Krisman, Khanisa Cyber Security Cooperation A Secure ...

www.ssoar.info

A Secure Connection: Finding the Form of ASEANCyber Security CooperationKrisman, Khanisa

Veröffentlichungsversion / Published VersionZeitschriftenartikel / journal article

Empfohlene Zitierung / Suggested Citation:Krisman, K. (2013). A Secure Connection: Finding the Form of ASEAN Cyber Security Cooperation. Journal of ASEANStudies, 1(1), 41-53. https://nbn-resolving.org/urn:nbn:de:0168-ssoar-441755

Nutzungsbedingungen:Dieser Text wird unter einer CC BY-NC Lizenz (Namensnennung-Nicht-kommerziell) zur Verfügung gestellt. Nähere Auskünfte zuden CC-Lizenzen finden Sie hier:https://creativecommons.org/licenses/by-nc/4.0/deed.de

Terms of use:This document is made available under a CC BY-NC Licence(Attribution-NonCommercial). For more Information see:https://creativecommons.org/licenses/by-nc/4.0

http://www.ssoar.info

https://nbn-resolving.org/urn:nbn:de:0168-ssoar-441755

https://creativecommons.org/licenses/by-nc/4.0/deed.de

https://creativecommons.org/licenses/by-nc/4.0

Journal of ASEAN Studies, Vol.1,No.1 (2013), pp. 41–53©2013 by CBDS Bina Nusantara University and Indonesian Association for International RelationsISSN 2338-1361 print / ISSN2338-1353 electronic

A Secure Connection:Finding the Form of ASEAN Cyber SecurityCooperation

Khanisa Centre for Political Studies, Indonesia Institute of Sciences (LIPI)

AbstractInternet security is somehow being understated in ASEAN’s strategy facing 2015. ASEANConnectivity as the blue print of ASEAN’s development strategy to strengthen the regionalbond has not put proper attention in building security for guiding the connectivity planamong ASEAN member countries. This paper will discuss the future of cyber securitycooperation particularly as ASEAN is planning to connect the region through ICT. Thispaper will try to analyse what kind of framework ASEAN will need on preparation to widenits security agenda to cyber world in the future to complete its preparation of being connected.

Keywords: Internet Security, Cooperation, ASEAN

Introduction

As the wave of technology andmodernity changes the way of our daily life,it has changed the world’s perception someof its values as well. One of the icons of thistechnological development is the internetwhich at first serves as the communicationnetwork in the cold war (Ryan, 2010, p. 14).The internet nowadays also has created anew realm, cyberspace, and in the era ofhigh-speed connection, many peoplelabelled the cyberspace as a lawless andborderless world of which freedom is themain issue. Anyone supposed to be free tobe connected, search for anything they needfrom every source they find and transformtheir creation in digital form. Some peopleeven go beyond and use the internet to getwhat they need in illegal ways. This can be

a general description of what will be latercategorized as cybercrime.

Although there are still manydiscussions about the interpretation ofcyber-crime due to its vast scope ofinfringement, it is important to have a basicunderstanding about what cybercrimereally is. Using computer as a tool tocommit a crime is not necessarily called acybercrime. There is a difference ofcybercrime and computer crime.Cybercrime is not only a crime committedwith digital instrument, but it alsoconnected to the network of digitalcommunication (Gerkce, 2011, p. 26). Theconnectivity issue makes cybercrime morecomplex to deal with. As a measure to avertthe future damage caused by cybercrime,laws and regulations governing thecyberspace are created to prevent them to

42 A Secure Connection

happen. Some of the first emerged in the1990s, like Britain’s Computer Misuse Act(1990), Ireland’s The Criminal Damage Act(1991), Malaysia’s Computer Crimes Act(1997) (Singh, 2007, p. 79) and until now thegrowth of such laws and legislationscontinues as cybercrime expands. But thevolume of cybercrime threats also goesparallel with the counter measuresformulated by the government.Nevertheless, cybercrime developed andextended its complexity and the actors alsogetting well-organized.

The international community hasacknowledged that this new threat can beglobal level security issues as many of thehigh scale businesses and administrationsare run on digitalized systems which arefragile enough to be ruined by virusescreated by hackers. Due to that reason, theinternet nowadays is treated more than acommunication channel; as it has nowincluded on a country “territorial” space.The awareness to treat cyber security moreseriously can be seen as some countriesstarted to build cyber security cooperation.The first convention arranging suchcooperation is the 2001 Convention onCybercrime held in Budapest by theCouncil of Europe; with 39 countries haveratified the convention (Council of EuropeTreaty Office, 2013).

