Tag Archive for: cyber security

Cyber maturity 2016: digital growth in our neighbourhood

The Asia–Pacific’s rapid online growth has contributed to its rise as the world’s new economic centre of gravity. With the majority of the world’s internet users now living in the Asia–Pacific, the region abounds with both digital opportunities and vulnerabilities. Asian governments are increasingly looking to cyberspace to facilitate better governance and critical national infrastructure delivery, and citizens are using it to connect with each other and new digital business opportunities. As individuals, businesses and governments in the Asia–Pacific become more reliant on the benefits of cyberspace, cybersecurity will become an essential ingredient for regional and international stability. As such, developing behavioural norms and confidence building measures for cyberspace, while also improving awareness of the regional threat landscape, must be a high priority for all parties concerned.

ASPI’s third annual cyber maturity report emphasises that countries in the Asia–Pacific are adopting markedly different approaches to cyber security, stability, crime and digital growth, and with varying levels of maturity in their comprehension of risks and opportunities.

The countries of the Asia–Pacific are unevenly developed, with many within their populations remaining illiterate and poor. There’s significant scope for new technologies to advance the rate at which the least-developed countries attain significant goals in the growth of their economy, the education of their people, and their ability to earn. However, many regional governments view the unimpeded flow of information across borders as a threat to their power and seek to constrain it in order to ensure a monopoly on information. Beyond the detrimental effect that has on freedom of expression, those regulations are also inhibiting the emergence of local digital economies, which harms the ability of many to work their way out of poverty.

For some countries, legacy fixed-line telecommunications infrastructure doesn’t have the footprint required to enable widespread internet access; however, mobile connectivity brings cyberspace to more people each year. For example, in Cambodia, only 0.5% of people have a fixed broadband connection while 42% have a mobile broadband connection. The emergence of cheap handsets and new apps in local languages is assisting otherwise disconnected individuals to engage with cyberspace: a small step towards closing the digital divide. As access to cyberspace grows, first-time users will be exposed to the potential dangers that cyberspace poses to the uninformed or uneducated, and more work will be required to support the security of new internet users.

Unfortunately, the cost of connectivity remains prohibitive for many in the region and programs to enable cheaper access, such as Facebook’s Free Basics program, have been praised by some but opposed by others for violating principles of net neutrality. For example, the Solomon Islands’ size and remote location make a submarine cable connection uneconomical for commercial operators. In its absence, expensive satellite connections remain the only option. In other countries, such as Bangladesh, substandard infrastructure is inhibiting digital growth, with unstable power supply leaving connections unreliable.

At the other end of the spectrum, the region offers up some of the world’s most cyber-savvy and network-dependent countries. Japan and South Korea are among the most connected in the world, with over 100 mobile broadband connections per 100 people in both countries. The ubiquity of cyberspace and its importance to their citizens, government and economy, and the vulnerability of their geo-strategic situation means that those countries lead the region in the importance placed on attaining cybersecurity. Similarly, Singapore sits near the top of the rank table. The island nation’s mature cyber policies are informed not only by its understanding of online risks and opportunities, but also by a strategic culture of economic reliance on technology and strong defence posture that highlights the strategic benefits of cyberspace.

Cyberspace, with the potential it offers to enhance development and open new opportunities, will be a key enabler of a secure, stable and prosperous Asia–Pacific. Preserving regional cybersecurity will require coordinated efforts by capable like-minded countries to support emerging norms of behaviour and confidence building mechanisms for cyberspace. Capacity building in the form of providing policy, legislative and technical support to rapidly developing countries is also an essential endeavour for international partners. Creating a region that engages in cyberspace in a mature way is a daunting task, but one that’s increasingly critical to global security and must be led by the major economies of the region.

Cyber wrap

Following the high profile infiltration of the DNC’s email servers earlier this year, the FBI’s now working to allay concerns that vote counting machines could be next on the hit-list of would-be saboteurs. FBI Director James Comey was quick to note that a breach of these systems is pretty tough, pointing out the disjointed and ‘clunky as heck’ nature of the voting systems as the main barrier to malicious actors. ‘A lot of people have found that challenging over the years, but the beauty of that is it’s not exactly a swift part of the internet of things, and so it is hard for an actor to reach our voting process.’

