A

s Singapore hands over its ASEAN chairmanship to Thailand, experts are calling on member states to maintain their commitment to cybersecurity by establishing norms and focusing on capacity building amid a rise in online attacks targeting the region.

Sithuraj Ponraj, director of the international cyber policy office at the Singapore Cyber Security Agency, said having a cybersecurity norm would mean the international community agreed on what should be done, and what should not be done.

“When we can agree on how we behave, it fosters predictability and stability in cyberspace. Once [an attack] happens we know that we can trust each other to behave in a certain way,” he said during a book launch on cybersecurity in Southeast Asia at the Centre for Strategic and International Studies (CSIS).

Sithuraj said building awareness and increasing the capacity of policymakers outside of the technical community were some of the important building blocks toward the adoption of cyber norms in ASEAN.

“Capacity building is not just for people with technical expertise, we need to build capacity and develop experts in the region who understand these issues and may go to international forums to explain the ASEAN perspective,” he said.

Singapore fell victim to a cyber attack on its healthcare system that compromised the data of 1.5 million people in July 2018.

The push to focus on cybersecurity in ASEAN gained renewed momentum under Singapore’s chairmanship last year as the issue became one of its main priorities.

Most recently, the city-state was tasked with drawing up a formal ASEAN cybersecurity mechanism to discuss cyber diplomacy, policy and operational issues.

CSIS researcher Fitriani said there was still a lack of awareness about what needed to be done in terms of increasing cyberspace stability, safety and security.

“Cybersecurity should not be an elitist topic, it should always include not only the tech community […] but also lawmakers and civil servants as well as civil society, which can increase people’s awareness of their rights to the internet,” she said in her presentation.

The ASEAN Ministerial Conference on Cybersecurity, the interim platform for regional security discussions, also agreed to subscribe in-principle to 11 voluntary norms recommended in the 2015 Report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

However, Riefqi Muna of the Indonesian Institute of Sciences pointed out that for countries to commit to norms, a multilateral push was not always necessary, whether it be from the UN or ASEAN, rather it was a country’s own awareness of cyber issues that mattered.

He said Indonesia, for example, had, among other things established its own cyber agency in 2018 and the Defense Ministry had issued a guideline on cyber security in 2014. “So there are some initial institutionalization of regulations,” he said.

In addition to establishing norms among governments, it is also necessary for ASEAN to engage the private sector.

Chief representative and head of public policy for Twitter Indonesia Agung Yudha said the different characteristics of each ASEAN member state was one of the main challenges for promoting international cyber norms at the international level.

Meanwhile, airline ticketing and hotel booking service Traveloka legal counsel Ardhanti Nurwidya said her company had been trying to educate users and find the balance between data protection and good user experience.

“Many users requested to have their data removed without knowing the consequences, […] they cannot login to our system anymore and must make a new account. [This is because] they only know about developments in personal data from articles and news reports that don’t explain the consequences,” she said.