Event
Seminar on “Cyber Security In East Asia”
by Dr. Nicholas Thomas
Research Assistant Professor, Centre of Asian Studies, University of Hong Kong
Date: 4th December 2008
Venue: RSIS Conference Room 1, Level B4
Time: 3.00pm - 4.30pm

Introduction
Dr Nick Thomas began his presentation by noting that cyber security, though fascinating, is an understudied area of regional security relations. Since the 1990s, there has been increasing literature on the expanding notions of security – such as the UNDP’s 1994 report on New Dimensions of Human Security, and the Copenhagen School’s theory of securitization (since 1998), which highlights the military, environmental, economic, societal and political sectors of security. However, cyber security or cyber threats have been overlooked in this regard. Yet in the contemporary period the potential for the virtual realm of cyberspace to be used as a conduit to harm those in the real world is seen as one of the most serious threats to national stability and prosperity. In light of this, the need to reconcile old ways of considering security threats with the new realities is the key challenge facing policymakers. Appropriate policies for combating the myriad of cyber security problems now emerging are often lacking because securitising actors have yet to properly understand the environment in which they are now placed. Moreover, the boundaries of cyberspace are not conterminous with the boundaries of the real world – making the responsibilities for action and resolution difficult at best.
1. The Situation in the East Asian Region
1.1 Increase in Cyber Threats
The need to respond to this security challenge can be seen from the increasing exposure of East Asian networked users to cyber attacks. In Japan for instance, reports of cyber-crimes in 2005 increased 52 percent (to 3,161 reported incidences) from the previous year. A similar trend can be seen in South Korea where, in 2002, the number of internet-based criminal cases increased to 60,000, up from 121 in 1997. By 2006 it had increased to 70,545 instances, with identity fraud and hacking being the two most prevalent crime types. Although this jump was undoubtedly due, in part, to the effects of new legislation, it does reflect a genuine upwards trend in cyber crime reports; a trend that is evidenced in other regional countries as well as in extra-regional jurisdictions. Dr Thomas also noted that these statistics were nevertheless under-reported due to the varying definitions of cybercrimes and also corporations’ preference not to disclose these statistics.
In addition to the increasing number of cyber threats, the nature of the threats is also changing as cyber groups become more sophisticated in the structure of their attack vectors. These range from elaborate “phishing” scams, which use phony web sites to steal credit card numbers and perpetrate identity theft; fraudulent spam that launches viruses or spyware; and “malware” such as Trojans, which enable criminals to take remote control over thousands of computers for massive, distributed attacks. The latter has been particularly significant, given China’s growing online presence, as it now has the largest pool of users in the world. These will be issues of concern not only for China but also for other countries exposed to its web presence.
1.2 Divides/Inequalities amongst States
Dr Thomas also noted that economic and political divides amongst regional states would also have a direct impact on their respective computing capacities. States that are more developed economically and more open politically have a greater capacity to address cyber insecurities, than poorer and more repressive states. Moreover, the differences in Internet connectivity have a direct correlation with a state’s economic modernisation as well as with its integration with global processes of development. These underlying factors and the resulting cyber presence in each of these countries, in turn, have a direct effect on the types of cyber security challenges they face.
There are also cultural divides amongst states. A high level of economic development and a liberal-democratic political system does not automatically guarantee a shared set of norms and values with other similarly developed countries. Such is the case in Japan, where pornographic websites are not always seen as constituting a threat but other countries, whose citizens access the materials, disagree. Moreover, a high level of economic and social development coupled with a high degree of Internet penetration does not guarantee a relaxed attitude to Internet access. In the case of Singapore, a socio-economically advanced state, access to most websites is allowed but some, domestically and internationally, are still denied.
In light of this, while cyber security presents many new problems for regional law and order it would be wrong to consider these threats as completely new or requiring a completely new law enforcement approach. They rely very much on the real world contexts in which they are found but it is an interconnected world, one not bound by the rules of sovereignty and one for which non-interference is not an option if the sources and consequences of cyber threats are to be addressed.