Unfortunately, an arrangement like theCouncil of Europe’s Convention onCybercrime is commonly preferred bydemocratic and developed countries. Fordeveloping region especially in SoutheastAsia, this kind of cooperation will have towait to be prioritized. In Southeast Asia,some of the countries may have developedin cyber technology and at the same timehave cybercrime prevention unit. Othersmay have not gone that far. Countries inSoutheast Asia seem to be unprepared todesign cyber security cooperation as aconsequence of gaps in development of

Information and CommunicationsTechnology (ICT).

Despite these gaps and differences,ASEAN has planned three regionalblueprints; in one of them is in the political-security field which includes the ASEANRegional Forum, an establishment topromote peace and security in the widerEast-Asia region which also deals with theunconventional security issue likecybercrime. ASEAN also put ICTdevelopment as integral part of the ASEANConnectivity. The development of ICTshould not only address on strengthening ofthe network but also the prevention fromthreats or attacks on that network. Likemany ASEAN cooperation, ASEAN have tostruggle to synchronize the point of view ofits members on the importance of suchcooperation. Since each member countries isin different phase of their ICT developmentand their dealings with cybercrime.

In this paper, the author argues thatASEAN have to be prepared for dynamicchanges in the security field which makescyber domain as one of its source of newthreat and regional security framework hasto be designed to cope with such issue as itis a transnational type of disturbance thatinter-state cooperation is nedeed. Based onthat argument, this paper firstly will discussabout the aspect of the growth of ICT in theregion of Southeast Asia to know how farICT impacting ASEAN member states, andthe later part of this paper will assess howASEAN, as a regional organization, build itscyber security agenda. The question is“what kind of cyber security cooperationshould be implemented in region?”

For answering the question, the authorexamines several formal documents such asConvention of Cybercrime, NATO’s Policyon cyber defence, APCERT framework andalso ASEAN’s Charter and documentationfrom ASEAN’s meetings and forums. Thisapproach is substantial to know whether

Journal of ASEAN Studies 43

the existed framework will be suitable to betaken building foundation for ASEAN’sfuture cyber security cooperation. Somereports and news also used to recognize thecurrent trends and situation in the issue ofcyber security and cybercrime.

Although not specifically discusstheoretical topic of security in latersegments, this paper is built on the authorperspective of dynamic changes inInternational Relations especially in thefield of security. In the author’s opinion, theneed of cyber security is caused by theenlargement domain of dwelling andinteraction of the internet user which as notonly consist by individuals but alsogovernmental bodies and privatecorporations, with all the affairs running onthe virtual world, rules and guidance areneeded to ensure all the parties will notharmed or be harmed by each other.

ICT and Cyber Security in ASEAN

The growth of ICT in Southeast Asia isactually not too far behind the US, Europeand countries in Northeast-Asia like Japanand Republic of Korea. According toASEAN E-Commerce Database Projectreleased in 2010, ASEAN represent 6percent of the Internet world users and thesum of global penetration level of ASEANmembers countries are 20 percent, withBrunei Darussalam, Singapore andMalaysia having the biggest share ofinternet penetration, and Indonesia,Philippines, and Vietnam having thegreatest numbers of internet user.

Although compared to global number ofinternet users, 6 percent seems small andinsignificant, one cannot forget that ASEANis holding almost one-tenth (9 percent to beprecise) of the world population, far abovethe population of 28 member countriesEuropean Union combined. With thispercentage, ASEAN is in a good position to

build an advanced ICT region with internetbusinesses run on it or quoting the reportreleased in the ASEAN E-CommerceDatabase Project, “...undoubtedly a goodenvironment for the E-Commerce” (ASEANE-Commerce Database Project, 2010, p. 68).

Moreover, ASEAN has made aconsiderable progress in ICT development.ASEAN incorporates ICT development asone of the connectivity aspect in its recentmaster plan on building of ASEANCommunity 2015. The Master Plan onASEAN Connectivity encompassesphysical, institutional and people-to-peopleconnectivity with ICT as integral part ofphysical connectivity. The most recentASEAN master plan released in 2011 is theASEAN ICT Master Plan which gives moredetailed information on how ASEAN wantsto develop its ICT sector.

