Security: Why does Southeast Asia lag behind?

A look at how Southeast Asia is lagging behind in Asia’s cybersecurity posture

Cybersecurity investment in Asia, and specifically in Southeast Asia, is dangerously lagging behind. That’s according to a report published in January by consulting firm AT Kearney. The study delved into the state of cybersecurity policy and money trails throughout the region and found a patchwork of rules and initiatives that could be putting enterprises in Southeast Asia at risk.

Specifically, the report calls on nations in the ASEAN (Association of Southeast Asian Nations) intergovernmental group to boost its cybersecurity spending – to around $170 billion in total – as the world’s digital economy shows no signs of slowing down and ASEAN businesses are in danger of losing $750 billion in market capitalization as a result. ASEAN is made up of ten members: Indonesia, Malaysia, Philippines, Singapore, Thailand, Brunei, Vietnam, Laos, Myanmar, and Cambodia.


Why is ASEAN at risk?

“You have quite a wide variation in terms of where these countries are in their digital journey so that’s why the numbers you see in terms of under investment [are so different],” says Gareth Pereira, a principal at AT Kearney.

Singapore’s systematic approach to technology is impressive but not easily replicable elsewhere. What can other cities learn from Singapore’s extensive tech initiatives?

“There’s a wide disparity and that’s partly the reason why you see this region lagging behind.”

It may not come as a surprise that Singapore tops the list for cybersecurity. The city-state has invested eye-watering sums of money into smart city initiatives and digital industries. If cybersecurity was passed over, then it would be staring at a truly disastrous situation.

Singapore spent 0.22% of its GDP on cybersecurity in 2017, the third highest spender globally after Israel and the UK. Malaysia spent 0.08%, putting it in ninth place, well behind Japan, South Korea, and the US.

On the flipside, ASEAN countries like Brunei and Laos are much further behind, which drags down the average for ASEAN. These countries are not only spending less on security but their overall network preparedness is lower than their neighbors.

Pereira anticipates that this under investment “will persist over time” and is unlikely to be fixed too quickly. While ASEAN has a consensus-minded approach and will agree on matters like capacity building, it is down to each country to make a move respectively.

“We don’t see the sort of legislative framework that the EU has so that becomes a bit of an issue,” explains Pereira.

Why is security such an issue in Asia-Pacific? Check out: APAC: A hotbed of cybercrime

“You get countries like Singapore and Malaysia trying to push the envelope in terms of what the other countries should be doing but there’s no unifying framework in place in ASEAN to look at national strategy around cybersecurity, to look at legislation, to look at governance. There’s nothing to monitor progress in this area.”

In Europe, there’s the GDPR, which comes into effect in May and will hand out staggering fines to companies with poor security.

“I don’t think fines is the right way to go about it,” Pereira responds. “I think companies need to cognizant a little bit more about the value at risk for them.”

The costs of cyberattacks are much more prevalent and known now, so a case needs to be made internally for greater cybersecurity spending, which in the long term will lead to a greater return on investment.

As the cost of cyberattacks starts to impact the bottom line, the very top echelons of the c-suite will have no choice but to take notice. It’s no longer the realm of the IT department and CEOs are being held to account. After the infamous Equifax breach last year, its CEO Richard Smith resigned. Those at the top must pay attention.


What is the attack surface?

All the obvious targets are at risk: critical infrastructure, banking, telecoms, public utilities, healthcare, and transport systems.

The proliferation of IoT and connected devices in both the enterprise and among consumers has opened up a whole host of new threats and risks too. Again, Singapore has been the most advanced here – deploying sensors collecting huge amounts of data – but Jakarta, Ho Chi Minh, and Bangkok have all launched their own smart city programs. This has opened more avenues for attack.

“In the last few years, the transportation sector has seen the proliferation of IoT and connected cars, which have the potential to be ubiquitously connected and form a far larger attack surface for DDOS – multiple times larger than what we have seen in the Mirai worm example,” said one transport authority official quoted in the report, referring to the botnet that took down hundreds of sites through DDOS attacks in late 2016.

This digital connection between long running infrastructure and new technologies highlights the need for better coordination between the public and private sector.

To this end, AT Kearney has proposed a Rapid Action Cybersecurity Framework. This involves creating new agencies responsible for cybersecurity awareness and coordination among different sectors and setting standards that everyone follows. Singapore has taken an approach like this.

“Let’s say there is an attack on a bank in Singapore, this is brought to the notice of the Monetary Authority of Singapore, which alerts all the other banks. In future, it’s that process of collecting information and sharing it around which gets you better prepared to deal with emerging threats.”


How about the rest of Asia?

With all this talk of ASEAN, you may have forgotten about the rest of Asia. The continent’s biggest economies are a little more aware of the risks and taking action. China is obviously a regular topic of conversation but that’s usually on the offensive front. On the defensive, the Chinese government has instituted its own GDPR-like law.

In the approach to the winter Olympics, South Korea set up a cyber defense team to assuage cyber threats. Similarly, as Japan prepares for the 2020 Tokyo Olympics, the government has established a separate agency for monitoring potential attacks on critical infrastructure.

But Japan and other developed countries share one thing with ASEAN – skills shortages. Japan is now issuing its own agenda for stimulating IT security employment in the economy. The number of professionals coming out of universities is “simply inadequate” says Pereira and will need to speed up in order to meet demand. He points to specific shortages in behavioral and forensics analytics.

Skills and money alone won’t solve the problem though.

“It’s important where you’re spending that money, are you spending it largely on firewalls or are you spending it on other aspects, on what we call the cybersecurity lifecycle, which is how do you recover?” says Pereira. Attitude and approach will be key: “What is your response mechanism?”