
Red tape that tears us apart: regulation fragments Indo-Pacific cyber resilience

The fragmentation of cyber regulation in the Indo-Pacific is not just inconvenient; it is a strategic vulnerability.

In recent years, governments across the Indo-Pacific, including Australia, have moved to reform their regulatory frameworks for cyber resilience. Though well-intentioned, these reforms have suffered from inadequate coordination with regional partners and inadequate stakeholder consultation, creating a situation of regulatory fragmentation—the existence of multiple regulatory frameworks covering the same subject matter—within and among Indo-Pacific jurisdictions.

This inconsistency hinders our ability to collaboratively tackle and deter cyber threats, essentially fragmenting the cyber resilience of the Indo-Pacific.

Regulatory fragmentation threatens regional security for three key reasons.

Firstly, it impedes technical efficiency. While we tend to think of cyberspace as borderless, its composite parts are designed, deployed and maintained on the territory of states that enact their own laws and regulations. Factors such as threat perception, the organisation of the given state and its agencies, and regulatory culture shape these frameworks. The degree to which the state provides essential services and owns physical and digital infrastructure also influences framework development.

As governments introduce complex regulatory obligations for cyber resilience, most digital service providers and ICT manufacturers will have to divert resources from efforts that would otherwise enable them to prepare for and respond to threats more effectively and across jurisdictions. Ironically, this undermines the effectiveness of the regulatory regimes for cyber resilience in the first place.

In addition, complex and confusing nation-specific requirements push regulatees to follow a checkbox approach to cyber resilience, rather than a holistic, risk-informed and agile one. Boards may prioritise meeting the bare minimum of regulatory requirements instead of maintaining a risk management posture commensurate with the rapidly evolving threat environment.

Secondly, regulatory fragmentation undermines innovation. Complex regulatory regimes—especially for government procurement and for critical infrastructure operators—can seriously undermine competition and innovation. Startups and smaller vendors (looking to sell to such entities) have to divert scarce resources away from research, development and innovation to fund compliance with a maze of obligations. This is especially problematic for small and medium enterprises in sectors reliant on innovation—such as cyber resilience and advanced manufacturing—as regulatory risk mitigation can deny these firms the ability to scale and expand into new markets.

Thirdly, regulatory fragmentation impedes trust in partnerships. A jurisdiction’s regulatory robustness in relation to cyber resilience is a key factor in determining the suitability of partners in sensitive policy domains.

For example, while Japan has taken steps to invest in its national cyber resilience, particularly after Chinese hackers compromised government networks, the United States has remained cautious about Japan’s ability to protect sensitive information. Through sections 1333 and 1334 of the National Defense Authorization Act for Fiscal Year 2025, the US Congress tasked the Departments of State and Defense with reporting on issues such as: the effectiveness of Japanese cyber policy reforms since 2014; Japanese procedures for protecting classified and sensitive information; and how Japan ‘might need to strengthen’ its own cyber resilience ‘in order to be a successful potential [AUKUS Pillar 2] partner’.

Collaboration requires trust. That trust hinges not just on the quality and harmonisation of regulatory frameworks; it also depends on whether they’re enforced and underpinned by a shared appreciation of the cyber threat environment, including in relation to state-sponsored actors looking to preposition themselves in critical infrastructure assets and steal intellectual property.

That trust also relies on a shared appreciation of the importance of removing unnecessary impediments to innovation, including the growth of allied and partner capability, and threat mitigation by stakeholders, which is itself contingent on shared political will.

After all, regulatory fragmentation is politically driven. Leaders, ministers, officials and regulators each seek to satisfy constituents at home and exert influence abroad over cyber policy. They may prefer to clean the cobwebs through visible operational reactions rather than kill the spider through holistic, long-term preparation.

Such political considerations may disregard commercial and technical realities when regulatory parameters are determined in the interests of digital sovereignty, including when it comes to (not) banning technology vendors.

Fixing this is a tall order but not impossible. Australia and its partners could consider establishing a baseline degree of regulatory harmonisation and reciprocity. This could include factors such as:

—Definitions of the subjects and objects of cyber regulation;

—Thresholds and deadlines for reporting breaches of cyber resilience to the state;

—Standards and controls that regulatees must implement, and outcomes they must achieve;

—Technology supply chain risk management requirements, including methods to assess whether procuring technology from certain vendors is too risky;

—Types of penalties for non-compliance; and

—Powers of the state to gather information or intervene in the operations of regulatees.