ASEAN’s vision to build the ICT sectoris to create a technologically advance andwell-connected region. But ASEAN’sdevelopment on ICT is lacking inincorporating the security aspect. Knowingthe important yet fragile system of ICT,ASEAN needs to be ready to face cyberthreat that might occur. So far, nine out often ASEAN member countries haveComputer Emergency Response Team(CERT), the only country remained is Laoswho has not establish their CERT. CERTs ofthe nine countries also are members of AsiaPacific Computer Emergency ResponseTeam (APCERT), a regional organizationconsist of 29 teams of CERT (21 teams arefull member and 8 teams are generalmember) from 22 Asia Pacific Countries(APCERT, n.d.). The existence of CERTteam is vital to be “cyber police” to securethe national cyberspace, and thecooperation among them is needed to builda network to fight cybercrime.

With proper instruments available inmost of ASEAN member countries, thequestion remains whether the instrumentsare compatible enough to deal with the


reality of cyber threat.

Table 1. ASEAN Internet Penetration

No.

Country InternetPenetration

Internet Users Population

Brunei Darussalam 81% (1) 318.900 395.027Singapore 78% (2) 3.658.400 4.701.069Malaysia 65% (3) 16.902.600 26.160.256Philippines 30% (2) 29.700.000 99.900.177Vietnam 27% (3) 24.269.083 89.571.130Thailand 26% 17.486.400 66.404.688Indonesia 12% (1) 30.000.000 242.968.

342Lao PDR 8% 527.400 6.993.767Cambodia 1,3% 13.800.000 173.675Myanmar 0,2% 53.414.374 110.000

ASEAN 20% 604.308.830 123.146.458(Table from ASEAN E-Commerce Database Project, 2010, p. 14)

Evolution of the New Threats

Before discussing about the evolution ofcybercrime, knowing types of that newthreat is useful to know. The author willrefer to the typology of Council of Europe’sConvention of Cyber Crime held inBudapest on 2001. The convention dividesfour basic types of offences, they are: (1)“Offences against the Confidentiality,integrity, and availability of Computer dataand systems” (including illegal access,illegal interception, data interference,system interference, misuse of device), (2)“Computer related offences” (computerrelated forgery, computer related fraud), (3)“Content related offences” (including childpornography), and (4) “Offences related toinfringements of copyright and relatedrights”.

These offences are the formal typologyfor popular terms like hacking, phishing,spreading worm, trojan, malware, orspyware, and illegal downloading.

“A Good Decade for Cybercrime”, a

report released by McAfee in 2010, coveringthe growth of trends of cybercrime all overthe world shows dynamic changes oncyber-crime that occurred. Ten years turnsout to be a sufficient time to see howcybercrime motives are adapting to currentsituation that time. Divided by four timeperiods, the years from 2000 to 2010captured some specific advancements of theuse of internet follows by the cybercrimegrew along the way. The first period (2000-2003) featured crimes like DistributedDenial of Service (DDoS), Macro viruses,identity theft through unsecured Wi-Fi andharmful MP3 downloads. These kinds ofdisturbances are still minor compared towhat second period caused. The secondperiod (2004-2005) was the time whencybercrime actors tend not only to show offtheir skill to manipulate digital world butthe goal is to make profit from their crime.The spread of adware, spyware, rootkit, andbotnets started to threaten personal usersand companies for their capability instealing important financial information, as


well as damaging their system. The thirdperiod (2006-2008) was when the actorsstarted to assemble and act as an organizedgroup. In this period the transnationalnature of cyber became increasingly clear,since the group can spread beyond acountry border and only connected throughcyber space. The last period (2009-2010)captured the recent phenomenal trend ofinternet product, the Social Network Sites(SNS) that can cause a serious problemthrough personal information theft, thespread of fraud post or massage, andharmful links (McAfee, 2010, p. 4-6).

In line with the McAfee 2010 report thatpredicts cybercrime will go mobile in thenear future, some other reports also showthe cybercrime threat is escalated beyondPC. Norton Cybercrime Report released in2012 stating this issue, giving the number oftwo-third adults use mobile gadget toaccess the internet, and two-third of thatamount do not provide their gadget withsecurity tools, the report also wrote that themobile vulnerability is growing twice as bigfrom 2010 to 2011 (Symantec, 2012).

