ASEAN Cybersecurity Policy and China-ASEAN Cooperation
Threats and vulnerabilities in the digital environment have brought extensive cybersecurity risks to all countries economic and social activities. Cybersecurity and digital security governance are important issues for ASEAN countries, and they are one of the common non-traditional security issues faced by China and ASEAN countries. ASEAN is one of the fastest-growing digital economic regions in the world; it has an important influence on regional cyberspace governance and plays an increasingly vital role in global cybersecurity issues. Moreover, ASEAN is a priority in Chinas neighborhood diplomacy and a key Belt and Road Initiative region. Strengthening cybersecurity cooperation between China and ASEAN helps safeguard each others cybersecurity interests but also promotes the building of a multilateral, democratic and transparent global digital governance system and a solid community of shared future in cyberspace.
The Perceptions and Policies of ASEAN Countries on Cybersecurity
The ASEAN countries understanding of cybersecurity evolved with the rapid Internet and digital economy development. In the face of increasingly complex cybersecurity threats, ASEAN countries have maintained a peaceful, secure and resilient regional cyberspace by strengthening regional cybersecurity cooperation mechanisms, promulgating cybersecurity legislation and other strategic measures. In addition, ASEAN countries actively work with other countries and international organizations to promote peaceful, safe and flexible regional cyberspace.
Cybersecurity threats facing ASEAN countries
The ASEAN region now has about 400 million Internet users, around 70 per cent of its population? With the booming digital economy, ASEAN countries face security threats from traditional technologies and more complex security challenges from new technologies such as 5G, artificial intelligence and quantum computing
Since the global outbreak of COVID-19, ASEAN countries have confronted a more complex cybersecurity situation. The average cost of a data breach in ASEAN in 2022 was $2.87 million, and cyber-attacks on critical infrastructure are becoming one of the fastest-growing forms of cybercrime? In 2020, the Philippines experienced a three-fold increase in cybercrime losses of up to $18.9 million. During the same period, Vietnam also suffered losses of over $1 billion due to computer viruses, with an average loss of $68.50 per computer user. In 2021, Singapore saw a 145% increase in cyber-attacks compared to the previous year, with an average of 1,123 organizations being attacked weekly; Vietnam recorded and warned of over 9,700 cyber-attacks that caused problems in information systems in 2021, a 42.4% increase from the previous year. According to the 2021 ASEAN Cyberthreat Assessment Report released by Interpol, the main cybersecurity threats faced by the ASEAN region include commercial email attacks, phishing, ransomware, e-commerce data interception, crimeware, cyber fraud, and crypto-jacking. In addition, cybersecurity threats and traditional security issues are intertwined. In particular, in the post-pandemic era and under the influence of the Ukraine crisis, cyberspace is increasingly being used for political and ideological purposes. Moreover, increased international polarization has hindered multilateralist governance in the cyber sphere. The ASEAN region has become the “main battlefield” in cyberspace rivalry among major powers, and the cybersecurity environment is becoming more complex.
ASEAN’s perceptions of cybersecurity
In the early days of the Internet age, ASEAN countries had different understandings of cybersecurity, and the initial cybersecurity policy of ASEAN was built on the concept of “protecting cyberspace by building a resilient national system through regional cooperation” and national cybersecurity capacity building was one of the main priorities. With the growing complexity of cybersecurity threats in the ASEAN region, ASEAN has generally recognized the importance of building a peaceful, secure and resilient regional cyberspace to promote economic progress in the region, enhance intra-regional connectivity and improve the well-being of its people.7 ASEAN has different perceptions of cybersecurity from the perspectives of various ASEAN communities. The political security community seeks to strengthen cooperation in lawmaking and governance capacity building. The economic community discusses cybersecurity from the viewpoint of cyberinfrastructure and information protection. The socio-culture community considers cybersecurity from the perspective of promoting digital literacy and reducing the harmful effects of misinformation in promoting healthy cyberspace.
Emerging new security threats, such as the potential disruptions of new digital technologies and rising geopolitical tensions, have significantly impacted ASEANs digital economy and digital transformation, ASEAN countries know that cybersecurity threats have expanded from traditional fields affecting information, education, and health care to many other areas of the economy and society. Cybersecurity is not limited to data sharing, personal information protection & cross-border data flow safety; cybersecurity issues have permeated into different domains of digital transformation and security governance. At the same time, the growing interconnection of ASEAN countries has exacerbated systemic cybersecurity risks. In particular the rapid upgrades of technologies such as cloud computing and the Internet of Things have made it more difficult for countries to deal with cybersecurity threats. The complexity of new emerging cybersecurity threats in the digital economy has exceeded ASEANs earlier understanding and capabilities to deal with it.
ASEAN countries must accelerate the formulation of cybersecurity strategies to ensure cyberspace safety and stability; thus improving the digital ecosystems resiliency; The strategies must be anchored on the development realities of each member state. They should develop expertise in burgeoning technologies such as 5G, quantum computing, artificial intelligence and edge computing, constantly improve cyberspace policies and governance systems, and participate in formulating international norms and standards on cybersecurity. Moreover, ASEAN countries should strengthen coordination on regional cyber policies, step up personnel training, and carry out international cooperation in cyber strategy, technology and capacity building to effectively bridge the “‘cybersecurity governance gap.”