Allies and partners must better align their regulatory frameworks. Be it via multi-stakeholder collaboration or multilateral regulatory diplomacy, tackling regulatory fragmentation will make the Indo-Pacific more cyber-resilient.

Let us tear away the red tape that tears us apart.

Australia needs Australian AI

Australia must do more to shape its artificial intelligence future. The release of DeepSeek is a stark reminder that if Australia does not invest in its own AI solutions, it will remain reliant on foreign technology—technology that may not align with its values and often carries the imprints of its country of origin.

This reliance means that Australian user data and the economic benefits derived from it will continue to flow offshore, subject to foreign legal jurisdictions and foreign corporate priorities.

When people engage with AI chatbot assistant-type services from platforms such as ChatGPT, Gemini, Copilot or DeepSeek—via web interfaces, mobile apps, or application programming interfaces (or APIs)—they are sharing their data with these services as well as receiving AI-generated responses. The market entry of DeepSeek, which stores its data in China and moderates its responses to align with Chinese Communist Party narratives, raises two critical concerns: the exploitation of data for foreign interests and the ability of AI-generated content to shape public discourse.

AI platforms not based in Australia operate under the legal frameworks of their home countries. In the case of DeepSeek, this means compliance with China’s national intelligence laws, which require firms to provide data to the government on request. User inputs including text, audio and uploaded files, and user information such as registration details, unique device identifiers, IP address and even behavioural inputs like keystroke patterns, could be accessed by Chinese authorities. The flow of Australian data into China’s data ecosystem poses a long-term risk that should not be overlooked.

While individual data points may seem insignificant on their own, in aggregate they provide valuable insights that could be leveraged in ways contrary to Australian interests. As a 2024 ASPI report found, the CCP seeks to harvest user data from globally popular Chinese apps, games and online platforms, to ‘gauge the pulse of public opinion’, gain insight into societal trends and preferences, and thereby improve its propaganda.

This may be even more powerful for chatbots, which can collect data for aggregation to understand audience sentiment in particular countries, and also be used as a tool for influence in those countries. AI models are shaped by the priorities of their developers, the datasets they are trained on, and the fine-tuning processes that refine their outputs. This means AI does not just provide information, it can be trained to reinforce particular narratives while omitting others.

Many chatbots include a safety layer to filter harmful content such as instructions for making drugs or weapons. In the case of DeepSeek, this moderation extends to political censorship. The model refuses to discuss politically sensitive topics such as the 1989 Tiananmen Square protests and aligns with official CCP positions on topics such as Taiwan and territorial disputes in the South China Sea. AI-generated narratives influence public perception, which can pose risks to the democratic process and social cohesion, especially as these tools become more commonly embedded in search engines, education and customer service.

Australia’s response should be about having the right safeguards in place to mitigate known risks. It needs to ensure that AI systems used in the country reflect its values, security interests, and regulatory standards. This challenge demands that Australia play an active role in AI development and implement regulatory frameworks that protect against harms and foster domestic innovation.

DeepSeek challenges the idea that only tech giants with massive resources can develop competitive AI models. With a team of just 300, DeepSeek reportedly developed its model for less than US$6 million, far less than the $40 million training cost of OpenAI’s GPT-4, or the $22 million cost for training Mistral’s Mistral Large. While some experts argue this figure may not reflect the full cost—including potential access to restricted advanced processors before US export controls took effect—the broader lesson is clear: significant AI advances are possible without vast financial backing.

DeepSeek has proven that having talent is even more important than having tech giants, which highlights an opportunity for Australia to participate meaningfully in AI development.

To harness its potential, Australia must foster an environment that nurtures homegrown talent and innovation. The announcement last week of the National Reconstruction Fund’s $32 million investment in Australian AI healthtech firm Harrison.ai is a step in the right direction, but investment in a single company is not enough.

Australia needs increased investment in education and research, strengthening existing developer communities—particularly open-source initiatives—supporting commercialisation efforts, and promoting success stories to build momentum. A well-supported AI sector would allow Australia to harness the benefits of AI without attempting to match the spending power of global tech giants. The focus should be on fostering an environment where AI talent can thrive and ethical AI can flourish, ensuring that Australia reaps both the economic and societal benefits.

Without strategic investment in domestic AI capabilities, Australia risks ceding influence over critical technologies that will shape its economy, security and society in the years ahead. The challenge is not just technological—it is strategic. Without decisive action, Australia will remain a passive consumer of AI technologies shaped by foreign priorities and foreign commercial interests, with long-term consequences for democratic integrity, economic security and public trust in AI-driven systems.

