

URLs in this post:

[1] published: https://www.csa.gov.sg/News-Events/Press-Releases/2024/singapore-and-asean-member-states-deepen-commitment-to-enhance-collective-cybersecurity-in-the-region

[2] 11 norms: https://www.aspi.org.au/report/un-norms-responsible-state-behaviour-cyberspace

[3] endorsed: https://asean.org/asean-leaders-statement-on-cybersecurity-cooperation/

[4] state-sponsored: https://apt.etda.or.th/cgi-bin/aptstats.cgi

[5] weaponising: https://www.aspi.org.au/report/state-sponsored-economic-cyberespionage

[6] long hoped to use: https://api.taylorfrancis.com/content/chapters/oa-edit/download?identifierName=doi&identifierValue=10.4324/9780203014813-6&type=chapterpdf

Copyright © 2024 The Strategist. All rights reserved.