Tag Archive for: Cyber Norms & Confidence Building

The UN norms of responsible state behaviour in cyberspace

Guidance on implementation for Member States of ASEAN

Foreword

Global digital growth is continuing to fundamentally transform the lives of people, businesses and institutions, bringing people out of poverty, increasing wider prosperity, welfare and enabling new ways for governments and citizens to engage with each other. It is also creating a more connected world and supporting globalisation with greater access to free markets, democratic systems, prosperity and innovation.

But as we become more reliant on cyberspace, malicious cyber activity has grown in intensity, complexity and severity over recent years, with rising incidents of cybercrime and hostile states targeting critical national infrastructure, democratic institutions, business and media. There is too much at risk to allow cyberspace to become a lawless world and we need to continue to work together to identify the rules of the road in how international law applies to state behaviour in cyberspace just as it does to activities in other domains.

The 11 norms, as part of the UN framework of responsible state behaviour in cyberspace, is a way to help develop those rules of the road and the UK, as part of our outreach, is committed to supporting partners across all continents be better able to both implement the norms but also be better empowered to join in the international debate in the UN.

This ASPI programme has provided an insight into meaningful measures being put in place across ASEAN to deliver the norms, showcasing the region as trailblazing good practice and policies. Sharing and communicating these is in itself a confidence building measure and the examples shared in this report will have an impact across the global debate.

The UK, as a responsible democratic cyber power is proud to have supported this report and we look forward to future activity in the ASEAN region and globally to help shape the future frontiers of an open and stable international order in cyberspace.

– Will Middleton, Foreign, Commonwealth and Development Office, UK

Advances in cyber and critical technology underpin our future prosperity but they also have the potential to harm national and economic security interests and undermine democratic values and principles. The countries that can harness the current wave of innovation while mitigating its risks will gain significant economic, political and security advantages and will be at the forefront of 21st century leadership.

As states increasingly exert power and influence in cyberspace, it is important that there are clear rules in place. In other words, cyberspace is not the Wild West, all countries have agreed that existing international law applies in cyberspace and all countries have endorsed UN norms of responsible state behaviour.

The Plan of Action to Implement the ASEAN Australia Strategic Partnership 2020–2024 details our joint commitment to an open, secure, stable, accessible and peaceful ICT environment. Australia will continue to work closely with our ASEAN partners to deepen understanding and implementation of longstanding agreements of international law and norms in cyberspace.

This report, produced by APSI in partnership with Australia’s Cyber and Critical Technology Cooperation Program and the UK Foreign, Commonwealth and Development Office, is the result of a multi-year cyber-capacity building program focused on supporting the effective implementation of UN norms throughout ASEAN.

These 11 norms lay the groundwork for collective expectations for state behaviour in cyberspace. They are the bedrock on which regional and bilateral agreements around state behaviour in cyberspace are built and create a mutually reinforcing set of agreements and expectations.

Australia is grateful for ASPI’s tireless work on this important cyber-capacity building project helping to kickstart the process of understand and actioning the norms and behaviours which are central to an open, free, safe and secure cyberspace.

– Dr Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology, Australia

Introduction

This document is the result of a multi-year cyber capacity-building program by ASPI in partnership with the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade (Cyber and Critical Technology Cooperation Program). Through the project, the partners sought to support member states of the Association of Southeast Asian Nations (ASEAN) with the implementation of the United Nations (UN) norms of responsible state behaviour in cyberspace. The content of this publication is primarily based on experiences, inputs and outputs from activities run under this program.

What are norms?

Norms in international affairs are generally defined as ‘a collective expectation for the proper behaviour of actors with a given identity’.

Norms are norms for the following reasons:

  • They are widely shared and agreed among a large group of states; norms exist only because we all believe they exist and apply.
  • They exert a moral attractiveness for states to conform to norms; states prefer to be seen to endorse, follow and promote norms, and to be responsible members of the international community.
  • They assign specific duties and obligations, albeit non-legal, for specific actors; most norms in cyberspace are regulative in character at the national level, as they recommend that states prescribe, prohibit or permit certain activities.
  • They are dynamic; they develop as expectations and opinions in society about what’s responsible and acceptable change over time.
  • People, organisations and states will—from time to time—contest or violate norms; this doesn’t mean that a norm does not exist as long as the norm remains accepted by a large and influential enough community, and the violator is held to account.

