Asean countries have been slow to produce comprehensive national cyber security strategies and implement the necessary legal frameworks for security and critical infrastructure protection, according to research.
The BSA’s APAC cyber security study Dashboard found that all markets reviewed have gaps in their cyber security capabilities, and there are opportunities to improve the systems needed to protect against, prevent, mitigate, and respond to cyber attacks. It examined the national cyber security strategies of 10 countries in the Asia-Pacific region, of which four are Asean countries – Singapore, Malaysia, Indonesia and Vietnam.
BSA, an industry trade group that represents several software giants, considers it critical for countries to develop comprehensive national cyber security strategies and sector-specific plans that are practical, flexible, risk-based and respectful of privacy and other civil liberties.
“Implementation of sector-specific responses to cyber security in Asean, and in fact across the Asia-Pacific region is very limited,” said Jared Ragland, director, policy – APAC at BSA.
Simon Piff, associate vice-president, enterprise infrastructure at IDC Asia Pacific, agreed there is a lack of local legislation covering cyber security. “With no really meaningful data management laws in place, and absolutely no disclosure laws in most markets, the need to secure data is not as high on the agenda for most Asean organizations as it perhaps should be,” he said.
But Piff expects this to change soon as organizations that are in some way involved in a security breach may be expected to pay their share of lawsuit costs, which can be hefty. The lawsuit costs faced by Target and Home Depot could amount to $8m to $10m each.
“This means that a local organization that did not patch a web server that then gets used in a hack could potentially be liable,” said Piff. “While the laws may not yet be in place to deliver on this reality, such a reputation in the US or EU markets could severely cripple many local businesses.”
To date, Malaysia and Singapore have established public-private partnership initiatives to take advantage of private-sector experience in preventing, detecting, responding to and mitigating cyber security incidents. In contrast, said Ragland, Indonesia and Vietnam need to do more to leverage the private sector’s cyber security knowledge and best practices.
On a positive note, Ragland noted that Asean countries have set up computer emergency response teams (CERTs) and related operations, which can play a crucial role in improving a market’s cyber security capabilities.
Singapore has a five-year national cyber security masterplan in place, and its new Cyber Security Agency recently began operations. Although Malaysia does not have a standalone cyber security strategy, it does have a collection of policies and strategies, and its government plans to completely revise and strengthen this suite of policies by 2017. Meanwhile, Indonesia and Vietnam are in the earlier stages of developing national cyber security strategies.
“The Indonesian market is hampered by the imposition of local standards and testing requirements that are inconsistent with a truly international approach to addressing cyber security and will likely slow Indonesia’s ability to develop effective cyber security capabilities,” said Ragland.
For Asean countries to really improve their cyber security, the first step is to realize their responsibility.
“Sadly, for many Asean businesses, it will take legislation to make this responsibility a reality, and even then it will take the enforcement of such legislation to make it stick,” said Piff. “This new world, where being part of the kill-chain could result in severe financial impact, to my mind is the more pressing motivator for the Asean markets.”