Meeting this challenge requires more than just regulatory safeguards; it demands sustained support for a strong domestic tech ecosystem.

Spyware is spreading far beyond its national-security role

Spyware is increasingly exploited by criminals or used to suppress civil liberties, and this proliferation is in part due to weak regulation.

Politicians, diplomats, human rights activists and journalists have been targeted by malicious software worldwide. Just last week, former Polish justice minister Zbigniew Ziobro was arrested for allegedly approving use of spyware on 600 people, including opposition leaders.

Spyware is increasingly exploited by private actors, often criminal, for international crime, corruption, transnational repression and weapons smuggling. For instance, Mexican criminal organisations have tapped into Titan, security software used by law enforcement and intelligence agencies, to geolocate their rivals and conceal criminal activity. What’s more concerning is that some of these spyware products are being procured by government officials informally, without bureaucratic checks and balances.

The opacity of the spyware trade can make it difficult for governments to develop effective policies and regulatory controls. While commercial spyware giants such as the NSO Group, Intellexa Consortium, NoviSpy and Cellebrite have become well known and increasingly scrutinised, hundreds of smaller firms have attracted little attention and oversight. These firms also provide hacker-for-hire services and products such as low-cost intrusion software. They are often set up by larger entities as a means of evading export controls, and they offer a more discreet way for governments and private actors to procure spyware, including illicit services and products.

The Atlantic Council’s Cyber Statecraft Initiative found connections between 435 entities across 42 countries in the spyware market. This revealed a web of investors, vendors, holding companies, subsidiaries, suppliers and individuals in the exploitation supply chain that contribute to spyware development, proliferation and misuse.

Misuse of spyware by malign actors can threaten national security and undermine civil liberties. This is a challenge for democracies and authoritarian regimes alike.

Between 2011 and 2023, at least 74 governments contracted commercial firms to obtain spyware or digital forensics technology. Of these, 44 were autocratic regimes, and 56 procured such technologies from firms based in or connected to Israel, the leading exporter of spyware.

The commercial spyware market is characterised by convoluted corporate structures and obscure supply chains, underscoring the need for collective efforts to increase transparency. The international community will need to cooperate and align their spyware regulations and approaches to address shared risks.

On 31 January, WhatsApp revealed it had detected spyware attacks targeting users across multiple countries. The software had come from Israeli company Paragon Solutions, but WhatsApp was unable to identify the user.

The international community is making some moves to counter misuse of commercial spyware. In January, Australia released a statement at the United Nations calling out the practice. Australia is also one of 23 signatories of the US-initiated joint statement on countering spyware proliferation and misuse.

Britain and France have also established the Pall Mall Process, which involves industry, governments and civil society committing to developing comprehensive guiding principles on the proliferation of commercial spyware.

These measures are major developments in the multilateral commitment to develop stricter safeguards, bringing states closer to alignment on spyware regulation policies.

However, too few countries and entities remain involved in the global effort to counter the proliferation and misuse of spyware. Stakeholder participation within existing mechanisms remains limited. This participation is concentrated in a small number of countries, mainly in Europe and North America, as well as Australia and a few Northeast and Southeast Asian states. This is despite a history of major emerging economies, such as Brazil, advocating against mass surveillance.

Countries need to develop more stringent regulations to prevent the proliferation and misuse of spyware. Nations should establish clear guidelines for their own preparedness and pathways to improvement, as well as transparency around what proliferation means to each state. This will help partners to understand and communicate their biggest hurdles, and what is needed to drive reforms.

Identifying and improving domestic commercial spyware landscapes is a good starting point for multilateral initiatives, but bringing the technology into international discussions would also help to mobilise the international community to respond. Australia should work together with partners in the European Union and the Association of Southeast Asian Nations to incorporate the issue into regional organisations. Both the EU and ASEAN are home to an increasing number of commercial spyware entities, even though their member states also have a vested interest in preventing misuse of the technology.

Inaction or complacency by democracies risks the legitimisation of a largely unregulated industry. This reduces the impact and likelihood of developing meaningful policies to curtail the industry, further enabling spyware misuse.

To regulate cyber behaviour, listen to Indo-Pacific voices

The international community must broaden its understanding of responsible cyber behaviour by incorporating diverse perspectives from the Indo-Pacific, a region critical to the future of global cyber governance.