Last week the White House announced that retired Air Force Brigadier General Gregory J. Touhill will become the US’s first federal Chief Information Security Officer (CISO). The creation of the post was foreshadowed by President Obama more than eight months ago via the Cybersecurity National Action Plan (CNAP). Touhill will make the shift from the Department of Homeland Security, where he currently serves as the deputy assistant secretary for cybersecurity and communications. According to the White House, the federal CISO will be responsible for ‘driving cybersecurity policy, planning, and implementation across the Federal Government’. In essence his role will largely be concerned with protecting government networks and the US’s critical infrastructure.

On the home front, Australia’s new Minister Assisting the PM for Cyber Security Dan Tehan has weighed in on the ‘information as a weapon’ discussion kicked off by the DNC hack. Tehan called the incident a ‘wake-up call’ and stressed that Australia must have ‘the proper protections in place’ to prevent similar incidents of what he terms ‘cyber influencing’ occurring here.

Singapore’s Cyber Security Agency (CSA) head David Koh has given a one-on-one interview with GovInsider, outlining the city-state’s approach to managing cyber threats, innovation, public outreach and promoting security by design. Koh, who’s led the CSA since it was formally established in April 2015, is currently overseeing the creation of a ‘competency skills framework’ developed with the private sector. Once complete, the framework should lay out specific career pathways available to IT experts in both technical and management streams. Koh also highlighted the importance of trust and assurance of data privacy to Singapore’s ‘Smart Nation’ vision, arguing that without a foundation of confidence there will be a reluctance amongst the population to share the data that gives the ambitious program its life.

Japan’s Financial Services Agency is set to host the country’s first cyber security exercise exclusively for financial institutions. The drill—scheduled to take place in October—will see 80 financial institutions come together to test their wares against fictitious malicious cyber actors. The exercise came about following the increase in online attacks targeting financial institutions in the country. Participants will include local and major regional banks, with the drill seeking to expand and build upon numerous existing info-sharing and collaborative agreements between several Japanese financial institutions.

Japan’s NEC Corporation has won a contract to roll-out a new 5,300 kilometre submarine cable in South East Asia. The Indonesia Global Gateway Cable System will connect the islands of Sumatra, Batam, Jawa, Bali, Kalimantan and Sulawesi with Singapore. It’ll also link Indonesia with two other major international cables, boosting connectivity, resilience and internet speeds across the country.

Cyber wrap

Following costly compromises in Bangladesh, Vietnam and Ecuador, Gottfried Leibbrandt, CEO of international bank settlement company Swift has told a conference in Brussels that cyber threats are his main source of anxiety. In his speech Leibbrandt outlined the organisation’s response to the cyber security breaches that have seen millions of dollars stolen. According to Leibbrandt, Swift plans to harden its security requirements, require certification for third party providers, assist members to identify suspicious behaviour, and develop security audit frameworks to ensure new security controls are properly implemented.

Swift has also criticised some members for being slow to report cyber security incidents affecting the network. Internationally, data breach notification requirements are inconsistent and there is disagreement about whether mandatory breach reporting has value. In The Wall Street Journal, Denise Zheng from CSIS and Andrea Castillo from George Mason University have discussed the case for and against mandatory data breach notifications. Zheng says that requiring companies to disclose breaches improves collective cyber security responses, but Castillo believes that regulating breach disclosure could weaken the ability of companies to properly investigate and respond to cyber threats. In Australia, the Privacy Amendment (Notifications of Serious Data Breaches) Bill is expected to be introduced into Parliament later this year. The Bill includes mandatory data breach disclosures and notifications for customers whose data is lost in cyber security incidents.

James Clapper, the US Director of National Intelligence, told Congress back in 2015 that Russia had surpassed China as the US’s principal cyber threat, even though Russian hackers have been notoriously hard to detect. This week Switzerland’s CERT.ch has revealed that one of the country’s top defence, aerospace and technology firms, Ruag, had been compromised for at least two years by an APT, most likely linked to the Russian Turla APT. CERT.ch was apparently monitoring the breach for some time to gather evidence about the APT’s tactics and techniques, but this was cut short after a media leak earlier this month. CERT.ch characterised the actor responsible as extremely patient and deliberate, moving carefully through the company’s network and identifying individuals so that they could specifically target only those with valuable information. System logs revealed at least five occasions last year when significant amounts of Ruag’s data were exfiltrated using proxy servers.

Not to be outdone, a Chinese APT dubbed ‘Ke3chang’ by FireEye has reappeared two and a half years after it was first detected targeting European foreign ministries just before the G20 summit. Palo Alto’s Unit42 has found evidence that Ke3chang has reengineered a remote access tool into a new tool called TidePool in order to target 30 Indian embassies around the world. Ke3chang distributes TidePool by spoofing emails from other embassy employees to induce their targets to open infected attachments. The vulnerability used (CVE-2015-2545) has also recently been used by another hacker group against anti-China protesters in Hong Kong.

