Genie Sugene Gan (Ms.), Head of Public Affairs, Asia-Pacific
Digital technology and digitalization of every sector of the economy and national security over the past two decades have ushered in new possibilities that have revolutionized business operations through integration and the seamless transfer of information in real time. This digital transformation has played a large role in leveling the playing field, allowing startups and smaller companies to scale rapidly and disrupt established players — a prospect largely unimaginable at the turn of the millennium.
As the digital landscape transforms with new innovative technologies, challenges have cropped up in parallel: cyberthreats and zero-day exploits — from state-sponsored advanced persistent threats to opportunistic cybercriminals — resulting in costly intellectual property and data theft. Even single actors can pose grave threats to critical infrastructure, financial and logistics systems and national security, endangering millions.
Enterprise solutions such as endpoint security, cloud security and threat intelligence have enabled both the private sector and the public sector entities to detect and keep ahead of such threats as they develop. Yet new technologies have the potential to expose vulnerabilities and exploit digital weaknesses.
There has been additional impetus to evolve the current security culture’s focus on confidentiality, integrity and availability to account for issues such as online abuse, harassment, disinformation and radicalization. As the scope of cybersecurity expands, so too will the drive to define and proscribe this kind of behavior. The development will spark debates on when intervention is acceptable and when it violates personal freedoms, feeding into larger conversations on tech values, ethics and regulation.
As technology evolves and new solutions emerge, governments have taken greater interest in regulatory matters, particularly in Asia-Pacific economies with nascent domestic tech industries. Technology companies must learn to work with regulators to strike a balance between data management and data governance on the one hand and ensuring a fertile environment for continued growth — involving streamlined and uniform regulations — on the other.
Companies must also be mindful that 21st century geopolitics will play a dominant role in shaping cybersecurity decisions and regulations. The trust of governments, companies and consumers has become an essential ingredient for sustainability and transparency, a hallmark of success.
In response to the largely unrestrained technology boom over the last two decades, there has been a surge in regulation from leery governments desperate to exercise control over tech firms. This is no different in Asia-Pacific, where countries have adopted regulations to control the flow of information — often for national security purposes — to prevent and punish cybercrime, capture lucrative rents, and allow for fair competition, market access, and the growth of domestic tech industries.
But technology is evolving fast, and regulators are having difficulty keeping up, resorting to hasty legislation that can be harmful to the tech industry. Such was the case with Indonesia’s GR 82 data localization regulation, which was eventually amended by the less restrictive GR 71. Burdensome cybersecurity legislation can also compromise personal data and information privacy. In 2019, Australia passed the Assistance and Access Act, which allows the government to view encrypted information and requires firms to create ‘backdoors’ to grant access. The Indian government is now entertaining similar legislation that may threaten or even outlaw end-to-end encryption, undermining data privacy and leaving the biometrics and other personal information of over a billion people unprotected.
Though tech companies have tried to lobby for regulations favorable to the tech sector, the absence of those tech companies in policy consultations has sometimes resulted in regulation that may stymie growth and innovation in the sector. The emergence of a balkanized patchwork of conflicting regulations from different jurisdictions further complicates compliance and highlights the need for a common framework that advances the interests of all parties involved. Then-Prime Minister Shinzo Abe of Japan articulated such a vision at the 2019 G20 summit, where he proposed uniform rules on data sharing and data governance.
Regardless, the consultative process will become increasingly important to take into account the considerations of all stakeholders and develop sound and enduring policies. In the meantime, security firms would do well to keep clients abreast of new legislation so they are aware of the environment in which they operate, ensure compliance, and make adjustments to their investment calculus.
Kaspersky actively invests in building a community by forging ties with its customers and partners that enhance knowledge, skills and awareness about cybertrends, including regulatory compliance. Kaspersky’s training activities equip our customers with effective incident response (IR) know-how and following recommended best practices. Our Cyber Capacity Building Program provides product security evaluation training, taking into account modern regulatory and policy developments to keep our clients updated on important legislation that may impact business.
