Look south: challenges and opportunities for the ‘rules of the road’ for cyberspace in ASEAN and the AU

ABSTRACT

As the inaugural United Nations Open-Ended Working Group (UN OEWG) has not significantly updated nor advanced the ‘rules of the road’ for cyberspace, regional organizations such as the Association of Southeast Asian Nations (ASEAN) and the African Union (AU) provide additional venues wherein deliberations can continue among a smaller group of states. Several ASEAN and AU member states are also active participants at the UN OEWG. Nonetheless, questions remain on how and where agreement on international law and cyber norms at the regional level can be achieved. To assess the challenges and opportunities for progress, this paper examines the public positions of two ASEAN member states, Indonesia and Singapore, and two AU member states, Kenya and South Africa, during the 2019–2021 UN OEWG meetings and situates them in their respective regions. We argue that substantial progress at the regional level is challenging to achieve, due to varying attitudes and levels of technological development among states, long-standing concerns over state sovereignty, and the vital role that a highly motivated and well-resourced regional actor plays in championing the cause. Opportunities exist, however, in that ASEAN and the AU provide paths for leveraging existing partnerships on cybersecurity and building trust in the region.

KEYWORDS:

• OEWG
• ASEAN
• AU
• cyber norms
• Indonesia
• Kenya

1. Introduction

The proliferation of cyberattacks against businesses, government agencies and civil society has highlighted the need for rules for responsible state behaviour in cyberspace. Achieving a meaningful global agreement on this issue has been difficult, however, due to a longstanding discord among states. While China, Russia and their partners desire a binding framework that governs state behaviour, the United States, Canada and their allies argue that United Nations (UN) member states should focus on building upon the existing body of international law and voluntary, non-binding norms (or ‘cyber norms’ for short) instead. Given this disagreement at the global level, regional organisations provide additional venues where deliberations on the ‘rules of the road’ for cyberspace can continue among a smaller group of states. Although the global mandate of the UN cannot be replaced by regional organisations, efforts by states at the regional level can complement deliberations at the UN, help operationalise agreement according to specific local contexts, and inform conversations in other settings.

With growing internet connectivity, member states of the Association of Southeast Asian Nations (ASEAN) and the African Union (AU) have become increasingly concerned about the impact of information and communication technologies (ICTs) in the context of international security. Their heightened participation and influence in global cyber governance and security debates have led several ASEAN and AU member states to be labelled as swing states (Maurer and Morgus 2014).¹ A ‘swing state’ in internet governance is defined as ‘a state whose mixed political orientation gives it a greater impact than its population or economic output might warrant and that has the resources that enable it to decisively influence the trajectory of an international process’ (Maurer and Morgus 2014, 7). Some of these countries have also been described as ‘the digital deciders,’ defined as ‘states that remain largely undecided and possess the capacity to influence the global conversation’ (Morgus, Woolbright, and Sherman 2018).² As international law and cyber norms are subjects of intense debate, the positions held by swing states and digital deciders on these issues can significantly impact the future of the ‘rules of the road’ for cyberspace.

Although the major powers have set the tone of UN processes on governing state behaviour in cyberspace, the active participation of ASEAN and AU member countries in the UN OEWG demonstrates that countries in the Global South have been key stakeholders as well. In addition to serving as chair for the OEWG’s intersessional multi-stakeholder meeting, for example, Singapore has played an instrumental role in advancing cyber norms and capacity-building within ASEAN, while Indonesia’s participation is significant as it has the biggest internet economy in the Southeast Asian region (Eloksari 2020). In the AU, Kenya is known as one of a few states in sub-Saharan Africa that has a comprehensive cybersecurity framework, while South Africa has more recently updated its cybersecurity laws amidst increasing cybercrime and data privacy breaches (Moyo 2021).

In this paper, we explore the challenges and opportunities in advancing international law, cyber norms and capacity- and confidence-building measures in ASEAN and the AU. We do so by examining the public positions of member states that meet two criteria. The first criterion is that they are considered ‘swing states’ or ‘digital deciders,’ and the second is that their representatives have delivered statements at every session convened by the 2019–2021 UN Open-Ended Working Group (OEWG) on cybersecurity.³ Based on these criteria, two member countries of ASEAN – Indonesia and Singapore – and two member countries of the AU – Kenya and South Africa – were selected for analysis. Indonesia, Kenya, Singapore and South Africa delivered between eight and twenty statements over the course of the OEWG. Indonesia also spoke on behalf of the Non-Aligned Movement (NAM),⁴ and Singapore on behalf of ASEAN. All four countries’ public positions were found in written and oral statements made at OEWG sessions or those uploaded to the OEWG website. Recordings of OEWG sessions were also used to review countries’ statements.⁵ We analysed and situated these statements in the broader context of cybersecurity and the regulation of cyberspace in the respective regions.

The article proceeds as follows. Section 2 provides a brief background about deliberations on the ‘rules of the road’ for cyberspace at the UN, ASEAN and the AU. Section 3 explains why regional organisations have remained relevant to these discussions. Section 4 outlines the challenges in developing norms of responsible state behaviour within ASEAN and the AU. Sections 5 and 6 offer a comparative analysis of public statements delivered by Indonesia, Kenya, Singapore and South Africa at the UN OEWG, which are then situated in the context of their respective regional organisations. Finally, section 7 highlights opportunities for furthering agreement and cooperation and offers a brief conclusion.

2. Background

As the internet became commercially available and more widely used in the 1990s, governments around the world began to recognise the need for rules and principles to ensure responsible state behaviour in cyberspace. Russia was the first to push a resolution on this issue at the UN General Assembly (UNGA) in 1998 that called on member states to consider ‘existing and potential threats in the field of information security’ (A/RES/53/70). This resolution was followed in 2000 by a set of ‘principles of international information security’ (A/55/140), which included non-interference in states’ internal affairs and for the UN to ‘identify the defining features of information wars and to classify them.’ These proposals received little support from other UN member states.