Source: Based on Martha Finnemore, Cybersecurity and the concept of norms, Carnegie Endowment for International Peace, 30 November 2017, pp. 1–2.

The UN norms were first agreed by a UN group of governmental experts in 2015. The group’s report was subsequently endorsed by consensus at the UN General Assembly in 2015 through resolution 70/237. It called on all member states ‘to be guided in their use of ICTs’ by the 2015 report. The focus on the operationalisation and implementation of the UN norms was also front and centre in the 2019–2021 round of UN First Committee negotiations. The report of the OEWG recommended that states ‘further support the implementation and development of norms’. The 2021 UNGGE report offers an additional layer of understanding to help governments with their implementation.

In 2018, the ASEAN leaders expressed a commitment to operationalise the UN norms as a core element in ASEAN’s approach to promoting regional stability in cyberspace. That same year, the ASEAN ministers responsible for cybersecurity subscribed in principle to the norms. At the 2019 ASEAN Ministerial Conference on Cybersecurity, they agreed to establish a working committee to develop a framework for implementation.

Participants reaffirmed the importance of a rules-based cyberspace as an enabler of economic progress and betterment of living standards,and agreed in-principle that international law, voluntary and non-binding norms of State behaviour, and practical confidence building measures are essential for stability and predictability in cyberspace.

– Chairman’s statement of the third ASEAN Ministerial Conference on Cybersecurity, 2018.

In compiling this document, ASPI intends to contribute to the ongoing UN and ASEAN working groups, and offer participants region-specific perspectives based on real and observed examples of good practice. The information was gathered through various regional workshops and training activities that took place between 2019 and 2021, and supplemented with open-source research.

This document consists of two main parts:

  1. An explanation of the norms implementation process.
  2. Practical guidance on implementation with examples from the ASEAN region.

Each government is responsible for its own pathway to implementation and for informing other states of its efforts. Expectations of national and regional implementation will alter as states start to focus on local implementation and as understanding of the norms’ meaning grows.

This document should help kickstart that process of understanding and actioning. It should be considered a living document that supports a gradually maturing regional approach.

This document will help policymakers and state officials answer questions such as:

  • What examples can governments consider to demonstrate their efforts in implementing the UN norms?
  • How can a state demonstrate that it is implementing and following the UN norms of responsible state behaviour in cyberspace?
  • Where can a state find advice, assistance and support to advance further implementation efforts?

PART A – THE IMPLEMENTATION PROCESS EXPLAINED

Part A: the implementation process explained

In this first part of the document, the process for implementation of the UN cyber norms is explained. It starts with a clarification of the concept of international norms, how the cyber norms work and what practical steps make up an implementation effort. Examples of mechanisms and tools to demonstrate implementation efforts are also provided. At the end, we elaborate on the reasons why states would want to make an effort to implement the UN norms of responsible state behaviour in cyberspace.

Full text of the UN cyber norms

  1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
  2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
  3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
  4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
  5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
  6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
  7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
  8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
  9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
  10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICTdependent infrastructure;
  11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

What are the UN norms of responsible state behaviour in cyberspace?

The UN norms of responsible state behaviour in cyberspace (Figure 1) are 11 voluntary and non-binding rules that describe what states should and should not be doing in cyberspace.

Figure 1: The UN norms of responsible state behaviour in cyberspace

The content of the 11 norms reflects the expectations that the broader international community has of each state and regional organisation.1 They express a common opinion of what is considered to be responsible behaviour by states. Naturally, this collective opinion of what is responsible and what is irresponsible behaviour develops over time as understanding of cybersecurity deepens, incidents occur, and more governments contribute to the process.

The purposes of the norms as reflected in UNGA Resolution 70/237 are to reduce risks to international peace and security, and to contribute to conflict prevention.2 They have been crafted to deal with state-to-state actions that could potentially carry the highest risks to international peace and security and the welfare of citizens.

