Tag Archive for: cyberspace

ASEAN cyber norms need broad stakeholder engagement

As Malaysia assumes the chairmanship of the Association of Southeast Asian Nations in 2025, the government wants to make its mark on the region’s cybersecurity cooperation framework. Malaysia is keen to develop the third iteration of the cybersecurity cooperation strategy, which will guide ASEAN’s collaborative efforts in cyberspace. But to be truly effective, cooperation must remain a multistakeholder affair.

The landmark release of ASEAN’s cyber norms checklist in October last year, championed by Malaysia and Singapore, translated the United Nations’ eleven norms of responsible state behaviour in cyberspace into practical steps. ASEAN member states now have a structured way to implement cyber norms, focussing on political endorsements and safeguarding critical infrastructure.

However, the real challenge isn’t adoption; it’s implementation. Making these principles work in the real world requires more than government buy-in; it demands broad cooperation across sectors and countries.

As I have argued, one of the biggest hurdles is embedding these norms into the operations of defence, law enforcement and intelligence agencies. Southeast Asia’s cyber capabilities are expanding, but transparency remains a sticking point. Militaries, intelligence agencies and law enforcement are embracing cyber tools, but are reluctant to discuss operations and strategies. These institutions see cyber norms as constraints rather than mechanisms for stability. Without transparency, trust erodes as states struggle to gauge each other’s cyber intentions and capabilities.

Recognising these challenges, in August 2024, ASPI brought together experts from Australia, ASEAN member states and Timor-Leste in a civil society dialogue in Kuala Lumpur sponsored by the Australia-ASEAN Centre. Discussions on the shifting cyber threat landscape, regional progress on cyber norms and strategies for strengthening cooperation highlighted one thing—transparency, information sharing and collaborative threat assessments reduce misperceptions and strengthen trust among ASEAN members.

But governments cannot implement cyber norms alone. They must collaborate with those who build, manage and depend on digital infrastructure and with those who advocate for digital rights, privacy and cybersecurity. Private sector actors, particularly technology firms that manage critical information infrastructure, need to be engaged to ensure that cyber norms are not only socialised but policies or initiatives that come out of them are practical, enforceable and aligned with the rapidly evolving cyber landscape. Industry-driven initiatives, such as sector-specific security standards for critical infrastructure, can support government-led efforts by introducing adaptable and enforceable cybersecurity measures.

Academia and think tanks also play a role by supporting capacity-building programs and offering research and policy insights that help shape decision-making. They can help assess the success of policy measures, including progress in norms operationalisation, and can function as informal intermediaries between governments seeking to communicate issues indirectly.

For ASEAN’s cyber norms to take root, multistakeholder engagement must be institutionalised through regular dialogues that include government and non-government actors. ASEAN has long used these mechanisms to navigate complex security challenges. Applying them to cyber governance will ensure that all member states, regardless of their cyber capabilities, have a say in shaping the region’s approach to cybersecurity.

Beyond dialogues, ASEAN needs a regional model of cyber norms maturity to measure their progress in implementing UN cyber norms. Such a model would consider factors such as cybersecurity infrastructure, legal frameworks and policy development. A structured roadmap would enable ASEAN states to move from basic compliance to advanced implementation, creating a stronger, more cohesive approach to cybersecurity.

Engaging local stakeholders is just as important. Cyber norms shouldn’t just be the domain of policymakers; they must resonate with businesses, academics and local communities. Bringing small and medium-sized enterprises, universities and civil society groups into the conversation ensures that cyber norms are implemented in ways that are practical, relevant and responsive to local challenges. Regular feedback loops will help refine these norms over time, keeping them relevant and adaptive.

In addition, discussions on cyber norms must break out of traditional security silos. Cybersecurity challenges intersect with issues such as environmental protection, trade, human rights and even cultural heritage. ASEAN should take a broader, interdisciplinary approach and incorporate insights from diverse fields to craft comprehensive solutions. For example, protecting critical infrastructure, such as submarine cables, shows that cyber resilience is interconnected with economic and environmental stability.

As a long-standing ASEAN partner, Australia has a key role to play. Recognising that cyber threats do not respect borders, Australia has been a strong advocate for regional cybersecurity cooperation in Southeast Asia. Australia can offer technical expertise, capacity-building programs and legal assistance to help ASEAN member states bridge cyber capability gaps and build a resilient digital ecosystem.

