Cyber NEEDs and Development: An Asia-Pacific Perspective
Paper prepared for the European Commission and EUISS Cyber NEEDS and Development Conference - Brussels, BE - 23-24 February 2015
The Asia-Pacific region incorporates some of the most mature cyber actors in the world as well as some of the least connected. Across the board governments throughout the region are becoming increasingly aware of the importance of cyberspace, however the capabilities, needs, and priorities of each state lie across a wide spectrum. Digital standard-bearers such as Australia, South Korea, Japan, and Singapore boast some of the most digitally savvy economies, highly connected populations, and strong government commitment to developing cyber capacity. On the other hand, countries such as Cambodia and Myanmar are some of the least connected societies, with only 6 and 1.2 percent of individuals using the Internet respectively.[i] It is critical to consider this diversity in the formulation and execution of any cyber capacity building initiatives. When approaching the Asia-Pacific region, drivers of cyber capacity building should maintain a transparent and consistent overarching narrative, but must have the flexibility to tailor approaches to each particular circumstance and must prioritize pragmatism over ideologizing.
A Diverse Geography
The complex geography of cyberspace in the region stems from technical, political, social, and economic diversity. For nations such as Myanmar, Papua New Guinea, Cambodia, and across the Pacific islands, lack of infrastructure severely impedes growth in cyber capacity. The urban–rural internet penetration gap in those countries, which can be seen across the region to varying extents, continues to be a substantial obstacle. Lack of resources or weak supporting legislation restrict efforts to strengthen cyber resilience in the Philippines, Malaysia, Indonesia, Cambodia and Thailand. In India, a lack of implementation and enforcement capacity hinders an otherwise fairly well-developed policy framework.
Comparatively mature cyber actors also face major challenges. China possesses strong cyber surveillance and technical capabilities but lacks solid cybercrime and cybersecurity policy, legislation and coordination. Domestic content control also remains a concern and is increasingly prevalent across the region often under the guise of combating cybercrime. South Korea, one of the most wired countries in the world, faces a serious external cyber threat across the border, leading to a focus on the defensive dimensions of cyberspace, while Japan’s renewed efforts in cyber remain marred by issues with internal government cooperation. Australia’s cyber policy developments lag far behind its technical competence, where under-defined roles and responsibilities create confusion both within government and for the private sector and international partners.
Despite this diversity there are some interesting trends that can be drawn from the region. The growth in mobile technology adoption, while reflected in many parts of the world, is particularly acute in the Asia-Pacific. Mobile technologies offer a cheaper connection option in nations with nascent ICT infrastructure, leading to particularly rapid adoption in South East Asia. In countries with more advanced infrastructure, mobile technologies are seen as a key driver in the digital economy. The growing ubiquity of mobile technology offers many opportunities in bridging the digital divide, but also presents serious concerns, especially in regards to cybersecurity.
Social network usage, often through mobile devices, also represents an important part of the region’s cyber ecosystem. Social media adoption in emerging markets like Indonesia, India, and China is expanding rapidly, with about 77 percent of internet users in the region active on social networks.[ii] The primacy of social media creates a different sociocultural user experience that needs to be considered when approaching the region. The growth of social media as a platform for civil interaction has also resulted in a slew of reactive content control legislation, often presented as efforts to combat cybercrime.
Increased awareness of the importance of cyber, often driven by international engagement, is leading to generally positive cyber outcomes across the region. For example, Japan’s increasing engagement with a rapidly growing cohort of international partners is helping to shape its cyber capabilities, and its efforts to help regional partners develop their own cyber capacities offer a strong model for regional engagement. Robust existing regional policing and cooperation between national computer emergency response teams (CERTs) lay the foundation for higher level cyber policy engagement, particularly at the bilateral level. With the ASEAN Regional Forum, Asia-Pacific Economic Cooperation (APEC), and other regional bodies expanding their cyber efforts, the Asia–Pacific has every potential to see improved dialogue across both technical and policy realms and increasing levels of cyber capacity across the board.
Developing Capability and Capacity
‘Closing the digital divide’ has been a mantra that not only speaks to the social and political empowerment brought about through the proliferation of Internet connectivity, but also the incredible power of the Internet to drive economic growth. The catalytic potential for the Internet as an economic multiplier has pushed many countries in the Asia-Pacific to pursue a vigorous ICT infrastructure policy. The economic impetus has led to investment in infrastructure expansion, legal reforms to promote these sectors, and open engagement with international partners to develop the human capacity and skills to manage the digital environment. Informatization in China, the ASEAN ICT Masterplan 2015, and the APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment all demonstrate that regional governments are taking cyber capabilities for economic development seriously. While there is plenty of room for improvement and increased investment in this space, it does not represent the most pressing cyber capability need for most of the Asia-Pacific.
