News of cyber attacks and personal data breaches frequently makes headlines nowadays, particularly in Asia Pacific*, and every time a new incident happens, it deals a blow to the trust of some users. Since cyber threats are grave and growing, society must understand how policymakers are addressing cybersecurity concerns, and what can be done to strengthen trust.
A United Nations agency recently launched a tool to do exactly that. Against the backdrop of increasingly complex cybersecurity policies around the world, the portal aims to “enhance informed participation in key policy processes by all relevant stakeholders”, thus facilitating information sharing, capacity building, and trust and cooperation in cyberspace. We spent some time with it to evaluate the state of cybersecurity in the Asia Pacific and to highlight the importance of the issue.
The Cyber Policy Portal, released this month by the United Nations Institute for Disarmament Research (UNIDIR), maps the global cybersecurity capability landscape, covering all 193 of the UN Member economies, 13 intergovernmental organizations, including the Association of Southeast Asian Nations (ASEAN), and a number of multilateral frameworks.
The interactive map draws from public information and, where applicable, carries links to original documents. Systematically, it answers some of the salient questions about an economy’s cybersecurity capabilities: What policies are in place? Are they supported by any strategy documents or implementation frameworks? What is the agency responsible for cybersecurity? Is there a national Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT)? What laws are there? And, finally, is it part of any international cooperation?
It is encouraging to notice from the portal that most economies in the Asia Pacific have adopted national cybersecurity strategies. Some economies, notably Australia, Indonesia, Japan, Malaysia, the Philippines, Singapore, Sri Lanka, and Thailand have detailed and up-to-date cybersecurity strategies in place, often backed up by legal and operational frameworks, and dedicated agencies that address critical infrastructure protection requirements and emergency response. Others, including Lao PDR, Myanmar, and Pakistan, have general information and communication technology (ICT) master plans that cover aspects of cybersecurity.
Since cybersecurity is a threat that cuts across many domains, there is a clear need for a strategy that sets out an economy’s vision, goals and priorities in ensuring that public and private entities and individuals are equipped to respond to the cybersecurity challenges of an ever more connected world. It also raises awareness and facilitates partnerships for a resilient and trusted Internet.
Another positive finding is that almost all APAC economies — with the exceptions of island economies including Fiji, the Solomon Islands, and Tuvalu — have in place national CERTs or CSIRTs, which play a crucial role in incident reporting and response, thus improving cyber resilience. Like a fire department, the bodies are set up to manage critical events that threaten the availability and integrity of key information networks and systems.
The Asia Pacific region’s strength and consistency in the establishment of CERTs and CSIRTs reflects its relatively high level of cybersecurity awareness. It is no coincidence that cybersecurity has been the top concern for Internet users in Asia Pacific in the past two years, according to the Internet Society Survey on Policy Issues, done yearly by the Internet Society’s APAC Bureau. The region’s other pressing concerns include access, data protection, privacy, and Internet of Things (IoT). The Online Trust Alliance (OTA), an Internet Society initiative, has released the IoT Trust Framework, a strategic set of 30 foundational principles providing guidance for developers, device manufacturers, and service providers to help enhance the privacy, security, and lifecycle of their products.
But the UN portal sheds light on only part of what is necessary in the management of cyber risks. In fact, no single policy, strategy, or legislation can secure cyberspace by itself; the collaborative approach that helped to drive the growth of the Internet and allows it to thrive is essential for effective cybersecurity. This means participation not only by policymakers and a few big companies, but also security practitioners and developers, protocol developers, network operators, civil society groups, and researchers.
Moreover, it should be noted that when policies are indeed deemed necessary, it is important that they are flexible enough to evolve over time. It is clear the technology is going to change, and so the solutions should be responsive to new challenges.
Beyond the multilateral frameworks the portal covers, there is also an essential need to foster international collaboration, such as the Paris Call for Trust and Security in Cyberspace, one of many cross-border efforts.
In addition, amid an ever-shifting threat landscape, education and awareness programs are also vital to ensure governments and organizations of all sizes, as well as consumers, take the right steps to secure their own systems. Many Asia Pacific economies, including Singapore and Australia, have dedicated considerable resources to cybersecurity education, including innovative awareness campaigns aimed at the general public, but this is far from the norm.
*The Asia Pacific region accounted for 35.9% of the global number of cybersecurity events in the first half of 2018, the highest in the world according to findings by digital security company Gemalto, as reported by CIO Asia. Gemalto said the region was subject to 27.2% of compromised records worldwide in the period. However, the actual figures could be much higher since most economies in Southeast Asia did not require compulsory reporting of data breaches.
Adapted from the original article, which appeared on the Internet Society Blog.
Adrian Wan is Outreach Manager, Asia-Pacific at the Internet Society.