Written by Liam Nevill & Zoe Hawkins.

The importance of the Asia-Pacific region as a powerhouse of global economic growth and the home of increasingly tense international security flashpoints means that understanding the challenges of regional cybersecurity is increasingly important. Cyberspace’s centrality to modern life and its criticality to the routine functioning of a government, corporate, industrial and social activities means that significant cyber disruption in the Asia-Pacific may have severe knock-on effects on global security and economic prosperity. At the same time, growing connectivity and trust in online interactions also has the potential to enhance the development of the region’s less developed countries, further strengthening the need for strong national and regional approaches to cyber security.

Mature countries recognise that cyberspace as a network is only as strong as its weakest link, and know that their security and prosperity rests on that of the Asia-Pacific at large.

Understanding trends in cyber threat development and commercial and social uses of cyberspace in the Asia-Pacific requires a detailed and holistic assessment of how individual countries in the region conceive and address cyberspace. For this reason, the Australian Strategic Policy Institute’s (ASPI) International Cyber Policy Centre publishes an annual report, Cyber Maturity in the Asia-Pacific Region, which assesses the cyber ecosystem of more than twenty countries

Undertaking this whole-of-nation assessment of a country’s cyber maturity involves five different indicators across the spectrum of political, legislative, law enforcement, military, economic and social perspectives. For each category, a country is scored on the presence, effective implementation and operation of cyber-related structures, policies, legislation, organisations and partnerships. The results from each category are then weighted according to relative importance and combined to form a unique country score. The resulting report offers comprehensive country profiles, creates a relative scale by which to compare countries in terms of their cyber maturity, and identifies regional trends in policy best practise and vulnerabilities to watch.

The annual maturity assessment reveals there are significant disparities in understanding and approach to cyber issues across the region. These deep divides in cyber maturity and capacity reflect the broader development trends of the region, with the developed economies in the region pulling ahead of their developing and less-developed regional neighbours.

Countries such as the US, South Korea, Japan and Singapore are acutely aware of the importance of a strong cyber security posture and support for the growth of digital commerce. We’ve seen a trend in more mature countries towards increased centralisation of cyber policy functions through the elevation of dedicated agencies, such as the Cyber Security Agency of Singapore, allowing for a more coordinated and comprehensive approach to cyber issues. Mature countries partner collaboratively with the private sector to boost the digital economy, and possess cyber specific legislation and dedicated law enforcement structures to address the associated challenge of cybercrime. They’re active in international cyber discussions and offer a higher degree of transparency around military doctrine in cyberspace, such as the recent admission of national offensive cyber capabilities from the US, Australia and New Zealand.

Less-developed states such as Laos, Cambodia and Papua New Guinea on the other hand face much steeper challenges in addressing cyber threats. These countries tend to have more byzantine structures for managing cyber issues, with no identifiable leading agency. Cyber policy is often still the responsibility of communication ministries that don’t have the capacity to engage in cross-sectoral issues, and there’s a notable absence of legislation and strategic policy documentation relating to cyberspace outside those pertaining to ICTs in the development context. Government engagement with digital business tends to be one directional and top down, while social engagement with cyber issues is often limited by government censorship and poor connectivity.

Interestingly, while some less mature countries such as Vietnam and Cambodia suffer a paucity of government leadership, support and regulation for the digital economy, they’re enjoying a boom in bottom-up growth of connectivity and digital business. This haphazard development poses a dilemma: citizens and businesses coming online without the necessary awareness and frameworks are perfect targets for the growing gangs of cybercriminals. Government action to enact appropriate legislation, and support for law enforcement agencies to acquire the necessary skills to enforce it is required to reduce the rate of cybercrime in these countries, and to ensure the sustainable growth of their e-commerce sectors.

Mature countries recognise that cyberspace as a network is only as strong as its weakest link, and know that their security and prosperity rests on that of the Asia-Pacific at large. The risk of less mature countries being leveraged as safe havens for regionally active cybercriminals, and vulnerable interlinkages between smart cities and legacy infrastructure across Southeast Asia mean your neighbour’s cyber insecurity is often yours as well. For this reason, countries such as Japan, South Korea, Singapore, the US and Australia undertake capacity building projects in an effort to elevate collective cyber resilience of the region. This often takes the form of training judicial officers, law enforcement agencies, and computer emergency and incident response (CERT/CSIRT) teams in countries that have less experience and resources with which to tackle these new problems.

Mapping the cyber maturity of individual countries and the shifts and developments seen in the Asia-Pacific over time is a useful way to frame future engagements in the region and identify looming issues. At the national level, this provides information for governments and businesses on how to engage with specific countries on cybersecurity issues. At a macro level, it reveals the regional disparities in understanding cyber threats, ability to mitigate them, and capacity to take advantage of the opportunities connectivity offers for commerce, education, government service provision and development. The assessment reveals ongoing concern over the interdependence of vulnerable legacy infrastructure systems and the boom in unsecured IoT devices, but little action on a regional scale to mitigate the problem.

The information collated in ASPI’s annual assessment of the cyber maturity of regional countries provides an overview on how to approach the region as a whole. By highlighting the emerging gaps in regional cyber resilience, it provides guidance on the key issues and priorities to inform bilateral discussions and deliberations in multilateral regional fora such as ASEAN and ADMM Plus.

ASPI’s International Cyber Policy Centre will continue to assess and analyse trends in cyber maturity development across the Asia-Pacific, with the 2017 report to be released later this year.

Liam Nevill is principal analyst at the Australian Strategic Policy Institute’s Cyber Policy Centre. His research focuses on deterrence in cyberspace, Australian Army cyber modernisation, and digital trade in the Asia-Pacific. Zoe Hawkins is an analyst at ASPI’s Cyber Policy Centre where she researches and writes on international and domestic cyber policy issues. The authors tweet at @liam_nevill and @_ZoeHawkins_. Image Credit: CC by Yuri Samoilov/Flickr.