ASEAN’s response to cybersecurity threats
ASEAN countries understand the importance of cooperation to cope with the growing cybersecurity threats. They are increasingly aware of the importance of strengthening cooperation on security strategies, technical cooperation and capacity building* It is a national priority for member states to take coordinated actions to cope with the ever-expanding cybersecurity threats.
First, strengthen regional cybersecurity cooperation mechanism building, ASEAN aims to establish a unified coordination framework in cybersecurity as an important part of the ASEAN Political-Security Community Blueprint 2025, ASEAN Economic Community Blueprint 2025, e-ASEAN Framework Agreement, and ASEAN Framework on Digital Data Governance. ASEAN encourages member states to adopt consistent rules in data protection rules, localization, and cross-border data transfers. In 2003, the ASEAN Telecommunications and Information Technology Ministers Meeting and Related Meetings (TELMIN) spearheaded the ASEAN Cybersecurity Initiative. Subsequently, there have been more dialogue platforms and mechanisms on cybersecurity at various levels, such as the ASEAN Ministerial Meeting on Transnational Crime (AMMTC), the ASEAN Regional Forum (ARF), the ASEAN Defense Ministers5 Meeting Plus (ADMM-plus), the ASEAN Ministerial Conference on Cybersecurity (AMCC), and the ASEAN Digital Ministers Meeting (ADGMIN). ASEAN has also set up a Cybersecurity Coordination Committee and a Computer Emergency Response Team to strengthen inter-agency coordination on cybersecurity further. Following the ASEAN Cybersecurity Cooperation Strategy (2017-2020) issued in 2017, the ADGMIN launched the ASEAN Cybersecurity Cooperation Strategy (2021-2025) in 2021, which states that future efforts for cybersecurity protection will be focused on five aspects: cyber cooperation, regional cyber policy coordination, trust in cyberspace, regional capacity building and international cooperation. To further intensify cooperation among ASEAN countries, Singapore spearheaded the establishment of the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE) in 2021 to facilitate information sharing and capacity building among ASEAN defence agencies. At the same time, Southeast Asias first comprehensive cybersecurity testing centre was also set up in Singapore, providing detection, inspection and certification services to enterprises in the region.
Second, strengthen strategic measures in legislation, supervision, and technology. ASEAN has enhanced its cybersecurity governance capacity by formulating security strategies, policies and measures. It has introduced the ASEAN Data Management Framework (2021), the ASEAN Model Contractual Clauses for Cross Border Data Flows (2021), the ASEAN ICT Master Plan (2020), the Key Approaches for the ASEAN Cross Border Data Flow Mechanism, the ASEAN Framework on Digital Data Governance (2018), the ASEAN Framework on Personal Data Protection (2016). Moreover, ASEAN has identified unified data flows and technical standards to enhance overall cybersecurity protection capacity in the region. For example, Vietnam has published technical specification requirements for information terminals, base stations and 5G network service quality; Singapore has actively promoted applying zero-trust and other innovative technologies to move from border protection to zero-trust security; The cybersecurity law introduced by countries such as Singapore and Thailand provides the government and the private sector with regulations on cybersecurity technical standards and norms. Malaysia has developed a cybersecurity technical framework for relevant agencies, especially key information infrastructure sectors. Brunei, Singapore, Indonesia, Malaysia and other countries have set up special cybersecurity agencies responsible for monitoring, coordinating and responding to cybersecurity-related issues and threats. Malaysia, Singapore and Indonesia have also joined the Arrangement on the Recognition of Common Criteria Certificates in Information Technology Security(CCRA), encouraging enterprises to follow international security standards for product quality. To strengthen the building of a cybersecurity ecosystem, Singapore has launched the ”Innovation Cybersecurity Ecosystem at BLOCK 71 (ICE71)” after proposing the ASEAN Cyber Capacity Program (ACCP) in 2016.
Third, cooperate with other countries and international organizations on cybersecurity protection, ASEAN seeks to conduct dialogue and cooperation on cybersecurity through bilateral and multilateral platforms and dialogue mechanisms with the United States, Japan, Australia, China, India and other countries.
Documents were jointly released. Declarations such as the ASEAN-US Leaders5 Statement on Cybersecurity Cooperation, the ASEAN-EU Statement on Cybersecurity Cooperation, and the Co-Chairs’ Statement on the 1st ASEAN-China Cyber Dialogue were released to promote the building of a framework of multi-sectoral and multi-stakeholder partnership. In 2021, Singapore and the United States signed a Memorandum of Understanding on Cooperation in Cyberspace to extend and institutionalize cybersecurity cooperation to the military sector.
Carry out dialogues and exchanges. For example, ASEAN and the United States have launched the Digital Connectivity and Cybersecurity Partnership (DCCP), and conducted three consecutive ASEAN-US Cyber Policy Dialogues. In addition, the US provided cybersecurity and technology training to ASEAN through the US-ASEAN Connect. ASEAN and Japan have held 14 consecutive cyber policy meetings and conducted dialogues and exchanges through various mechanisms, such as the ASEAN-Japan Policy Conference on Information Security and the ASEAN-Japan Ministerial Policy Meeting on Cybersecurity Cooperation. In 2018, Australia launched a cyber policy dialogue with ASEAN and signed MOUs on cybersecurity cooperation with Singapore and Indonesia. The first ASEAN-India Cyber Dialogue was held in 2019, focusing on regional data governance, cyber norms and cybersecurity trends.