ASEAN’s adoption of the cyber norms checklist is a promising step, but real progress will depend on sustained implementation, capacity-building and advocacy. Multistakeholder collaboration, including between ASEAN and Australia, will ensure these norms move from paper to practice. Through inclusive engagement and cooperative action, the region can take decisive steps toward a secure, resilient and rules-based Indo-Pacific cyber landscape.

Six years in the making: UN reaches global cyberspace consensus

After a lag of six years, a renewed global cyber consensus was reached on 12 March when the UN member states agreed to the final report of the open-ended working group on information and communication technology developments in the context of international security.

In 2018, the group was instructed to make the UN negotiation process more democratic, inclusive and transparent, and to develop—or amend—current understandings of rules and norms and principles of responsible state behaviour. They were also asked to develop shared understandings of existing and potential threats, and how international law applies to the use of ICT.

The final report reaffirms the initial framework for what states should and shouldn’t be doing in cyberspace that was first agreed in 2015. The framework includes the recognition that international law applies to state activities in cyberspace, and affirms a set of 11 norms, confidence-building measures and a collective commitment to capacity-building.

The fact that 91 participating states managed to reach agreement is an accomplishment in itself, a Herculean task according to the South African delegation.

Concerns that some states would attempt to backtrack on previously agreed consensus outcomes proved unjustified. Relatively early in the process, major countries reaffirmed their commitment to the existing UN framework of responsible state behaviour. At the same time, Iran made the argument that ‘the consensus of the past is not the consensus of the present’ and Russia kept bringing up its ambition to work towards a legally binding treaty instrument for international ICT security.

The previous round of negotiations, between 2016 and 2017, broke down over proposals describing in greater detail how international law applies to state activities in cyberspace. The US tried to get the process moving again by suggesting that each state instead outline and publish its views on the application of international law separately. So far, at least 10 countries have done so.

Diplomats appeared disillusioned at the prospect of a long-term breakdown in interstate collaboration to solidify what was still a fragile rules-based framework for cyberspace. News articles appeared with headlines such as ‘The end of cyber norms’, ‘The end of an era’ and ‘The death of the UNGGE process’. This anxiety was exacerbated in late 2018 when the US and Russia proposed two similar but competing resolutions at the UN General Assembly.

The US called for the establishment of a sixth group of governmental experts (UNGGE), based on a practice started in 2004 for a select group of national experts to advance thinking and agreement on global rules. Russia, probably anticipating broader support for its viewpoints among the full UN membership, proposed that an open-ended working group be formed in which all countries could participate ‘on equal footing’.

Despite initial scepticism, the chair of the working group, Swiss Ambassador Jürg Lauber, and the UN support team have to be applauded for establishing a valuable and inclusive process that encouraged 40 new countries to join the conversations. There were also several, unofficial but on-the-record, opportunities for non-governmental organisations to provide input. This was, surprisingly, a novelty for the UN First Committee; until then, only states had addressed disarmament and international security issues.

But it was not all sunshine and roses.

During the last week of negotiations, states declined to approve text disclosing their areas of disagreement and that section was stripped from the report. Also, China successfully argued for the paragraph on ‘norms’ to be placed before the one on ‘international law’, a move not supported by Australia. Beijing is prioritising norms development, in particular around global rules for data security, over the decade-old entrenched discussion over the application of international law.

At the end of a successful negotiation process, delegations normally try to highlight their success stories. This time, however, delegations expressed their shared unhappiness with the report in quite explicit terms; they all had hoped a final report would be more reflective of their particular standpoints.

Russia’s representative, Ambassador Andrey Krutskikh, a veteran of the UN process, echoed South Africa in saying that ‘the report does not make us happy, but it is satisfactory’.

[N]ot all my country’s proposals are fully reflected in the document. In this regard, I would like to caution in advance that Russia will continue to actively advocate for its interests and for the interests of its friends in the future negotiation process on this topic.

US Ambassador Michele Markoff, also a veteran of the UN process, made similarly clear that the US felt the final report was ‘not perfect’ and continued ‘to have reservations’.

The UK said it would have liked to see more progress in the international law section, but because others had been flexible, it supported the global adoption of the report. Iran went furthest: while it didn’t block consensus, Tehran disassociated itself from those parts of the text that didn’t match its ‘principled positions’.