These reports show that cybercrimethreats have escalated in many level, andthe complexity rises when it grew strongenough to threat national security. Somecases of cybercrimes are addressed to attackthe government institution, and as the trendof cybercrime evolves to a bigger schemethe term “cyber war” becomes popular.However, there is still a debate about thevalidity to call the “cyber war” as “war”. Anarticle by Professor Sean Lawson written inForbes on 2011 pictured one of the debatesbetween the supporter and the opponent inthe issue (Lawson, 2011). Dr. Thomas Rid,who is not agreeing on the term “cyberwar”, stated his disbelieve clearly from hisessay’s title “Cyber War Will Not TakePlace.” The base of his stand point isClausewitz’s theory of war. According toRid, cyber war doesn’t meet the mainelement of war, that are violent,

instrumental, and political (Rid, 2011, p. 10).Meanwhile, Jeffrey Carr, countering thisargument in his blog post titled “Clausewitzand Cyber War”, assert the approach ofusing a conventional war theory to analysecyber war is not suitable since changeshappen in the world. In his book writtenbefore this debate, “Inside Cyber Warfare”(2010) Carr also explains thoroughly aboutthis trends and the implication to globalcommunity.

Despite the debate on the validity of theterm cyber war, the effect of cybercrime insmall scheme as well as enormous scheme isdevastating, caused a major economic lost,even endanger diplomatic relation. A reportreleased by KMPG in 2011, featureseconomic lost in some countries, showingstaggering numbers, range from EUR 17Million (US$ 22 Million) in Germanyphishing activity in 2010, US$ 560 million inUS information lost calculation in 2009 toGBP 27 billion (US$ 43) from UK annualcost (KPMG, 2011, p. 8).

In the issue of cybercrime isendangering diplomatic relation, cyber warin eastern part of Europe, Middle Eastconflict which is “going-cyber” or hostilitybetween United States and China that isalso spread to cyberspace are the evidencesof political motives that might drive theattack.

Two latest notable examples of EasternEurope cyber war are cyber conflictbetween Russia-Estonia (2007) and Russia-Georgia (2008). The first case was evoked byEstonian government that moved amemorial of Soviet War from Tallin in 27April 2007 that provoke Kremlin’s rage (TheGuardian: Russia accused of unleashingcyber war to disable Estonia, 2007), later theEstonian e-government system andcommercial websites included bankingsystem were heavily attacked. According toEstonian Ministry of Defence some of theattacks, although denied by the Russia, arehosted by Russian state servers. (BBC:


Estonia hit by 'Moscow cyber war', 2007).The latter case between Russia and Georgiais a part of two countries conflict concerningthe two area South Ossetia and Abkhazia(The Guardian: South Ossetia: Georgiapreparing for war, Russia claims, 2008), aswell as launched real military attack, Russiaalso delivered cyber disturbance to severalGeorgia’s state server and commercialwebsites (The Telegraph: Georgia: Russia'conducting cyber war', 2008).

In Middle East conflict, one of the casethat successfully stole the internationalheadlines was the Stuxnet attack addressedto Iran nuclear facility in 2010, the attackwas suspected to be an act from anothercountry (The Guardian: Stuxnet worm is the'work of a national government agency',2010).

Last but not least is the US-China cyberwarfare. As heat of competitiveness fromboth countries rises, the cases of cyber-attack coming from the US and China alsoescalate. The latest news about the attackcame from White House, confirming anattack had been launched to their networksystem (Reuters: White House targeted incyber-attack, 2012). Although the sourcewas not pointed to China by White Houseauthority, but Freebeacon, a Washingtonconservative group, report that the hackerswas linked to Chinese government (BBC:White House confirms cyber-attack on'unclassified' system, 2012).

The cases above shows that cyber-crimetrends are going global and the intensity ofthe attack are increased with lost calculationthat not only threatens economically butalso politically. Considering the risk, if aregion, in this case Southeast Asia, wants toconnect its member ICT infrastructures, asecurity plan must be built to avoid futurecybercrime threat.

Countries in Southeast Asia themselvesare not save from cybercrime threat. As toldabove, with the cyber development in this

region, the threat of cybercrime is parallelwith the advancement. Although most ofthe problems in Southeast Asia countriesthat related to internet are concerning onthe issue of internet freedom that does notmean there is no threat of cybercrime in theregion. Recent Internet Security Threat Reportreleased by Symantec shows that Indonesiaranked in 10th place on cyber-crime source,delivering 2,4 percent cyber treat globally(Kompas: Indonesia Masuk 10 BesarPenyumbang "Cyber Crime" Terbanyak,2012). Another report by Trend MicroIncorporated also picturing the future ofcybercrime threat in the region of AsiaPacific (Okezone: Penjahat Cyber AncamKeamanan di Asia Pasifik, 2012), the reportstated that Vietnam rank in the 3rd ofsource of spam in the region (NetworksAsia: Asia-Pacific security landscape showsa mix of old and new threats, 2012).