Cooperation was conducted in professional areas of cybersecurity. For example, ASEAN and Japan have established the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) to carry out the Tokyo-tech Supercomputer and Ubiquitously Accessible Mass-storage Environment (TSUBAME).9 Indonesia, Malaysia, and the Philippines have strengthened cooperation with the US in cybersecurity and information infrastructure, including the agreement signed between Indonesia and the US to strengthen the fight against transnational cybercrimes, the agreement reached between India has launched Centers of Excellence for Software Development and Training (CESDTs) in Cambodia, Laos, Myanmar and Vietnam to strengthen digital cooperation. At the same time, China has promoted practical cooperation with ASEAN in training, joint emergency exercises and forum exchanges.
Regarding cooperation with international organizations, ASEAN is the first regional organization to sign the 11 items of voluntary, non-binding norms of Responsible State Conduct in cyberspace under the UN auspices. In 2019, the United Nations Counter-Terrorism Office implemented the Southeast Asia Cybersecurity Initiative to offer training workshops for countries like Thailand, Brunei, the Philippines and Laos. In addition, ASEAN has been strengthening cooperation with other regional organizations in cybersecurity; For example, the EU has actively engaged in dialogue with ASEAN through the Asia-Europe Meeting (ASEM) to provide ASEAN with experience in the collective defence of cybersecurity; In 2019, ASEAN and the EU issued the ASEAN-EU Statement on Cybersecurity Cooperation to exchange best practices and responsible behavior in cyberspace. The EU and ASEAN jointly launched the Cybersecurity Awareness and Knowledge Systemic High-level Application (YAKSHA) project based on the cooperation statement.
Current Situation and Potential of China-ASEAN Cybersecurity Cooperation
China and ASEAN have broad common interests in cybersecurity cooperation. With the accelerated implementation of a series of projects, such as the Initiative on Building China-ASEAN Partnership on Digital Economy, and the Action Plan on Implementing the China-ASEAN Partnership on Digital Economy Cooperation (2021-2025), cybersecurity has become one of the priorities in China-ASEAN cooperation. In recent years, cooperation between China and ASEAN in fighting cybercrimes, protecting data security, building digital infrastructure and governing cyberspace security has been expanded and deepened.
Cybersecurity cooperation is deepening
Under multilateral and bilateral mechanisms such as “10+1,” China and ASEAN have conducted dialogue and cooperation on cybersecurity in key areas, including infrastructure construction, technical cooperation, economic and trade services and information sharing. Cooperation frameworks at different levels and subjects have been formed between China and different ASEAN countries, enterprises, and research institutions and between Chinese local governments and ASEAN counterparts, Tb jointly respond to cybersecurity threats, enhance mutual trust, and jointly build a peaceful, secure, open and cooperative cyberspace, the two sides discussed and reached a consensus on cybercrimes and other security issues in the 2002 China-ASEAN Declaration on Cooperation on Non-traditional Security Issues. In 2009, the signing of the China-ASEAN Telecommunication Regulatory Council Cooperation Framework on Cybersecurity marked the launch of cooperation between the two sides in cybersecurity. In 2013, China and ASEAN reached the China-ASEAN Mutual Recognition of Electronic Signature Certificates, which provides cross-border e-commerce operators with security services such as identity authentication, behavior tracking and responsibility identification to ensure the security of online economic activities. China has also signed memorandums on cybersecurity with Cambodia and Indonesia, respectively; In 2013, China held its first cybersecurity seminar under ARF cooperation mechanism. In 2018, the ASEAN Regional Forum Foreign Ministerial Meeting adopted a China-proposed initiative to raise awareness and share information on cybersecurity emergency response. In 2019, China, Singapore and Cambodia co-hosted the ARF Seminar on Awareness Raising and Information Sharing on Cybersecurity Emergency Response. In addition, Chinese local governments are actively working with ASEAN countries to develop the cybersecurity industry; they are setting up cybersecurity-related innovation pilot zones and innovation alliances.
China and ASEAN are working together to meet the new challenges posed by cybersecurity through new cooperation mechanisms» In 2020, China and ASEAN established the China-ASEAN Dialogue Mechanism on Cyber Affairs. In December of the same year, China and ASEAN issued the Co-Chairs Statement of the 1st Round of China-ASEAN Dialogue on Cyber Affairs to discuss the overall situation in cyberspace, respective policies and mechanism building, global governance and rules development, and regional capacity building cooperation. In January 2022, ADGMIN released the Draft Strategy for Cooperation on Cybersecurity (2021-2025) and identified Cambodia and Singapore to work with China to raise awareness, know-how and share information on how communication systems related to securitychallenges. ADGMIN also supported Vietnam and China in setting up training courses on communication technology to combat crimes. In 2020, China put forward the Global Data Security Initiative, which has also received positive responses from ASEAN countries. In addition, China has further strengthened cooperation with ASEAN countries in combating cybercrimes, developing the security industry, cyber counter-terrorism and protecting critical information infrastructure through such sub-regional cooperation mechanisms as Lancang-Mekong Sub-region Cooperation, Greater Mekong Sub-region Cooperation, China-Indochina Peninsula Economic Corridor and Pan-Beibu Gulf Economic Cooperation. China has further strengthened cooperation with ASEAN countries in combating cybercrimes, developing the security industry; cyber counter-terrorism and protecting critical information infrastructure.
