• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • Future Issues and Technology Cluster
    • [email protected] Newsletter
    • Other Research
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • International Strategy Forum-Asia (ISF-Asia)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Great Powers
    • Sustainable Security
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • Future Issues and Technology Cluster
      • [email protected] Newsletter
      • Other Research
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • International Strategy Forum-Asia (ISF-Asia)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Great Powers
      • Sustainable Security
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • SolarWinds & Cyber Diplomacy: The Missing Piece
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO21038 | SolarWinds & Cyber Diplomacy: The Missing Piece
    Tan E Guang Eugene

    03 March 2021

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Relying solely on a domestic response will not end the cycle of global cyber threats. A concerted effort to build capacity, confidence, and rules of the road may bring consequences to states who choose to continue sponsoring hostile activity.


    Source: freepik

    COMMENTARY

    IT IS now evident that while the SolarWinds breach affected many government agencies in the United States, and potentially other users of its Orion software like Singapore, the operation has reportedly remained an act of espionage – something most states if not all do in one form or another.

    In a statement to the Singapore Parliament on 2 February 2021, Minister for Communications and Information S Iswaran announced that there has been “no indication” that the country’s critical information infrastructure and government systems have been adversely affected by the breach. He recognised that breaches like SolarWinds demonstrate how these cyber threats are first, global in nature; second, will happen again; and, third, are difficult to prevent, and called upon all users and operators to be vigilant in tackling cyber threats.

    Domestic Responses

    The breadth of the breach has however led to some observers to bay for blood, with some calling it an act of war and others to retaliate in a visible fashion. However, while such an act harms national security, retaliatory action for espionage activity may not be acceptable under international law.

    Espionage is, to all intents and purposes, not prohibited under international law, which makes any international response to acts of espionage illegitimate. States are however free to punish these acts based on their respective national laws. Responses to cyber threats that fall under the threshold of international law can thus be separated on two levels: the domestic and the international levels.

    Exhorting domestic actors to prepare for future cyberattacks and to remain vigilant makes for good domestic policy and will not antagonise other states. But these actions are limited because they do not fundamentally change the behaviour and motivations of state-sponsored threat actors.

    It is therefore interesting that Singapore has chosen to strengthen its domestic response rather than to build an international or regional consensus on the SolarWinds breach. Singapore has not chosen to punish or push its own attribution of the state actors behind the SolarWinds breach, but has instead chosen to focus on its own protocols and taken steps to strengthen its own cybersecurity processes.

    Taking steps to improve the resilience and robustness of domestic systems will make it harder for malicious actors to access critical systems and potentially decrease the benefit they derive from compromising these systems. But these steps on their own will not prevent future cyber threats from external sources.

    Expanding Role of Cyber Diplomacy

    As cyber threats are becoming more global in nature, there is much more to be considered in an international response to a cyber threat like SolarWinds. As a small state that seeks to be a friend to all, escalating any cyber incident will not benefit Singapore’s national security posture. This does not mean, however, that state-sponsored cyber incidents should remain unaddressed and without consequence to the offending party.

    Small states like Singapore should therefore consider and review their cyber diplomacy efforts to combat cyber threats. These efforts include building norms of responsible state behaviour, capacity building, and confidence building, which are all pillars of contained in the 2015 UNGGE consensus report.

    Pillar 1: Norms for Responsible State behaviour

    Singapore firmly believes that having stronger rules of the road will help define acceptable state behaviour in cyberspace. Singapore has been plugging into the different international conversations at the United Nations like the Open-ended Working Group (OEWG) and the Group of Governmental Experts (UNGGE) to advance discussions on the rules of responsible state behaviour in cyberspace.

    Regionally, Singapore has also been pushing for progress on the adoption and the operationalisation of 11 norms of responsible state behaviour. Additionally, a mechanism for cyber cooperation among ASEAN member states was also proposed at the 2018 Singapore International Cyber Week.

