Amidst the accelerated pace of digitalization arising from the pandemic, cybercriminals have also stepped up their game, and cyberattacks have grown with increased sophistication. On the upside, countries in Asia-Pacific (APAC) have been doubling down on cybersecurity, but who is winning the race remains to be seen.
Recognizing the global scale of cyber incidents, the urgent need for global discourse, and with the prolonged pandemic pushing communities to connect online, Kaspersky adapted the way we engage our partners and hosted our inaugural APAC Online Policy Forum (OPF) in August 2020. The series convened leaders across government, industry and academia for an open dialogue on the latest trends in cybersecurity. It is with a heavy heart that we draw the series to a close, but as we end on the high of the fourth instalment in January 2022, it is timely to look back at the past 18 months, insights from 13 expert panelists hailing from the region, and accompanied by over 6,000 registered participants.
In August 2020, the inaugural Forum exchanged views on “Cyber-resilience in the ‘new normal’: risks and new approaches”. In March 2021, we discussed strategies to combat cyber criminals in “Guardians of Cyberspace: Can Justice Prevail?”, and in September 2021, we dived deeper into concrete steps to build “Greater Cyber-resilience through Cyber Capacity Building”. The finale in January 2022 covered a discourse on “Strengthening ICT Supply Chain Resilience”, a growing trend in the region. We reflect on the key themes and policy proposals that emerged over the conversations.
Different stages and solutions across APAC
The diversity in culture, geography and people across APAC also speaks to the vast differences across the region, including its cybersecurity landscape. It is thus untenable to define the state of cyber resilience in APAC as a whole. Instead, we appreciate the varied stages of development and approaches across the region, and the common recognition of the importance of cybersecurity. Taking a look at the region,
Both India and Indonesia are on the cusp of releasing their national cybersecurity strategies, highlighting growing recognition of the importance of the issue, as well as the challenges posed by the pandemic. Elaborating on the progress made, Mr. Nur Achmadi Salmawan, Director of National Critical Information Infrastructure, National Cyber and Crypto Agency (BSSN), Indonesia depicted Indonesia’s understanding of cyberspace in three layers – the physical (infrastructure including the PC, satellite, submarine cable), logical (software, applications) and social, and its intent to both protect national interests and increase national economic growth through its national strategy. Reflecting on the impact of the pandemic, Lt General Dr. Rajesh Pant, National Cyber Security Coordinator of India shed light on how the lockdowns in India had created a shortage in manpower for Security Operation Centres across Ministries, thereby posing an implementation challenge. Nonetheless, in spite of these challenges, and in parallel to rolling out national guidelines, both countries are making commendable efforts to strengthen their cyber capacities, which Kaspersky is honored to be supporting.
Other countries have developed or refreshed their national masterplans and strategies in view of the fast evolving landscape. Mr. Nguyen Huy Dung, Vice Minister for the Ministry of Information and Communications, Vietnam described his country’s four-layer protection model which comprises (a) an in-house team; (b) 24/7 cybersecurity services by a professional provider; (c) an independent security audit; and (d) independent monitoring by the National Cybersecurity Center. In the Australian Cyber Security Strategy 2020 and Malaysian Cybersecurity Strategy 2020-2024, education and skills development was another priority area that featured heavily.
Some others are going one step further by taking a regional outlook. Singapore unveiled its ASEAN-Singapore Cybersecurity Centre of Excellence in 2019, which offers policy and technical programs for member states to bolster regional cybersecurity capabilities. Ms. Mihoko Matsubara, Chief Cybersecurity Strategist at NTT Corporation, Japan, shared how Japan has also expanded its partnership across Southeast Asia with the construction of new facilities such as the ASEAN-Japan Cybersecurity Capacity Building Center in Thailand, and conducting U.S.-Japan training workshops on areas like industrial control systems.
There is no right answer, or one-size-fits-all approach to cybersecurity given the varied needs of each country. But a multi-faceted approach is certainly a step in the right direction.