Kaspersky’s trainings are complemented by its literature — including Kaspersky’s Daily, Secures Future, Securelist and Policy Blog — where the company proactively shares cybersecurity knowledge, insights and threat intelligence as well as the latest industry trends, and the interplay between policy and technology.
Also, Kaspersky’s Transparency Centers provide its customers and partners with executive briefings about the company’s best practices, engineering and data management processes, experiences operating on the global market and knowledge on the latest policy and technology developments in the industry.
Decoupling and Supply Chain Disruptions
COVID-19 has accelerated the pace of decoupling and highlighted the importance of supply chain diversification — developments that were already in motion since the geopolitical kerfuffle of a U.S.-China trade war. In Asia-Pacific, companies are exploring ways to mitigate risk as they relocate assets from China to other countries in the region, with Vietnam attracting a large share of investments. The digitalization of supply chains and logistics systems is one method of managing such risk, and countries in Asia-Pacific are already exploring this option as they scramble to attract investment. In Indonesia, the Minister of State-Owned Enterprises, Erick Thohir, has called for the digitalization of supply chains to gain access to new markets and kickstart the county’s economic recovery, while Japan is trying to nudge their companies to shift production away from China, as the pandemic exposed overreliance, and the Make In India campaign for New Delhi is a chance to restart India’s high-end manufacturing growth story.
But digitalization carries risks of its own that must be addressed to ensure sustainability. As Vietnam becomes a more attractive destination for companies looking to shift their supply chains, it becomes ever more important that the integrity of its digital logistics systems is safeguarded.
Kaspersky’s Cyber Capacity Building Program and code review workshops — part of its larger Global Transparency Initiative — help to provide security evaluation knowledge to businesses, government organizations and academic institutions for assessing supply chain cyber-resilience. With this program, Kaspersky helps clients secure their critical ICT infrastructure through testing and awareness building on products and services, which in turn shows them how to identify cybersecurity risks as well as to manage and mitigate them. Through such trainings, Kaspersky helps clients firm up supply chains to ensure resilience, mitigate risks and withstand many of the challenges contributing to the current threat landscape.
The digitalization of supply chains will require countries to adopt legislation that accommodates the changing tech landscape while providing for its security. As technology plays an increasingly large role in managing critical infrastructure, appropriate safeguards will need to be put in place to make sure the advantages to be gained through digitalization do not come at a terrible cost.
Though the use of industrial control system (ICS) computing has done much to streamline critical infrastructure management — from energy and aerospace facilities to sewage systems — it has greatly increased the susceptibility of such systems to malicious cyberattacks. In 2019, Kaspersky detected over a hundred vulnerabilities in industrial, industrial internet of things (IIoT) and IoT solutions. If exploited, these vulnerabilities could pose grave threats to national security, particularly for countries that have a greater dependence on ICS technology.
The looming threat of DoS attacks, remote code execution, session hijacking and zero-day exploits demands robust IIoT solutions that ensure the integrity of critical infrastructure. As of H2 2019, only 39 percent of cyberattacks are blocked on ICS computers globally, though countries in the Asia-Pacific tend to be more resistant, with Southeast Asia blocking 55.2 percent and South Asia 48.8 percent. Nevertheless, many Asian countries face a higher volume of ICS attacks, with Bangladesh, Vietnam, Indonesia, India, Malaysia and Thailand ranking among the most targeted countries. Ransomware is perhaps the single biggest threat to ICT, and less than one percent of attacks in 2019 were blocked on all systems globally.
The devastating potential of ICS attacks were clearly illustrated in September 2019, when the Dtrack malware was discovered on India’s Kudankulam nuclear power plant, which allows attackers to access user credentials that may place them in total control of the nuclear power plant – a very precarious situation.
To read more about the expanded scope of cybersecurity amid a pandemic, geopolitization of security and values, in order to embrace 2021 with better wisdom gained through ‘2020 hindsight’, please click here.