Enterprises are also an important force in promoting bilateral cybersecurity cooperation. In 2017, Huawei and Malaysias Cybersecurity Ministry (CSM) signed an MOU to work together on cybersecurity; Huawei will support local players in the cybersecurity industry through the Cybersecurity Cooperation Partner (CCP) program12. Huawei has also worked with Malaysias CSM and other agencies to set up Southeast Asias first 5G network security testing laboratory and signed MOUs on cybersecurity cooperation with Thailands Ministry of Digital Economy and Society and National Cybersecurity Agency; In 2019, Chinas Qi’anxin Group and Indonesias AG Group jointly built a threat detection infrastructure platform, the first large-scale cybersecurity infrastructure project undertaken by a Chinese enterprise overseas.
Chinese industry associations and research institutes have initiated exchange programs and cyber-related emergency exercises with ASEAN countries to strengthen cybersecurity capacity building together. In 2014, cybersecurity was on the program of the China-ASEAN Expo for the first time. The two sides have held 13 seminars on China-ASEAN Cybersecurity Emergency Response Capacity Building and conducted cybersecurity exchange training and joint emergency exercises based on the China-ASEAN Information Harbor. Since 2017, China has visited Cambodia, Laos, Myanmar, Indonesia and Malaysia to conduct field training on cybersecurity emergency response for local cybersecurity emergency response organizations and cybersecurity agencies practitioners. China National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) conducted network security training with the Vietnam Cybersecurity Emergency Response Teams/Coordination Center (VNCERT/ CC) through the online form. In addition, China has established the China-ASEAN cybersecurity Exchange and Training Center to Institutionalize personnel training and exchanges.
Many opportunities for cybersecurity cooperation
First, China and ASEAN have common interests in preventing cybersecurity risks. With the advent of the digital age, cybersecurity has become a global challenge, and safeguarding it has become a shared responsibility of the international community; With the new technologies, such as artificial intelligence, cloud computing, blockchain and quantum computing, continually evolving, risk prevention of cybersecurity extends from traditional Internet to emerging fields like critical infrastructure, industrial Internet and smart cities, and cybersecurity threats in all fields are constantly escalating. The uncertainty and complexity caused by new technology implementation and governance structure change have become the most prominent new features in the current cybersecurity environment. The expanding use of digital technologies brought about by the COVID-19 outbreak has further created an urgent need for cybersecurity cooperation. At the same time, China and ASEAN are also major victims of cybersecurity risks and face severe cybersecurity threats. Both sides must build a secure and resilient cyberspace and work together on transnational problems such as cyber terrorism, crime and fraud- China and ASEAN can jointly make cyberspace more resilient and secure to promote an open, secure and peaceful cybersecurity environment in the region.
Second, the two sides share an interest in strengthening cybersecurity capabilities and promoting digital economy growth. The digital economy is a new cooperation engine between China and ASEAN countries, ASEAN is in the initial rapid growth phase of the digital economy; At the same time, China has become a major force in the digital economy. The Chinese digital economy experience complements the need of ASEAN in this phase of its digital economy development. Based on their respective comparative advantages, China and ASEAN have strengthened policy exchanges and communication and have innovated cooperation mechanisms. The Digital Silk Road, as one of the new cooperation mechanisms, has unlocked new potential for further practical cooperation between China and ASEAN in various fields and also provided new exploration for building a China-ASEAN community of shared future in cyberspace. According to statistics, from 2016 to 2021, Chinas digital economy grew at an average annual rate of over 17%, while ASEANs was over 34%. It is estimated that by 2025, the combined digital economy of China and ASEAN will reach USD 9.58 trillion, demonstrating broad space for cooperation. The growing digital economic ties between China and ASEAN countries mean that cooperation between the two sides will face a wider range of security threats, such as hacker attacks, online fake news, information leaks and supply chain disruptions. The cybersecurity challenges have become a key issue in both sides’ sustainable and healthy development of their digital economy; Therefore, it is imperative to strengthen security cooperation to ensure the healthy development of the digital economy, digital transformation and national security of China and the ASEAN countries.
