Against the backdrop of the standoff between China and the Philippines in the South China Sea, the second Special Australia-ASEAN Summit offered leaders from Australia and Southeast Asia the opportunity to speak candidly about the implications of strategic competition on national security. Yet, amidst these discussions, an important subject remained under-discussed: cybersecurity.

Australia did sign cybersecurity agreements with the Philippines and Malaysia, focused similarly on improving cyber resilience and bolstering cooperation in the digital economy. But the Melbourne Declaration, released jointly by the leaders after the summit, offers no mention of cybersecurity—beyond that Australia is a co-chairing the ADMM-Plus Expert Working Group on Cybersecurity with Cambodia from 2024-2027. While some states were interested in talking cyber, it is evident that there was little interest at the regional level in covering the issue. This is a missed opportunity to show solidarity and strength at a time when strategic competition is making stability in cyberspace more uncertain.

For over a decade, the cyber ecosystem in Southeast Asia has become increasingly mired in uncertainty, with the region characterised by the rapid growth in the number of militaries developing cyber capabilities, proliferation of cyber mercenaries, and the growing scale and intensity of state-sponsored cyber operations.

Countries—particularly China and North Korea—have employed sophisticated cyber campaigns to compromise computer systems and networks across the region. While around 3.6% of all cyber-espionage operations globally affected Southeast Asian entities in 2014, cases quadrupled by 2020. Cyber operations often accompany geopolitical incidents as in China and the Philippines collisions in the South China Sea when we see increasing spikes of China-sponsored information operation campaigns, cyber-espionage, website defacements, and spoofing.

And not just military and government installations are targeted. Private entities are, too. Energy companies, universities focused on maritime research, and even financial institutions have all been targeted in the past, with many losing valuable, sensitive business information or suffering crippling ransomware or distributed denial of services attacks.

Southeast Asian states have become increasingly conscious of the cyber-attacks in their environment. While there is variation in cyber maturity, the past eight years have seen governments across the region lay the institutional and legal foundations for cyber governance, incident response, and defence. However, the range and complexity of threats emanating from cyberspace will likely worsen, especially as Southeast Asian governments continue to look at digital transformation to bolster economic growth and address economic and social ills.

ASEAN member-states and Australia need to elevate cybersecurity as a central topic of regional discussion. For Australia, supporting a cyber-resilient Southeast Asia is a key goal of its 2023-2030 cybersecurity strategy. Australia’s security and prosperity is closely linked to Southeast Asia. Given mutual aspirations to further bolster digital transactions and improve cooperation in the high-tech sector, Australian innovation and businesses are likely to become even more vulnerable to cyber incidents in the region. A cybersecure Southeast Asia would, thus, also help protect Australia from cyber-enabled attacks, especially since its companies, universities, and general public are becoming bigger targets of economic cyber-espionage operations and information operations campaigns.

Indeed, much has already been done, with the Australian government setting aside millions of dollars to provide cyber capacity-building support to Southeast Asian officials and even students. There are also existing mechanisms for engagement with Southeast Asia in the digital domain. At the regional level, there are the biennial ASEAN-Australia Cyber Policy Dialogues. Australia also maintains unique bilateral cyber engagements with Indonesia, Malaysia, Philippines, Singapore, and Thailand.

Some will argue that these actions speak louder than words but given the clear importance of cyber to the region it should have been a priority topic, with sustained leadership required to ensure existing efforts are further elevated and broadened so that cybersecurity remains a strong pillar of Australia’s engagement with Southeast Asia. In this regard, the announcement of a new ASEAN-Australia Centre in Canberra is a positive sign of a commitment to strengthening the relationship but, over time, will only be effective if it covers not only vital economic matters but also our shared security challenges, notwithstanding the region’s sensitivity to such discussions. Hiding from the reality of the challenges Australia and ASEAN face is not the recipe for long term stability. Furthermore, maintaining the status quo on cyber ultimately risks past efforts to flounder and lose impact.