Cyber Security Cooperation Models

As Cyber Security become a globalproblem, the need to arrange a cooperationto overcome cybercrime threat is inevitable.Many countries started to realize theimportance of having cooperation to tacklethe growth of cybercrime. This argumentalso implied in a statement by Eun-Ju Kim,the ITU (International CommunicationUnion) Regional Director for Asia and thePacific, “The best way to counter this crimeis through close partnerships andcooperation in an interdependentinformation society” (UNODC, Cybercrimein Asia and the Pacific: Countering aTwenty-First-Century Security Threat)

Dr. Hamadoun Touré in his ITUPublication “Quest for Cyber Peace” (2011)enlists some cooperation addressed to thisissue. Some of them are Council of Europewith Convention on Cybercrime 2001,North Atlantic Treaty Organization (NATO)


with Cyber Defence ManagementAuthority, and United Nation whichimplement cybercrime prevention on someof its branch like the UN Economic andSocial Council and United Nations Office onDrugs and Crime.

From all written above, Council ofEurope’s Convention on Cybercrime (2001)is the earliest international formalcooperation who set the definition,typology, and measures to be taken to copewith cyber-crime. It has signed by 49countries, four are from outside the Europe,and they are Japan, South Africa, Canadaand United States. The numbers who haveratified is 39 countries, as the Belgium as thenewest one, who ratified it in 2012, and twocountries in latest accession status,Australia in 2012 and Dominican in 2013Republic (Council of Europe Treaty Office,2013).

This comprehensively writtenagreement can be a good source to look atwhat ASEAN needs to prepare and socializeamong each member before working on theactual framework of cyber securitycooperation. The most important part to beexamine for the future framework isChapter III of the convention whichincludes article on extradition (article 24),vast scope of mutual assistance in cyberspace (Article 25-35) and activecommunication (article 35). Regulationregarding extradition is important incybercrime is a transnational-based crimewhose offender can launch their attack fromanywhere outside the country. For the latermatters on mutual assistance and activecommunication, these arrangements cananswer the fulfilment of gaps betweenASEAN countries that more advance partieshave the obligation to encourage the regionto stand on the same standard beforeenforcing the cooperation framework.

Another example of cyber securitycooperation is offered by NATO with theircyber defence framework. In their

document released in 2011, the alliancedraft their cyber defence agendas not onlyin regard of securing the region in defensivemode trough NATO Cyber DefenceManagement Board and NATO ComputerIncident Response Capability, but alsointegrating it into the national policy of theAlliance members and encouragingeducation in cyber defence sector withNATO Cooperative Cyber Defence Centreof Excellence (NATO 2011).

NATO’s cooperation might seem veryorganized and can be stronglyrecommended for ASEAN to build suchcooperation, but it has to be realized thatNATO and ASEAN have a differentplatform of cooperation. ASEAN is notsecurity alliance and in ASEAN, where non-interference and sovereignty are two ofsome basic principles, defence policy is avery crucial aspect to be interrupted. Eachcountry has their own view and ASEANcannot dictate members’ domestic area. Theframework of ASEAN future cooperationhas to be emphasized on security of theregion as a whole without disturbing itsmember sovereign.

Another example of cooperation, AsiaPacific Computer Emergency ResponseTeam (APCERT), took the form of regionalcooperation. APCERT members are CERTand Computer Security and IncidentResponse Team (CSIRT) of each country,the main legal body in combatingcybercrime. Its missions are enhancingcooperation, developing measures toovercome cases, facilitating in informationsharing, promoting research anddevelopment, assisting conduct on CERT,and providing recommendation on legalissues (APCERT: Missions Statement).Moreover since the members are team ofexperts, APCERT will be able to focus onthe technicalities to overcome cyber threat,event like drill exercise is the one of themain program held annually (APCERT:Operational Framework, p 8).