Moving across the ditch, Andrew Hampton, the new head of New Zealand’s signals intelligence organisation GCSB, has told stuff.co.nz that one of the ‘more disturbing revelations’ of his first month at the helm was the scale of the cyber threat that his agency deals with. Hampton revealed that GCSB detects an average of seven serious cyber incidents per month, in addition to about 12 reports from other agencies of less serious incidents. He characterised the actors responsible as ‘foreign sourced, complex and persistent’. Hampton is a career public servant, but unusually for his role has no previous experience in intelligence or security.

And finally, the status of the US Cyber Command is again under examination, as Congress debates a measure in the National Defense Authorisation Act (NDAA) that would elevate Cyber Command to the status of Unified Combatant Command, equivalent to Pacific Command or Central Command. The measure was passed by the House, but is absent from the Senate’s version of the Bill, and the White House has opposed its inclusion in the NDAA. Cyber Command is currently a Sub-unified Command of Strategic Command, while its commander Admiral Mike Rogers is dual-hatted as Director of the NSA. Rogers has lobbied for Cyber Command to be taken out of Strategic Command as it would allow more control over its strategic priorities and budget measures, which he believes will allow it to better respond to cyber threats.

Pushing a new model for public–private cyber partnerships

At the heart of the new Australian Cyber Security Strategy is a new paradigm for public–private engagement on cyber security. Business has been elevated from ‘partner’ to ‘co-leader’ in the new ‘National Cyber Partnership’ to jointly drive implementation of the Strategy. The Strategy quite rightly appreciates the criticality of engaging the combined skills, expertise and capabilities of the public and private sectors to manage cyber threats and reap the economic rewards of connectivity.

In the 2009 Cyber Security Strategy, the Government claimed leadership of national cyber security, noting that it was best placed to ‘identify the strategic threats and emerging challenges of Australia’s cyber security’. The 2016 Strategy has retreated from this hubristic statement and introduced new language that invites business to co-lead and co-design initiatives such as new voluntary standards, jointly operate new cyber threat sharing centres, and undertake combined cyber incident exercises. It reflects a more sophisticated approach to engaging the owners and operators of the majority of Australia’s cyber infrastructure.

The Government has already taken steps to enable digital growth, digital innovation and expansion of the national cyber security industry through initiatives such as the previously announced Cyber Security Growth Centres. This Strategy links with the National Innovation and Science Agenda by engaging the private and research sectors to design courses that produce work-ready graduates and attract more people to cyber security and related careers.

It’s been unclear to many on the outside looking in exactly who in Government they should be talking to, and when, about cyber security. The Strategy has sought to address this with the creation of two new leadership positions, the Minister Assisting the PM and the Special Advisor to the PM on Cyber Security. These positions will be critical for leading the successful implementation of the Strategy, and their ability and willingness to meaningfully engage with the private sector will be a significant factor in its eventual success or failure. The additional funding to the tune of $21.5 million over five years for CERT Australia is also a welcome boost to the important work CERT Australia does in engaging Australian business and critical infrastructure operators.

When the creation of the ACSC was announced in 2013, it was heralded as an opportunity to engage the private sector in government’s cyber security operations, however its location in ASIO’s secure building was less than inspired. The announcement of the transfer of the ACSC to a new facility in Canberra promises to unlock its unmet potential for greater private sector interaction. The new cyber threat sharing centres in capital cities and the online cyber threat sharing portal should also assist in integrating public and private sector information. To be truly successful they will require government to provide meaningful, actionable information in a timely manner, and the private sector to also engage in a constructive exchange of information.

Other initiatives announced in the Strategy will also better enable the private sector to manage cyber threats and embrace opportunities for digital economic growth. Voluntary Cyber Security Governance ‘health checks’ for ASX 100 companies will seek to provide constructive organisational change and make cyber security a board-level issue. While small businesses received less focus than the top-end of town, they’ve received a small boost with promised funding for pen testing. That will not only encourage small businesses to be more resilient to cyber threats, but also help further develop the Australian cyber security industry. This industry offers significant export opportunities for Australia and the Strategy supports its growth in several ways—including the growth of a skilled workforce.