Finally, the two sides shared common ideas on developing cybersecurity standards and dismantling digital hegemony; There are three modes of cybersecurity standards: Chinese, American, and European. To safeguard their interests and occupy a favorable position in the competition of the digital economy, China, America and Europe all attach great importance to developing cybersecurity standards and promoting the internationalization of their national cybersecurity standards. The US has agreed in principle with the EU on cross-border data flows and will use the Indo-Pacific Cooperation Framework to push its cross-border data governance propositions. However, the American proposals run counter to the interests of developing countries, so they will adversely afïect the digital economic interests of data-rich countries such as Indonesia, Vietnam, the Philippines and Thailand. At the same time, the United States has proposed the establishment of “The Alliance for the Future of the Internet” to impose rules for Internet access and exclusion based on American standards. Transplanting American standards is an extension of the hegemonism centred on maximizing the interests of the United States in cyberspace, which runs counter to the fundamental interests of the vast majority of countries in the world, especially developing countries. Instead, China stands for improving the mechanism of dialogue and consultation in cyberspace; the country pushes for developing international rules accepted by all parties in cyberspace, properly handling conflicts and respecting each others sovereignty in cyberspace. Chinas proposals and plans are more in line with the interests of ASEAN countries and have been widely welcomed.
Major Challenges Facing China-ASEAN Cybersecurity Cooperation
Although there is great potential and much progress thus far in the cooperation between China and ASEAN in cybersecurity; there are factors like the uneven investment and governance capacity of ASEAN countries in cybersecurity, the complexity and uncertainty in implementing cooperation brought by the diverse cooperation mechanisms and modes, the emergence of new digital technology and the interference of external forces have increased the cooperation challenges between China and ASEAN.
Insufficient investment in resource factors is constraining the quality of cooperation
ASEANs relatively serious “digital divide” hinders the collective action capacity of China and ASEAN countries to respond to cybersecurity threats. Despite Chinas rapidly developing cybersecurity industry, overall spending has not yet reached 100 billion yuan. IT cybersecurity spending accounts for only 1.84% of the IT market, far lower than the global average of 3.74%, and it reflects underinvestment in cybersecurity.14 The number of secure Internet servers per million people in ASEAN countries is increasing yearly; but the number varies greatly among countries. For example, in 2020, the number of secure Internet servers per million population in Singapore was 128,378, while in Myanmar, it is only 14. Although all ASEAN member states have set up computer emergency response teams, their efficiency depends on individual countries5 resource mobilization capacity and input intensity; Meanwhile, the lack of a unified implementation framework also leads to limited investment.
Among the five functions of cybersecurity defence, i.e. ”identification, protection, detection, response and recovery” proposed by the National Institute of Standards and Technology (NIST) of the United States, enterprises in Southeast Asia focus on identification, protection and detection functions, and little attention on awareness and investment in response and recovery functions.According to A.T Kearney, ASEAN needs to invest about $171 billion in cybersecurity between 2017 and 2025; otherwise, the top 1,000 companies in the region could lose about $750 billion from cyber-attacks ASEAN countries spent $1.9 billion on cybersecurity in 2017, just 0.06 per cent of their combined GDP and less than half the global average of 0.13 per cent.
The shortfall in cybersecurity capacity building affects the effectiveness of cooperation
Although the cybersecurity capabilities of ASEAN countries have improved in recent years, they are still at a low level overall. Informal institutional arrangements at the official level of ASEAN dominate ASEAN cyberspace governance cooperation. ASEAN mainly adopts relatively loose and flexible institutional forms such as statements, declarations, master plans and action plans, which lack binding force and enforcement power. 18 According to the Global Cybersecurity Index 2020 released by the International Telecommunication Union, apart from Singapore and Malaysia, which are among the top 20 countries in preventing global cyberattacks, other ASEAN countries such as Laos, Cambodia and Myanmar have insufficient cyber security capabilities.
New technologies, such as 5G networks, quantum computing and artificial intelligence, are giving rise to new threats. In particular, the rapid development of cryptography, cloud computing, virtual currency and the Internet of Things has brought new security design flaws and vulnerabilities, adding complexity to the monitoring and response of cybersecurity incidents. In addition, the access to massive, intelligent terminal equipment and the heterogeneity of technical architecture have further increased the difficulty and complexity of security management. The response-ability and efficiency of China and ASEAN countries in cybersecurity-related policies and countermeasures lag behind technological development, ASEAN countries have adopted different approaches to deal with security issues like data privacy and cybercrime, and their technical standards are diverse. The absence of a unified technical governance framework makes it more difficult to manage cyberspace. At the same time, China and ASEAN lack professionals to deal effectively with cybersecurity threats. Chinas cybersecurity talent gap reached 1.4 million in 2021 and is expected to widen to 3 million in 2027. Singapore faces a shortage of 3,400 cybersecurity talents in 2020. A Fortinet survey found that 91% of Thai entrepreneurs believe it is difficult to retain cybersecurity talents.
Diversified modes of cooperation increase uncertainties in cooperation
ASEAN countries have different preferences in the code of conduct and development path of cybersecurity; For example, regarding codes of conduct, countries like Singapore and Malaysia tend to push local cybersecurity industry development by promoting cybersecurity norms for Internet behavior. In contrast, other countries, such as Laos and Cambodia, want to promote cybersecurity by protecting physical infrastructure and developing regulatory frameworks.
ASEAN countries dififer not only in the code of conduct on cybersecurity but also in the development path of cybersecurity; Regarding cybersecurity governance approaches, there are several models, such as the Budapest Cybercrime Convention and the International Code of Conduct for Information Security; The former focuses on threats arising from activities that harm the confidentiality; integrity and availability of computer data and systems, while the latter emphasizes the sovereignty and national security issues of ICT products and services. China is inclined to cooperate with ASEAN countries under the International Code of Conduct for Information Security; However, ASEAN countries generally choose the cybersecurity paths and modes based on their domestic national cybersecurity foundation and status quo.