This model might be the one ASEAN isaiming for, since almost all ASEAN membercountries are also joining APCERT it isprobably easier to use APCERT model andconfigure ASEAN’s cyber securityframework based on that model. However,APCERT is less legitimate than the othertwo previous examples. As mentioned,APCERT members are only technical bodiesof the member states that lacking of politicalpower to make significant policy change. IfASEAN take APCERT format cooperationas a whole, it will only make a cooperationthat will overlap with APCERT agenda andwill not be powerful enough to make anychanges in governmental level.

ASEAN Cyber Security Cooperation in theFuture

The first purpose of ASEAN as writtenin ASEAN Charter “To maintain andenhance peace, security and stability andfurther strengthen peace-oriented values inthe region” (ASEAN Charter, p. 3) wasactually the basic duty of ASEAN. Thispoint imply that ASEAN is actually asecurity community which establishmentdriven by political motive (Luhulima et al,2008, p. 71). ASEAN must be prepared forany security threats that challenge theregion as the security issues evolve fromtime to time. But with conventional securityconflict like border dispute is still on theheadline, ASEAN readiness to entercontemporary security issue is questionable.Yet, ASEAN has planned blueprints andmaster plans for the realization of ASEANCommunity to ensure its path in the beyond2015 will embrace the needs of futuregeneration. In the case of cyber security,unfortunately the designed documents thatsupposed to be related to issue like ASEANPolitical Security Blueprint, Master Plan onASEAN Connectivity and ASEAN ICT

Master Plan 2015 have not point outsignificance idea on how ASEAN cybersecurity will be defined and maintained.

In former documents of ASEANRegional Forum (ARF), ASEAN has notedthe significance of cyberspace issue. It canbe found in ARF discussion since 2004when ARF Seminar on Cyber Terrorismheld in South Korea. But not until themeeting in 2006 13th ARF Meeting, itreleased the Statement on Cooperation inFighting Cyber Attack and Terrorist Misuseof Cyber Space. Although the statement isnot as comprehensive as the Council ofEurope’s Convention on Cybercrime, thestatement already sent a strong messageabout the agreement among ARF’s memberstates to combat the terrorism includingtypes of terrorism using cyber space as itsway for committing their act.

ARF also realize the enormous threat ofthe cybercrime or cyber misuse as statedbelow,

“...terrorist misuse of cyber spaceis a destructive and devastatingform and manifestation of globalterrorism whose magnitude andrapid spread would beexacerbated by the increasingcyber interconnectivity ofcountries in the region;

Recognizing the seriousramifications of an attack viacyber space to criticalinfrastructure on the security ofthe people and on the economicand physical well-being ofcountries in the region” (ARF, theStatement on Cooperation inFighting Cyber Attack andTerrorist Misuse of Cyber Space,2006)

But combining cybercrime with


terrorism can cause confusion since bothhave different context.

Meanwhile many types of cyber misuse,from the small scale of cybercrime to cyberwar, are not necessarily related to the act ofterrorism. Cyber fraud, phishing, piracy canbe driven some other motives that arepurely a crime act and not done by aterrorist group who is usually driven bypolitical motive. By this reasoning, definingcybercrime apart from cyber terrorism isimportant to build basic understanding forcooperation on cyber security.

ASEAN is yet to have a formalagreement on cyber security beyond theARF statement in 2006. Although the needsof having agreement on cyber security inASEAN is important, agreeing on anunderstanding about security in this regionis never an easy task. The problem of digitaldivide or networking advancement gap,among countries of ASEAN is causingdifferent level of concern in each country.For example for an ICT-advanced countrylike Malaysia, the need of cyber securitymight be critical to be fulfilled. In hisremarks for The Shangri-La Dialogue 2012,Malaysia’s Minister of Defence, Dato' SeriDr. Ahmad ZahidHamidi stated theurgency of to build a more comprehensivecyber-defence as the cyber-attack isincreasing (IISS: Fourth Plenary Session). Inthe other hand, for countries with lownumber of internet users and internetpenetration also not advanced in ICTinfrastructure building such cooperationand agreement might not become theirpriority.

If ASEAN is serious about realizingcyber security cooperation, ASEAN has toknow what kind of cooperation that wouldmeet the need of the region. It has beendiscussed in previous section about threeexamples ASEAN might want to consider.All formats can give beneficial input formaking the framework of future cybersecurity cooperation; however ASEAN

must make some adjustment so theframework will be acceptable to themembers of ASEAN. There are three pointsworth to be taken from those formats.Firstly, ASEAN must stand on the samebasic understanding on defining andtreating the issue of cyber security andcyber threats. Secondly, ASEAN membercountries must willing to put the issue ofcyber security as of their priority area, bydoing so, the policy made in the regionallevel will be easier to implement in nationallevel. Thirdly, cooperation in technical levelmust be taken seriously because networkingsecurity will need to run smoothly if everyparty have the same technical capability.