    When fully operationalised, the combination of the normative framework and cooperation mechanism can lead to a coordinated response that carries the full force of all ASEAN member states.

    Pillar 2: Capacity Building

    Singapore, through its ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE), has also been actively building technical, policy, and legal capacity among ASEAN member states.

    The benefit of the centre is two-fold: first, it enables states to discharge their obligations and responsibilities in cyberspace such as due diligence; and, second, it builds the trust and assurance among partners in the region. This will ensure that our regional and international partners can be trusted to have the expertise to tackle any cyber breach in the future.

    Pillar 3: Cyber Confidence Building Measures

    What Singapore needs to improve on in its cyber diplomacy efforts, however, is the third pillar of the 2015 UNGGE report – cyber confidence building measures. Cyber Confidence Building measures are even more important in times of geopolitical tension, and can be done by increasing interstate cooperation to improve the transparency, predictability, and stability of cyberspace.

    Confidence building measures recommended by the 2015 UNGGE such as cooperation on cybercrime, the creation of a points of contact directory, and a mechanism for threat information exchanges among states, have however been given the short shrift by states. It would make sense for states to build trust among stakeholders – both public and private.

    It is a given that cyber threats will increase and it is unclear where the next cyber threat will come from. It would therefore make sense for Singapore to build cooperation mechanisms like an information sharing network to build confidence among stakeholders and to stymie any potential cyber threat actor.

    In a sense, the reporting of the SolarWinds breach by the US government was in fact an act of transparency and a confidence building measure through the sharing of information of the threat vector.

    In short, while it is important for small states like Singapore to strengthen its domestic tools and responses against global cyber threats like Solarwinds, they can also find ways to cooperate with each other through the various cyber diplomacy tools for better cybersecurity.

    Any confidence building measures, capacity building, and norm implementation effort however requires the willingness of all states and stakeholders to be fully effective; more should be done to bolster the diplomatic effort to dispel the notion that malicious actions in cyberspace have no consequences.

    About the Author

    Eugene EG Tan is Associate Research Fellow at the Centre of Excellence for National Security (CENS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security / East Asia and Asia Pacific / Global / South Asia / Southeast Asia and ASEAN

    Last updated on 04/03/2021

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    Relying solely on a domestic response will not end the cycle of global cyber threats. A concerted effort to build capacity, confidence, and rules of the road may bring consequences to states who choose to continue sponsoring hostile activity.


    Source: freepik

    COMMENTARY

    IT IS now evident that while the SolarWinds breach affected many government agencies in the United States, and potentially other users of its Orion software like Singapore, the operation has reportedly remained an act of espionage – something most states if not all do in one form or another.

    In a statement to the Singapore Parliament on 2 February 2021, Minister for Communications and Information S Iswaran announced that there has been “no indication” that the country’s critical information infrastructure and government systems have been adversely affected by the breach. He recognised that breaches like SolarWinds demonstrate how these cyber threats are first, global in nature; second, will happen again; and, third, are difficult to prevent, and called upon all users and operators to be vigilant in tackling cyber threats.

    Domestic Responses

    The breadth of the breach has however led to some observers to bay for blood, with some calling it an act of war and others to retaliate in a visible fashion. However, while such an act harms national security, retaliatory action for espionage activity may not be acceptable under international law.

    Espionage is, to all intents and purposes, not prohibited under international law, which makes any international response to acts of espionage illegitimate. States are however free to punish these acts based on their respective national laws. Responses to cyber threats that fall under the threshold of international law can thus be separated on two levels: the domestic and the international levels.

    Exhorting domestic actors to prepare for future cyberattacks and to remain vigilant makes for good domestic policy and will not antagonise other states. But these actions are limited because they do not fundamentally change the behaviour and motivations of state-sponsored threat actors.

    It is therefore interesting that Singapore has chosen to strengthen its domestic response rather than to build an international or regional consensus on the SolarWinds breach. Singapore has not chosen to punish or push its own attribution of the state actors behind the SolarWinds breach, but has instead chosen to focus on its own protocols and taken steps to strengthen its own cybersecurity processes.

    Taking steps to improve the resilience and robustness of domestic systems will make it harder for malicious actors to access critical systems and potentially decrease the benefit they derive from compromising these systems. But these steps on their own will not prevent future cyber threats from external sources.

    Expanding Role of Cyber Diplomacy

    As cyber threats are becoming more global in nature, there is much more to be considered in an international response to a cyber threat like SolarWinds. As a small state that seeks to be a friend to all, escalating any cyber incident will not benefit Singapore’s national security posture. This does not mean, however, that state-sponsored cyber incidents should remain unaddressed and without consequence to the offending party.

    Small states like Singapore should therefore consider and review their cyber diplomacy efforts to combat cyber threats. These efforts include building norms of responsible state behaviour, capacity building, and confidence building, which are all pillars of contained in the 2015 UNGGE consensus report.

    Pillar 1: Norms for Responsible State behaviour

    Singapore firmly believes that having stronger rules of the road will help define acceptable state behaviour in cyberspace. Singapore has been plugging into the different international conversations at the United Nations like the Open-ended Working Group (OEWG) and the Group of Governmental Experts (UNGGE) to advance discussions on the rules of responsible state behaviour in cyberspace.

    Regionally, Singapore has also been pushing for progress on the adoption and the operationalisation of 11 norms of responsible state behaviour. Additionally, a mechanism for cyber cooperation among ASEAN member states was also proposed at the 2018 Singapore International Cyber Week.

    When fully operationalised, the combination of the normative framework and cooperation mechanism can lead to a coordinated response that carries the full force of all ASEAN member states.

    Pillar 2: Capacity Building

    Singapore, through its ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE), has also been actively building technical, policy, and legal capacity among ASEAN member states.

    The benefit of the centre is two-fold: first, it enables states to discharge their obligations and responsibilities in cyberspace such as due diligence; and, second, it builds the trust and assurance among partners in the region. This will ensure that our regional and international partners can be trusted to have the expertise to tackle any cyber breach in the future.

    Pillar 3: Cyber Confidence Building Measures

    What Singapore needs to improve on in its cyber diplomacy efforts, however, is the third pillar of the 2015 UNGGE report – cyber confidence building measures. Cyber Confidence Building measures are even more important in times of geopolitical tension, and can be done by increasing interstate cooperation to improve the transparency, predictability, and stability of cyberspace.

    Confidence building measures recommended by the 2015 UNGGE such as cooperation on cybercrime, the creation of a points of contact directory, and a mechanism for threat information exchanges among states, have however been given the short shrift by states. It would make sense for states to build trust among stakeholders – both public and private.

    It is a given that cyber threats will increase and it is unclear where the next cyber threat will come from. It would therefore make sense for Singapore to build cooperation mechanisms like an information sharing network to build confidence among stakeholders and to stymie any potential cyber threat actor.

    In a sense, the reporting of the SolarWinds breach by the US government was in fact an act of transparency and a confidence building measure through the sharing of information of the threat vector.

    In short, while it is important for small states like Singapore to strengthen its domestic tools and responses against global cyber threats like Solarwinds, they can also find ways to cooperate with each other through the various cyber diplomacy tools for better cybersecurity.

    Any confidence building measures, capacity building, and norm implementation effort however requires the willingness of all states and stakeholders to be fully effective; more should be done to bolster the diplomatic effort to dispel the notion that malicious actions in cyberspace have no consequences.

    About the Author

    Eugene EG Tan is Associate Research Fellow at the Centre of Excellence for National Security (CENS), a constituent unit of the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security

    Last updated on 04/03/2021

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    SolarWinds & Cyber Diplomacy: The Missing Piece

    SYNOPSIS

    Relying solely on a domestic response will not end the cycle of global cyber threats. A concerted effort to build capacity, confidence, and rules o ...
    more info