A renewed attempt to develop a set of principles for responsible state behaviour was made in 2004, when the UN established the Group of Governmental Experts (GGE).⁶ Governments join the GGE on the basis of equitable geographical representation and they traditionally send representatives with subject-matter expertise. The GGE has included the five permanent members of the UN Security Council, liberal democracies, and non-aligned nations (Hurwitz 2014, 325). Six GGEs have been convened thus far and their work has laid the foundation for the ‘rules of the road’ for cyberspace. The 2013 GGE report recognised the applicability of international law to state actions in cyberspace, while the 2015 report outlined eleven voluntary, non-binding norms for state behaviour in cyberspace (Schmitt and Vihul 2017). The 2017 GGE, however, failed to reach consensus when it became clear that states hold different views on how international law applies to cyberspace. Specifically, opposition was voiced by Cuba, Russia and China on the issues of self-defence, international humanitarian law (IHL) and countermeasures to cyberattacks (Tikk and Kerttunen 2017, 15).

In December 2018, the UNGA adopted two resolutions (A/RES/73/266 and A/RES/73/27) to establish the 2019–2021 GGE and the inaugural Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security for 2019–2021. While the 2019–2021 GGE limits membership to twenty-five rotating member states, the OEWG allows for the participation of all interested UN member states. Out of 193 UN member states, only forty states have participated in the GGE, while only half of those states have been members of more than one GGE (Tikk and Kerttunen 2017, 38–39). The OEWG therefore greatly expands the opportunity for all governments to gain knowledge and exchange insights on cybersecurity issues.

The UN OEWG sessions concluded in March 2021 with the adoption of a consensus report by all member states. Although this report was an achievement (given the large number of governments involved), it largely failed to deliver on the OEWG’s main objectives – i.e. ‘to further develop the rules, norms and principles of responsible behaviour of States … and the ways for their implementation’ (UN General Assembly 2018, 5). Perhaps the most glaring omissions from the OEWG consensus report are the lack of references to accountability and IHL, both of which are key to preserving security and stability in cyberspace (Basu, Poetranto, and Lau 2021). Occurring alongside these UN processes are efforts by regional organisations to continue the deliberations on a smaller and more manageable scale.

ASEAN is one of the regional organisations that has made some progress in cyber norms. In 2018, the ten ASEAN member states agreed to ‘subscribe in principle’ to GGE norms (Noor 2018). At the AU, in contrast, engagement on cyber norms has been low – for example, the organisation is yet to adopt GGE norms (Kumar 2019). Instead, the AU is supporting national or domestic efforts by its fifty-five member countries to implement key cybersecurity policies and frameworks, including the AU Convention on Cyber Security and Personal Data Protection (AU Convention), while the overarching goal is for cyber norms to eventually be adopted at a regional level (Signé and Signé 2021).

Regional cooperation is necessary, as ICTs are swiftly transforming Southeast Asia and Africa. Southeast Asia’s digital economy reached US$100 billion in 2019, and it is predicted to reach US$300 billion by 2025 (APF 2019). Africa’s internet economy has the potential to reach 5.2 per cent of the continent’s GDP by 2025, thereby contributing nearly US$180 billion to its overall economy (Buckholtz and Oloo 2020). Southeast Asia and Africa also have youthful populations that are prolific internet users. Nearly a billion people in Asia are below the age of fifteen, particularly in South Asia and Southeast Asia (UNDP 2016), while in Africa, 77 per cent of the population is below the age of thirty-five as of 2020, and by 2050, two in every five children in the world will be born in this continent (Hajjar 2020). Ensuring the security and stability of ICTs in Asia and Africa is crucial to facilitate improvements in education and the private sector, which would help tackle unemployment and lift individuals out of poverty.

The rapid growth of ICTs in Southeast Asia and Africa is occurring simultaneously as cyber threats are on the rise. Research by FireEye (2015) highlighted that advanced persistent threat (APT) groups have conducted cyber espionage in Southeast Asia, stealing military secrets and political and financial services information related to the territorial disputes in the South China Sea. The novel coronavirus (COVID-19) pandemic has also accelerated the activities of cybercriminals (e.g. ransomware attacks, data breaches and online financial fraud). Experts in Kenya, for example, maintained that COVID-19 has triggered ‘an epidemic of cybercrimes,’ with a 37.3 per cent increase in cyberattacks in the period between April and June 2021 compared to January and March 2021 (Onyando 2021). Countering these criminal activities and cyberattacks requires a comprehensive and consistent regional strategy that improves cross-border cooperation and law enforcement capacity (UNODC 2021). These trends indicate that the need to bolster regional cyber capacity and cooperation has become urgent.

3. Why regional organisations matter

Regional organisations are a form of international organisations established by nation states to provide solutions to problems that require collaborative action (Haas 1990, 2). For developing countries, their post-colonial economic and political weaknesses (compared to the more developed nations) means that pooling sovereignty by participating in regional bodies can help maximise their collective bargaining power (Acharya 2016, 119). Developing countries are more likely to use regional cooperation to help safeguard state sovereignty, whereas developed countries tend to favour more integrative regional strategies (Acharya and Johnston 2001, 20).

Regional organisations offer several advantages that could help further the ‘rules of the road’ for cyberspace. With fewer member states involved at the regional level (unlike the 193 participating states in the UNGA), the obstruction of negotiations by certain states may be avoided (Henriksen 2019, 6). Regional organisations also tend to have more legitimacy among their members, as they are institutions that operate according to regionally-derived social and political norms. ASEAN, for example, is ‘generally considered as the most successful regional organisation in the Global South’ (Stubbs 2019, 941), which is a testament to its legitimacy.

Regional organisations have better insights into national priorities and therefore are better positioned to advance cyberspace governance at the regional level. Regional organisations would also have extant mechanisms to facilitate cooperation in areas where states find broad agreement and can help create domestic implementation frameworks (Ott and Osula 2019, 1). These organisations can further promote the sharing of common challenges and offer lessons learned on how to move beyond them, as well as help to obtain consensus more broadly (Kumar 2019). Moreover, regular exchanges through regional organisations could reveal governments’ positions that are ‘like-minded.’ This knowledge is crucial in negotiations on international law, cyber norms and confidence- and capacity-building, as states may have multiple (or even competing) agendas (Henriksen 2019, 6).

