Asia Transnational Threats Forum: Cybersecurity and cyber resilience

On October 29, the Center for East Asia Policy Studies at Brookings hosted the fourth Asia Transnational Threats Forum (ATTF), on cybersecurity and cyber resilience. This year’s ATTF webinar was preceded by two roundtable discussions, with discussion on the perils and promise of the internet in the age of COVID-19, and North Korean cyber threats. Below are some of the key takeaways from the webinar.

CYBER THREAT LANDSCAPE AND RESPONSE STRATEGIES

Jongin Bae, ambassador for International Security Affairs at South Korea’s Ministry of Foreign Affairs, opened the discussion by describing the Indo-Pacific region’s cyber threat landscape as a consistently shifting environment where technology outpaces policy. He noted increased attacks against the financial sector and the daily occurrence of phishing attacks as key developments in recent years. Bae stated that the coronavirus pandemic has expanded the threat surface as people in large numbers are using digital platforms.

To address these threats, Bae called for enhanced bilateral, regional, and interregional cooperation for both practical measures and implementation. Underscoring that “no country is safe until all countries are safe,” Bae called for international policies to advance global rulemaking, trust-building, and capacity-building. Specifically, Bae argued that consensus and the multi-stakeholder approach are instrumental for rulemaking.  In particular, trust-building measures contribute to transparency and stability of cyberspace, while capacity-building efforts lend opportunities for strategic convergence such as between Seoul’s New Southern Policy and Washington’s Indo-Pacific Strategy.

REGIONAL RESPONSE TO CYBER THREATS

Experts discussed the responses of the public and private sectors to growing cyber threats. Thomas Uren of the International Cyber Policy Centre at the Australian Strategic Policy Institute discussed drivers of malicious cyber activities and Australia’s response and lessons learned. Identifying North Korea, China, Russia, and the United States as key cyber actors, Uren described how each state actor employs its cyber capabilities to support its respective strategic objectives. North Korea, for example, focuses on cyber-heists to generate revenue and evade sanctions, while China engages in cyber espionage and intellectual property theft to support its manufacturing industries in accordance with its “Made in China 2025” initiatives. As it had in the 2016 U.S. presidential election, Russia employs cyber capabilities to achieve its political goals. The United States, which has greater transparency in its cyber activities, attempts to demonstrate that it can use cyber operations in a responsible manner.

According to Uren, Australia’s cybersecurity strategy has become more proactive across the board. Canberra is promoting responsible behavior across the region, attributing cyberattacks against Australia, and using offensive cyber capabilities against offshore cyber criminals. For example, Canberra has issued four joint attributions with the United States and the United Kingdom to identify North Korea, Russia, and China as state-based actors behind cyberattacks targeting Australia. Although he has doubts about the deterrence effects of attribution, Uren assessed that, while there was no firm evidence, Australia’s use of disruption was likely to be tactically effective.

Elina Noor, director of Political Security Affairs at the Asia Society Policy Institute’s Washington D.C. office, examined the Association of Southeast Asian Nations’ (ASEAN) actions to build this cooperative infrastructure on cyber issues, many of which have been successful. Despite differences in the countries’ governance systems and technological skills — as well as competing domestic priorities — ASEAN became the first region in the developing world to adopt a harmonized legal framework for e-commerce. All 10 ASEAN member states have now established a computer emergency response system and conducted incident drills together. It was also the first regional body to agree to the 11 norms of responsible state behavior, laid out in the 2015 U.N. Group of Governmental Expert’s consensus report.

Nonetheless, ASEAN is faced with challenges at the technical, policy, operational, and legal levels. The region remains a hotspot for cybercrime, warranting greater attention to basic cyber hygiene at all levels from the individual user to organizations and the government, Noor advised. Cooperation with dialogue partners outside of the ASEAN region, therefore, is needed to overcome the challenges. Noor concluded that ASEAN’s cyber experience can be summarized as developmental pragmatism, incrementalism, and cooperation.

Mihoko Matsubara, the chief cybersecurity strategist at NTT Corporation, presented on Japan’s industry-driven private-public partnership to build cybersecurity professionals. Noting the rise of sophisticated cyberattacks and an acute shortage of more than 4 million cybersecurity professionals in the world, Matsubara discussed how Japanese companies launched the Cross-Sector Forum to create an ecosystem to educate, hire, train, and retain cybersecurity professionals in collaboration with the government and academia. She highlighted the importance of a shared definition of cybersecurity missions and developing professionals based on a global common language. The forum adopted the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework as a global common language to communicate with different industrial sectors and other countries.

CYBERSECURITY POLICIES

Based on her experience of regional public-private partnerships, Matsubara recommended that successful public-private partnership should include 1) a common language to facilitate effective communication; 2) regular meetings; 3) consensus on identification and prioritization of goals; 4) identification of local leaders; 5) commitment to fostering a culture of contributing back into the community; and 6) no tolerance for free riders.

Panelists concurred that trust and confidence-building are essential for facilitating meaningful discussions, as regularized communications create predictability and stability. Although Uren agreed on the importance of maintaining regular channels to avoid unintended accidents or mistakes, he was more skeptical about the efficacy of cyber norms for the preservation of cyber peace, and suggested that these should be accompanied by the establishment of norms to punish transgressions.

The experts had differing observations on the role of the United States in the Indo-Pacific region’s cybersecurity. Uren observed that the current U.S. administration’s approach is to demand that allies and partners acquiesce to U.S. priorities and initiatives, rather than using persuasion, influence, and power of example. This approach has had harmful consequences on the U.S. relations with the region. Noor cautioned that the U.S. cyber strategy of defending forward and persistent engagement may undermine stability, trust, and the rules-based order in cyberspace, as it complicates the understanding of what a rules-based order means and whether it applies equally across the board. Matsubara positively assessed U.S. capacity-building efforts in Southeast Asia via bilateral and regional platforms.