While the initiatives announced in the Strategy promise a new era of public–private partnership on cyber security in Australia, there are some old hurdles that must be overcome. Business has often lost interest in engaging with government, as the cost often appears to outweigh the benefits. Without clear articulation of government’s policy goals it’s hard for business to stay engaged in the often laborious processes that government imposes on itself (PDF). The success of the new Strategy and its promised new partnership with the private sector will rely on government clearly stating its policy intent and purpose, and sustaining engagement with the private sector now that the review process has concluded.  

Embracing the private sector to share in decisions that shape the national approach to cyber security will create better overall outcomes for both sectors, and should also provide for better co-investment in cyber initiatives. The Strategy has opened the door to a new model for the public–private partnership to enhance Australia’s cyber security to reap the economic benefits that lie in wait in cyberspace. It’s now up to cross-sectoral leadership to deliver the goods.

Apple versus the State: the end of the beginning

Image courtesy of Flickr user Eric Fidler

With a war of words akin to the build-up to a heavyweight boxing match, the highly anticipated courtroom battle between Apple and the FBI was called off, leaving fight fans without a clear cut understanding of who had won or lost. Just hours before the court case was to commence, the US Department of Justice announced that they postponed due to a ‘third party’ demonstrating a viable technique for accessing the iPhone that belonged to one of the San Bernardino shooters.

Despite some headlines stating that the ‘encryption battle’ was now over, the opposite is true. We’re only at the beginning of what is shaping up to be a second crypto war. The fall out of this incident will be drawn out and messy, with clear cut winners hard to identify.

The first and most obvious outcome is that relations between the US law enforcement community and the US tech industry are going to be fragile at best, insurmountably riven at worst. Post-Snowden, it’s taken a great deal of effort to re-establish trust and rebuild productive relationships. Clearly relationships between the private sector and US government have been tarnished by the case. With so many companies strongly supporting Apple’s stance, it’s difficult to imagine that they will be less wary of future US government requests for assistance.

What did Apple’s relationship with the State look like before the court case? While Apple haven’t highlighted their previous cooperation with the FBI and the White House, they have at times enjoyed strong collaboration, especially—and ironically—when working together to persuade China against adopting strong new anti-encryption policies. The FBI has agents assigned to work with Apple. Tim Cook had contributed money to both of Obama’s presidential campaigns, and has met with White House officials at least 14 times since 2010. It’s hard to envisage such a degree of cooperation returning for some time.

Second, it’s likely that the quality and standard of encryption will be raised by the tech industry. The public’s increased awareness of what encryption is and its benefits for their privacy will further complicate the government’s access to encrypted data. Having found a way into the iPhone, the FBI have shown that they can circumvent Apple’s much-lauded security. You can guarantee that Apple’s finest minds are attempting to decipher how the FBI hacked the phone in order to ‘plug’ that hole quickly. And now that we know that a security vulnerability exists, it’s certain that the world’s white and black hat hacker communities and private sector entities are also focused on finding it.

While FBI officials have outlined their thinking on when they decide to disclose a flaw, they are clearly in no hurry to share their discovery with Apple, demonstrated by the fact that they have already offered to unlock another iPhone belonging to two teenagers accused of murder.

All of this points towards a competition between the private sector and the FBI in relation to encryption, which surely can’t be a healthy platform from which to reach any sort of consensus and cooperation in the future.

Third, the second crypto war is now coming squarely to the attention of the US Congress, which is now taking its first steps towards providing a legal framework around the issue. Since December 2015, Senators have been drafting an encryption bill that would apparently authorise federal judges to order tech companies to provide encrypted data to law enforcement. But with the way that encryption is heading, there are questions around whether compliance will even be possible. Other efforts in the House of Representatives have been made to study the intricacies of encryption in order to understand the unintended consequences of legislative responses. All of that points towards an energised political debate and a Congress that’s looking to act.

As Obama so sagely advised in a recent talk, now’s the time to be thinking about appropriate legislative changes. He rightly stated that in the wake of major terrorist attacks or major acts of crime, the public’s position sways in favour of strong law enforcement agencies and could result in ‘sloppy’ and poorly crafted legislation on encryption being pushed through the political cycle. We can be absolutely certain that this is unlikely to be the last time a law enforcement agency tries to compel a tech company to help bypass security measures.

So what’s happening in Australia in relation to this issue? Both of Australia’s major political parties explicitly rejected a Senate motion calling on the Government to support public use of strong encryption technologies, in a move that coincided with the Apple case in March. The Attorney-General George Brandis also spoke on the issue, stating that he would ‘expect that all order of courts should be obeyed by any party which is the subject of a lawful order by a court.’ Yet he acknowledged that encryption’s ability to make certain evidence inaccessible is a serious problem for law enforcement. We know that Prime Minister Turnbull himself is a fan of encrypted communications, however he’s also fully cognisant of the challenges that face the national security community. So it’s hard to know exactly where he might fall on the issue.