A formidable challenge to deepening the trust and collaboration required to ensure responsible state behaviour is the strong emphasis on sovereignty. Sovereignty has been a long-standing concern for ASEAN and the AU, which has inhibited both organisations from playing a more enhanced and integrated role in maintaining regional peace and security, including on cybersecurity (Jácome, Matsuno, and Wulf 2009, 8). ASEAN is known for its ‘ASEAN Way’ of decision-making through consultation and consensus-building, as well as the principle of non-interference in the domestic affairs of other states (Narine 2002, 180). Meanwhile, even though the AU has abandoned the ‘absolute observance of non-intervention’ of its predecessor, the Organisation of African Unity (Jácome, Matsuno, and Wulf 2009, 8),⁷ the principle of non-intervention still influences the positions of some AU member states today (Welz 2016, 50).

Despite their limitations, ASEAN and the AU have had some successes in negotiating pressing international security issues, such as nuclear proliferation and climate change. Both ASEAN and the AU have established a Nuclear-Weapon-Free Zone (NTI 2015). Furthermore, as states are building national capacity to undertake climate change adaptation and mitigation efforts, regional organisations have provided a guided framework and the mechanism to pool resources to tackle common threats presented by the climate crisis (Williams and McDuie-Ra 2018, 32–33). Climate change has been on the agenda of ASEAN and the AU since 2007 and both organisations have taken steps to address this issue on a regional level, including through transnational forest management and cooperation on climate resiliency and natural disaster management (ASEAN 2015a).

In sum, regional organisations have remained relevant, as they ‘do more than just make rules’ that enable cooperation; they also ‘spread values and norms of behaviour’ (Farrell and Finnemore 2016, 577). Repeated interactions among member states, such as through technical assistance training and programmes, can facilitate better understanding of the obstacles to progress on certain issues and the development of strategies for how to overcome them. Regional initiatives can thus enable eventual cyber norm cascade and internalisation, which occurs when norms are accepted or at least ‘are no longer a matter of broad public debate’ (Finnemore and Sikkink 1998, 895).

4. Rules, norms and principles of responsible behaviour of states in ASEAN and the AU

A single overarching regime on the ‘rules of the road’ for cyberspace is unlikely to be achieved any time soon, due to persistent disagreement among UN member states. Therefore, fragmented efforts, in addition to the challenges posed by the fragmentation of authority and accountability, can be expected to continue (Nye 2014; Dunn Cavelty and Wenger 2020). This impasse has led regional organisations to engage in their own norm-building efforts. The Shanghai Cooperation Organisation (SCO), for example, devised a ‘plan of action to ensure international information security’ in 2007, which subsequently informed the ‘International Code of Conduct for Information Security’ that was submitted to the UNGA in 2011 and again in a revised form in 2015 (McKune 2015). In Europe, the Council of Europe’s Convention on Cybercrime (also known as the ‘Budapest Convention’) entered into force in 2004, with the aim of harmonising national laws and facilitating international cooperation against cybercrime. The Permanent Council of the Organization for Security and Cooperation in Europe (OSCE) has also adopted confidence-building measures (CBMs) in March 2016 to reduce the risks of conflict stemming from the use of ICTs (Grigsby 2016; Daskal and Kennedy-Mayo 2020).

In the AU, discussions on the importance of ICTs and cybersecurity among its fifty-five member states intensified in 2009 when the Oliver Tambo Declaration was adopted.⁸ The declaration directed the AU to draft a convention that addresses the ‘legal and regulatory requirements on electronic transactions, cyber security, and personal data protection’ (African Union 2009). Drafted in 2011, the AU Convention includes obligations for states to establish cybersecurity frameworks and institutions, along with efforts to promote international cooperation and legal harmonisation. This convention was eventually adopted in 2014.

As of 2021, however, there are only eight out of the fifteen ratifications required for the AU Convention to come into force (African Union 2020).⁹ It is striking that the two African countries that are analysed in this paper (South Africa and Kenya) have not signed or ratified the convention. Chief among the challenges is the lack of capacity and comprehensive national cybersecurity frameworks (Finnan 2015). As of 2018, out of fifty-five AU member states, only forty have laws on cybersecurity, only twenty have created national cybersecurity policies, and just eighteen have national Computer Emergency Response Teams (CERT) frameworks (Orji 2018, 113). Consequently, cybersecurity cooperation in the African region has progressed slowly, even though cybersecurity has been recognised as one of the flagship projects of the AU’s Agenda 2063 and the AU Cyber Security Expert Group has been established to facilitate the convention’s ratification (among other tasks) (African Union 2015; African Union 2019).

In ASEAN, member states have made pronouncements regarding the internet since 1996 (Noor 2020, 107).¹⁰ However, concerns regarding ICTs and international security gained extra prominence in the region around the time of the 2013 and 2015 GGE. The fifteenth telecommunications ministerial meeting in 2015, for example, placed more emphasis on ICT security, especially with the endorsement of the ASEAN ICT Masterplan 2020 (ASEAN 2015b). In 2016, participants in the first ASEAN Ministerial Conference on Cybersecurity (AMCC) agreed to develop ‘a set of practical cybersecurity norms of behaviour in ASEAN’ (Ibrahim 2016).

ASEAN and its partners have also coordinated regional cybersecurity and confidence-building efforts through the ASEAN Regional Forum (ARF).¹¹ Yet obstacles to significant progress exist, including differences in cybersecurity capacity and threat perception among member states, inadequate infrastructure and legal frameworks and, most notably, other domestic security priorities that may be more pressing than cybersecurity (ASEAN Regional Forum 2018, 2). The lack of political will in deepening cooperation is also apparent. For example, only Singapore, Indonesia and the Philippines have taken on a leadership role in advancing cooperation on security issues in the ARF, while other countries have preferred for the ARF to remain only a venue for dialogue and not for practical cooperation (Haacke 2009, 444).