As part of the process of strengthening the relationship in a meaningful way, Australia must work with ASEAN member-states to ensure that the rule of law exists not only in the kinetic realm but also in the cyber domain. ASEAN stands as the only regional organisation to embrace the UN’s 11 norms of responsible state behaviour in cyberspace. But it’s vital to ensure that the conversation doesn’t end there. There needs to be more collaboration both at the government and the expert level to identify means to operationalise these norms within Australia and ASEAN, and beyond. ASEAN’s Plus mechanism (which includes countries like China, India, Japan, and the US) would present such an opportunity. At the moment, we see experts working with the ASEAN secretariat to identify how to operationalise these norms. But future efforts must involve governments, working in tandem with experts from ASEAN member-states and their dialogue partners, advocating the application of these norms internationally, particularly in forums like the East Asia Summit.

Australia should also attempt to incorporate itself deeper into regional discussions on digital development, such as the ASEAN Digital Ministers’ Meeting (ADGMIN). Australia is one of the few ASEAN dialogue partners that is not a specific dialogue and development partner of the meetings. Not only has Australia’s absence meant that its contributions to cyber capacity-building become awkwardly omitted in joint statements (see an example here), but the participation of the cyber ambassador or the assistant minister of Foreign Affairs (a frequent participant of cyber meetings) would allow Australia to convey just how importantly it takes Southeast Asia’s digital future and cybersecurity.

Furthermore, as more Southeast Asian militaries develop cyber capabilities, it’s also fundamental that Australia and ASEAN kick off discussions over what it means to behave responsibly in cyberspace. Given that Australia is co-chairing the ADMM-Plus expert working group on cyber security from 2024-2027, it is uniquely placed to advocate for responsible ICT use.

Beyond that, involving not just government but also industry, civil society, and the expert community, Australia and ASEAN member states should consider establishing more permanent Track 1.5 dialogues to discuss how international law and norms can best be applied in cyberspace, and how states can best demonstrate that they are responsible actors in cyberspace. Such forums can cover how to operationalise UN norms, but also focus on how they are being applied now and build an evidence base of existing practice.

Existing expert forums on the subject are often ad hoc. Putting in place a more permanent forum that is perhaps attached to regional meetings on cyber, like the ADGMIN, could ensure clear engagement between government and important stakeholders. Fundamentally, from the government side, such dialogues should involve officials from not only the Department of Foreign Affairs and Trade and their Southeast Asian equivalents but also counterparts responsible for cyber defence and incident response.

Australia should intensify its bilateral cyber engagements as a means of supporting a cyber-resilient Southeast Asia. Working with some of the more cyber-mature countries of ASEAN (such as Singapore and Malaysia), as well as other countries in the region (like Japan and South Korea), Australia could pool resources for cyber capacity-building and establish a platform for cyber intelligence sharing. When working with development partners, it’s fundamental that there’s clear coordination to prevent repeated and wasteful provision of cyber capacity-building support.

A place to start could be the recently signed cyber resilience agreement with the Philippines, which faces considerable challenges from state-sponsored malign forces online. Helping the Philippines improve cybersecurity standards for its government and military, but also for private entities would ensure the country remains resilient in the face of cyber-attacks, especially state-sponsored operations.

In ensuring a cyber-resilient Southeast Asia and Australia, politicians and policymakers must pay more attention to challenges from the cyber domain. At a time of deepening strategic competition, states are more likely to use all instruments of national power—including cyber—to secure key economic and strategic goals. This calls for more collaboration between the Indo-Pacific’s regional and middle powers to work towards a more secure cyberspace.

Security weaknesses and cyber ‘doors left open’, employees turned rogue, and hackers demanding ransom, all demonstrate dramatically the need for strong critical infrastructure risk management.

Examples of how vulnerabilities will be exploited were highlighted in August when ASPI and Providence Consulting Group hosted a workshop with around 30 senior executives from nine critical infrastructure sectors. The workshop was also attended by senior executive officers from the Departments of Home Affairs, Infrastructure, Transport, Regional Development, Communication and the Arts, and the Australian Security Intelligence Organisation and Australian Institute of Company Directors.

It covered the Security of Critical Infrastructure Act 2018 (SOCI Act), obligations of critical infrastructure boards and strategies for developing cost-effective critical infrastructure risk management programs (CIRMPs) in the current threat environment. CIRMPs provide assurance to regulators that the entity is taking steps to manage material risks posed by hazards to the critical infrastructure asset. The risks fall across five key hazard vectors: cyber and information, personnel, physical, natural and supply chain.

The workshop’s timing marked the initiation of the countdown towards the September 2024 deadline for owners and operators of critical infrastructure assets in Australia to report to the Department of Home Affairs or other Commonwealth regulator on the effectiveness and maturity of their risk mitigations as set out in their CIRMP. The annual CIRMP report must be approved by the entity’s board, council, or other governing body.