What’s certain is that we need to have a focused debate on what will be a key security issue over the coming years, between public and private sectors: a conversation that ASPI’s ICPC will support and facilitate.

Cyber wrap

Last week, the US Senate approved the CISA or Cyber Security Information Sharing Act. Among the bill’s main provisions is a proposal to expand liability protections to companies that voluntarily share threat information with the government. The bill managed to evade a series of last minute privacy amendments, passing with strong bipartisan support in a 74–21 vote. Congress will now have to work to reconcile the differences between CISA and a similar, earlier version of the bill, the Protecting Cyber Networks Act, which passed the House in April. Once the two have been merged, the White House is expected to rubber stamp the finished product.

The New York Times has published an interesting piece on the issue of export controls on surveillance technology. Last month two men were fined by the US Department of Commerce for illegally exporting surveillance technology to Syria via an elaborate Middle East distribution network. The US has enacted specific bans on the export of American surveillance technology to both Syria and Iran, where it’s feared they can be deployed to crack down on dissidents and opposition parties. But moves to introduce a wider licensing arrangement for the export of surveillance technology have been met with stiff resistance by the US tech sector. Other countries including Germany and Switzerland successfully passed mandatory licensing laws on the export of surveillance technology earlier this year, and in September the European Parliament agreed to a non-binding resolution calling for similar tech safeguards.

Japan’s Minister in charge of the Tokyo Olympic and Paralympic Games recently met with the head of the London Olympics organising committee, Sebastian Coe. The get-together aimed to share insights into the types of cyber-attacks tackled during the 2012 games and to communicate lessons learnt with the Tokyo 2020 organising committee. The meet follows the announcement that the Tokyo Metropolitan government will establish its own computer security incident response team (CSIRT) to assist in the protection of critical infrastructure in the lead-up to and during the games.

Chinese hackers behind the breach were motivated by a desire to understand how the US delivers health care, say insiders close to the investigation of the Anthem health insurance hack. The Chinese government has vowed to provide universal access to healthcare by 2020 but there’s widespread frustration domestically as to the quality, availability and cost of care. While Chinese intelligence agencies might have been interested in US government employee information, it’s believed that the theft of intellectual property and trade secrets was the main target for the infiltration. A US government official told the Financial Times, ‘Knowledge is power. How is it set up? What are they insuring? Why is this procedure covered but not that one? All of that is useful information.’

Last week Thai military chiefs publicly called for the creation of a whole-of-government body to help ensure ‘cyber readiness’ at the national level. Special adviser to the permanent secretary for the Defence Ministry General Bunjerd Tientongdee warned that Thailand only maintained preparedness within the military and the Information and Communications Technology Ministry. Deputy chief of the Air Forces’ Cyber Warfare Division called for the creation of a ‘one-stop service’ to handle national cybersecurity issues. Earlier in the week Prime Minister General Prayut Chan-o-cha moved to distance Thailand’s military cyber set-up from the controversial ‘single gateway’ proposal after new questions were raised by the public surrounding the military’s involvement in domestic surveillance.

Cyber wrap

Following up on last week’s cliffhanger, the Safe Harbour agreement was deemed invalid by the European Court of Justice. For the last 15 years, this agreement has allowed the transfer of EU data across the Atlantic by US businesses, based on corporate self-regulation. EU concerns over the US approach to data privacy were exacerbated by the Snowden saga, and undoubtedly contributed to the recent decision. This verdict has potentially significant implications for the more than 3,000 businesses in Europe and the US that depended on the agreement.

In the wake of last month’s historic agreement on cyber security between the US and China, the Washington Post reported this week that China has arrested several suspected hackers at the request of the US. The US identified the culprits as guilty of stealing US commercial secrets and they were arrested by the Chinese two weeks before Xi Jinping’s visit to Washington DC. This move is a far cry from the normal denials; however it’s unclear whether the arrests demonstrate a lasting policy change or simply a short-term strategy to avoid Obama’s threatened sanctions.

In a Clinton-esque move, new PM Malcolm Turnbull has come under fire for sending official emails from a private server, separate to Parliamentary systems. Greens Senator Scott Ludlam has called for an audit of the server, and criticised the PM for making the role of Government cyber security experts more difficult. Commentators have drawn parallels between this scandal and Hillary Clinton’s use of a private server to handle classified information during her time as Secretary of State. Keenly aware of cyber security threats, Turnbull has denied his communication involved restricted information. The Parliamentary network has in the past been the subject of numerous attempts by hackers to extract sensitive data from members and ministers.