The development of the ‘rules of the road’ for cyberspace in regional organisations has also encountered challenges due to sovereignty concerns. From a historical perspective, regional bodies such as ASEAN and the AU were established during the era of decolonisation when economic nationalism was considered to be inseparable from state sovereignty. Today, these institutions still find it difficult to expand their mandate, scope and function to better address emerging transnational threats, including those mediated through technology (Buyoya 2006, 165; Spandler 2019, 51; Acharya and Johnston 2001, 21). Large and complex institutions like regional organisations are also prone to inaction without dedicated resources and a champion for a specific cause (Allison-Reumann 2017, 22–26). ASEAN, for example, has a track record of being averse to directly responding to complex political issues and been criticised for its slow-paced decision-making and inability to play a meaningful role in safeguarding East Asia’s security (Noor 2020, 116; Stubbs 2019, 940). When it comes to cybersecurity, some progress has been achieved, however, and it is largely due to Singapore’s leadership.

Singapore has been funding efforts ‘to develop technical, policy, and strategy-building capabilities’ in cybersecurity in ASEAN since at least 2016 and has proposed mechanisms to enhance regional cyber coordination (CSA Singapore 2016; Ang 2018, 2). The ASEAN-Singapore Cybersecurity Centre of Excellence, for example, was drafted to build up the skills of senior ASEAN officials (Baharudin 2018). With Singapore as ASEAN’s chair in 2018, the group subscribed ‘in principle’ to GGE norms (Noor 2018) and ASEAN member states agreed to set up a working-level committee on cyber norms at the fourth AMCC in 2019 (Lee 2019). Singapore has cooperated with the UN to develop a norms implementation checklist (Tham 2020). There is also the plan for a ‘Cybersecurity and Information Centre of Excellence’ to be set up in Singapore to coordinate information-sharing and capacity-building, and in June 2021, the Ambassador for the Permanent Mission of Singapore to the UN in New York was elected to be the chairman of the next iteration of the UN OEWG (2021–2025) (Lim 2021; Pytlak 2021).

Singapore’s leadership, funding and technical expertise makes it a cybersecurity ‘norm entrepreneur’ in Southeast Asia. Norm entrepreneurs ‘may be any actor or actors who have a norm that they want to promote, whether for groups of which they are members or for some other community to adopt’ (Finnemore and Hollis 2016, 446). As a small city–state, Singapore relies on ‘rules of the road’ that are developed in ‘open and inclusive spaces’ such as the UN where all states have an equal stake. Hence, its prioritisation of GGE norms, as opposed to norms developed elsewhere (Ibrahim 2017, 20; Ang 2018, 3). Singapore’s highly developed and internet-penetrated economy also makes it nine times more vulnerable to cyberattacks than other Asia-Pacific economies (Reiber and Sukumar 2017, 14), while its status as a banking, aviation and maritime hub means that disruption from data breaches, ransomware and other attacks could erode public trust, or worse, cripple its economy (Ang 2020, 219).

Cyber norm entrepreneurs typically offer their own versions of norms and are actively involved in internet governance discussions at various forums and seek allies to support their positions (Maurer 2020, 299–301). At the global level, they include Russia, China and the United States. States may choose to be norm entrepreneurs to shape the framing or interpretation of norms, but those that are highly connected to the internet would also have an incentive to be a cyber norm entrepreneur, as they face greater risks (just as they reap massive benefits) from developing and using ICTs (Finnemore and Hollis 2016, 437).

Norm entrepreneurs may emerge to promote agreement when norms are contested, due to the lack of a universally accepted set of norms, disagreement on the key concepts that make up the norm or how to implement them. Challenges associated with cyber norms acceptance include a varied understanding of the key terminology used (e.g. what is ‘critical infrastructure’), different levels of norms awareness among states and the capacity to implement them, and the difficulty of attributing incidents in cyberspace with certainty (Finnemore and Hollis 2016, 458). The flouting of cyber norms by certain actors and a lack of clear mechanisms to monitor and report on compliance also create disincentives to comply with them (Brown and Esterhuysen 2019, 2).

States generally seek to promote the version of norms that most closely aligns with their interests. But states’ views on the ICT environment are at least partly informed by their levels of economic development and cybersecurity capacity. That is, the more a state’s economy relies on ICTs and the more capacity it has in the use of ICTs generally, the more likely it is to be invested in norms debates (Tran Dai and Gomez 2018, 222). This strategic calculation may also lead governments to use different forums to develop and socialise norms or to focus on specific norms, or aspects of certain norms, more than others (Finnemore and Hollis 2016, 466).

Norm entrepreneurs can disseminate norms through socialisation and pressure until enough states accept the idea and conform to the generally accepted behaviour. China and Russia have promoted their preferred norms in the SCO, while the United States and its partners have advanced their vision of cyber norms through the Tallinn Manual, which outlines the applicability of international law in cyberspace (McKune and Ahmed 2018; Maurer 2020, 291). The United States, Canada and some of their allies are also seeking to advance accountability for activities by states that violate norms, for example, through the ‘2019 Joint Statement on Advancing Responsible State Behavior in Cyberspace’, in which twenty-eight countries agreed to ‘work together on a voluntary basis to hold states accountable’ for activities in cyberspace (US Department of State 2019).

While Singapore’s norm entrepreneurship in ASEAN has led to some progress on the ‘rules of the road for cyberspace,’ there is no AU member country that has played a similarly assertive role in Africa in terms of leadership, training and funding. This gap is exemplified by the fact that the share of African countries at the bottom of the 2020 ITU Global Cybersecurity Index, which ranks the cybersecurity commitment of countries, is greater than in any other region. Kenya and South Africa respectively ranked fifth and eighth among African countries, but fifty-first and fifty-ninth globally (ITU 2021, 25).¹² It is thus possible that, despite possessing some ICT capacity, countries like Kenya and South Africa would rather seek external help to build cyber capacity in the region and provide assistance to AU member states.