Building cyber awareness and education
“People” featured heavily in discussions across the series. As Mr. David Koh, Commissioner of Cybersecurity, Chief Executive of the Cyber Security Agency of Singapore nicely put it, the “human dimension” poses a significant challenge across all societies, besides the usability, security and cost of ensuring cybersecurity. In contrast to the instincts we have for our physical security, we lack the same level of instincts for cybersecurity.
In terms of solutions, Mr. Koh shared that the Singapore government had sent out advisories to companies and guidelines to educate individuals on cybersecurity safeguards, even helping some face-to-face through digital ambassadors. Dr. Greg Austin, Professor of Cyber Security, Strategy and Diplomacy, University of New South Wales; and Senior Fellow for Cyber, Space and Future Conflict, International Institute for Strategic Studies discussed the need for enhanced emphasis and investment in cybersecurity education at the tertiary level, noting that most countries were not investing in education in line with their ambitions, with an estimated $100-200 million required over 5-10 years to support a robust national curriculum in Australia. There was also a need to pursue educational reforms in the field, for instance by incorporating more exercises, simulations, red teaming — an area for the private sector to collaborate with tertiary institutions (as some, like Kaspersky Academy are already doing).
In a separate discussion, Professor Gabriel Kim Seungjoo, Head of the Department of Cyber Defense of Korea University, and a Member of the Presidential Committee on the 4th Industrial Revolution identified higher education as an important starting point for students to hone their practical skills (e.g. through data driven exercises). The ultimate goal would be for them to fill a gap in security experts with in-depth knowledge of systems and threats specific to their domain, and hands-on experience to be ready for activation from the get go.
In terms of ways to strengthen the emphasis on education, Professor Li Yuxiao, Vice President of the Chinese Academy of Cyberspace Studies, and Secretary General of the Cyber Security Association of China, shared that China had launched various laws and polices (e.g., Cybersecurity Law, Personal Information Protection Law, Critical Information Protection Legislation, etc.) to ensure cybersecurity. He viewed that cyber capacity building should first focus on cyber infrastructure, and be sensitive to the challenges posed by cybersecurity. Developing a talent training system would be key. More importantly, we should take a long term view to build a community with a shared future in cyberspace.
Besides individuals, Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, Chief Executive Officer of CyberSecurity Malaysia (CSM) talked about the need for SMEs to also pay attention to cyber resilience. Given the important role of SMEs as the backbone of various sectors, a cyberattack targeting the group could potentially send a ripple effect across the industry. While the finance and telecommunication sectors in Malaysia have been hardest hit, it was important for businesses across sectors to invest in cybersecurity in view of the growing digitalization across the entire economy. Dato Amirudin shared Malaysia’s holistic approach to strengthening cybersecurity, focused on people, process and technology. For instance, the focus on “people” in CSM’s SiberKASA program manifests through awareness building, education and training efforts across all functions within an organization from management to technical practitioners, via programs like vulnerability assessment, malware scanning, and assessment of risk and compliance.
More broadly, there was concern that the broader society considered cybersecurity to be someone else’s problem, and therefore not an issue of personal concern. Dr. Pratama Persadha, Chairman of the Communication & Information System Security Research Center (CISSReC), Indonesia challenged this notion by pointing out the risks of relying on a small group of ICT vendors/ third parties — any lapses in IT security could go undetected in the absence of cyber awareness/ knowledge from subscribers (e.g. on how ICT supply chain attacks work, where they come from).
Partnerships are key
With the scale of cyberattacks, and the impact on stakeholders across sectors, various panelists echoed the need to tighten coordination across stakeholders, summarized well by Mr. Achmadi’s depiction of Indonesia’s quadrihelix approach to mobilize stakeholders from all segments: government, enterprise/ businesses, academia, and the broader public.
Within the government, coordination continues to be key to implementing cybersecurity, particularly across the broader public. Ms. Azleyna Ariffin, Principal Assistant Director, National Cyber Security Agency (NACSA), Government of Malaysia described how NACSA actively partners CyberSecurity Malaysia on policy implementation, and in the realm of general education efforts, coordinates closely with the Ministry of Education and Ministry of Communications and Multimedia in Malaysia.