Norms in international affairs are political agreements. They do not infringe on a state’s sovereignty or impose legal obligations on states.3 In fact, the norms provide a common basis for a state to design strategic direction, develop capabilities and execute actions in a responsible manner.

The UN norms process

International efforts to establish norms of responsible state behaviour in cyberspace concentrate around the work of two groups: the UNGGE and the OEWG.

The first UN group of governmental experts convened between 2004 and 2005, and a sixth round of negotiations concluded in 2021. Four rounds concluded with consensus reports, in 2010, 2013, 2015 and 2021. The OEWG was first established in 2019, and a second round has commenced in 2021 for a period of five years.

The UNGGE and OEWG are predominantly intergovernmental negotiation processes with—at times—opportunities for consultations with non-government organisations and civil society. Those consultations have, however, a non-official character.

The UN cyber groups

UN Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security

2004-05 ֍ 2009-10 ֍ 2012-2013 ֍ 2014-2015 ֍ 2016-17

UN Group of Governmental Experts (UNGGE) on Advancing responsible state behaviour in cyberspace in the context of international security

2019-21

UN Open-ended working group (UN OEWG) on developments in the field of information and telecommunications in the context of international security

2019-21 ֍ 2021-25

Member states of ASEAN have been participating in all the meetings of the UNGGE and the OEWG that have convened since 2004. Figure 5 shows ASEAN member states’ participation in the UNGGE and OEWG since 2004. Stars indicate a country’s membership of the UNGGE, and its active participation in the OEWG as determined by written submissions or oral statements.

Figure 5: ASEAN member states’ participation in UN norms processes 2004-2021.

Notes: * Although Brunei has not participated in the UNGGE or the OEWG, it did offer a national views document in 2017; it was the first ASEAN member state to do so. # Although Vietnam did not offer written submissions or made any statements, representatives formally attended OEWG meetings in New York.

In parallel to the UN-facilitated intergovernmental negotiation processes, various multistakeholder and other government-led initiatives have formed too. Examples include:

  • Cyber Tech Accord: a commitment of 150+ companies to work together and follow a set of principles that seeks to protect and empower users and customers
  • Paris Call for Trust and Security in Cyberspace: a multistakeholder commitment to work together to reduce risks to the stability of cyberspace and to build up confidence, capacity and trust
  • Agreement on Cooperation in the Field of ICTs: a proposal by the Shanghai Cooperation Organisation’s six member countries for an international code of conduct
  • World Wide Web Foundation Contract for the Web: an internet community-led initiative to advance principles of accessibility, affordability, availability and rights-based principles of respect for human rights and privacy for all in the operations of the internet.

What do norms do?

Norms typically codify existing state practice. The UN norms, as introduced in UNGA Resolution 70/237, set the standards of what the international community considers responsible on the basis of observed behaviour by state actors in the past and currently. With these agreed norms, activities and intentions of states can be subjected to assessments. States can be complimented on their response to an incident, or national practices can be heralded as global good practice. Also, states can be reprimanded if they haven’t done enough to prevent an incident, or if they have used cyber capabilities in an irresponsible manner.

In practice, governments will use international norms, such the UN norms of responsible state behaviour in cyberspace, in three ways:

  1. To serve as a point of reference to reassure other states of their good intentions and to demonstrate that they are constructive members of the international community.
  2. To serve as a point of reference to guide national cybersecurity policy and national cybersecurity investments.
  3. To serve as a point of reference to hold other actors responsible for behaviour that is not in line with the UN norms for responsible state behaviour.

Governments that embrace the UN norms and can report on their efforts contribute to predictability, trust and confidence in cyberspace.

How do norms work?

The implementation of internationally agreed political agreements is always challenging. As they have been crafted through an intergovernmental negotiation process, their language and terminology can be ambiguous. For that reason and in the absence of an overall blueprint, it is important that states find their own way and form their own view and approach to embracing the UN’s normative framework.

Figure 2: The four components that make up the UN framework of responsible state behaviour in cyberspace.

The 11 norms should be seen in their entirety and not as a ‘pick-and-choose’ menu. It is important that governments review their efforts in a comprehensive manner covering aspects that touch on issues of national (cyber)security, security of ICTs as well as on constructive inter-state relations.