The Internet of Things promises to change the way people interact with cyberspace. Harbor Research has produced a handy infographic which illustrates the potential impact of the growing ubiquity of digital sensors in everyday items.

Cisco researchers have successfully disrupted a group of cyber criminals operating the infamous Angler Exploit Kit. One of the most advanced ransomware on the market, Angler EK restricts a user’s access to their system, often through encryption, demanding payment in exchange for data restoration. The investigators at the company’s Talos Security Unit noticed that the majority of Angler victims were connected to a Limestone Networks server and after a process of server examination with the cooperation of Limestone it was discovered that the operation was exploiting up to 90,000 users every day. The exposed operation was responsible for up to half of all Angler Exploit Kit activity and is estimated to have been generating up to US$30 million of revenue every year.

The recent spotlight on automotive cybersecurity hasn’t gone unnoticed in Canada. The Canadian Government is making moves to secure its cars by offering a contract for the fortification of the electronic control units (ECUs) of government and military vehicles against cyber threats. A Tender Notice titled ‘Cybersecurity of Automotive Systems’ was released last week, emphasising the ‘need to study the security of automotive vehicles, including understanding their vulnerabilities and assessing the potential mitigation measures’. Defence Research and Development Canada is offering up to US$825,000 for the job.

The Great Firewall seems to still be up and running, with Apple News being blocked in China. The new app, officially launched in the US and under testing in the UK and Australia, can be accessed around the world by travelling iPhone users, even in Hong Kong. However, when connecting from within mainland China, the app presents the message: ‘Story Unavailable: News isn’t supported in your current region’. The source of the block is unclear, however it’s being suggested that Apple is self-censoring in order to comply with China’s restrictive media laws. China is Apple’s second largest consumer and made sales of over US$13 billion in the third quarter.

It’s been an interesting week for smartphone cyber hygiene. Apple has cleaned out its iOS App store of several programs that were capable of disrupting the encrypted connections between servers and users. The nefarious apps install root certificates in smartphones, enabling the monitoring of personal data. Apple has urged its users to delete these apps in order to protect their privacy, however has neglected to disclose the apps’ names, making this advice difficult to follow. In Washington, the White House has decided not to pursue legislation that would force tech companies to install ‘backdoors’ in their encryption software. The overruling of this law is seen as a victory for privacy advocates; however this fight between law enforcement imperatives and customer privacy has been going on since the mid-90s and is far from over.

Cyber wrap

News that Malcolm Turnbull became Australia’s 29th Prime Minister this week was met with excitement from Australia’s ICT industry. Turnbull, who was an early investor in Australian ISP OzEmail and several other internet businesses, has spoken of the need to develop a ‘culture of innovation’ based on ‘clear and detailed education, innovation and technology policies that are funded adequately.’ Turnbull’s knowledge of technology issues certainly eclipses that of any previous PM and is an exciting proposition for the development of Australia’s whole of government cyber policy.

Republican Presidential candidate Jeb Bush has become the first major candidate to release a cybersecurity plan. While Bush’s five-point plan is fairly light on details, mainly sticking to broad themes and statements, there are a couple of interesting points of note. In the plan Bush calls for the US to maintain ‘oversight’ of ICANN, the body charged with managing the Internet’s domain name system and wider IANA functions. But Bush may have already missed the boat. November’s US election date falls after the Department of Commerce’s revised privatisation date of September 2016. Bush also backs the Cybersecurity Information Sharing Act, currently stalled in the Senate, and calls on President Obama to help clear the deadlock. According to both Republican and Democratic staffers, Bush may have missed this boat too, with both parties rumoured to be keen to put the measure to a vote in early- to mid-October.

The Foreign and Defence Ministers of Australia and South Korea pledged to deepen cyber cooperation during their recent 2+2 meeting. A joint statement from the dialogue pinpoints CERT-to-CERT and policing cooperation as avenues ripe for deepened bilateral cooperation, and the ASEAN Regional Forum and APCERT for multilateral collaboration. The Ministers recommitted to holding an annual defence and foreign bilateral meeting; given that both countries are regional ICT leaders, cyber security should continue to feature in discussions.

Programmer and creator of the McAfee anti-virus program, John McAfee, has announced he is running for the US Presidency. McAfee, who has created his own ‘Cyber Party’, is running on a privacy protection platform. You can check out his YouTube launch video, complete with green screen, here.

