Breakthrough in ASEAN: Leaders Recognize Need for Norms in Cybersecurity

ASEAN Summits are not always the most productive affairs. Marshalling alignment across the bloc’s 10 member states presents some challenges, especially on thornier issues requiring tangible collaboration. This is why the 32nd ASEAN Summit that concluded on April 28 should be lauded in its brokering of an ASEAN Leaders Statement on Cybersecurity Cooperation.


ASEAN has previously tread into the domain of cybersecurity. In 2016, Singapore helped forge an ASEAN Cyber Capacity Program (ACCP) to raise technical capacity of ASEAN countries to address the evolving array of cyber threats. Last year, the group witnessed the adoption of a new ASEAN Cybersecurity Cooperation Strategy. The region is also spearheading initiatives with third-party countries, with the Japan-ASEAN Cyber Center slated to launch in Thailand in June.


The recent Leaders Statement represents an important evolution because it for the first time recognizes the need for and tasks relevant ministers “to identify a concrete list of voluntary, practical norms of State behavior in cyberspace that ASEAN can work towards adopting and implementing.” The statement suggests ASEAN member states take reference from the voluntary norms recommended in the 2015 Report of the United Nations Group of Governmental Experts (UNGGE). Given that the UNGGE process broke down last June among disagreements at the global level, the movement towards a regional set of cyber norms presents an opportunity for Southeast Asia to lead the way in contextualizing the existing set of global norms and implementing them in ways that work for ASEAN.


Why cyber norms matter to business


While voluntary cyber norms are not a panacea to addressing cybersecurity threats, broad adoption of cybersecurity norms will lend stability and security, and help promote social and economic development. Norms have a long history of reducing conflict between states, and if transposed to cyberspace, they can create flexible and shared behaviors. It’s these shared behaviors that build predictable and stable environments for businesses and citizens alike, as well as encouraging international cooperation on cybersecurity.


The 2015 UNGGE Report outlined 11 norms for responsible state behavior in cyberspace. They can be grouped into two broad categories: norms that limit what states should do in cyberspace (such as not supporting attacks on critical infrastructure), and those that speak to the positive duties of states in cyberspace (such as responding to requests for assistance in managing attacks).


As a leader on cybersecurity, Singapore has been a vocal proponent for regional cyber norms, which is why they are being addressed under its ASEAN chairmanship. We can expect ASEAN governments to take the Leaders Statement into account in preparing for the 3rd ASEAN Ministerial Conference on Cybersecurity to be hosted in Singapore from 18-20 September 2018, where a regional framework may be unveiled and discussed.


Business can engage in the process, and the Leaders Statement recognizes the value of enhanced dialogue and cooperation with external parties. A recent paper developed by Access Partnership and industry partners will serve as an input; the paper assesses cybersecurity policy and issues in Southeast Asia, outlines the existing efforts around cybersecurity norms and related activities in a variety of forums, and charts their development processes. It explains the benefits of collaborative cybersecurity for the region, and suggests some areas for the region’s stakeholders to continue work on norms development. Additionally, a recent paper by AT Kearney outlines cyber risks in ASEAN and suggests steps to address them.


Towards a peaceful, secure and resilient regional cyberspace

Producing strategic outcomes in ASEAN takes time, effort, and resolve. Yet progress is possible, and because the group convenes one of the most eclectic and important economic regions in the world, engagement can bear fruit. Working together, ASEAN governments, industry players, technical experts, academia, and civil society groups should all step up their engagement to improve cybersecurity resilience in the coming months, both on norms and other areas of cyber policymaking. The recent Leaders Statement offers a vision for a better regional cyberspace. It will be up to ASEAN stakeholders to make it happen.


If you are interested in cybersecurity issues in the region, Access Partnership invites AmCham members to join a workshop on “Cyber Security in Retail and Consumer Goods Industry” on 10 May 2018, at FTSE Room Level 9 Capital Tower, 168 Robinson Road. The event will feature Singapore’s Cyber Security Agency, Lazada, JurisAsia and Access Partnership. Register at


Christopher Martin – Chris leads Access Partnership’s operations in the Asia Pacific that focus on technology policy and regulation.  He works with global companies and organizations to develop strategies, shape policy discussions, and access new markets.



This blog showcases news and updates from AmCham’s member companies

Send Updates