While the foundation of regional governments pursuing economically driven efforts is sound, the realities carry often overlooked long-term risks. In order to ensure the sustainability of the Internet as a growth engine, countries must ensure that physical infrastructure investments are matched by considered policy and proactive education and training efforts to mitigate cyber threats before they arise. For the region to develop into a hub of the 21st century digital economy, efforts to build holistic cyber policies must be pursued with the same vigour as those pursuing economic growth, as in the long term they are one and the same.
Cyber policies, legislation, and governance structures lag behind in the drive for economic growth. To varying degrees of success, Asia-Pacific states have attempted to slot cyber responsibility into existing organizational structures. In China, efforts to tame the nine cyber dragons have resulted in the central Internet security and informatization leading group chaired by President Xi Jingping. Singapore has launched the Cyber Security Agency to consolidate and centralize cybersecurity capabilities and Japan is looking to establish a Headquarters of Cyber Security Strategy. In Australia, the launch of the Australian Cyber Security Centre brought together operational cyber capabilities from across government, however the policy picture is remains far more muddled.
While some states have struggled to establish whole-of-governance coordination bodies, other states have adopted a more ad hoc approach. In Papua New Guinea, due to its responsibility over ICT, cyber policy is largely dictated through the National Information and Communications Technology Authority. In India, despite appointing a National Cyber Security Coordinator, a lack of bureaucratic capacity and supportive organization structures hampers implementation.
The policy deficient is also reflected in the legal capacity of states on cyber issues, in particular cybercrime. Many regional states lack the proper laws in place to deal with cybercrime and without the necessary understanding of cybercrime issues within police forces and legal practitioners what laws exist often go unenforced. While there have been notable attempts to improve efforts to combat cybercrime, especially through ASEAN, too often cybercrime efforts are co-opted for censorship and content control purposes.
Across the region there is a need to build effective management structures for cyber policy, and more importantly clear organizational relationships to govern a policy space that impacts nearly every aspect of governance. This is where the international community can have the most meaningful impact.
Building a Cyber Capability Engagement Strategy
Across the region a prioritization of economic development often distracts from the need to develop prudent policy and clear governance structures to manage the digital space. However, this emphasis on economics can be used to establish practical, concrete avenues for cyber capacity building.
There is a recognition around the region that a trusted, safe, secure, and resilient cyberspace is vital to maintain confidence in, and the vibrancy of, digital economies. An economic argument offers a clear avenue to build quick and meaningful engagement on a wide spread of cyber capabilities. The economic imperative offers states the justification to invest in CERT capabilities, supporting cyber skills efforts, developing digital economy strategies, pursuing cybercrime cooperation, and establishing clear government-public sector relationships on cyber issues. Furthermore, market forces will independently push economies towards synchronisation, building momentum on ICT infrastructure standards, DNSsec, and other vital cyber capability needs. This pragmatism facilitates incremental progress, where new benchmarks can be set, while bypassing ideological barriers.
International actors working to improve regional cyber capacity need to be transparent in their core principles, but cannot be dogmatic in their application. While lessons learned from international efforts are useful, European models cannot be transposed wholesale on to the Asia-Pacific. In fact, many actors in the region have an allergic reaction to projects perceived as overly rooted in the transatlantic tradition and received as preaching from afar.
While the work of the Tallinn Manual is extremely useful, its North Atlantic framing causes immediate tensions if not carefully attuned. Similar reactions can be seen to OECD efforts and the Budapest Convention, which also faces an implementation capability challenge for many states in the region. International efforts need to more directly engage regional actors to be relevant in the Asia-Pacific and more importantly need the flexibility to tailor implementation to the particular circumstances of the partner states.
That is not to say good governance and human rights should be sidelined. However placing international law, international obligations, and what may be seen as ‘western values’ at the fore can sabotage engagement efforts before they begin. An ‘all or nothing’ approach marginalizes regional partners, often leading to adverse results. A prime example can be seen in the case of Laos, where despite early interest in the Budapest Convention, an inability to meet ascension requirements drove policy makers to look to Vietnam, China, and Myanmar when formulating Internet regulations. A more effective policy, which has been adopted by some signatories, would see efforts to help establish de-facto, adapted Budapest frameworks that are more cognisant of the target state’s capability and capacity.
Pragmatism and flexibility must be the watchwords of any effective cyber engagement in the Asia-Pacific. An economic approach offers a solid foundation for cyber capability building and can provide the necessary impetus for regional states to focus on critical infrastructure protection, efforts to combat cybercrime, the need to build a skilled workforce as well as improve cybersecurity awareness across the public, and a whole range of cyber needs.
Image courtesy Cyber NEEDS and Development Conference.