As the mandate of the United Nations Open-Ended Working Group on the security and use of information and communications technologies ends in July 2025, the world must reflect on what it means to be a responsible state actor in cyberspace. Over two decades, the UN has developed a framework of responsible state behaviour in cyberspace, which includes the acceptance that international law applies to state conduct in cyberspace and a commitment to observe a set of norms.

The framework, designed to address the weaponisation of cyberspace, narrowly focuses on high-stakes security concerns. While its emphasis on international peace and security is essential, this high threshold often sidelines domestic responsibilities and the challenges that developing and emerging economies face.

By amplifying the voices of mature cyber nations, it overlooks regions where the concept of responsible cyber behaviour is less expressed but no less important. As cyberspace is a cornerstone of economic, social, political, and military activities globally, we must expand the framework to address both domestic and international dimensions of cyber norms.

A report issued today and co-edited by ASPI and the Royal United Services Institute highlights this gap by examining how seven Indo-Pacific countries—Cambodia, Fiji, India, Indonesia, Japan, Pakistan and Taiwan—perceive responsibility in cyberspace. We investigate how governments and societies interpret this responsibility, going beyond their expectations of other states to see how they demonstrate their responsibility internally.

Our findings reveal a lack of common understanding and implementation of the UN’s cyber norms across the region. While commitments to responsible state behaviour are formally acknowledged at the UN level, domestic policies and regulations are inconsistent. For many Indo-Pacific countries, responsible cyber behaviour is mainly understood in terms of ensuring state sovereignty and territorial non-interference through cyber means. Governments are also mainly guided by national security concerns. This information is often shrouded in secrecy, complicating oversight and accountability.

Economics also shapes regional cyber policies. For most Indo-Pacific countries, socio-economic development, digitalisation and connectivity are top priorities. Given their limited sovereign cyber and digital capabilities, they view responsible behaviour as the ability to freely choose strategic partners and attract investments, technical support and capacity-building initiatives. This pragmatic approach underscores the need to reconcile international commitments with domestic priorities such as combating cybercrime, achieving data sovereignty, and ensuring affordable and reliable connectivity.

However, pursuit of these priorities often results in over-regulation and reliance on surveillance technologies and restrictive policies to counter cyber threats. Many Indo-Pacific countries struggle to balance protection of critical infrastructure and the information environment with promotion of open and inclusive digital spaces. Our report highlights the need for clear guidelines on the purchase, sale and use of dual-use technologies. While some countries adhere to international frameworks, others lack robust safeguards, exposing cyber vulnerabilities.

The Indo-Pacific’s diverse perspectives on responsible cyber behaviour emphasise the importance of domestic expertise. Governments must nurture talent within both public and private sectors and ensure access to international platforms that foster collaboration and knowledge-sharing. Otherwise, the region risks being left behind in shaping global cyber governance. Furthermore, many Indo-Pacific stakeholders argue that the UN framework’s emphasis on international norms must be complemented by actionable standards addressing states’ internal responsibilities, such as securing their networks and fostering resilient digital ecosystems.

International discussions on cybersecurity are increasingly polarised, with major powers vying for influence over Indo-Pacific countries to shape regional norms. In this context, we must ensure that the perspectives of emerging economies are not overshadowed by the interests of major powers. Ignoring these viewpoints is not only a poor diplomatic strategy—risking the alienation of regional actors and complicating negotiations—but also undermines international efforts to address shared challenges. Incorporating these voices into the framework would create a more inclusive and representative system that fosters equity, trust and long-term cooperation, ultimately strengthening global cybersecurity.

To achieve this, international and regional institutions must prioritise capacity-building and technical assistance tailored to the needs of Indo-Pacific countries. This includes creating platforms that allow these states to share experiences and shape global discourse on cyber norms. An example of such a platform is the Association of Southeast Asian Nations, whose member states have developed a norms checklist. It also requires the international community to recognise the interconnectedness of domestic and international cyber responsibilities. By grounding discussions in the specific contexts and priorities of the Indo-Pacific, the framework can evolve into a truly global standard that bridges the gap between developed and developing nations.

As the UN Open-ended Working Group mandate’s deadline approaches, we must reshape the framework of responsible state behaviour in cyberspace. The Indo-Pacific’s challenges and perspectives can help strengthen the framework’s relevance and effectiveness. By incorporating diverse regional viewpoints, the international community can build a more equitable and resilient cyberspace that serves the interests of all states, not just the most powerful. This is not merely a matter of inclusion; it is a matter of global cyber stability and security.