Filling the gaps: The story of APAC’s cyber capacity building

The recent cyberattack incidents involving the largest pipeline system for refined oil products and one of the world’s biggest meat producers in the United States serve as yet another reminder that countries will continue to deal with cyberattacks. And the number is growing. Globally, the percentage of attacked industrial control systems in the second half (H2) of 2020 was 33.4 percent --- an increase of .85 percentage points compared with the first half of the year.

For cybercriminals, countries in the Asia Pacific (APAC) region have not fallen off the radar. If anything, cyber gangs are stepping up their campaigns in a region, which continues to attract more and more investments in supply chains and logistics.

Unfortunately, not all countries have the capacity to tackle cyber threats adequately. Laying the foundation for an organization’s cyber-resiliency starts with having a cyber-capacity-building program in place and cultivating a culture of cooperation among all stakeholders.

Stages of Cyber-Resiliency

Cybersecurity education and capacity-building begins with a recognition of the vast diversity that exists in the region.

Looking at APAC, we can categorize countries into three groups, according to the stages that they are at in dealing with cyberattacks:

• Advanced: Leaders in the cybersecurity field that have a clear strategy in place and are already doing more in terms of development
• Intermediate: Those that have identified cyberattacks as an area they need to look into and have attempted to make some inroads;
• Initial: Countries which have just begun paying attention to this area for various reasons, including more pressing domestic needs.

The State of Play in APAC

Singapore is an example of a country that is putting a lot of effort into boosting its national cybersecurity capabilities. When Singapore launched its $30-million, five-year project called the ASEAN-Singapore Cybersecurity Centre of Excellence in 2019, it opened up an opportunity to offer policy and technical programs for member state participants to help bolster regional cybersecurity capabilities. The project also pushed for collaboration among ASEAN member countries to conduct research, share knowledge and train to respond to cyber threats.

Placing data security high on the national list is what we saw when Australia’s Cyber Security Strategy 2020 kicked off last year with an investment of A$1.67 billion allocated over 10 years. The government’s three-pronged strategy of building a stronger digital ecosystem, growing a skilled workforce and protecting Australians shows us that they are taking cybersecurity very seriously.

Japan has also gradually integrated cybersecurity into boosting capacity-building in ASEAN, offering platforms for collaboration with individual Southeast Asian countries as well as the United States through additional coordination. Through mechanisms such as the annual ASEAN-Japan Cybersecurity Policy Meeting first held in 2009, Tokyo has gradually broadened its engagement with Southeast Asian states to include a range of areas such as mutual notification for incidents, joint industry-government-academic collaboration, the construction of new facilities such as the ASEAN-Japan Cybersecurity Capacity Building Center in Thailand, and the holding of U.S.-Japan training workshops on areas like industrial control systems.

In today’s landscape, a key focus area of cybersecurity education and capacity-building is enabling countries in the intermediate category to move towards the advanced group.

Vietnam in particular has been actively reinforcing regulations and standard-setting across the government and in partnership with the private sector. Among the pivotal measures it has established include a national cybersecurity law, standards and blueprints across government and private organizations. In its twin five-year cybersecurity master plans, the private sector is encouraged to collaborate with the government in cascading materials to customers, granting scholarships and co-organizing campaigns and training. One of the prominent campaigns in the country was the government-led National Malware Detection and Removal Campaign launched in 2020 and supported by 18 local and foreign cybersecurity firms, including Kaspersky.

Both India and Indonesia are on the cusps of releasing their national cybersecurity strategies, highlighting the awareness that these markets have on the importance of the issue. While India may have grappled with an unprecedented spike in cyberattacks since the pandemic, it has made headway in training thousands of government officials and critical sector companies, initiating cybersecurity investments and establishing agreements outside ASEAN such as with Japan, Israel and more recently with Bahrain to boost cooperation in cybersecurity in capacity-building, research and development and the protection of critical information infrastructure. Efforts to promote cybersecurity education and capacity-building should also build on or integrate ongoing initiatives. India is a case in point, with New Delhi having several individual efforts but facing challenges in integrating them into a coherent strategy and promoting cyber awareness across society at large.

Indonesia, which is in a similar spot as India, is counting on firming up its cybersecurity education and capacity-building initiatives to achieve its national interests including political stability and economic growth. Through its National Cyber and Crypto Agency (BSSN), the country has involved its key stakeholders including the public for cybersecurity awareness to address the shortage of local cybersecurity experts. Cybersecurity education and capacity-building initiatives would help Indonesia's government agencies to address concerns on data leaks and data-sharing practices. Data leaks continue to occur often in Indonesia, most recently with its state health insurer, and government agencies have taken the necessary steps to ramp up prevention and mitigation measures in a bid to protect Indonesia's information security and critical infrastructure. Meanwhile, data-sharing initiatives may also create beneficial spill over effects, where data can be reused by government agencies safely to open up significant growth opportunities or to generate benefits across society in ways that could not currently be seen.

Asian states are actively thinking about cybersecurity, while some may still be lagging behind due to not being well-equipped to either advance thinking or practice or provide timely opportunities for ideas to be shaped in a meaningful manner. It is important that each country’s strategy is cohesive enough to enable them to understand where to bridge their own internal gaps. Regional and international organizations provide additional platforms that countries can leverage.

Regional Cooperation on Cybersecurity

As countries look towards formulating and implementing their strategies, regional cooperation between countries and with the industry is essential to help with knowledge and capacity building.

While there are already conversations on cybersecurity in Asian multilateral institutions, there are opportunities for expansion both horizontally and vertically. This includes not only channels within ASEAN engagements, but also in APEC where there may be links between cybersecurity issues and wider subjects being discussed such as data flows and digital transformation.

Now that cybercriminals are upping their game like never before, cyber infections are not going away, even for the APAC region whose threat landscape is as diverse as it is rapidly evolving. Against the backdrop of the pandemic and geopolitics, government organizations will continue to be natural targets for a whole array of cyberattacks, be it espionage or politically-motivated attacks.

The respective situations of certain countries in the region shared above, while still in flux, should nonetheless give all other countries a few ideas to explore strategies and evolve their cybersecurity implementation if they want to achieve cyber resilience and mitigate catastrophic risks.

To remain ahead of the game, a multifaceted approach is required. From Kaspersky’s experience, the most effective formula is to have constant improvement of security awareness. This includes engagement with the wider cybersecurity community and stakeholders, including cybersecurity providers to validate and verify the trustworthiness of its products, internal processes and business operations - an important pillar upheld by Kaspersky. To help improve incident response capabilities and ensure the safety and wellbeing of their citizens, countries should also continually promote skills training and enhanced collaboration.