The US and China concluded their much-anticipated four-day cyber dialogue over the weekend. Chinese media reported that the countries ‘reached an important consensus on combatting cybercrime’ while the US remained slightly more demure about the meeting. According to the White House, US national security adviser Susan Rice had a ‘frank and open exchange about cyber issues’ with Meng Jianzhu, Secretary of China’s Central Political and Legal Affairs Commission, which oversees law enforcement agencies. The Chinese delegation also visited the State, Justice and Treasury departments plus the FBI and Homeland Security.

But it seems the largest takeaway from the weekend meetings is that the White House will put a hold on the roll out of planned sanctions against Chinese companies and individuals tied to US intellectual property theft. The sanctions, which are the manifestation of ongoing US frustration over what it sees as illegitimate targeting of industry, were reportedly going to be rolled out this week, directly before President Xi’s landmark visit to the US next week. According to an administration source, assurances made by the Chinese delegation to curb economic espionage during an all-night meeting on Friday were enough for the US to postpone the sanctions, at least until after Xi’s visit.

Cyber wrap


The Japanese Government formally adopted its new Cybersecurity Strategy last Friday. The Strategy outlines the directions of Japanese cybersecurity policy as the country approaches the 2020 Olympics and Paralympics in Tokyo, and faces the challenges of a rising China. The Strategy’s ultimate objective is to ensure a free, fair and secure cyberspace—balancing the need for security with freedom of access and expression.

The cyber threats posed to the Tokyo Olympics are at the forefront of the Strategy, which notes that extensive public, private and academic cooperation will be required to develop secure networks from the ground up, particularly as the interface between cyberspace and physical objects grows with the ‘Internet of Things’. This includes the recommendation that corporations position their Chief Information Security Officers at suitably senior levels to adequately make the changes necessary for more secure networks. Public-private partnerships are also noted as critical for the security of Japan’s critical information infrastructure (CII), as is better information sharing between government agencies and CII operators. The Strategy was released for comment in May this year, and was originally due for release in June, but was delayed to incorporate the lessons learned from the Japan Pension Service hack.

Meanwhile, the Australian cyber community will be waiting until late October for the Australian Cyber Security Review to be released, according to a Prime Minister & Cabinet spokesperson. The launch of the Strategy will reportedly follow closely after the fourth annual Cyber Security Challenge Australia on 30 September. The Challenge is a public-private event for Australian tertiary students to test their cyber security skills and engage with key government and private sector cyber security leaders.

Competitors in the Cyber Security Challenge may one day be press-ganged into national cyber service if Australian Information Security Association executive James Turner’s proposal to nationalise the Australian cyber security industry is adopted. Turner’s proposal would see the role of the Australian Cyber Security Centre expand, and the pooling of cyber security expertise to provide a critical mass to support government and private sector cyber security. While suggestions like this seem extreme, governments around the world may start to consider similar measures to tackle this increasingly expensive problem. The US is reportedly planning to spend US$14 billion on government cybersecurity in the 2015-2016 financial year, while corporate entities will spend US$31.5 billion in the same timeframe, but the vulnerability of both sectors to hackers is unlikely to decrease any time soon.

Australia and India’s bilateral cyber policy and security engagement took another forward step last month as the first Australia–India Cyber Policy Dialogue concluded successfully in New Delhi. Announced as part of the Framework for Security Cooperation agreed by Prime Ministers Modi and Abbott last November, the Dialogue reportedly discussed the ‘full range’ of cyber issues including threat perceptions and government cyber security arrangements, and international cyber security policy, governance and cybercrime cooperation. Notably, the two national CERT teams signed a framework to enhance their operational collaboration for information sharing and incident response. The Modi government’s Digital India programme was also discussed at the Dialogue—an initiative that seeks to increase internet penetration to enable the delivery of core government services through high speed internet connections. However, India is facing the same cyber skills shortages as many other nations, requiring an estimated 1 million cyber security professionals by 2025 to meet its goals, from its current base of 62,000.

When states strike back—national responses to cyber incidents


As states become less inhibited about utilising cyber as a component of state power, policymakers will be increasingly challenged to develop proportionate responses to disruptive or destructive attacks. Already, there’s been significant pressure to ‘do something’ in light of the allegedly state-sponsored attacks on Sony Pictures Entertainment, the Sands Casino in Las Vegas and Saudi Aramco. But finding a timely, proportionate, legal and discriminatory response is complicated by the difficulty in assessing the damage to national interests and the frequent use of proxies. Perpetrators have plausible deniability, frustrating efforts to assign responsibility. Past experience suggests that most policy responses have been ad hoc.