2. Regional Responses
Dr Thomas noted that regional approaches to security threats are not new. Since the founding of the ASEAN Regional Forum in 1994, East Asian states and their extra-regional dialogue partners have discussed ways to alleviate regional insecurities. In the post 9/11 environment, other regional organizations – such as APEC – have also moved to include regional security issues on their policy agendas. In this sense, cyber security threats have benefited from pre-existing as well as recently introduced regional security mechanisms. Thus, even as states seek to overcome shortfalls in cyber capacity, they are working within regional organizations such as the ASEAN-related institutions and APEC, to mitigate the challenges posed by cyber security threats.
2.1 ASEAN & ASEAN Regional Forum
Dr Thomas noted that ASEAN attempts to secure cyberspace have come in two forms. First, there has been a generalized attempt to improve regional capacity and resources through the e-ASEAN process (since 1999). Second, there has been a set of more explicit attempts to secure cyberspace from transnational subversion of national security, especially those stemming from the activities of criminal and terrorist organizations. There is also a subfocus on the cyber development aspect, which is considered critical – if only to help address what are seen as the root causes of crime and terrorism (that spill over into the regional cyberspace), namely poverty and underdevelopment. To a certain extent 9/11 provided a boost to efforts to securitize cyber security at the regional level. However, the efforts were largely political – with studies of regional countries’ legal systems, information exchanges, and attempts to develop extradition treaties among the main responses.
2.2 Asia Pacific Economic Cooperation (APEC)
With regards to APEC, an institution with a far broader membership base, it has faced similar but different challenges in protecting its members against cyber threats. As an economically-focused institution APEC’s responses to cyber issues and threats have focused on issues such as e-commerce, identity theft, and related developments, before shifting in the late 1990s to focus on the criminal aspects of cyberspace (particularly information security), and then post 9/11 to focus on cyber terrorism. Further, there is a far greater digital divide between APEC members than that which exists between ASEAN members.
Dr Thomas further noted that given APEC’s business focus – far more so than ASEAN – it is proactive in engaging with the business sector and, more recently, civil society organizations, in ensuring that its activities have the widest possible input and support. This was reflected in APEC’s collaborations with the OECD – such as its Malware workshop in April 2007 – and its joint APEC-ASEAN workshop on Network Security, which allowed both sets of participants to interact and share knowledge and practices.
3. International Responses
While these regional initiatives are commendable, the challenge in combating cyber insecurities lies not just at the regional level but also at the wider international level. Dr Thomas provided the example of the European Union (EU), which has developed one of the most comprehensive cyber security agreements of any transnational organisation. In the late 1990s the European Union began to formally consider the destabilising impact cyber threats could have on its member states, their markets and societies. The end result was a ‘legally binding instrument’ called the 2001 European Convention on Cyber-Crime (or the Budapest Convention), which is considered a landmark treaty addressing cyber security matters at the domestic and regional level. Moreover, the inclusion of Canada, Japan, South Africa and the United States in the drafting process meant that the Convention has a reach beyond the boundaries of Europe. The key section of the Convention is that which deals with harmonization of legislation and the transnational reach of law and order officials in pursuing cyber crimes across borders.
By mid 2004, the signatories to the Convention had expanded to 37 states. In terms of transnational cooperation, the Convention requires ratifying states to provide the broadest cooperation possible. In creating this binding instrument the CoE and the drafting partners all sought the inclusion of the private sector as well as civil society organizations. While several groups had reservations regarding privacy and individual freedom issues, the Convention’s rapid adoption – in a political region where civil rights are considered paramount – is also a signal of widespread acceptance. Moreover, it is increasingly becoming a global standard, both for cooperation as well as best practices. Thus, at the international level, the European Union provides an example of transnational policy responses that seek political solutions to perceived security challenges.