In cybersecurity policy, although ASEAN requires its member states to be consistent with ASEANs decisions in philosophy and actions, the lack of coordination and compliance mechanism for the implementation of decisions in ASEAN leads to decisions made at the regional level depends on the effective implementation and supervision policies of member states at the national level. In addition, enterprises are an important vehicle for driving bilateral cooperation. Though some countries have shown a very positive attitude towards cooperation at the national level, domestic enterprises may choose different partners based on their own interests and market demands. All these factors increase the uncertainty of China-ASEAN cybersecurity cooperation. Such uncertainty raises the cost of cooperation between the two sides. It is not conducive to forming unified rules and standards and expanding the voice of developing countries in the governance of the digital economy;
Disruption and interference by external forces complicated the cooperation
To maintain its absolute dominance and erstwhile unchallenged global leadership in cyberspace, the United States often adopts a pre-emptive cyberspace strategy, and targets ASEAN as an important area to woo and aims to enhance its voice and influence in Southeast Asia cyberspace issues.
First, the United States and other Western countries define China as “digital authoritarianism” and “digital absolutism,exaggerating the “threat” that China has posed to ASEANs cybersecurity and demonizing the so-called “China model” of digital governance. They repeatedly defamed China and stated that China is bringing “digital risks” to Southeast Asia. In July 2021, the US, the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, Norway and NATO launched a smear campaign against China, claiming that China was engaged in hacking activities worldwide, including Southeast Asia. The smear campaign was the first time the US and NATO accused China publicly and unwarrantedly. At the same time, the US hype up Chinas cyber-attacks and hacker intrusion in Southeast Asia through its domestic companies. Insikt accused Chinese hackers of using custom malware FunnyDream and Chinoxy to hack into the governments and private sectors of Thailand, Vietnam, Malaysia and the Philippines.
21 FireEye, a US cybersecurity company, has alleged that APT30, a group funded by the Chinese government, targeted companies in Southeast Asias communication, technology, finance and aviation sectors in a decade-long hacking and intelligence acquisition campaign. Chinese state-backed hacking group RedDelta has been conducting cyber espionage since at least 2019, according to US-Based firm Recorded Future.22
Second, the US is actively working with its Allies to intensify its efforts to suppress China in cyberspace. After the Trump administration launched its Clean Network Program in 2020, the United States and about 60 countries and regions worldwide signed A Declaration for the Future of the Internet directly aimed at China and other countries. The United States and Japan launched the Digital Connectivity and Cybersecurity Partnership (DCCP) to continue strengthening cooperation with Japan on cybersecurity capacity building in Southeast Asia. Furthermore, the United States and Japan have jointly promoted the APEC Cross Border Privacy Rules to combat digital protectionism and the illegal use of data by the so-called ‘authoritarian governments” and promote the free flow of data and the protection of privacy and intellectual property rights. 23 The United States has convinced its allies around the world to form institutions such as the DIO Alliance, the T12 Science and Technology Alliance, and the EU-US Trade and Technology Council (TTC) in an attempt to “decouple” China in various fields and hinder cooperation between Chinese enterprises and ASEAN.
Third, the US interferes with digital infrastructure cooperation and cybersecurity cooperation between China and ASEAN. The United States has been pressuring Southeast Asian countries to reduce or give up the use of Chinese equipment and technologies, thus squeezing the overseas market space of Chinese IT companies. For example, after the US launched its Clean Network Program in 2020, Singapore bowed to pressure to drop Chinas Huawei and choose Nokia and Ericsson as its 5G network suppliers. 24 Vietnam, Malaysia and other countries have also given up their cooperation with Huawei under pressure.
Finally, the United States has intensified its lobbying with ASEAN on the international rules of the digital economy and cyberspace governance. It has also cooperated with ASEAN to identify the “risks” of over-dependence on China for key technologies and urged them to strictly scrutinizes investment in relevant technology projects by China.25
As China improved its comprehensive national strength and innovation capability, ASEAN countries have different views towards strengthening cybersecurity cooperation with China. On the one hand, they hope to strengthen cooperation with China to deal with cybersecurity threats; on the other hand, they also worry about becoming more dependent on Chinas technology, capital, and standards; and losing their “digital sovereignty.” In addition, the South China Sea issue has hurt the mutual trust between China and some ASEAN countries. Furthermore, after the outbreak of COVID-19, different ASEAN countries and social groups also have different perceptions of China, which brings some uncertainty and complexity to China-ASAEN cooperation on cybersecurity.
Pathways of Deepening China-ASEAN Cybersecurity Cooperation
It is both sides’ common interests to strengthen cooperation on cybersecurity; China and ASEAN should fully tap the potential built on fruitful collaborations thus far and raise cybersecurity cooperation to a higher level.