Furthermore, governments need to keep in mind that the 11 norms are part of a broader framework that also includes the recognition that international law applies to state conduct in cyberspace, a set of confidence-building measures and a commitment to coordinated capacity building.4 Together, those four components make up the UN framework of responsible state behaviour in cyberspace (Figure 2).

In general, the more states show commitment to the norms and actively engage in their implementation, the more robust the norms become and the more compelling the call for compliance becomes.

What does the implementation of international norms involve?

States can demonstrate their implementation of international norms of behaviour in various ways (see figure 3). Typically, implementation occurs at three different levels: at the level of political endorsement, national laws and policies, and actions on the ground (Figure 3).

  1. First, political endorsement can be demonstrated, for example, through voting in favour of relevant resolutions at the UN General Assembly, by subscribing to ASEAN leaders’ statements and by (prime) ministerial statements.
  2. Second, states can integrate or internalise norms (explicitly or implicitly) in national legal frameworks, strategies and national policies.
  3. Third, a state can demonstrate implementation by referring to its government practices in the form of its institutional capabilities, doctrine and procedures, and actions. Those practices can offer de facto evidence of a state’s effort to follow norms of responsible behaviour, as they demonstrate an ability and willingness to act.

Implementation of international norms of responsible state behaviour

Figure 3: A framework for the implementation of norms.
Source: The author.

Responsibility for the implementation of the UN norms rests with governments. In practice, however, meaningful implementation will rely on individual governments’ ability and willingness to consult and collaborate with industry, civil society organisations, the internet technical community and academia, and on governments’ ability to ensure a whole-of-government approach.

Meaningful implementation requires the involvement of multiple stakeholders and a whole-of-government approach.

For the purpose of including views, expertise and capabilities of non-government stakeholders, mechanisms such as a national action plan or a national road map are proven methods that help build a national or whole-of-economy approach to cybersecurity.

A National Action Plan is an effective method to form an integrated approach to implementation.

What’s a trajectory for the implementation of norms?

Building a national approach to cybersecurity let alone the implementation of the UN norms is neither straightforward nor instant. Typically, stakeholders go through a step-by-step process of gradually increasing their understanding, maturity and comfort with the topic (see figure 4).

  1. A first step is to build awareness across the government of its international responsibilities. This could be achieved through a dedicated training program or awareness campaign on the UN norms.
  2. This should lay the foundation for a cross-governmental recognition that the government is committed to the UN’s normative approach and is willing to be guided by it in its national and international cybersecurity activities.
  3. What follows could be an assessment of where the country stands in its implementation efforts. Such a baseline assessment could be done by a third party or through a whole-of-government mapping process.

    Figure 4: A step-by-step process towards implementation.
  4. The outcome of the baseline assessment will inform the government of its strengths and areas for improvement.
  5. This could then lead to domestic investments in particular areas of cybersecurity, to requesting assistance from the global cyber capacity-building community, or to offers of expertise to others.
  6. At the end of these steps, one can presume a state to be implementing the UN norms commensurate with its own means and capabilities.

The implementation of norms is a dynamic process that evolves as a country’s maturity in cybersecurity grows over time. At the same time, it’s unlikely that any state will ever reach a state of ‘full implementation’, just as no state will ever be 100% cybersecure.

How can governments demonstrate implementation?

For the purpose of the UN norms (to reduce risks to international peace and security, and to contribute to conflict prevention), it is critical that states demonstrate what they’re doing and what they intend to do. Therefore, documenting and reporting are critical in implementation.

There are several ways for states to make their views, achievements and known capacity shortfalls known.

1. Reporting through the UN Secretary-General

On regular occasions, the UN Secretary-General invites member states to share their views and assessments (see figure 6). Governments can share their ‘general appreciation of the issues of information security; efforts taken at the national level to strengthen information security and promote international cooperation in this field; the content of concepts such as the application of international law; and possible measures that could be taken by the international community to strengthen information security at the global level’.

Figure 6: UN member states’ views and assessments

2. Submissions through UN working groups

As part of the ongoing OEWG process, member states are encouraged to provide written submissions or statements to the working group. The statements are shared by the UN Secretariat to other member states, the chair(s) and non-government stakeholders. States are also encouraged to participate in a UN-facilitated survey of their national efforts and experiences.