What does the SOCI Act mean for national security? The threats not only endanger critical infrastructure but also have far-reaching implications for national security. They can compromise the integrity, availability, and continuity of essential services, potentially impacting the safety and wellbeing of the nation. They also present significant risks to Australia’s ability to defend itself.

Some entities have well-established security programs and experience in managing risks while others, including newly classified SOCI entities, may be new to this formal process. However, all entities are dedicated to resilience and business continuity. The key question isn’t just about the cost of achieving CIRMP compliance, which can be significant for some, but rather the potential consequences of not being adequately prepared or compliant.

Examples illustrate challenges encountered by SOCI entities, some of which may have had well-established risk management, security, or business continuity strategies in operation that did not protect them.

In September 2022, an unknown threat source breached Optus’ security measures by taking advantage of an Application Programming Interface (API) that had no security measures surrounding it. Nor did it have access control policies. This situation provided an obstacle-free entryway into the company’s systems. To prevent that happening, Optus chould have routinely assessed its systems and addressed critical vulnerabilities.

Stolen data, reportedly involving up to 11 million individuals, included customer names, email addresses, postal addresses, phone numbers, dates of birth, and for a portion of the affected customers, identification numbers including passport numbers, driver’s licence numbers and Medicare numbers.

Whilst Optus did not pay the $1.5 million ransom, the breach resulted in its parent company, Singtel, setting aside $140 million for customer remediation. Further, Optus faced significant costs (reportedly up to $2 billion) in investigating the incident, upgrading security systems, legal fees and compensation. The harm to the company’s reputation is incalculable.

The first example demonstrates the impact on supply lines. In 2021, a cyberattack on the 8,850km United States East Coast Colonial Pipeline, which carries gasoline and jet fuel, forced its closure for almost a week. The shutdown reduced the short-term availability of fuel and forced up prices. With no ways to distribute the fuel, refiners had to reduce production. That triggered consumer ‘panic buying’ which exacerbated shortages and drove up costs further.

Within two hours of the attack, over 100GB of data was stolen. Colonial paid the hackers nearly $5 million in ransom for a decryption key. That reportedly pushed up Bitcoin ransom payments by 311% compared to 2019 to around $350 million.

The attack underscored the importance of keeping up with evolving malware and fortifying the last line of defence. Inadequate protection and neglect of system updates can lead to compromises. It also emphasizes the need to safeguard not only critical fuel assets but also related services.

The need for thorough and ongoing vetting of personnel was illustrated by the situation Connected Solutions Group (CSG), a company with significant NT Government contracts, found itself in in 2008 when  former employee David Anthony McIntosh, a computer engineer, disrupted government services at Berrimah Prison, Royal Darwin Hospital, and the Supreme Court. McIntosh also deleted over 10,000 public servants’ records using a former coworker’s laptop and password. This disruption lasted five days, causing chaos at courts and hospitals and leading to prisoners at Berrimah jail being discharged without their belongings. Restoring the system required 130 experts and took five days and $1.25 million.

McIntosh, who received a three-year jail sentence, claimed to have a ‘high-level clearance’ for maintaining the government’s entire IT system. This case illustrates the importance of initial and ongoing suitability assessments and staying vigilant about potential threats from current and former employees with access to critical data. Limited availability of ICT personnel in certain settings raises risks associated with rehiring convicted cyber felons.

The intervention of natural hazards was demonstrated during the 2020 NSW south coast bushfires when the region’s main broadcast transmitter used by the ABC melted, causing widespread devastation and communication issues. Repairing the equipment took months and cost between $1.5 million and $2 million. The ABC’s managing director emphasized the importance of AM radio technology and the need for backup generators during disasters. Analysts have been adamant that it is crucial that future infrastructure is as resilient as possible as broadcast towers remain the weakest link during emergency broadcasts.

These case studies shed light on the challenges faced by SOCI entities, even those with established risk management, security, or business continuity strategies in place. They highlight that no entity is immune to vulnerability, emphasising the importance of vigilance and preparedness in safeguarding critical infrastructure and, by extension, national security. The continual growth and enhancement of enterprise security maturity and achieving compliance with the SOCI Act will be a critical step in ensuring national security.