Promote synergy between China-ASEAN cybersecurity governance strategies
China should work hard to deepen mutual trust with ASEAN in cybersecurity and consolidate the consensus over bilateral cybersecurity cooperation. First, the two sides must strengthen the synergy between the Digital Silk Road and the ASEAN Cybersecurity Cooperation Strategy (2021-2025). They should formulate a flexible, inclusive, innovative cybersecurity cooperation framework or action plan to address global cybersecurity challenges jointly.
Second, the two sides should enhance the depth and breadth of cooperation in cybersecurity, promote the continuation and normalization of China-ASEAN cybersecurity cooperation, and establish a permanent cybersecurity coordination mechanism based on the China-ASEAN Digital Economy Development and Cooperation Forum.
Third, the two sides ought to intensify cooperation between China and ASEAN Computer Emergency Response Teams, explore establishing a China-ASEAN cybersecurity cooperation centre based on the China-ASEAN Information Harbor, and further improve the overall effectiveness of regional accident response.
Fourth, China and ASEAN should seize the opportunity of post-COVID-19 global economic recovery to promote cooperation on data security protection, policy communication and coordination. China and ASEAN should strengthen policy and legal coordination, adjust and upgrade existing policies, enhance the coordination and compatibility of bilateral cooperation policies, and ensure the policies get a broad appeal on a global scale.
Perfect cybersecurity practices require law and policy coordination that transcends national priorities and capabilities. In the field of cybersecurity law, China has completed the legislation of the Cybersecurity Law (2017), the Data Security Law (2021) and the Personal Information Protection Law (2021) in recent years, thus forming a relatively complete legal system to enhance cybersecurity. While ASEAN has successively adopted the ASEAN Framework on Personal Data Protection (2016) and the ASEAN Framework on Digital Data Governance (2018). China and ASEAN need to coordinate their legislation on cross-border data protection and privacy regulation based on their respective legal frameworks. Due to the differences in laws and regulations among ASEAN member states, compliance for enterprises faces significant challenges. China and ASEAN countries can explore establishing a cybersecurity “sandbox mechanism” in cross-border data flow and supply chain security to pressure test cybersecurity policy measures.
Work together on cybersecurity rules and standards
China and ASEAN should institutionalize a cybersecurity risk assessment and management framework and a China-ASEAN Digital Standards Working Group. For Singapore, Malaysia and other countries with a more advanced digital economy, cooperation can be conducted in technology research and development, intellectual property rights and other fields. Global technical standards and norms can be established in emerging technologies to promote the transformation of ASEAN member state from users of technologies to meaningful producers, Regarding data flow, bilateral or multilateral agreements and treaties should be signed to regulate all parties5 cross-border data flow. 27 For the part of China, it is necessary to fully use the institutional guarantee role of the Measures for Security Assessment for Outbound Data Transfer (2022) for the outbound data flow between China and ASEAN. Moreover, the two sides can jointly establish a mutually recognized data classification and tiered protection system, improve the ability of data lifecycle protection, and build a more refined data security protection system and personal privacy compliance protection system.
Regarding the security of data exchange and fusion technology, the two sides should jointly explore and build workable risk management methods, processes and rules for new forms of business, new services and new technologies brought by the digital economy. In addition, they should enhance the interoperability of existing payment infrastructure, such as the ASEAN Working Committee on Payment and Settlement System (WC-PSS) and ASEAN Pay.
Regarding security rule standards, data can be classified, labeled, and processed according to classifications such as open data, restricted data, and national security data to promote effective cross-border data flow and jointly build cybersecurity rules and standards that are suitable for emerging and developing countries. Furthermore, the two sides can make use of multilateral mechanisms such as the Regional Comprehensive Economic Partnership (RCEP), China-ASEAN Free Trade Agreement (FTA), and Digital Economy Partnership Agreement (DEPA) to jointly formulate cybersecurity rules and standards such as cross-border data transfer, digital communication technologies, and network technology standards and protocols.
With the deepening of China-ASEAN digital economic cooperation, the two sides should promote rules and standards on data management, judicial jurisdiction and personal information protection under the RCEP framework. Currently, China is applying to join DEPA. Once it joins, Chinas strength in the digital economy will help attract other ASEAN countries to join the agreement to negotiate and harmonize rules and standards for digital development and governance. In addition, the two sides may jointly explore the formulation of rules and standards in security areas as equipment protection, personal data and privacy protection, health and welfare, and environmental protection under the UN Digital Literacy Global Framework.
Jointly promote cybersecurity technology research and development and industrial development
China is a digital giant, but its cybersecurity technology lags behind some developed countries. Chinas innovation in the basic underlying technology, disruptive asymmetric technology, and other areas is insufficient. Its research and development in cybersecurity technology are lagging, hurting its effort to build an independent and self-sufficient information technology industry; China should accelerate research cooperation with ASEAN in basic technologies, strengthen basic, universal and forward-looking technological innovation, and jointly guard against security risks in data, personal information and critical infrastructure. In addition, China may work with ASEAN to promote the integration of cybersecurity in manufacturing, agriculture, retailing, transport and logistics, and information technology, explore new modes of application of cybersecurity technology, promote the effective application of cybersecurity technology in the economy, strengthen the protection of intellectual property rights and intangible assets, and realize the application of innovative technologies to products, services, and integrated solutions. China and ASEAN can encourage Chinese and ASEAN enterprises to form alliances to work together. In particular, the two sides should fully exploit the role of the China-ASEAN Information Harbor Digital Economy Alliance, carry out joint research and development in cloud computing, big data and the Internet of Things, focus on personnel training and industrial services, and share research results.