In determining the appropriate response to a state-sponsored cyber incident, policymakers will need to consider three variables: the intelligence community’s confidence in its attribution of responsibility, the impact of the incident and the levers of national power at a state’s disposal. While these variables will help guide responses to a disruptive or destructive cyberattack, policymakers will also need to take two steps before an incident occurs. First, they will need to work with the private sector to determine the effect of an incident on their operations. Second, governments need to develop a menu of pre-planned response options and assess the potential impact of any response on political, economic, intelligence and military interests.

Even as the number of highly disruptive and destructive cyberattacks grows, governments remain unprepared to respond adequately. In other national security areas, policy responses to state-sponsored activity are well established. For example, a country can expel diplomats in response to a spying scandal, issue a demarche if a country considers its sovereignty to have been violated, and use force in response to an armed attack. Clear and established policy responses such as these don’t yet exist for cyberattacks for two reasons. First, assessing the damage caused by a cyber incident is difficult. It can take weeks, if not months, for computer forensics experts to accurately and conclusively ascertain the extent of the damage done to an organisation’s computer networks. For example, it took roughly two weeks for Saudi authorities to understand the extent of the damage of the Shamoon incident, which erased data on 30,000 of Saudi Aramco’s computers. Although this may be quick by computer forensics standards, a military can conduct a damage assessment from a non-cyber incident in as little as a few hours.

Second, attributing cyber incidents to their sponsor remains a significant challenge. Masking the true origins of a cyber incident is easy—states often use proxies or compromised computers in other jurisdictions to hide their tracks. For example, a group calling itself the Cyber Caliphate claimed responsibility for taking French television station TV5 Monde off the air with a cyberattack in April 2015, and used the television station’s social media accounts to post content in support of the self-proclaimed Islamic State. Two months later French media reported that Russian state-sponsored actors, not pro–Islamic State groups, were likely behind the incident. Even when attribution is possible, it isn’t guaranteed that domestic or foreign audiences will believe the claim unless officials reveal potentially classified methods used to determine the identity of the perpetrator, damaging intelligence assets in the process. Under pressure, responses are likely to be made quickly with incomplete evidence and to attract a high degree of public skepticism. This creates clear risks for policymakers. Quick damage assessments could lead to an overestimation of the impact of an incident, causing a state to respond disproportionately. Misattributing an incident could cause a response to be directed at the wrong target, creating a diplomatic crisis.

Policymakers should consider three variables before developing a response. First, they should understand the level of confidence that their intelligence agencies have in attributing the incident. Although there have been great strides in the ability of intelligence agencies to attribute malicious activity, digital forensics aren’t perfect. The degree of attributional certainty will have a direct impact on the action taken. For example, if the level of attribution is low, policymakers will be limited in their choice of response even if the severity of the attack is high. They may choose a less valuable retaliatory target to limit the odds of escalation and international criticism. There may also be instances where there’s so little evidence for the source of the attack that the victim may choose not to respond.

Second, policymakers should assess the cyber incident’s effects on physical infrastructure, society, the economy and national interests. Questions include: What was the physical damage caused by the affected systems, and was there any impact to critical infrastructure? What type of essential services are affected? Has the incident caused a significant loss of confidence in the economy? What was the incident’s impact on national security and the country’s reputation?

Third, policymakers should consider the range of diplomatic, economic and military responses at their disposal, from a quiet diplomatic rebuke to a military strike. Responses need not be limited to cyberspace—nothing bars a state from using other channels, though each carries its own risks.

Cyber responses can be taken in addition to diplomatic, economic and military activity. However, they would most often be delivered covertly and could be difficult to develop quickly unless a government had prepared capability against a specific target, likely involving prior cyber espionage, an unparalleled understanding of a target’s vulnerabilities and a custom exploit kit at its disposal. As an example, Stuxnet reportedly took years to develop and deploy. An overt cyber response can be unappealing as states may lose the ability to launch similar responses against other targets. Although states may outsource their responses to a proxy, doing so could limit their control over the response and lead to escalatory activity. Therefore, policymakers are likely to concentrate on other levers of power, alongside whatever they may do covertly.

Given the pressure governments will feel to respond to significant cyberattacks, policymakers need to develop a response framework before a disruptive or destructive cyber incident occurs. Although each response will be case specific, a framework will enable policymakers to quickly consider their options. I suggest such a framework for response in a publication released today with the Council for Foreign Relations.