As the cybersecurity capacity of African states lags behind the rest of the world, many African countries are more vulnerable to attacks (Allen 2021). In October 2020, Uganda suffered a major hack that compromised the country’s mobile money network, which has grown in importance during the pandemic (Kafeero 2020), while a June 2020 cyberattack targeting a group that operates sixty-six hospitals in South Africa ‘affected admissions systems, business processing systems and email servers’, forcing them to switch to manual back-up systems (Bottomley 2020). Africa’s fight against cybercrime is complicated by the fact that as of April 2020, fifteen out of fifty-five countries in the continent still do not have specific legal provisions on cybercrime (Calandro 2020). African countries have also lagged in their participation in the UN GGE. Only nine out of fifty-five AU member states have been UN GGE members, in contrast to three out of ten ASEAN member states.

Another challenge in norms acceptance is AU and ASEAN members’ economic, social and political diversity, which has led to different understandings of what constitutes ‘cybersecurity.’ States’ approaches to cybersecurity are also framed by what they perceive as ‘threats’, which can differ from one country to another (Tran Dai and Gomez 2018, 222). For example, several AU states have passed cybersecurity and data protection laws that are overly broad or vague and can be used to stifle political dissent rather than to effectively secure the internet (Turianskyi 2020, 9). This divergence among states has complicated negotiations on how to best ensure responsible state behaviour in cyberspace. Studies on ‘veto players’ – defined as ‘individual or collective actors whose agreement is necessary for a change of the status quo’ (Tsebelis 1999, 593) – have shown that a meaningful policy outcome is less likely to be achieved when actors with significantly different ideologies, interests and strategies are involved in deliberations. Furthermore, research has shown that regional organisations can be ‘almost as awkward and inflexible as the UN itself’, and consequently, ‘practical measures often fail to be adopted due to lack of political agreement’ (Jácome, Matsuno, and Wulf 2009, 16). As such, challenges at the global level due to differing attitudes and capacities among states have emerged in regional processes as well.

5. Singapore and Indonesia’s statements at the OEWG and their implications for ASEAN

Countries with a high degree of cyber maturity like Singapore are likely to be more willing to spend their energy and resources to engage with cybersecurity issues, unlike those with lower levels of cyber maturity (Tran Dai and Gomez 2018, 222). Meanwhile, Indonesia’s keen interest in cybersecurity is contributed by its status as the biggest internet economy in Southeast Asia (Eloksari 2020). It is thus unsurprising that among ASEAN members, Singapore and Indonesia have been active participants at the OEWG and GGE, while states whose economies are less internet-penetrated, such as Myanmar and Cambodia, made no statements or contributions at the OEWG nor have they been GGE members.

An examination of the public positions delivered by Indonesia and Singapore at the 2019–2021 UN OEWG revealed not only several areas of agreement and potential for cooperation but also nuanced differences that may complicate progress in ASEAN. Both Singapore and Indonesia similarly underlined that it is the misuse of ICTs that is of concern, rather than the specific technologies themselves. Therefore, any measures or legal frameworks regarding the use of ICTs ‘should be crafted not to impair new innovation and development of technology’ (Indonesia 2020a, 2). Both countries also agreed that confidence- and capacity-building are much needed for the implementation of cyber norms.

Indonesia and Singapore’s statements recognised that cyberthreats cannot be mitigated simply by building up domestic capacity. Instead, there is also a need to help other, less developed states that are potentially more vulnerable and prevent them from becoming targets of or proxies for cyberattacks. Singapore considered capacity-building as necessary to build ‘confidence, predictability, and stability that is essential for economic progress’ (Singapore 2020a). Indonesia also stressed the importance of cyber capacity-building for those ‘that have yet to partake in cyber security discourse’ (Indonesia 2020a, 2) and argued that this would ‘benefit the larger system of cybersecurity’, ‘close the digital divide’, and ‘encourage states to engage and be more active in the cybersecurity discussion’ (Indonesia 2020b). These statements showed an agreement among the two countries that the ‘rules of the road’ for cyberspace requires commitments from and participation by all states, including those that still have limited understanding of the issue.

Both Singapore and Indonesia recognised the important role that regional organisations play and made it a point to highlight ASEAN in their statements. Singapore supported the role that regional and sub-regional bodies can play in developing and adapting CBMs to their specific context as well as in awareness-raising and information-sharing through cross-regional or inter-organizational exchanges (Singapore 2020b, 2). Specific institutions within ASEAN that can serve as venues for the further elaboration of norms were also mentioned (e.g. the ASEAN-Singapore Cybersecurity Centre of Excellence) (Singapore 2020b, 3). Indonesia’s statements additionally echoed the importance of regional organisations. In particular, it ‘acknowledge[d] efforts made by regional organisations, including ASEAN, in promoting CBMs in the field of cybersecurity’ (Indonesia 2020a, 2).

Despite several common views espoused by Singapore and Indonesia, differences in their statements exist, such as on threat perception. Singapore articulated specific threats, including data breaches, disruption to cloud services and the exploitation of cloud services for malicious aims like Distributed Denial of Service (DDoS) attacks, and the targeting of biometric data. These issues are significant to Singapore, given its developed and highly internet-penetrated economy (Singapore 2020a). In contrast, Indonesia only referred generally to threats such as ‘cyberattacks’ and ‘malware attacks’. Indonesia also mentioned the threat of cyberspace being hijacked to ‘spread hatred and racial ideology’ as a concern (Indonesia 2020b) while Singapore did not. A similar point was made in the NAM’s written statement to the OEWG on the need to end the ‘misuse of media platforms, […] as well as the dissemination of discriminatory and distorted information of events, and campaigns that defame and incite hatred against religion, cultures and symbols’ (NAM 2020, 2).

