3 February 2024

The State of Cyber Defense Cooperation in ASEAN

Gavin Harris

To address the severe cyber threats their economies and critical infrastructure are facing ASEAN countries must strengthen the ASEAN Cyber Defense Network (ACDN) and continue the process of integrating their military cyber defense agencies. Cooperative measures and intelligence sharing between defense agencies would help bridge the resource gaps in member-state cybersecurity capabilities and help align the diverse national cybersecurity interests within ASEAN. ASEAN would also benefit from a cybersecurity agreement that gives the integration of cyber defense agencies more priority than the current Cybersecurity Cooperation Strategy. This article traces the cyber threat ASEAN countries face, the way they are resourcing their militaries to respond, and evaluates current ASEAN cyber defense cooperation.

Threats

As ASEAN has grown in geopolitical significance due to its increasing economic weight, natural resources, and geographic position, it has also rapidly digitized. Despite the recent introduction of internet infrastructure in the region most countries in ASEAN, except Laos and Myanmar, have internet penetration rates of over 75%.[i] As a result, ASEAN member states have faced increased cyberattacks and cyberespionage campaigns, especially from state-sponsored advanced persistent threats, or APTs. Multiple Chinese-backed APTs operate in Southeast Asia. In addition, there are also numerous private and military-backed organizations that have initiated cyber espionage in Southeast Asia. As many as 49% percent of attacks by organizations in Southeast Asia resulted in data leaks, and the most frequently attacked entities were governments (22%).[ii] CYFIRMA reported that within ASEAN, APTs conducted the most attacks in Singapore, followed by Thailand, Vietnam, and Indonesia.[iii]

ASEAN Cyber Military Defense Forces

This expanded environment of cyber threats has prompted ASEAN states to create and expand cyber defense capabilities in the military. Jason Blessing established a taxonomy of cyber forces in ‘The Global Spread of Cyber Forces, 2000–2018.’ Military computer response teams, reservist components, and civilian intelligence agencies do not constitute cyber forces; the definition Blessing gives is: “active-duty military organizations with the capability and authority to direct and control strategic cyberspace operations.” 

There are three organization models of cyber forces: branches are controlled by military support agencies, service models fall under the command of a single primary military service, and joint models fall under the command of two or more services. There are also three classifications for command structure: subordinated commands are cyber forces initiated under existing conventional commands to support kinetic operations within the conventional structure, sub-unified commands are sub-organizations created to operate in cyberspace as a standalone mission, and unified commands are institutions that fulfill an independent cyberspace mission with no parent organization, reporting directly to ministers or principals.[iv] The following is an inventory of ASEAN’s military cyber defense forces (see table below).

Singapore established the Digital Intelligence Service (DIS) under the Singapore Armed Forces (SAF) in October 2022 as a fourth unified service, which is an uncommon structure internationally. The DIS subsumed a few cyber defense organizations that were insufficient to address the SAF’s expanding needs and Singapore’s uniquely high susceptibility to frequent cyberattacks because of its attractiveness to cyberespionage campaigns. The DIS contains four commands: the Joint Intelligence Command, the SAF C4 Command/Cybersecurity Task Force, the Digital Defense Command, and the DIS Training Command, as well as the Digital Ops-Tech Centre which develops innovative research solutions in contact with other industries.[v]

Thailand’s Ministry of Defense contains the Defense Information and Space Technology Department, a subordinated branch which manages a large swath of operations, from the cybersecurity of defense systems to telecommunications and space affairs.[vi] Thailand also operates the Army Cyber Center, which is a sub-unified service of the Royal Thai Army established in 2016. It provides cybersecurity and threat intelligence services within the General Headquarters and monitors disinformation within the country.[vii]

Vietnam’s Ministry of National Defense contains the Cyberspace Operations Command (Command 86), a joint unified operation with the Vietnam People’s Army that maintains readiness and safety for Vietnamese defense organizations in cyberspace.[viii] The VPA also contains a unit called Force 47. Force 47 seems to operate as a unified joint command but its estimated 10,000 employees wage information warfare against dissenters and government critics within Vietnam, not against foreign threats, leaving it in a grey area in the taxonomy. [ix]

The Indonesian military (TNI) addresses cyber operations through Satsiber – a unified joint service that operates in each of the three armed forces.[x] Indonesia’s Ministry of Defense also operates the Defense Strategic Installation Agency (Bainstrahan),[xi] which runs two sub-ordinated branches that complement Satsiber: the Cyber Defense Center (Pushansiber), which is responsible for the preparation and implementation of cyber defense policy as well as the Defense Strategic Information Center, or Pus Infostrahan, which implements cyber intelligence and espionage strategy.[xii] It is not clear which of these organizations holds real power to implement operations. Recently, the governor of the National Resilience Institute proposed the possibility of a fourth armed unified service dedicated to cyber, much like Singapore’s DIS.[xiii] Problems arose when considering how to incorporate the variety and operation of cyber defense organizations already present, not to mention the prominent cyber institutions within the police and other ministries.