Despite all the reservations, the report delivers several positive steps.

The report recommends that states ‘continue to study and undertake discussions … on how international law applies to the use of ICTs by states’. This opens the door to continue seeking individual states’ views on how they see principles of international law, including international humanitarian law, applied in cyberspace.

The report unequivocally emphasises the need to support and invest in implementing agreed norms at the national, regional and global levels. States are called upon ‘to avoid and refrain from the use of ICTs not in line with the UN norms’—an important qualification as the norms are technically voluntary and non-binding.

Taking the experiences from the Covid-19 pandemic into account, an Australian-initiated proposal to highlight healthcare institutions as a key part of a nation’s critical infrastructure was endorsed. The report recommends that states prioritise efforts to protect all critical infrastructure and critical information infrastructure.

As the dust settles from the heavy lifting of reaching, in the words of the Australian delegation, ‘a report balanced on a knife’s point’, all eyes will now be on the UNGGE process. The closed-door discussions among the 25 experts when they tackle the unresolved issues are sure to be more fierce than in the open forum of the working group.

With a deadline of May, the UNGGE report is all but certain to garner a consensus. For now, though, a global cyber consensus has been re-established, and that’s a positive thing.

Information-age warfare and defence of the cognitive domain

The arrival of the information age has created both opportunities and challenges for the United States, its allies and our defence organisations. In the information age, warfare has changed from kinetic to non-kinetic attacks.

Adversaries deterred from engaging the US in direct armed conflict are now using cyberspace and information operations to steal our intellectual property, disrupt our government, threaten our critical infrastructure and, most dangerously, challenge our democratic processes. These developments have forced America and its allies into long-term strategic competition below the level of traditional armed conflict to defend our way of life.

China and Russia have expanded that competition to include continuous, far-reaching strategic influence campaigns against the US cognitive domain—the human space where mental skills develop and knowledge is acquired—to achieve the political objectives which their militaries cannot. Achieving political objectives has always been the aim of warfare. China and Russia, in particular, are attempting to do that without firing a single shot.

The introduction of new tactics changes the characteristics of warfare. The industrial age created super-elevated hard power, massed kinetics, and extremely violent characteristics. The information age has introduced mostly non-kinetic techniques to achieve strategic objectives. Cyber and information operations harnessing everyday applications like Facebook and Twitter, and the news media, are used to influence the cognitive domain in countries around the world.

These are the new weapons of war. Unfortunately, they’re not yet recognised as warfare because digital 1s and 0s can’t be seen, heard or feared like bombs or bullets. The US and its allies must acknowledge the changing characteristics of warfare in the information age and move to defend against cognitive domain attacks.

In information-age warfare, state and non-state actors operate in a constant state of competition just below the level of armed conflict. That means the cognitive domain, where we think, learn and develop ideas, is open to attack. Attempts to influence this domain occur every day.

Our adversaries want to steal advanced technology and research to enhance their economies and armies, break apart NATO and the EU, and create distrust in democratic systems. The cognitive domain provides viable ways for them to meet their strategic objectives.

The information age has given state actors access to the 55% of the world’s population who use the internet—or 4.2 billion of its 7.6 billion people. In the US, that percentage jumps to 76%; in Australia, it’s 86%. Mobile devices are used by 5.1 billion people worldwide. A simple laptop and internet connection provide states and non-state actors with the ability to conduct influence campaigns from anywhere, at any time.

To make the information environment even more complicated, not all cyber operations are crimes. Purposefully distributing accurate information to stir discontent, for example, is a highly effective strategic manoeuvre, but not a crime or necessarily even a fabrication.

Cyberattacks are not just perpetrated by state actors trying to steal secrets, information or data. They can also include deliberate actions to influence a population over time, changing the dynamics and opinions of a nation, one screen at a time.

Reaching a political objective through the cognitive domain is easier, cheaper and more effective than using military power alone. We must see the theft of intellectual property as akin to Chinese long-range intelligence, surveillance and reconnaissance aircraft circling above Silicon Valley or London. We must move beyond the acknowledgment of the ‘little green men’ and hybrid warfare of Crimea. That was the last war.