For the format of cooperation, APCERTactually is a good base for furtherdevelopment of stronger ASEAN cybercooperation in the future. But with theobjective to secure ASEAN’s ICT networkplanned in the Master Plan on ASEANConnectivity and ASEAN ICT Master Plan,cooperation framework like APCERT mustbe strengthen. One of the ways forstrengthening the format of APCERT is byraising the cooperation into higher level,such approach will deliver stronger politicalpower so it will have significant authorityto push its agenda in national governmentlevel. A binding document like Council ofEurope’s Convention of Cybercrime alsocan inspire ASEAN’s cyber securitycooperation framework, however basicunderstanding on the issue must be form inadvance. The future cooperation also has tobe designed carefully that it will respectASEAN’s principles of non-inference andsovereignty.

Conclusion

Picturing ASEAN to be a connectedregion in ICT infrastructure is a great visionit might need for realizing its goal ineconomic and socio-culture pillars. The


vision, as stated in ASEAN ICT Master Plan2015 is heading “Towards an Empoweringand Transformational ICT: Creating anInclusive, Vibrant and Integrated ASEAN”(ASEAN, ASEAN ICT Master Plan 2015, p.12). But this vision came with complexarrangement to be prepared. The first one isto equalize the infrastructure, knowledgeand competence on ICT in ASEAN membercountries, and the second one is to preparethe safety procedure for running aconnected region that lies on ICT.

The establishment of ASEAN ICTconnectivity might be addressed foreconomic and social development of theregion and placed below the pillar ofeconomic with ASEANTelecommunications and IT MinistersMeeting (TELMIN) as the one in charge fordrafting master plan, but this arrangementwill be prone to security implication if itdoes not have a proper protection fromcybercrime threats. For this reason, theagreement on how ASEAN will secure itsfuture ICT connectivity is required.

Since most countries in ASEAN alreadyhave their CERT team, that can be imply thecountries have realized the significance ofsecuring their cyberspace. Cooperationamong those teams is also necessarybecause cybercrime is a contemporarythreat to security which runs on aborderless cyberspace. But to enhance thelevel of cooperation, a more powerful formof formal agreement have to be conductedso ASEAN member countries will have thesame interpretation on defining cybercrimeand ensuring their steps on overcoming theproblem is orginized in the suitableframework. The agreement also have tocover the borderless nature of cybercrime,enables ASEAN member countries toinvestigate cybercrime case in neighbouringcountries in the region and processed thecase according to regional agreement.

Building that agreement might not be an

easy task, since cyber security is not yetconsidered as a priority and issues like stateborder disputes are considered to be morecritical to solve. Moreover, putting cybersecurity as an issue for convention like theCouncil of Europe did in Budapest willrequire ASEAN member states to adjusttheir national law once they ratified theconvention. This adjustment usuallyinitiates domestic debate for its relation tosensitive issues of national security andsovereignty. Hence configuring anacceptable draft for this agreement isnecessary to make sure ASEAN membercountries are willing to sign and ratify it.

*****

About Author

Khanisa, SIP – Graduated from Bachelordegree in International RelationsDepartment of Faculty of Social andPolitical Science, Gadjah Mada University in2010, she is currently taking Master degreein Graduate Studies in International Affairsat College of Asia and The Pacific,Australian National University. Her workas a researcher started in 2011 as juniorresearcher in Centre for Political Studies(Pusat Penelitian Politik-P2P) at IndonesianInstitute of Sciences (Lembaga IlmuPengetahuan Indonesia). Her researchinterests are the significance of andInformation and CommunicationsTechnology (ICT) and social media ininternational relations and issues regardingthe region of Southeast Asia and ASEAN.

Acknowledgement

The author would like to express hergratitude to Dr C. P. F. Luhulima for hisinput and suggestions in writing this paper.


Notes

This paper was presented on 7 November2012 at The First International Conferenceon Business, International Relations, andDiplomacy 2012, in Binus University Jakartawith the same title, later revision is added tomeet current situation and updates.