Singapore and Indonesia’s statements on the issue of international law and voluntary, non-binding norms have the most potential for disagreement. While both agree that the implementation of existing norms is important and necessary, their language on the topic signals different views. Singapore only affirmed that international law, ‘in particular the UN Charter, applies to cyberspace’ (Singapore 2020b, 1). Indonesia, meanwhile, specifically argued against the ‘automatic application of existing laws without examining the context and unique nature of activities in cyberspace’, and suggested that ‘practical adjustment and possible new interpretations are needed’ (Indonesia 2020a, 2). Unlike Singapore, Indonesia stated explicitly the need to address gaps by drafting additional norms, ‘with a view to gradually developing binding international norms’ (Indonesia 2020a, 3). Indonesia further expressed concerns that states still hold divergent views on important legal concepts, particularly what constitutes maintaining sovereignty in the context of cyberattacks (Indonesia 2020b). Nonetheless, the NAM (of which Singapore and Indonesia are members) maintained that ‘differences among Member States should not prevent the OEWG from further developing specific recommendations on what States shall and shall not do in the ICTs environment’ (NAM 2020, 3).

A complicating factor in achieving agreement on international law and cyber norms is ASEAN’s principle of decision-making by consensus. Given political sensitivities and disagreement on these issues, the group’s members would probably prioritise advancing less divisive objectives, such as capacity-building and the sharing of good practices. This approach could mean that cybersecurity cooperation in ASEAN would remain broad and shallow. For meaningful progress to be achieved in the region, member states must be willing to move certain issues aside and proceed with consultation in other areas when disagreements arise (Weber 2011, 222). Furthermore, if ASEAN is serious about taking steps to promote an open, secure and stable ICT environment, then dialogue and cooperation must occur beyond the AMCC and ASEAN’s current partners, while capacity-building efforts must also take place outside the ASEAN Cyber Capacity Programme (ACCP). To promote progress at the global level, ASEAN needs to ensure that its achievements continue to inform other processes, such as the GGE and OEWG.

For cyber norms to be respected, there must be regional mechanisms to monitor and ensure compliance and meaningful consequences for norms violations. Yet, ASEAN’s sensitivities over sovereignty and the principle of non-interference pose hurdles to these goals. Disagreements among UN member states on how best to achieve cybersecurity while safeguarding sovereignty and the need for binding versus non-binding framework have stalled progress in the GGE and OEWG. Judging from Singapore and Indonesia’s positions, these issues have the potential to hamper progress in ASEAN as well.

6. Kenya and South Africa’s statements at the OEWG and their implications for the AU

As some of the more technologically-advanced countries in the continent, Kenya and South Africa face growing cyberthreats and share common interests in furthering cyber norms. Their statements at the OEWG also signal considerable similarities in priorities and threat perception. Kenya and South Africa expressed serious concerns about threats emanating from the malicious use of ICTs, with data breaches, cyber espionage, disinformation, DDoS attacks, damages to critical infrastructure and the use of AI in automated attacks especially highlighted. South Africa also mentioned that it is often targeted by cyberattacks, due to a lack of risk awareness and defences. Consequently, more than 80 per cent of small and medium enterprises that fall victim to cyberattack do not recover due to damages and reputational loss (South Africa 2020).

South Africa noted in its statement that cybersecurity is increasingly a priority for many African countries, but the lack of capacity hinders states’ ability to effectively implement norms and interpret international law’s applicability to cyberspace. This gap threatens states’ responses to cyberthreats and malicious acts individually as well as collectively (South Africa 2020). As part of the solution, Kenya and South Africa argued that developed countries must contribute more to equalise the cybersecurity divide. Kenya asked for international funding of cyber capacity-building ‘for those furthest behind, especially in the developing world’ (Kenya 2021), while South Africa called on developed countries for assistance, including the transfers of ICT skills and cybersecurity risk awareness and mitigation strategies.

Progress on international law and cyber norms in the AU is complicated by the fact that many member states have yet to meet the AU Convention’s requirements regarding states’ obligations to establish cybersecurity frameworks, governance structures and other efforts to promote a culture of cybersecurity and cooperation. While the convention is to provide guidance for member states to draft cybersecurity and data protection laws, governments have to interpret the convention themselves and adopt their own laws at the national level. Yet states have been slow to undertake this process (Turianskyi 2020). Furthermore, less than half of African states have national cybersecurity policies or national CERTs, which has slowed down the potential for further developments (ITU 2021). Nevertheless, the AU Commission has been supporting individual states by collaborating with external partners such as the US Department of State and the Council of Europe to organise workshops on issues of cyber diplomacy, cybercrime and cyber strategies to speed up capacity-building (Amazouz 2020, 206–207).

While Singapore and Indonesia noted the usefulness of ASEAN in promoting rules and principles of responsible state behaviour, neither Kenya nor South Africa made significant references to the AU. Instead, both states pointed to external partners as venues where efforts such as capacity-building should continue. Kenya recognised that ‘a lot of work has already been done, especially by regional blocs.’ But its representative did not suggest that regional organisations take on additional responsibilities and instead maintained that capacity-building efforts should be furthered through the UN or multi-stakeholder organisations such as the Global Forum on Cyber Expertise (GFCE) with ‘members and partners from all geographical regions’ (Kenya 2021). South Africa also focused its statements on the role of global partners. Although its delegation recognised the need for ‘improved explanation and guidance on norms’ during consultations with the AU (South Africa 2020), it did not elaborate on what steps were taken to meet those needs. South Africa did mention, however, that it remains committed to resolving issues of international peace and security through the UN, such as attribution, gaps in international law, and mechanisms for dispute resolution. On capacity-building, South Africa spoke in support of bringing in partners with ‘different backgrounds, knowledge, and strengths,’ such as through the University of Oxford’s Global Cyber Security Capacity Centre (South Africa 2020).