To win the next war, we need to think of ‘little green digits’ as adversary weapons that can attack our cognitive domain and begin to formulate our responses. If we don’t change the way we think about these threats and defend against them, we risk losing the next war before we realise we’re actually fighting it.

Leaders across the US and its allies, in all departments, services and organisations, must acknowledge the change in our adversaries’ strategic approach and begin whole-of-nation preparations to deal with attacks in the cognitive domain.

Government departments must defend critical infrastructure, and academia must educate the population on adversary influence operations and the purposeful manipulation and distribution of facts. Private companies need to protect intellectual property and keep America as the world’s dominant technological leader. Corporations like Google, Facebook and others must protect their customers from influence campaigns perpetrated by bots and hackers. Informed discussion and action is the only way to counter adversary actions in the cognitive domain.

Carl von Clausewitz described war as an ‘act of violence intended to compel our opponent to fulfil our will’. This type of thinking was correct in the industrial age, but in the information age, violence is not always needed for one nation to bend another to its will. And that changes everything.

Keeping up with the Pentagon in the information age

Between March and July 2018, the US Joint Chiefs of Staff issued a raft of new or revised authorised statements of military doctrine. They included a landmark ‘note’ on strategy, a joint concept on integrated campaigning, and a doctrine on peace operations. The flood of publications reflects the changing priorities of the Pentagon under Defense Secretary James Mattis that were outlined in the new national security strategy issued by the White House last December.

The strategy note is of most interest. It supplements three earlier joint doctrines on military policy, joint operations and joint planning. The guidance is not intended to be authoritative, but rather ‘provides context for those who develop national strategy and implement it at subordinate levels’. The note says that force can be applied in ‘any domain (land, maritime, air, space) and the information environment (to include cyberspace)’. Cyberspace is not, in the Joint Chiefs’ view, a fifth domain of warfare but an environment shared by the four physical domains. This has to be a fundamental point of strategic reorientation for all countries’ armed forces.

The update on cyberspace operations replaces the 2013 joint publication and reflects organisational changes (the establishment of Cyber Command as a functional combatant command, and the new Cyber Mission Force), but it also provides new guidance on the command and control of cyberspace operations and their planning.

One of the big changes is the distinction between two modes of command and control for cyberspace operations: ‘routine’ and ‘crisis/contingency’. An important feature of this section for Australia and other US allies is its recognition that a military alliance in cyberspace will look and operate differently from other forms of cooperation: ‘the level of integration of US cyberspace forces with foreign cyberspace forces will vary depending upon in-place agreements with each partner and may not mirror the level of integration of other types of forces’.

Outer space receives special attention in what appears to be a completely new doctrinal manual on space operations. The executive summary gives useful background on the recent announcements by the US about the creation of a new branch of the armed services for military operations in space. The doctrine remarks on the intimate mutual interaction of outer space and cyberspace in US military thinking: ‘many space operations depend on cyberspace, and a critical portion of cyberspace can only be provided via space operations’.

That’s also the view of China’s 2015 military strategy: ‘Outer space and cyber space have become new commanding heights in strategic competition among all parties. The form of war is accelerating its evolution to informationization.’

As the clunky word ‘informationization’ suggests, China now accepts, as the US does, that there’s an inseparable link between information operations and cyberspace operations. China has adopted the longstanding US concept of ‘information dominance’ as a centrepiece of its military strategy.

The shift by competitors of the United States like China, but especially Russia and North Korea, to enhanced conflict with the US below the threshold of war or the use of armed force, especially by cyber-enabled information operations, has led the US to bolster its already formidable information warfare capabilities. One of the new doctrinal publications, the Joint concept for integrated campaigning, reflects this change. The publication is an effort to offer ‘an alternative to the obsolete peace/war binary’. The document promotes the idea of ‘integrated campaigning’ and stresses that ‘the integration of physical and information power’ is a ‘critical element to enabling globally integrated operations’. These considerations also inform newly released doctrines on counterinsurgency and civil–military operations.

One of the more ground-breaking documents is the update of Joint Publication 3-27, Homeland defense. The 2013 version had itself revised the cyber elements of an earlier version to see them as part of the information environment and not just as combat support activities. The 2018 version repositions information operations as one of seven joint functions and provides much more detail on cyberspace operations. It specifically recognises the role of Cyber Command in homeland defence missions, and assigns Special Operations Command a primary responsibility for coordinating cyber missions against terrorists in US territory.

