Written by Cheng Lai Ki.

Economic change, empowered through technological innovation has enabled states within Southeast Asia (S.E. Asia) to rapidly modernize. This has allowed the region to become a key player in international trade through the integration of cyber services across national, and international industries. The region has since become attractive for international investment. According to research from the U.S. advisory firm Gartner, there has been an increasing level of information technology (IT) investment within the region, including ‘vertical industry trends in Singapore’. However, the 2016 APAC Cyber Maturity Report by the Australian Security Policy Institute (ASPI) reveals that there remains a large capability gap between South East Asian nations and the greater Asia-Pacific (APAC) region.

Despite a cyber-espionage cessation agreement with the Americans, a 2015 FireEye Threat Research article details how China has consistently conducted long-term CNEs against South East Asia, dating back to 2004 and in alignment with ongoing geopolitical operations.

As the Chinese phrase states, ‘—a single timber cannot prop up an entire building (獨木難支)’. For South East Asia to continue incentivizing foreign investment, it must ensure a secure and balanced technological backbone across the region. To understand how to rebalance South East Asia’s regional cybersecurity, this article addresses the existing landscape and its geopolitical importance to either maintaining, or changing, the international status quo. In closing, the article concludes by examining initiatives and solutions supporting cybersecurity rebalancing.

Lay of the Land

Comprised of 11 nations bridging eastern India to Japan, the South East Asian tropical archipelago is divided between landlocked (Burma, Thailand, Laos, Cambodia and Vietnam), and island (Malaysia, Singapore, Indonesia, the Philippines, Brunei Darussalam, and East Timor) zones. The region is highly dependent on international trade which contributes to its collective Gross Domestic Product (GDP) of US$2.4 trillion, and an annual growth rate of 5%. IHS-Markit suggests that based on this trajectory, the collective region will surpass the trillion-dollar mark by 2030.

Currently, cyber integrated systems can be easily found in the financial, production, and energy sectors. Some of these systems include financial technologies, infrastructure control systems, inter-platform communication systems, and dense databases. However, less cyber-mature nations might still be suffering from undetected threats, existing legacy systems, and decreased levels of awareness amongst domestic businesses. Contextualised against the broader security landscape, bolstering the region’s cybersecurity will be instrumental towards ensuring infrastructure functionality, economic stability, and protection from various threat actors from political or criminal lineages.

Cybersecurity Landscape

In the Internet-of-Things, cyber threats can appear in various platforms and are open to a host of different strategies for advanced computer network exploitations (CNEs). Today, cybersecurity emergency response teams (CERTs) in S.E. Asia are facing advanced persistent malware, including utilizing social engineering to manipulate victims into downloading the malware as executable files (.exe), often through emails with embedded hyperlinks—more commonly known as phishing/spear-phishing.

According to a 2017 Microsoft Security Intelligence Report (Vol 21), the most common malware includes: i) Gamarue, a computer worm designed to allow system takeover and subsequent data exfiltration, ii) Lodbak, a Trojan mainly utilized as a means of payload delivery and violation of network air-gaps, and iii) Dynamer, another Trojan which can exfiltrate personal data and support follow-on CNEs or remote access. While understanding the threats themselves remain crucial towards developing tailored technical solutions, such security avenues require advanced computer skills and are not readily understood by the average policymakers.

Conventional security-studies teaches us the importance of reverse engineering the aftermath of the attack to obtain actionable intelligence. According to a simplified 2016 analysis by Control Risks, and corroborating intelligence from publicized cyber incidents within the region, most CNEs target hardware vulnerabilities to access governmental, financial, telecommunication and engineering platforms. These are big problems for cyber dependent states like Singapore who, often ‘tops the lists of countries with innovative IT initiates [and] have transferred several of its [governmental] services online’ or undertaken ‘an open data initiative… with nearly 9,000 datasets available in open format’—according to a 2015 Gartner press release estimating a regional IT spending to hit $62 billion by 2018.

East Winds

With businesses design strategies aligned with geopolitical maneuvers, governments are closely monitoring and manipulating economic investments as political tactics. Despite increased levels of cyber crimes within the region, the motivations behind these acts provide valuable intelligence as to how South East Asian cybersecurity strategies will be shaped. John Nugent argued that a key cybersecurity trend of 2016 is the influence of geopolitics in the development of deterrence strategies, and is highly reflective in the case of state-sponsored cyber operations in South East Asia.

Despite the threats to cyber wellbeing imposed by cyber criminality, nations must also manage state-sponsored cyber operations. As more national infrastructures and sponsored businesses go online, the ubiquitous nature of cyberspace has been consistently exploited by cyber-espionage (i.e. ICEFOG) or system-sabotage (i.e. STUXNET) by state entities. Within the context of South East Asia, state-attributive cyber attacks are frequently traced to the People’s Republic of China (PRC), and perhaps to the People’s Liberation Army Strategic Support Force (PLASSF) formed in December 2015.

Despite a cyber-espionage cessation agreement with the Americans, a 2015 FireEye Threat Research article details how China has consistently conducted long-term CNEs against South East Asia, dating back to 2004 and in alignment with ongoing geopolitical operations. With recent maritime territorial disputes over lawful claims of the South China Sea, researcher Pierluigi Paganini has identified a sequence of CNEs between China and the Philippines. Ending with the arbitration court’s 2016 ruling in favor of the Philippines, Finnish cybersecurity firm F-Secure later identified a CNE of Chinese origin dating back to 2014. They subsequently published a white paper detailing the NanHaiShu malware, which targeted governmental and private institutions (i.e. Philippines Department of Justice).

Considering transitionary power struggles between China and the United States, the international status-quo is changing. Cyberspace is the perfect hybrid tool, providing China with the seemingly borderless environment to support its legitimate economic expansions and illegitimate proxy powered conquests.

Rebalancing the Future

As indicated in the ASPI Cyber Maturity report and other professional assessments, a majority of South East Asian states still lack efficient cybersecurity measures—both in terms of policy and capability. Despite the existence of advanced tools (i.e. DeepInstinct), cybersecurity  remains a security-as-a-service (SaaS) solution, and requires integration into national security policies or tactics.

One such manual for weaker states seeking to protect their cyber sovereignty through lawfare strategies is the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, February 2017). Drafted by an international group of experts led by the NATO Cooperative Cyber Defense Centre of Excellence, the advisory publication covers a much broader scope of cyber operations than its predecessor, including state-sponsored cyber warfare (i.e. the DNC Hack) to activities constituting the majority of contemporary cyber-attacks (i.e. Dyn DDoS Attack).

Despite progressive improvements in regional national cybersecurity initiatives, South East Asian states still require advanced skills, adaptive security policies, and effective civil-education. Singapore has begun embarking on this, as per the October 2016 announcement of the ASEAN Cyber Capacity Program, spearheaded by Singapore’s Cyber Security Agency and to be launched in April 2017.

The Southeast Asian region is changing, becoming more technologically advanced and dependent. For regional protection against increasingly advanced CNEs from criminal and state actors, countries must bolster their technological and cyber policy backbones. While the process remains arduously long, the ASEAN community has recognized the need to rebalance cybersecurity capabilities through multilateral cooperation. Together they can strengthen the region against malicious threats by state and non-state actors.

Cheng Lai Ki is a freelance intelligence researcher with a Master’s in Intelligence & International Security from King’s College London and a Bachelor’s in Criminology from the University of Leicester. Formerly the Managing Editor for Strife Blog and Journal, he has been published in academic and commercial sectors in areas of security studies, cybersecurity, intelligence, regional politics and warfare. Image Credit: CC by Conew/Wikimedia Commons.