In Malaysia, the Ministry of Defense manages the Cyber Defence Operation Center as a subordinated branch, which secures the Malaysian cyber military sector,[xiv] and the Malaysian Armed Forces contains the Defence Cyber and Electromagnetic Division (BSEP) as a sub-unified service.[xv] BSEP and CDOC often work in tandem, strengthening each other’s functions to counterintelligence gathering APTs.[xvi]

Brunei follows a similar cyber defense institutional setup to the former nations. The Ministry of Defense operates the Defense Information Technology Unit, a subordinated branch which serves to enforce policy.[xvii] The Royal Brunei Armed Forces operates the Cyber Defense Unit, which is a sub-unified service.[xviii]

The Armed Forces of the Philippines (AFP) contains the Cyber Group as a sub-unified service. It operates as a support group, with a mission to defend defense networks, facilitate cyber operations, and gather intelligence on threats.[xix] In addition, the Cyber Battalion under the Army Signal Regiment has the mission to conduct active and defensive operations to protect AFP assets.[xx] AFP recently announced its commitment to creating a ‘Cyber Command’ in a more active and expanded role from the Cyber Group, likely a joint unified position, in response to a recent influx of cyberattacks and Chinese espionage.[xxi]

Some ASEAN nations have no cyber defense command of any variety. Laos has a law on cybercrime but no military defense institutions; Cambodia has not even established a codified law on cybersecurity, although a draft of such a law has been facing pushback for privacy concerns.[xxii] Myanmar’s military government is too busy waging civil war to establish national cyber defense commands.


ASEAN militaries employ a wide variety of cyber organizations. As indicated in the table, there are no overwhelming majorities in terms of model and scale. Most were established around 2016-2018. Singapore’s Digital Intelligence Service, as the only unified service in the region, leads in clarity and efficiency. Priorities of organizations may differ. For example, Vietnam’s commands tend to combat ‘disinformation’ (often internal) which threatens the state, whereas the Philippines is prioritizing protection against espionage and crippling attacks. The delegated responsibilities and relations between cyber military organizations within countries are often unclear, as national cyber defense strategies are uncommon. Concrete details on personnel, budgets, and operations are hard to find. These differences in structure, priorities, and clarity in ASEAN cyber commands provide obstacles to cooperation.

Future Cooperative Cyber Defense Policy in ASEAN

Despite the existence and mobilization of these cyber defense organizations the current ASEAN policy framework for cybersecurity, the ‘ASEAN Cybersecurity Cooperation Strategy,’ only mentions military cyber defense organizations once and provides no specific policies related to cyber defense. Instead, it focuses on five dimensions, which are Advancing Cyber Readiness Cooperation, Strengthening Regional Cyber Policy Coordination, Enhancing Trust in Cyberspace, Regional Capacity Building, and International Cooperation.[xxiii]

On the military side, cybersecurity is coordinated in the Cybersecurity Working Group of the ASEAN Defense Minister’s Meeting (ADMM). The ADMM is the highest defense cooperation group within ASEAN. The ADMM-Plus (including ASEAN’s eight Dialogue Partner states) operates Experts’ Working Groups in seven areas of practical cooperation, including cybersecurity. One of the stated objectives of the group is to “develop appropriate mechanisms for cooperation among the defense and military establishments of the ADMM-Plus countries and for coordination of military and civilian groups in addressing cyber security challenges.” Up to 2020, the group had achieved a directory of contacts, a glossary on cyber technologies, as well as running Tabletop Exercises, meant to test theoretical capabilities. [xxiv]

Two major ASEAN-wide initiatives of the ADMM are the Cybersecurity and Information Centre of Excellence (ACICE) and the ASEAN Cyber Defense Network (ACDN). Singapore currently funds and operates the ACICE which began operation in the summer of 2023. It is meant to improve information-sharing capacity among ASEAN cyber defense institutions, especially through increasing access to research and analysis on regional threats and working in tandem with the ACDN.[xxv] The ACDN, proposed by Malaysia at the 15th ASEAN Defense Minister’s Meeting in 2021, is meant to link cyber defense centers, provide for the development of new centers, identify areas of necessary cooperation, and disseminate ACICE information.[xxvi] One meeting has occurred via videoconferencing in 2022, and the second occurred in Kuala Lumpur in 2023.[xxvii] In the longer term, the network would promote joint exercises, physical visits, and closer partnerships.

Cooperation in cyber defense is immediately advantageous but also aligns with the principles of the ASEAN Charter in that it preserves the sovereignty of its member nations while also ensuring the region’s autonomy in the future. Although ASEAN has generated significant cyber military forces and made steps to integrate them in ACICE and the ACDN, there must be greater investment and serious attention towards regional cyber defense cooperation and information sharing. Learning from each other would help members to adopt more comprehensive and effective policies on cyber defense and connect and strengthen diverse organizations within states. It would also bolster individual capacities to resist foreign espionage through intelligence sharing and help build regional identity and solidarity.

No comments: