ASEAN cyber norms need broad stakeholder engagement
As Malaysia assumes the chairmanship of the Association of Southeast Asian Nations in 2025, the government wants to make its mark on the region’s cybersecurity cooperation framework. Malaysia is keen to develop the third iteration of the cybersecurity cooperation strategy, which will guide ASEAN’s collaborative efforts in cyberspace. But to be truly effective, cooperation must remain a multistakeholder affair.
The landmark release of ASEAN’s cyber norms checklist in October last year, championed by Malaysia and Singapore, translated the United Nations’ eleven norms of responsible state behaviour in cyberspace into practical steps. ASEAN member states now have a structured way to implement cyber norms, focussing on political endorsements and safeguarding critical infrastructure.
However, the real challenge isn’t adoption; it’s implementation. Making these principles work in the real world requires more than government buy-in; it demands broad cooperation across sectors and countries.
As I have argued, one of the biggest hurdles is embedding these norms into the operations of defence, law enforcement and intelligence agencies. Southeast Asia’s cyber capabilities are expanding, but transparency remains a sticking point. Militaries, intelligence agencies and law enforcement are embracing cyber tools, but are reluctant to discuss operations and strategies. These institutions see cyber norms as constraints rather than mechanisms for stability. Without transparency, trust erodes as states struggle to gauge each other’s cyber intentions and capabilities.
Recognising these challenges, in August 2024, ASPI brought together experts from Australia, ASEAN member states and Timor-Leste in a civil society dialogue in Kuala Lumpur sponsored by the Australia-ASEAN Centre. Discussions on the shifting cyber threat landscape, regional progress on cyber norms and strategies for strengthening cooperation highlighted one thing—transparency, information sharing and collaborative threat assessments reduce misperceptions and strengthen trust among ASEAN members.
But governments cannot implement cyber norms alone. They must collaborate with those who build, manage and depend on digital infrastructure and with those who advocate for digital rights, privacy and cybersecurity. Private sector actors, particularly technology firms that manage critical information infrastructure, need to be engaged to ensure not only that cyber norms are socialised but also that the policies or initiatives that come out of them are practical, enforceable and aligned with the rapidly evolving cyber landscape. Industry-driven initiatives, such as sector-specific security standards for critical infrastructure, can support government-led efforts by introducing adaptable and enforceable cybersecurity measures.
Academia and think tanks also play a role by supporting capacity-building programs and offering research and policy insights that help shape decision-making. They can help assess the success of policy measures, including progress in norms operationalisation, and can function as informal intermediaries between governments seeking to communicate issues indirectly.
For ASEAN’s cyber norms to take root, multistakeholder engagement must be institutionalised through regular dialogues that include government and non-government actors. ASEAN has long used these mechanisms to navigate complex security challenges. Applying them to cyber governance will ensure that all member states, regardless of their cyber capabilities, have a say in shaping the region’s approach to cybersecurity.
Beyond dialogues, ASEAN needs a regional model of cyber norms maturity to measure member states' progress in implementing UN cyber norms. Such a model would consider factors such as cybersecurity infrastructure, legal frameworks and policy development. A structured roadmap would enable ASEAN states to move from basic compliance to advanced implementation, creating a stronger, more cohesive approach to cybersecurity.
Engaging local stakeholders is just as important. Cyber norms shouldn’t just be the domain of policymakers; they must resonate with businesses, academics and local communities. Bringing small and medium-sized enterprises, universities and civil society groups into the conversation ensures that cyber norms are implemented in ways that are practical, relevant and responsive to local challenges. Regular feedback loops will help refine these norms over time, keeping them relevant and adaptive.
In addition, discussions on cyber norms must break out of traditional security silos. Cybersecurity challenges intersect with issues such as environmental protection, trade, human rights and even cultural heritage. ASEAN should take a broader, interdisciplinary approach and incorporate insights from diverse fields to craft comprehensive solutions. For example, protecting critical infrastructure, such as submarine cables, shows that cyber resilience is interconnected with economic and environmental stability.
As a long-standing ASEAN partner, Australia has a key role to play. Recognising that cyber threats do not respect borders, Australia has been a strong advocate for regional cybersecurity cooperation in Southeast Asia. Australia can offer technical expertise, capacity-building programs and legal assistance to help ASEAN member states bridge cyber capability gaps and build a resilient digital ecosystem.
ASEAN’s adoption of the cyber norms checklist is a promising step, but real progress will depend on sustained implementation, capacity-building and advocacy. Multistakeholder collaboration, including between ASEAN and Australia, will ensure these norms move from paper to practice. Through inclusive engagement and cooperative action, the region can take decisive steps toward a secure, resilient and rules-based Indo-Pacific cyber landscape.