As Southeast Asia propels forward in its digital transformation, it inevitably faces accompanying threats to its growth. The region has long acknowledged the imperative to safeguard its digital economy from cyber-attacks, exemplified by the United Nations Office on Drugs and Crime’s report indicating a staggering 600% increase in cyber-attacks in 2021.
Fortunately, this recognition has spurred the region into action. Southeast Asia has proactively devised collaborative plans to fortify its digital landscape, striving to create a peaceful, secure, and resilient cyberspace.
The first ASEAN Cybersecurity Cooperation Strategy from 2017-2020 laid the groundwork towards one shared goal— a safe cyberspace. Similarly, the ASEAN Information and Communications Technology (ICT) Masterplans aimed to fortify the protection of networks and services.
However, despite having a roadmap and updated strategies, many hurdles still decelerate the region’s cybersecurity development. These obstacles include uneven capacity development, lack of standardisation, and limited information-sharing mechanisms.
In an age where cyber threats are on the rise, is being “secure” enough? Are existing policies sufficient to protect the future digital landscape?
Current Regional Challenges
Southeast Asian countries are in varying stages of cyber capability and digital development. The disparities present problems for coordination and communication regarding cross-border threats and crimes.
Although there are existing ASEAN cooperation strategies and master plans, these mainly focus on capacity-building rather than policy development and coordination. These measures may be helpful to countries in their early stages but not those that have already established their domestic policies. For example, Singapore, Malaysia, Thailand, and the Philippines have established policies to safeguard their governments, citizens, and businesses against evolving cyber threats. In contrast, Vietnam and Indonesia are in the early stages of implementing measures to enhance the protection of their digital economy, with room for improvement. These differences are expected, reflecting the diverse stages of digital development and cyber capability across the region.
Moreover, the lack of a unifying framework created difficulties for the region’s interconnected infrastructures and economies. The countries become more vulnerable to the same threat actors since they have no system for incident reporting and data collection.
Hence, with a great chance of facing and experiencing the same cyber-attacks, Southeast Asia needs to develop common strategies, enact unified standards, and enhance regional cybersecurity and cyber resilience.
Cybersecurity to Cyber Resilience
Contrary to common belief, cybersecurity and cyber resilience are closely related yet entirely different. According to the International Telecommunications Union (2023), cybersecurity is the tools, policies, and guidelines used to protect an organisation’s assets.
Meanwhile, cyber resilience is the ability to anticipate, attack, withstand, recover from, and adapt if the assets are compromised. Cyber resilience encompasses the capacity to anticipate, withstand, recover from, and adapt to compromises in digital assets. In contrast, cybersecurity primarily deals with preventing and detecting breaches, while cyber resilience focuses on enhancing systems post-breach. Rooted in the acknowledgment that attacks are inevitable and threat uncertainties persist, cyber resilience requires continual development.
Shifting the discourse to cyber resilience enables Southeast Asian nations to formulate forward-looking policies. Governments, policymakers, business leaders, and individuals can prioritise ongoing development and evolution to match the rapid pace of evolving cyber threats.
A United Nations University study assessing 14 cybersecurity strategies in the Asia Pacific region revealed that while the term “cyber resilience” is commonly used, few countries have operationalized its meaning. Singapore, for instance, has clearly defined resilience in its national strategy, while Malaysia, although not explicitly using the term, underscores the importance of business continuity. Encouraging a shift in perspective towards “cyber resilience” emphasises not just protective measures but also the significance of adaptive efforts.
In the Tech For Good Institute’s research, our proposed Cyber Resilience Framework does not seek to reinvent the wheel; instead, it builds upon established frameworks. Embracing the Organisation for Economic Cooperation and Development‘s definition of resilience as “the ability of individuals, communities, and states and their institutions to absorb and recover from shocks, whilst positively adapting and transforming their structures and means for living in the face of long-term changes and uncertainty”, our framework represents a reconceptualisation rather than a complete overhaul of principles.
What distinguishes our proposed framework is its emphasis on states not only rebounding after an attack but also advancing and consistently seeking improvements in their systems. It strives for a balanced approach that acknowledges the importance of not just recovery but continuous enhancement.
Building Resilience, Securing Future
Today, the conversations remain focused on preventing and detecting a breath rather than improving the systems once breached. However, understanding the difference and elevating the conversations from cyber security to cyber resilience is a must to combat cyber-attacks.
Southeast Asian nations can chart a course towards a more secure digital future by formulating forward-looking policies that engage governments, policymakers, business leaders, and individuals collaboratively. Given the dynamic nature of emerging threats in the digital economy, fostering cooperation across these sectors is paramount. Notably, the considerable variability in cyber resilience among ASEAN member states underscores the necessity for a shared framework establishing cybersecurity standards. Such a framework would not only fortify individual states against potential vulnerabilities but also contribute to the collective strength of regional efforts in cyber resilience. Regular reviews of this regional baseline are essential to ensure its ongoing relevance and efficacy.
Addressing the widening gap in the cybersecurity workforce demands concerted efforts through public-private partnerships and increased investment. The proposed Cyber Resilience Framework provides a strategic guide for countries to identify priority areas for investment, allowing them to tailor their focus based on specific domains that offer the greatest potential for growth. For instance, Indonesia and Vietnam can concentrate on domains enhancing their defences against cyber threats, while Thailand and the Philippines may prioritise improving adaptability.
In bolstering cyber resilience, countries contribute not only to their individual prosperity but also to the overall security of the regional digital landscape. The 2018 ASEAN Leader’s Statement on Cybersecurity Cooperation aptly underscores the significance of a “peaceful, secure, and resilient cyberspace” as a foundational element for economic progress. As Southeast Asian nations navigate the complexities of the digital age, building and sustaining cyber resilience remains a shared imperative for a secure and prosperous future.
To find out more about fostering cyber resilience in the region, read the full report here.