3. ASEAN Regional Forum

The ARF’s semi-annual Inter-Sessional Meeting on ICT Security offers participants an opportunity to exchange their views on the regional and global ICT landscape and their efforts and initiatives. For the ARF’s annual security outlook, member countries are asked to submit a contribution that includes a section for ‘cyber/ICT security’.

4. Recognition by third party/ies

A state can engage third-party organisations to perform an external assessment and prepare a report. This could be done through a capacity-building relationship, such as ASPI’s national norms implementation reports (see figure 7). ASEAN member states can also make use of their academic and think-tank organisations such as those represented in ASEAN–ISIS and the Council for Security Cooperation in the Asia Pacific (CSCAP).

Figure 7: ASPI national norms implementation reports

Why would states make an effort to implement the UN cyber norms?

There are a few reasons why states would make the effort to implement international norms, such as the UN norms of responsible state behaviour in cyberspace.

  1. Cyber resilience. By following the recommendations from the norms and through acts of implementation, States are effectively strengthening their national cybersecurity maturity. Therefore, implementation of the norms is directly contributing to a nation’s ability to protect against malicious cyber activity, reduce exposure to risks and vulnerabilities in ICTs, and respond to malicious ICT activity.
  2. International credibility. Most states want to be, and be seen as, responsible members of the international community. Showing demonstrable support for norms of responsible behaviour adds to a country’s international and regional credibility. Domestically, the implementation of international norms helps governments provide direction to their national cybersecurity policy and developments.
  3. Contribute to norm-setting. The effective demonstration of implementation allows states to shape the common opinion of what is and what is not considered responsible behaviour of states and ensure that international expectations align with the local and regional context.
  4. Reassurance, accountability and transparency. In a situation in which a large enough group of states can show demonstrable implementation of the UN norms, each within its own means and capabilities and within its national and regional context, a global environment is created in which states can be reassured of each other’s willingness and ability to prevent unnecessary tensions and unintended conflict. Altogether, this adds to the accountability and transparency of state activities in cyberspace.

PART B – PRACTICAL GUIDANCE ON IMPLEMENTATION, WITH EXAMPLES FROM THE ASEAN REGION

To read part B, please download the full report here.

ASPI’s Bart Hogeveen provides a brief overview of the project.

Acknowledgements

The author would like to acknowledge contributions by officials and participants working with the governments of Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, the Philippines, Singapore, Thailand and Vietnam.

Our particular appreciation goes to:

  • the Department of Foreign Affairs, Department of ICT, Office of the President and the National Security Council, the Philippines
  • the Ministry of Foreign Affairs and Badan Siber dan Sandi Negara, Indonesia
  • the Ministry of Information and Communications, Ministry of Foreign Affairs, and the Diplomatic Academy Vietnam, Vietnam
  • the National Cybersecurity Agency, Ministry of Foreign Affairs, and CyberSecurity Malaysia, Malaysia

In addition, the author is indebted to contributions from Dr Fitriani, Ms Farlina Said, Dr Moonyati Yetid, Mr Eugene Tan, Mr Ben Ang and the Global Forum on Cyber Expertise and support from the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade and their embassies and high commissions in Southeast Asia.

This publication is the output of a project funded by the UK Government and the Australian Government (Cyber and Critical Technology Cooperation Program). More information can be found at https://www.aspi.org.au/cybernorms. The views expressed in this work are not necessarily those of the UK or Australian governments or of the participating governments. The author is responsible for its content, any views expressed or mistakes.

What is ASPI?

The Australian Strategic Policy Institute was formed in 2001 as an independent, non‑partisan think tank. Its core aim is to provide the Australian Government with fresh ideas on Australia’s defence, security and strategic policy choices. ASPI is responsible for informing the public on a range of strategic issues, generating new thinking for government and harnessing strategic thinking internationally.

