Against the backdrop of the standoff between China and the Philippines in the South China Sea, the second Special Australia-ASEAN Summit offered leaders from Australia and Southeast Asia the opportunity to speak candidly about the implications of strategic competition on national security. Yet, amidst these discussions, an important subject remained under-discussed: cybersecurity.
Australia did sign cybersecurity agreements with the Philippines and Malaysia, focused similarly on improving cyber resilience and bolstering cooperation in the digital economy. But the Melbourne Declaration, released jointly by the leaders after the summit, offers no mention of cybersecurity—beyond noting that Australia is co-chairing the ADMM-Plus Expert Working Group on Cybersecurity with Cambodia from 2024-2027. While some states were interested in talking cyber, it is evident that there was little interest at the regional level in covering the issue. This is a missed opportunity to show solidarity and strength at a time when strategic competition is making stability in cyberspace more uncertain.
For over a decade, the cyber ecosystem in Southeast Asia has become increasingly mired in uncertainty, with the region characterised by the rapid growth in the number of militaries developing cyber capabilities, proliferation of cyber mercenaries, and the growing scale and intensity of state-sponsored cyber operations.
Countries—particularly China and North Korea—have employed sophisticated cyber campaigns to compromise computer systems and networks across the region. While around 3.6% of all cyber-espionage operations globally affected Southeast Asian entities in 2014, cases quadrupled by 2020. Cyber operations often accompany geopolitical incidents, as in the collisions between China and the Philippines in the South China Sea, when we see increasing spikes in China-sponsored information operations campaigns, cyber-espionage, website defacements, and spoofing.
And not just military and government installations are targeted. Private entities are, too. Energy companies, universities focused on maritime research, and even financial institutions have all been targeted in the past, with many losing valuable, sensitive business information or suffering crippling ransomware or distributed denial-of-service attacks.
Southeast Asian states have become increasingly conscious of the cyber-attacks in their environment. While there is variation in cyber maturity, the past eight years have seen governments across the region lay the institutional and legal foundations for cyber governance, incident response, and defence. However, the range and complexity of threats emanating from cyberspace will likely worsen, especially as Southeast Asian governments continue to look at digital transformation to bolster economic growth and address economic and social ills.
ASEAN member-states and Australia need to elevate cybersecurity as a central topic of regional discussion. For Australia, supporting a cyber-resilient Southeast Asia is a key goal of its 2023-2030 cybersecurity strategy. Australia’s security and prosperity are closely linked to Southeast Asia. Given mutual aspirations to further bolster digital transactions and improve cooperation in the high-tech sector, Australian innovation and businesses are likely to become even more vulnerable to cyber incidents in the region. A cybersecure Southeast Asia would, thus, also help protect Australia from cyber-enabled attacks, especially since its companies, universities, and general public are becoming bigger targets of economic cyber-espionage operations and information operations campaigns.
Indeed, much has already been done, with the Australian government setting aside millions of dollars to provide cyber capacity-building support to Southeast Asian officials and even students. There are also existing mechanisms for engagement with Southeast Asia in the digital domain. At the regional level, there are the biennial ASEAN-Australia Cyber Policy Dialogues. Australia also maintains unique bilateral cyber engagements with Indonesia, Malaysia, Philippines, Singapore, and Thailand.
Some will argue that these actions speak louder than words. But given the clear importance of cyber to the region, it should have been a priority topic, with sustained leadership required to ensure existing efforts are further elevated and broadened so that cybersecurity remains a strong pillar of Australia’s engagement with Southeast Asia. In this regard, the announcement of a new ASEAN-Australia Centre in Canberra is a positive sign of a commitment to strengthening the relationship but, over time, it will only be effective if it covers not only vital economic matters but also our shared security challenges, notwithstanding the region’s sensitivity to such discussions. Hiding from the reality of the challenges Australia and ASEAN face is not the recipe for long-term stability. Furthermore, maintaining the status quo on cyber ultimately risks past efforts floundering and losing impact.
As part of the process of strengthening the relationship in a meaningful way, Australia must work with ASEAN member-states to ensure that the rule of law exists not only in the kinetic realm but also in the cyber domain. ASEAN stands as the only regional organisation to embrace the UN’s 11 norms of responsible state behaviour in cyberspace. But it’s vital to ensure that the conversation doesn’t end there. There needs to be more collaboration both at the government and the expert level to identify means to operationalise these norms within Australia and ASEAN, and beyond. ASEAN’s Plus mechanism (which includes countries like China, India, Japan, and the US) would present such an opportunity. At the moment, we see experts working with the ASEAN secretariat to identify how to operationalise these norms. But future efforts must involve governments, working in tandem with experts from ASEAN member-states and their dialogue partners, advocating the application of these norms internationally, particularly in forums like the East Asia Summit.
Australia should also attempt to incorporate itself deeper into regional discussions on digital development, such as the ASEAN Digital Ministers’ Meeting (ADGMIN). Australia is one of the few ASEAN dialogue partners that is not a specific dialogue and development partner of the meetings. Not only has Australia’s absence meant that its contributions to cyber capacity-building are awkwardly omitted from joint statements, but the participation of the cyber ambassador or the assistant minister of Foreign Affairs (a frequent participant of cyber meetings) would allow Australia to convey just how seriously it takes Southeast Asia’s digital future and cybersecurity.
Furthermore, as more Southeast Asian militaries develop cyber capabilities, it’s also fundamental that Australia and ASEAN kick off discussions over what it means to behave responsibly in cyberspace. Given that Australia is co-chairing the ADMM-Plus Expert Working Group on Cybersecurity from 2024-2027, it is uniquely placed to advocate for responsible ICT use.
Beyond that, involving not just government but also industry, civil society, and the expert community, Australia and ASEAN member states should consider establishing more permanent Track 1.5 dialogues to discuss how international law and norms can best be applied in cyberspace, and how states can best demonstrate that they are responsible actors in cyberspace. Such forums can cover how to operationalise UN norms, but also focus on how they are being applied now and build an evidence base of existing practice.
Existing expert forums on the subject are often ad hoc. Putting in place a more permanent forum that is perhaps attached to regional meetings on cyber, like the ADGMIN, could ensure clear engagement between government and important stakeholders. Fundamentally, from the government side, such dialogues should involve officials from not only the Department of Foreign Affairs and Trade and their Southeast Asian equivalents but also counterparts responsible for cyber defence and incident response.
Australia should intensify its bilateral cyber engagements as a means of supporting a cyber-resilient Southeast Asia. Working with some of the more cyber-mature countries of ASEAN (such as Singapore and Malaysia), as well as other countries in the region (like Japan and South Korea), Australia could pool resources for cyber capacity-building and establish a platform for cyber intelligence sharing. When working with development partners, it’s fundamental that there’s clear coordination to prevent repeated and wasteful provision of cyber capacity-building support.
A place to start could be the recently signed cyber resilience agreement with the Philippines, which faces considerable challenges from state-sponsored malign forces online. Helping the Philippines improve cybersecurity standards not only for its government and military but also for private entities would ensure the country remains resilient in the face of cyber-attacks, especially state-sponsored operations.
In ensuring a cyber-resilient Southeast Asia and Australia, politicians and policymakers must pay more attention to challenges from the cyber domain. At a time of deepening strategic competition, states are more likely to use all instruments of national power—including cyber—to secure key economic and strategic goals. This calls for more collaboration between the Indo-Pacific’s regional and middle powers to work towards a more secure cyberspace.