Between the public and private sectors, there exists boundless opportunities to exchange best practices and tap on the cybersecurity expertise of the private sector. Vice Minister Dung and Ms. Azleyna highlighted the importance of engaging the private sector in the drafting process, and successful implementation of Vietnam and Malaysia’s cybersecurity strategies respectively. For Vietnam, Kaspersky for example, was privileged to be a partner in the National Cyber Security Centre’s 2020 campaign to remove malware, which saw a 50% reduction in the number of botnet IPs. For Malaysia, Ms. Azleyna commended the involvement of various industry players including CEOs, CFOs and CIOs, who contributed ideas on how to translate the goals in Malaysia’s cybersecurity strategy into reality.
Globally, international organizations play a crucial role in convening stakeholders, processing global data, and promoting alignment towards a rules-based approach in cyberspace. Craig Jones, INTERPOL’s Cyber Crime Director shared how INTERPOL aggregates national and regional data to provide governments with a more comprehensive view of the significant impact of cyber incidents, and the interconnectedness of the problem, thereby highlighting the need for integrated solutions. Additionally, INTERPOL leveraged its expertise and networks to set up its ASEAN Cyber Capacity Development Project for countries to jointly identify capability and capacity gaps, needs and solutions. In a separate discussion, Lt Gen Dr. Pant reiterated the importance of cross-border collaboration, especially at international platforms like the UN Group of Government Experts, to facilitate threat attribution.
Shri Rajeev Chandrasekhar, Minister of State in the Ministry of Electronics and Information Technology, and the Ministry of Skill Development and Entrepreneurship, India additionally clarified that strong governance can be complemented and enhanced through partnership – while he stressed the responsibility of governments to ensure an open, inclusive, safe and trusted cyberspace in light of the significance of the internet and technology to the overall economy, the Minister noted that central to the strategy was partnership: cross-border collaboration for a coordinated effort against cybercriminals.
Conclusion
We have covered good ground over the course of the APAC OPF series. Just like how we conceived an online series in the thick of the pandemic, it is now time to rethink our approach to continue engaging a wider community alongside the evolving pandemic situation. The discourse does not end here, and we look forward to further engaging the community, contributing to conversations, and supporting the implementation of cybersecurity strategies in the days, weeks, months, and years ahead.
Special thanks to our esteemed panelists for their important contributions to this ongoing discourse:
OPF I
- General (Dr.) Rajesh Pant, National Cyber Security Coordinator of India
- David Koh, Commissioner of Cybersecurity, Chief Executive of the Cyber Security Agency of Singapore
- Mihoko Matsubara, Chief Cybersecurity Strategist at NTT Corporation, Japan
OPF II
- Nguyen Huy Dung, Vice Minister, Ministry of Information and Communications, Government of the Socialist Republic of Vietnam
- Nur Achmadi Salmawan, Director of National Critical Information Infrastructure, National Cyber and Crypto Agency (BSSN), Government of Indonesia
- Azleyna Ariffin, Principal Assistant Director, National Cyber Security Agency, Government of Malaysia
- Greg Austin, Professor of Cyber Security, Strategy and Diplomacy, University of New South Wales; and Senior Fellow for Cyber, Space and Future Conflict, International Institute for Strategic Studies
OPF III
- Director Craig Jones, INTERPOL’s Cybercrime Director
- Professor Li Yuxiao, Vice President of the Chinese Academy of Cyberspace Studies, and Secretary General of the Cyber Security Association of China
- Professor Gabriel Kim Seungjoo, Head of the Department of Cyber Defense of Korea University, and a Member of the Presidential Committee on the 4th Industrial Revolution
OPF IV
- Shri Rajeev Chandrasekhar, Minister of State in the Ministry of Electronics and Information Technology, and the Ministry of Skill Development and Entrepreneurship, India
- Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, Chief Executive Officer of CyberSecurity Malaysia
- Pratama Persadha, Chairman of the Communication & Information System Security Research Center (CISSReC), Indonesia