It also asserts a new mission of coordination with the private sector for cyber homeland defence operations involving US military forces: ‘For cyberspace, the vulnerability and complex interrelationship of national and international networks demand closely coordinated action among the military, private sector, and other government entities at all levels.’

This is all unclassified information. One needs to be a serious sleuth to decipher the sheer volume of text and the meaning of the changes. That said, Australia and its closest ally, the US, appear to be worlds apart in their governments’ willingness to engage with all of their military personnel, their corporate sectors, and their citizens about the gravity of threats in the information environment, including cyberspace.

China’s state security strategy: ‘everyone is responsible’

A couple of counter-espionage videos published as part of an online course on state security for China’s primary and secondary school students caught the attention of the international media last month. One video focuses on a child whose father emailed military secrets to overseas media and eventually confessed to sharing state secrets. The other draws lessons from three types of espionage scenarios, including compromise through network security rule violations.

While these animated videos provide great media fodder, it’s important to get beyond the headlines and take a deeper look. The videos are centred on the idea that everyone is responsible for preventing, stopping and punishing behaviour that could compromise the security of the state. The videos were criticised by some netizens for similarities to the Cultural Revolution; in many ways, the individual responsibility concept isn’t far removed from the ideological mobilisation tactics that the revolution embodied. The videos are designed to involve the entire society in safeguarding the state.

The government has used similar campaigns over the past few years to warn Chinese citizens against foreign spies. But state security education isn’t limited to counter-espionage work; rather, it promotes the Chinese Communist Party’s (CCP’s) holistic concept of state security—which is quite different from Australian and US notions of ‘national security’.

China’s educational campaigns cover security in 11 realms: homeland, military, economic, cultural, social, political, information, scientific, ecological, natural resources and nuclear. Each area identifies an integrated threat perception—in other words, threats come from both inside and outside China’s physical borders and from both inside and outside the CCP. China doesn’t delineate between external and internal security policy. Instead, it has a single integrated security policy with internal and external elements.

For instance, ‘information security’ includes cyber security, and it’s mainly about protecting and promoting the party’s ideas. Similarly, ‘scientific security’ is most clearly about handling the double-edged sword that is science and technology. It implicitly absolves the party’s leadership of blame for mistakes in the application of science-related law.

In addition, state security isn’t simply about managing external threats or obvious internal issues like social unrest. It’s also about managing the party itself, in terms of both its relationship with society and its internal power dynamics. The worst-case crises that China prepares for include internal unrest ranging from isolated but large-scale dissent to a series of widespread destabilising events, potentially compounded by discord inside the CCP. They also include wars, whether over disputed territory such as in the South and East China seas or an attack on the Chinese mainland by a foreign military power. China particularly fears a scenario like the Kosovo War, where a domestic conflict could be used as a justification for outside interference. A matter of critical importance, therefore, is loyalty to the party and to the state in every sector of society—security forces, party members and the general population.

It may seem far-fetched to an outsider, but those ideas have a clear importance in Chinese thinking. China’s 2000 defence white paper, for example, pointed to ‘signs of increasing hegemonism, power politics and neo-interventionism’. The 2009 version claimed that China ‘faces strategic manoeuvres and containment from the outside while having to face disruption and sabotage by separatist and hostile forces from the inside’. The perception is magnified where technology could support a ‘colour revolution’ such as Georgia’s Rose Revolution or Ukraine’s Orange Revolution. This integrated perception of threat also helps to explain China’s approach to sovereignty. It isn’t just about protecting physical spaces; it’s also about protecting an unbounded ideas space outside of China’s borders, particularly in the digital age. The CCP’s concept of cyberspace sovereignty, for instance, is heavily influenced by this concept of sovereignty.

Perhaps it’s paranoia, but the individual responsibility requirement is based on a well-articulated state security concept, largely focused on threat pre-emption. The idea is reinforced in all recent state-security-related legislation, from the State Security Law (2015) to the Intelligence Law (2017). It can also be seen in rules such as the new regulations that make chat group administrators criminally liable if they fail to remove prohibited content. Mobilising the people, both inside and outside the party—and whether voluntarily or by coercion—is seen as key to the state’s long-term security.