Besides, the two sides should strengthen innovation in the cybersecurity industry, establish platforms for technology research and development, innovation services and industrial collaboration, and optimize and improve the cybersecurity industry environment to form a sound ecosystem for the innovation industry. Also, the two sides may jointly explore the extension of cybersecurity into the supply chain system, improve the security of science and technology supply chains, and promote the security of regional supply chains on which trade depends. Currently, the research and development and application of new technologies in the digital field are mainly developed and led by technology companies. Network security at the technical level depends more on the private sector and technical experts. Therefore, establishing publicpublic, public-private and private-private partnerships, including governments, enterprises, NGOs, industry associations and individuals, is also the focus of ensuring the smooth development of bilateral cybersecurity cooperation.
Increase China’s cybersecurity assistance to ASEAN
China may increase its assistance to ASEAN in cybersecurity rules and operating norms setting, technologies, and capacity building. The move will enhance Chinas ability to deliver complete system cybersecurity solutions and provide ASEAN countries with turnkey that meet their development realities. Under the Initiative on Building China-ASEAN Partnership on Digital Economy framework, the two sides may strengthen assistance cooperation in key digital infrastructure areas such as comm unications, Internet and satellite navigation» Relying on the China-ASEAN Information Harbor, ASEAN countries can accelerate the development of critical infrastructure and digital equipment. Under the framework of the Plan of Action on the Implementation of the China-ASEAN Digital Economy Partnership (2021-2025), the two sides need to build an Internet security monitoring and awareness-raising platform actively, focus on combating cyber-attacks, cybercrimes and cyber terrorism, and safeguard critical infrastructure and important information systems» Through the online platform of the China-ASEAN Cybersecurity Exchange and Training Center, the two sides can increase training on ASEAN cybersecurity technologies, further deepen exchanges and cooperation between Chinese enterprises and digital enterprises of ASEAN countries, help ASEAN countries upgrade their cybersecurity technologies, and achieve balanced and reasonable development of cyber technology among ASEAN countries. China and ASEAN can jointly build a China-ASEAN ”information expressway” create a series of information exchange platforms, and conduct regular professional cybersecurity training. The moves can increase the technical knowledge reserve of relevant cybersecurity enterprises.
Guard against external interference and sabotage
Based on the common value of openness and cooperation, together with sharing the principles of mutual respect, mutual trust and shared governance, China and ASEAN can build a community of shared futures in cyberspace. They can promote the formation of common norms and goals for cyberspace and help each other to play a meaningful role in cyber agenda-setting, forming regional consensus on cyber cooperation, enhancing political mutual trust, reducing strategic miscalculation and strengthening cyber crisis management ability; China and ASEAN can jointly maintain peace in cyberspace and avoid turning cyberspace into a new arena of geopolitical and ideological competition. The two sides should actively respond to the interference and sabotage of China-ASEAN cybersecurity cooperation and the deliberate disparagement and suppression attempt of Huawei, ZTE and other Chinese enterprises doing business in ASEAN by the «Clean Network Program” and the Quad.
China and ASEAN should strengthen dialogue and exchanges at the global, regional and sub-regional levels and leverage the role of international organizations with the United Nations at their core as a platform to fight cyberspace hegemony and digital protectionism. They can work together to safeguard a peaceful, secure, open, cooperative and orderly cyberspace and a multilateral, democratic and transparent international cyberspace governance system. Furthermore, the two sides should use the UN World Summit on the Information Society (WSIS), the UN Internet Governance Forum (IGF) and other global forums to strengthen dialogue and communication with major countries outside the region based on mutual respect, equality and mutual benefit, and enhance understanding on the applicability of international law in cyberspace, norms of responsible state conduct and confidence-building. Although China, the United States, and other Western countries have differences in cybersecurity construction, this does not affect their cooperation. They should deepen the ongoing dialogue mechanism on cybersecurity, seek consensus of cooperation, and raise the level of cooperation in cyber terrorism, cybercrime, cyber fraud and other fields.
Conclusion
The increasingly complex cyberspace has created many common cybersecurity risks that cannot be effectively controlled and prevented by any party alone, making international cooperation on cybersecurity particularly important. Although ASEAN has made great progress in effectively dealing with cybersecurity threats in recent years, it is still faced with serious cybersecurity threats from insufficient resource investment, limited technical expertise and shortfall in capacity building. Though the situation affects the cybersecurity cooperation between China and ASEAN countries, it also brings opportunities for the two sides to deepen cooperation. In the future, China should adhere to the concept of common, comprehensive, cooperative and sustainable security concept, uphold the principle of indivisible security, build a balanced, effective and sustainable security architecture; continuously strengthen and enhance cyber governance; intensify cybersecurity cooperation with ASEAN countries, and focus on capacity building, trust enhancement and formulation of cyber norms in a bid to explore a flexible and inclusive framework for cybersecurity cooperation and make cyberspace governance more just and equitable.