ASPI International Cyber Policy Centre

ASPI’s International Cyber Policy Centre (ICPC) is a leading voice in global debates on cyber, emerging and critical technologies and issues related to information and foreign interference and focuses on the impacts those issues have on broader strategic policy. The centre has a growing mixture of expertise and skills and teams of researchers who concentrate on policy, technical analysis, information operations and disinformation, critical and emerging technologies, cyber capacity building, satellite analysis, surveillance and China-related issues. The ICPC informs public debate in the Indo-Pacific region and supports public policy development by producing original, empirical, data-driven research. The ICPC enriches regional debates by collaborating with research institutes from around the world and by bringing leading global experts to Australia, including through fellowships. To develop capability in Australia and across the Indo-Pacific region, the ICPC has a capacity-building team that conducts workshops, training programs and large-scale exercises for the public and private sectors.

Important disclaimer

This publication is designed to provide accurate and authoritative information in relation to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering any form of professional or other advice or services. No person should rely on the contents of this publication without first obtaining advice from a qualified professional.

© The Australian Strategic Policy Institute Limited 2022

This publication is subject to copyright. Except as permitted under the Copyright Act 1968, no part of it may in any form or by any means (electronic, mechanical, micro-copying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system or transmitted without prior written permission. Enquiries should be addressed to the publisher. Notwithstanding the above, educational institutions (including schools, independent colleges, universities and TAFEs) are granted permission to make copies of copyrighted works strictly for educational purposes without explicit permission from ASPI and free of charge.

First published February 2022.

Funding support for this publication was provided by the UK and Australian governments.

  1. UN General Assembly, Group of Government Experts on Developments in the field of ICTs in the context of international security, A/70/174, 22 July 2015, paragraph 10. ↩︎
  2. UN General Assembly, Group of Government Experts on Advancing responsible state behaviour in cyberspace in the context of international security, A/76/135, 14 July 2021, paragraph 15; UN General Assembly, Open-ended working group on developments in the field of ICTs in the context of international security, A/75/816, 18 March 2021, paragraph 24. ↩︎
  3. UN General Assembly, Group of Government Experts on Developments in the field of ICTs in the context of international security, A/70/174, 22 July 2015, paragraphs 26-28. ↩︎
  4. It is important to distinguish between ‘norms of responsible state behaviour’ (that is, the UN norms) and what are called ‘norms of international law’. In this document, the term ‘norms’ refers only to the former. ↩︎

ICT for development in the Pacific islands

Information and communication technologies (ICTs) as an invisible driver of socio-economic change have long captured the imagination of politicians, policymakers and aid professionals alike. 

Since the first fibre-optic submarine cable connected Fiji 20 years ago, many reports and studies have been written about the potential that the introduction of ICTs in the South Pacific would bring for reaching targets of poverty reduction and economic growth. 

The internet, mobile devices and e-commerce have already penetrated the Pacific, configured to the political, economic and sociocultural context of the various island nations. 

This report takes a step back and zooms in on one aspect of that digital revolution: e-government. 

E-Government is defined as a set of capabilities and activities that involves the use of ICTs by government to improve intragovernmental processes and to connect with citizens, businesses and industry. 

Fiji was the first island to get linked up to the global network of submarine communications cables in 2000. In 2020, all major islands in the region are connected through one or more domestic and international fibre-optic cables. The region is connected. 

This report finds that the potential of ICTs to enable stronger governance, effective public service delivery and better government services is there. In all countries that are part of this study, critical foundational infrastructure is in place: 

  • Government broadband networks that connect departments, schools and hospitals have been established.
  • Central government data centres have been built, public registries are being digitised, and the introduction of national (digital) identities is currently being considered.
  • All Pacific island states have introduced relevant strategy and policy documents and have reviewed, or are currently reviewing, legislation related to data-sharing, cybersecurity and universal access.
  • All islands have an online presence that is steadily professionalising. Government (information) services are increasingly provided online, along with tourism information, fisheries data, geological data and meteorological forecasts. 

But there’s still a lot to be unlocked. 

Increased internet connectivity, the availability of mobile devices and online services and access to information are creating a greater demand from users to their governments. International donors similarly focus on the delivery of ‘digital aid’, using ICTs to provide international assistance more efficiently and effectively. 

This report asks the following questions: 

  • What capabilities have been established and are in place?
  • What are the current policy issues?
  • What can the international (donor) community do to enhance its support for the digitisation process of the Pacific island governments? 