South Africa and Kenya’s statements suggest that some African states see less potential for the AU to play a leadership role in advancing the ‘rules of the road’ for cyberspace. Without a member state that can provide substantial funding, technical expertise and mentorship, combined with a wide gap in cyber maturity between states, cybersecurity cooperation through the AU may be considered by its member states to be less effective. Moreover, as the AU makes decisions by consensus or, when that is not possible, by a two-thirds majority, achieving an agreement on how international law and cyber norms apply to cyberspace that reflects the views of all fifty-five members is likely to be arduous. This is especially because some African states have not prioritised cybersecurity nor devoted many resources to this issue.

Another concern is the divergence in viewpoints among AU members. Unlike Kenya and South Africa, for example, Zimbabwe explicitly supported the positions of China, Cuba and Russia on ‘cyber sovereignty’ in its written statement. ‘Cyber sovereignty’ (or ‘information sovereignty’) is advocated primarily by China and Russia, and this concept has been used to provide justification for a highly restrictive media environment with pervasive censorship and other controls on information flows (Basu, Poetranto, and Lau 2021). In addition to alignment on cybersecurity, China is Zimbabwe’s biggest source of foreign direct investment (and has deep ties with its military), while Russia and Iran are also top investors in the country (Mutsaka 2020; Gochero and Boopen 2020). Another example is that Egypt and South Africa hold different views regarding the need for binding versus non-binding frameworks to govern cyberspace. Egypt supports binding rules, while South Africa prefers clarifications on existing GGE norms (Egypt 2020, 1; South Africa 2020).

Meaningful advancement in international law and cyber norms in the AU requires states to reach an agreement on the fundamentals of cybersecurity and to have the capacity to mitigate threats; only then can there be further elaboration and operationalisation. Yet the lack of a highly motivated and well-resourced AU member state to lead the way, combined with differing views and levels of technological development, means that progress on cyber ‘rules for the road’ in the African region is likely to continue to be challenging.

7. Conclusion

By analysing the public positions of Indonesia, Kenya, Singapore and South Africa at the 2019–2021 UN OEWG sessions, this paper has highlighted several challenges for ASEAN and the AU in significantly updating or advancing the ‘rules of the road’ for cyberspace. Inequality in ICT development, as well as dissimilarity in economic, social and political aspects, have resulted in varying perceptions of threats and differing conceptualizations of cybersecurity which complicate agreement. These divisions are reflected in the fact that, while ASEAN has subscribed in principle to GGE norms, the AU has not, and many African countries have been less engaged than others in cyber norms processes. There is also persistent disagreement regarding how to safeguard sovereignty in the face of cyberattacks and how exactly international law applies to cyberspace. Meanwhile, the difficulties associated with identifying the origin of cyberattacks (also known as the attribution problem) continue to present a major obstacle for states looking to exercise their sovereignty by tracing back attacks and to ensure compliance with cyber norms (Liaropoulos 2013).

Despite the many challenges, opportunities for further cooperation are present within ASEAN and the AU. Both organisations can focus on the ‘low-hanging fruit’ by operationalising certain norms. For example, by developing CBMs to prevent conflict or conflict-escalation among states through leveraging partnerships in the region and building trust. Trust is especially needed to intensify regional collaboration in implementing norms and CBMs and to achieve the consensus required to ensure the peaceful use of ICTs (Kavanagh 2017, 2).

There is already strong partnership among ASEAN’s national CERTs and the CERTs of its dialogue partners (Australia, China, India, Japan and South Korea), which is facilitated by the ASEAN Network Security Action Council (ANSAC) and the ARF Inter-Sessional Meeting on Security of and in the Use of ICTs (ARF ISM-ICTs). There is also pre-existing cooperation between Japan and ASEAN Computer Security Incident Response Teams (CSIRTs) (CSA Singapore 2019; Matsubara 2017). Additionally, the AU Commission has established a two-year collaboration with the GFCE to help African countries identify and address their cyber capacity needs (GFCE 2021). In addition to engaging in these partnerships, ASEAN and the AU can further knowledge-sharing with global bodies such as the UN, as well as with institutions in other parts of the world (Heinl 2014, 143).

To overcome some of the regional challenges that have been identified, this paper suggests that ASEAN and the AU expand cybersecurity cooperation with countries or groups of countries that have much higher levels of cyber maturity. ASEAN has made strides in this regard as it has signed agreements on cooperation with the European Union (EU) and Japan in 2019 and 2020 respectively (Benincasa 2021). The AU has similarly engaged in consultations with the EU to strengthen their cooperation on cyberspace issues (EUISS 2021). For these relationships to be fruitful, however, states must at least clarify their medium- and long-term cybersecurity priorities and strategies, as well as specify and obtain the resources required to achieve them. Crucially, regional organisations, like their global counterparts, must ensure multi-stakeholder participation, as civil society and private sector actors (among others) play a key role in sustaining cyber peace and security (Meyer 2020, 354).

The promotion of international law and cyber norms through regional organisations has created fears of ‘competing silos’ or worse – the abandonment by states of efforts to reach a global agreement (Henriksen 2019, 6). Although these worries are understandable, the opposite could turn out to be true. Instead of causing further logjam, regular exchanges on cybersecurity issues in regional organisations are expected to build the knowledge, trust and confidence needed for global negotiations and norm-implementation processes to show some success. This is because efforts at the regional level complement (instead of supplant) those at the global level. The activities of ASEAN and AU member countries have thus far enriched UN deliberations on the content and interpretation of international law and cyber norms, as well as shed light on areas of potential cooperation.

The OEWG process continues with another iteration (2021–2025) that will hold its first substantive meeting in December 2021. It remains to be seen if a highly motivated AU member state will significantly advance regional cooperation and greater investments on the ‘rules of the road’ for cyberspace, as Singapore has in ASEAN. Future research should consider broadening the analysis to other (non-swing or non-digital decider) states and states that have participated in the OEWG but have not delivered statements at every meeting – for example, Egypt and Mauritius. Egypt has participated in three GGEs, is one of two main co-sponsors of a proposed Programme of Action to establish a permanent UN forum for cyber norms discussions and has made investments in ‘technologies of digital surveillance’ (Hassib and Shires 2021, 1; GIP Digital Watch 2020). Meanwhile, Mauritius, as the first African country to ratify the Budapest Convention, was one of the first African countries to adopt cybercrime legislation in 2003 and has a comprehensive national cyber policy to coordinate cybersecurity efforts (Turianskyi 2020).