Conclusion
In concluding his presentation, Dr Thomas noted the need for states to consider what emphasis the policy focus should have – whether a regional or global approach would be more suitable to specific needs. The link between the domestic realm and the global arena is that of a vertical relationship, with the state choosing to participate in international organizations to further its own needs. However, the presence of states with various capacities in the international community makes it difficult to allow for the swift resolution of a particular problem. The rapidity of change in cyberspace – and the attendant emergence of web-based threats against states, markets, societies and individuals – requires prompt action by securitizing actors if the essential medium through which most of the world’s population now communicates is to be preserved. What is needed is therefore a supporting horizontal structure where states at similar levels of development, with similar needs can work together in enhancing their cyber security. Dr Thomas noted that the creation of regional levels of governance has created a collaborative space whereby such horizontal activities can take place.
As such, the challenge for a state in addressing cyber threats is two-fold. First, it must find and adopt an appropriate balance between regional and international approaches. Second, where the state is a member of a regional organisation, it needs to ensure that regional approaches and international norms do not diverge but instead develop in parallel. Thus, while issues of shared cultures, histories and geography may play a key role in further regional-level development of cyber security policies, the commonalities should never become the basis for differences with wider international efforts.
Discussion
Effectiveness of International Cooperation
Several questions and comments were made regarding the effectiveness of international cooperation in ensuring cyber security. Responding to a question on the effectiveness of the Budapest Convention, Dr Thomas noted that it enabled a greater means of sharing knowledge and information, thereby building up human capacity. He cited the case of the cyber warfare attacks in Estonia and Georgia, where the EU’s response in establishing a centre in Estonia allowed Georgian and Estonian officials the opportunity to share knowledge and training in addressing cybercrime.
It was also noted that a transnational convention would work and can cater to varying legislation in different countries. For instance, in dealing with the issue of identity theft in Singapore, the latter would have a degree of commonality with other jurisdictions in other countries. Government initiatives on transnational crime could also come into the fold.
Shouldering responsibility
On the issue of who should bear the responsibility in addressing the problem, a comment was made that the focus should be on companies to ensure safe software that is ‘bug free’. While this is true, realistically, bug-free software costs much more, thereby encouraging some to find loopholes to get around it. This, therefore, again highlights the various divisions amongst regions and their unequal capacities in responding to these threats. Moreover, it is important to address the issue in a holistic manner. While software issues are important, border control issues are just as critical. In line with this, it was noted that academic and non-government agencies also play a significant role in moving the issue beyond legal enforcement and thus highlight these issues in a holistic manner, and engage with other sectors of society such as the business sector.
Differences in Norms
On the issue of managing different norms and attitudes to ensure a concerted effort, Dr Thomas noted the need for persistent and sustained attempts to change mindsets, similar to other policies. An example of this would be Japan’s manga animation, some of which would be considered pornography. The clash of norms is also an issue when one takes into account the right of freedom of expression, which may clash with the interests or even the fragile security of states.
About the Speaker:
Dr Nicholas Thomas is a full-time Research Assistant Professor in the Centre of Asian Studies, University of Hong Kong, where he coordinates the China-ASEAN project. His book publications include: Regionalism and Governance in Asia (forthcoming 2009), Advancing East Asian Regionalism (with Melissa Curley), Southeast Asia and China: Continuity and Change (with Nie Dening), China-ASEAN: Political and Strategic Ties (with James Chin), Re-Orienting Australia-China Relations: 1972 to the Present, and Democracy Denied: Identity, Civil Society and Illiberal Democracy in Hong Kong. He has published articles on East Asian regionalism, non-traditional security challenges and Chinese foreign policy with such journals as Asian Survey, Contemporary Southeast Asia, Australian Journal of International Affairs, Asian Perspective, Asian Journal of Social Science, Journal of International and Area Studies and Security Dialogue. He is a member of the Aus-CSCAP and the Ford Foundation’s Non Traditional Security Consortium in Asia. In 2009 Nick will be moving to the Department of Asian and International Studies, City University of Hong Kong as an Associate Professor.