The report reaches five main conclusions for the implementation of e-government and digital government initiatives, and it concludes with four recommendations for future programming of international support in the area of ICTs and e-government. 

Sydney Recommendations – Practical Futures for Cyber Confidence Building in the ASEAN region

In the lead-up to the ASEAN–Australia Special Summit, ASPI’s International Cyber Policy Centre launched an initiative with partners across the region to develop the Sydney
Recommendations on Practical Futures for Cyber Confidence Building in the ASEAN region.

These recommendations build on the extensive work undertaken by the think-tank community in the region starting in the early 2010s.

Cyber Maturity in the Asia Pacific Region 2017

The Cyber Maturity in the Asia–Pacific Region report is the flagship annual publication of the ASPI International Cyber Policy Centre.

This report assesses the national approach of Asia–Pacific countries to the challenges and opportunities of cyberspace, taking a holistic approach that assesses governance and legislation, law enforcement, military capacity and policy involvement, and business and social engagement in cyber policy and security issues.

The 2017 report is the fourth annual cyber maturity report. It covers 25 countries and includes assessment of Taiwan and Vanuatu for the first time.

The United States continues its leadership of the country rankings and although the transition to the Trump administration caused a pause while cyber policy was reviewed, the US military is recognising the importance of cyber capability and elevating US Cyber Command to a unified combatant command to give it increased independence and broader authorities.

Australia has moved up in our rankings from fourth to equal second on the back of continued investment in governance reform and implementation of the 2016 Cyber Security Strategy. Australia’s first International Cyber Engagement Strategy was released and the 2017 Independent Intelligence review made a number of recommendations that strengthen Australia’s cyber security posture – this includes broadening the Australian Cyber Security Centre’s (ACSC) mandate as a national cyber security authority and clarifying ministerial responsibility for cyber security and the ACSC,.

Japan (equal second with Australia), Singapore, and South Korea round out a very close top five countries. All countries in this leading group have improved their overall cyber maturity although very tight margins have seen some change in rankings: Australian and Japan moving up to equal second and Singapore and South Korea dropping to fourth and fifth.

Taiwan and Vanuatu both made strong initial entries into the Cyber Maturity Report. Taiwan ranked ninth, just behind China, hampered by difficulties with international engagement, while Vanuatu came seventeenth, best of the Pacific islands.

https://www.youtube.com/watch?v=nEszlPxaATMhttps://www.youtube.com/watch?v=nEszlPxaATM

Securing Democracy in the Digital Age

The proliferation of cyberspace and rise of social media have enriched and strengthened the application of democratic governance.

Technological developments have expedited the international flow of information, improved freedom of speech in many areas of the world, and increased the quality of interaction, accountability and service delivery from democratic governments to their citizens. But these benefits must be balanced against a longstanding vulnerability of democracy to manipulation that cyberspace has enhanced in both scope and scale.

The 2016 US presidential election demonstrated the increasingly complex cyber and information environment in which democracies are operating. Using US case study illustrations, this report offers a conceptual framework by which to understand how cybersecurity and information security techniques can be used to compromise a modern-day election.

The report places this case study in its historical context and outlines emerging approaches to this new normal of election interference before identifying associated policy considerations for democracies.

Cyber norms & the Australian private sector

Across the world, there are conflicting ideas about how to manage the dynamic environment of cyberspace. States have the liberty of implementing legislation for the domestic regulation of cyberspace, but disagreements arise over national visions for the management of cyberspace internationally. Many have looked to norms to fill this breach, as their flexibility to adapt to changing technology and are attractive for the management of cyberspace and its broader stakeholder group. For this reason, norms, alongside international law have emerged as the preeminent means to establish what is acceptable behaviour in global cyberspace.

As owners and operators of a large amount of the world’s internet infrastructure and expertise, private sector bodies are some of the best placed organisations to speak authoritatively on the operation of cyberspace, and are therefore critical to the successful implementation of norms. However the private sector has largely been absent from the discussions shaping the creation of these international norms. To gain a deeper understanding of private sector perspectives on cyber norms, ASPI conducted a workshop and survey series with experts from some of Australia’s largest and most influential private sector organisations. Through this discussion and workshop series it was established that key Australian private sector organisations both understand and are interested in the formation of cyber norms. The resulting report documents the key takeaways from this research, highlighting central private sector insights on how cyber norms should be shaped to enable economic prosperity and broader wellbeing of the interconnected online ecosystem.