The OEWG has broadened the participation of UN member states in cybersecurity-related discussions. In March 2021, UN member states reached a consensus to endorse an OEWG report with recommendations for advancing peace and security in cyberspace. With many countries being involved in the OEWG, the analysis of Indonesia, Kenya, Singapore and South Africa as well as ASEAN and the AU offered in this paper is only a first step towards a better understanding of the regional challenges and opportunities to further the ‘rules of the road’ for cyberspace. A more extensive examination of the positions of other regional institutions and Global South countries in the OEWG and their potential impact on the future of cyberspace governance is required.

Acknowledgements

Professor Ronald J. Deibert, the director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy, provided supervision and guidance on this project. Many thanks to the reviewers, copyeditor, and co-editors at the Journal of Cyber Policy for helpful comments.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Notes on contributors

Irene Poetranto

Irene Poetranto is a senior researcher at the Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs & Public Policy, and a PhD Candidate in the Department of Political Science, University of Toronto. Twitter: @irenepoet

Justin Lau

Justin Lau is a research assistant at the Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs & Public Policy, and a graduate of the Munk School’s Master of Global Affairs Program.

Josh Gold

Josh Gold is a visiting fellow at the Canadian International Council (CIC). In 2020 Josh worked as a research assistant at the Citizen Lab, and was a non-resident visiting fellow at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Twitter: @joshgold3

Notes

1 Maurer and Morgus (2014) consider the following countries as ‘swing states’: Albania, Argentina, Armenia, Belarus (an outlier), Botswana, Brazil, Colombia, Costa Rica, Dominican Republic, Georgia, Ghana, India, Indonesia, Jamaica, Kenya, Malaysia, Mexico, Moldova, Mongolia, Namibia, Panama, Peru, Philippines, Serbia, Singapore, South Africa, South Korea, Tunisia, Turkey and Uruguay.

2 Morgus, Woolbright, and Sherman (2018) list the following countries as ‘digital deciders’: Albania, Argentina, Armenia, Bolivia, Bosnia and Herzegovina, Botswana, Brazil, Colombia, Congo (Republic of), Costa Rica, Cote d’Ivoire, Dominican Republic, Ecuador, El Salvador, Georgia, Ghana, Guatemala, Honduras, India, Indonesia, Iraq, Jamaica, Jordan, Kenya, Kuwait, Kyrgyz Republic, Lebanon, Macedonia, Malaysia, Mexico, Mongolia, Morocco, Namibia, Nicaragua, Nigeria, Pakistan, Panama, Papua New Guinea, Paraguay, Peru, Philippines, Republic of Moldova, Serbia, Singapore, South Africa, Sri Lanka, Thailand, Tunisia, Ukraine and Uruguay.

3 Three substantive sessions of the OEWG took place in September 2019, February 2020 and March 2021.

4 The NAM is an alliance established by a group of newly independent states in Asia and Africa following the 1955 Asia-Africa Bandung Conference in Indonesia. These states did not side with either major power during the Cold War but were instead ‘non-aligned’ in international affairs. See Waters (2001, 153).

5 For a list of all written statements, see https://un.org/disarmament/open-ended-working-group/. For the recordings of OEWG meetings, see https://webtv.un.org/. Please contact the authors for information on timestamps of Indonesia, Kenya, Singapore and South Africa’s public statements at the OEWG meetings.

6 Formally known as the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

7 The AU was officially instituted in 2002 after its predecessor, the OAU, was disbanded to make way for a new continental organisation that could build on its work (Murithi 2005). Article 4 of the AU’s Constitutive Act outlines the particular conditions under which member states can intervene in the sovereign affairs of other member states (Sarkin 2016).

8 AU members include Algeria, Angola, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Cabo Verde, Central African Republic, Chad, Comoros, Congo, the Democratic Republic of Congo, Cote d’Ivoire, Djibouti, Equatorial Guinea, Egypt, Eritrea, Ethiopia, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau. Kenya, the Kingdom of Lesotho, Liberia, Libya, Madagascar, Malawi, Mali, Mauritania, Mauritius, Morocco, Mozambique, Namibia, Niger, Nigeria, Rwanda, Saharawi Arab Democratic Republic, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Sudan, Kingdom of Swaziland, Tanzania, Togo, Tunisia, Uganda, Zambia and Zimbabwe (NTI 2019a).

9 As of September 2021, eight countries have ratified the treaty: Angola, Ghana, Guinea, Mozambique, Mauritius, Namibia, Rwanda and Senegal. And 11 countries signed but did not ratify the treaty: Benin, Chad, Comoros, Congo, Guinea-Bissau, Mauritania, Sierra Leone, Sao Tome and Principe, Togo, Tunisia and Zambia.

10 ASEAN was established in 1967 by Indonesia, Malaysia, the Philippines, Singapore and Thailand.

Brunei Darussalam joined in 1984, Vietnam in 1995, Laos and Myanmar in 1997, and Cambodia in April 1999 (NTI 2019b).

11 The ARF comprises 27 members: the 10 ASEAN member states (Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam); the 10 ASEAN dialogue partners (Australia, Canada, China, the European Union, India, Japan, New Zealand, the Republic of Korea, Russia and the United States); Bangladesh, the Democratic People's Republic of Korea, Mongolia, Pakistan, Sri Lanka and Timor-Leste; and one ASEAN observer (Papua New Guinea) (Medina 2020).

12 As a comparison, Singapore ranks first in Southeast Asia and fourth globally in the 2020 ITU Global Cybersecurity Index, while Indonesia ranks sixth regionally and twenty-fourth globally (ITU 2021, 29).