To regulate cyber behaviour, listen to Indo-Pacific voices

The international community must broaden its understanding of responsible cyber behaviour by incorporating diverse perspectives from the Indo-Pacific, a region critical to the future of global cyber governance.

As the mandate of the United Nations Open-Ended Working Group on the security and use of information and communications technologies ends in July 2025, the world must reflect on what it means to be a responsible state actor in cyberspace. Over two decades, the UN has developed a framework of responsible state behaviour in cyberspace, which includes the acceptance that international law applies to state conduct in cyberspace and a commitment to observe a set of norms.

The framework, designed to address the weaponisation of cyberspace, narrowly focuses on high-stakes security concerns. While its emphasis on international peace and security is essential, this high threshold often sidelines domestic responsibilities and the challenges that developing and emerging economies face.

By amplifying the voices of mature cyber nations, it overlooks regions where the concept of responsible cyber behaviour is less expressed but no less important. As cyberspace is a cornerstone of economic, social, political, and military activities globally, we must expand the framework to address both domestic and international dimensions of cyber norms.

A report issued today and co-edited by ASPI and the Royal United Services Institute highlights this gap by examining how seven Indo-Pacific countries—Cambodia, Fiji, India, Indonesia, Japan, Pakistan and Taiwan—perceive responsibility in cyberspace. We investigate how governments and societies interpret this responsibility, going beyond their expectations of other states to see how they demonstrate their responsibility internally.

Our findings reveal a lack of common understanding and implementation of the UN’s cyber norms across the region. While commitments to responsible state behaviour are formally acknowledged at the UN level, domestic policies and regulations are inconsistent. For many Indo-Pacific countries, responsible cyber behaviour is mainly understood in terms of ensuring state sovereignty and territorial non-interference through cyber means. Governments are also mainly guided by national security concerns. This information is often shrouded in secrecy, complicating oversight and accountability.

Economics also shapes regional cyber policies. For most Indo-Pacific countries, socio-economic development, digitalisation and connectivity are top priorities. Given their limited sovereign cyber and digital capabilities, they view responsible behaviour as the ability to freely choose strategic partners and attract investments, technical support and capacity-building initiatives. This pragmatic approach underscores the need to reconcile international commitments with domestic priorities such as combating cybercrime, achieving data sovereignty, and ensuring affordable and reliable connectivity.

However, pursuit of these priorities often results in over-regulation and reliance on surveillance technologies and restrictive policies to counter cyber threats. Many Indo-Pacific countries struggle to balance protection of critical infrastructure and the information environment with promotion of open and inclusive digital spaces. Our report highlights the need for clear guidelines on the purchase, sale and use of dual-use technologies. While some countries adhere to international frameworks, others lack robust safeguards, exposing cyber vulnerabilities.

The Indo-Pacific’s diverse perspectives on responsible cyber behaviour emphasise the importance of domestic expertise. Governments must nurture talent within both public and private sectors and ensure access to international platforms that foster collaboration and knowledge-sharing. Otherwise, the region risks being left behind in shaping global cyber governance. Furthermore, many Indo-Pacific stakeholders argue that the UN framework’s emphasis on international norms must be complemented by actionable standards addressing states’ internal responsibilities, such as securing their networks and fostering resilient digital ecosystems.

International discussions on cybersecurity are increasingly polarised, with major powers vying for influence over Indo-Pacific countries to shape regional norms. In this context, we must ensure that the perspectives of emerging economies are not overshadowed by the interests of major powers. Ignoring these viewpoints is not only a poor diplomatic strategy—risking the alienation of regional actors and complicating negotiations—but also undermines international efforts to address shared challenges. Incorporating these voices into the framework would create a more inclusive and representative system that fosters equity, trust and long-term cooperation, ultimately strengthening global cybersecurity.

To achieve this, international and regional institutions must prioritise capacity-building and technical assistance tailored to the needs of Indo-Pacific countries. This includes creating platforms that allow these states to share experiences and shape global discourse on cyber norms. An example of such a platform is the Association of Southeast Asian Nations, through which member states have come to develop a norms checklist. It also requires the international community to recognise the interconnectedness of domestic and international cyber responsibilities. By grounding discussions in the specific contexts and priorities of the Indo-Pacific, the framework can evolve into a truly global standard that bridges the gap between developed and developing nations.

As the UN Open-ended Working Group mandate’s deadline approaches, we must reshape the framework of responsible state behaviour in cyberspace. The Indo-Pacific’s challenges and perspectives can help strengthen the framework’s relevance and effectiveness. By incorporating diverse regional viewpoints, the international community can build a more equitable and resilient cyberspace that serves the interests of all states, not just the most powerful. This is not merely a matter of inclusion; it is a matter of global cyber stability and security.