Cyber maturity in the Asia-Pacific region 2016

The 2016 Cyber Maturity report is the culmination of 12 months’ research by the ASPI International Cyber Policy Centre. The report assesses the approach of 23 regional countries to the challenges and opportunities that cyberspace presents, in terms of their governance structure, legislation, law enforcement, military, business and social engagement with cyber policy and security issues.

The 2016 report includes an assessment of three new countries, Bangladesh, Pakistan and the Solomon Islands. It also features, for the first time, separate data points on fixed line and mobile connectivity to better reflect the growth of mobile-based internet access across the region, its role in facilitating increased connectivity and opening new digital markets.  

Turning to the country rankings, coming in at top of the table for the third year running is the United States. In 2016 the United States continued to further refine its national policy approach to cyber issues, with President Obama’s National Security Action Plan and 30-day Cybersecurity Sprint, and the passing of the Cybersecurity Act. South Korea, Japan, Australia and Singapore round out the top five.

South Korea and Japan have swapped positions in second and third place, and Australia has leapfrogged Singapore into fourth place, recovering after dropping to fifth place in 2015. Australia’s improved position reflects the changes taking place as part of the implementation of the new Australian Cyber Security Strategy.

This includes the appointment of Australia’s first ministerial level cyber position (Minister Assisting the Prime Minister The Hon. Dan Tehan) and a new coordinator within the Department of the Prime Minister and Cabinet for government for cyber issues (Alastair MacGibbon).

Cyber maturity in the Asia-Pacific Region 2015

The second edition of the International Cyber Policy Centre’s annual Cyber Maturity in the Asia Pacific is the culmination of 12 months research and analysis delving into the cyber maturity of 20 countries within our region. It is a usable, quick-reference resource for those in government, business, academia, and the wider cyber community who are looking to make considered, evidence-based cyber policy judgements in the Asia-Pacific. It provides a depth of information and analysis that  builds a deeper understanding of regional countries’ whole of nation approach to cyber policy, crime, and security issues, and identifies potential opportunities for engagement. 

This years’ maturity metric contains five new countries and integrates a stand-alone assessment category on cybercrime enforcement. This new cybercrime category joins continuing assessments of whole-of-government policy and legislative structures, military organisation, international engagement and CERT team maturity in addition to business and digital economic strength and levels of cyber social awareness. This information is distilled into an accessible format, using metrics to provide a snapshot by which government, business, and the public alike can garner an understanding of the cyber profile of regional actors.

Cyber maturity in the Asia-Pacific Region 2014

To make considered, evidence-based cyber policy judgements in the Asia-Pacific there’s a need for better tools to assess the existing ‘cyber maturity’ of nations in the region.

Over the past twelve months the Australian Strategic Policy Institute’s International Cyber Policy Centre has developed a Maturity Metric which provides an assessment of the regional cyber landscape. This measurement encompasses an evaluation of whole-of-government policy and legislative structures, military organisation, business and digital economic strength and levels of cyber social awareness.

This information is distilled into an accessible format, using metrics to provide a snapshot by which government, business, and the public alike can garner an understanding of the cyber profile of regional actors.

Tag Archive for: Cyber Norms & Confidence Building

Status update: Responsible state behaviour in cyberspace

2025 is a pivotal year for international cyber governance. Not only is it the tenth anniversary of the international community’s agreement to a global framework for responsible state behaviour in cyberspace, but it is also the year that the UN Open-Ended Working Group on security of and in the use of information and communications technologies will conclude its mandate. This sets the stage for the establishment of a more permanent mechanism for global cyber discussions.

To discuss these developments and reflect on how states around the world have interpreted and operationalised responsible state behaviour in cyberspace, ASPI’s Gatra Priyandita speaks with two leading cyber experts, Farlina Said from the Institute of Strategic and International Studies in Malaysia, and Louise Marie Hurel, from the Royal United Services Institute in London.