References

ASEAN Regional Forum 28 July 2006,Statement on Cooperation in Fighting CyberAttack and Terrorist Misuse of Cyber Space,ARF Chairman's Statements and Report,viewed 27 July 2013,<http://aseanregionalforum.asean.org/files/library/ARF%20Chairman%27s%20Statements%20and%20Reports/The%20Thirteenth%20ASEAN%20Regional%20Forum,%202005-2006/ARF%20Statement%20on%20Cooperation%20in%20Fighting%20Cyber%20Attack%20and%20Terrorist%20Misuse%20of%20Cybe%20Space%20(Final).doc>

ASEAN Telecommunications and ICTSenior Officials' Meeting 10 November 2010,The ASEAN E-Commerce Database Project(Ref No. DTI/ASEANTELSOM/01), ASEAN,viewed 27 July 2013,<http://www.asean.org/images/2012/publications/ASEAN%20eCommerce%20Database%20Project.pdf>

Asia Pasific Computer EmergencyResponse Team 2010, Asia-Pasific ComputerEmergency Response Team (APCERT)Operational Framework, Asia PasificComputer Emergency Response Team,viewed 27 July 2013,<http://www.apcert.org/documents/pdf/OPFW_3March10.pdf>

Asia Pasific Computer Emergencyresponse Team, Member Teams, Asia PasificComputer Emergency Response Team,viewed 27 July 2013,

<http://www.apcert.org/about/structure/members.html>

Asia Pasific Computer Emergencyresponse Team, Mission Statement, AsiaPasific Computer Emergency ResponseTeam, viewed 27 July 2013,<http://www.apcert.org/about/mission/index.html>

Association of Southeast Asian Nations2007, The ASEAN Charter, Association ofSoutheast Asian Nations, viewed 27 July2013, <http://www.aseansec.org/wp-content/uploads/2013/06/ASEAN-Charter-1.pdf>

Association of Southeast Asian Nations2011, Master Plan on ASEAN Connectivity ,Association of Southeast Asian Nations,viewed 27 July 2013,<http://www.aseansec.org/wp-content/uploads/2013/06/ASEAN-Charter-1.pdf>

British Broadcasting Corporation2007, Estonia hit by 'Moscow cyber war', BBCNews online (Last updated: 15:21 GMT 17May 2007), viewed 27 July 2013, available at<http://news.bbc.co.uk/2/hi/europe/6665145.stm>

British Broadcasting Corporation2012, White House confirms cyber-attack on'unclassified' system, BBC News online (Lastupdated: 20:21 GMT 1 October 2012),viewed 27 July 2013, available at<http://www.bbc.co.uk/news/world-us-canada-19794745>

Carr, J 2010, Inside Cyber Warfare, O’Reily Media Inc , Sebastopol, CA.

Carr, J. 2011, ‘Clausewitz and CyberWar’, weblog post, October 23, viewed 1October 2012,<http://jeffreycarr.blogspot.com/2011/10/clausewitz-and-cyber-war.html>

Chadbourn, M. 2012, White Housetargeted in cyber attack, Reuters News online,(Last Updated: 3:28pm EDT 1 October2012), viewed 27 July 2013, available at<http://www.reuters.com/article/2012/10/01/


net-us-usa-whitehouse-cybersecurity-idUSBRE89016O20121001>

Council of Europe 2001, Conventionon Cybercrime, Council of Europe, viewed 26July 2013,<http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>

Council of Europe Treaty Office 2013,Council of Europe, Budapest, viewed 26July 2013<http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG>

Gercke, M 2011, UnderstandingCybercrime: A Guide for Developing Countries.

Halliday, J. 2010, Stuxnet worm is the'work of a national government agency', TheGuardian online, (Last Update: 00.35 AEST25 September 2010), viewed 27 July 2013,available at<http://www.guardian.co.uk/technology/2010/sep/24/stuxnet-worm-national-agency>

International Telecommunication Union,Cybercrime Legislation Resources, Geneva,Switzerland: InternationalTelecomunication Union, viewed 27 July2013, <http://www.itu.int/ITU-D/cyb/cybersecurity/docs/ITU_Guide_A5_12072011.pdf>

KPMG International 2011, CyberCrime - A Growing Challenge for Governments.Issues Monitor, vol. 8, July, KPMGInternational, viewed 27 July 2013,<http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-crime.pdf>

Lawson, S. 2011, Cyber War and theExpanding Definition of War, sites, October26. Forbes, viewed 27 July 2013,<http://www.forbes.com/sites/seanlawson/2011/10/26/cyber-war-and-the-expanding-definition-of-war/>

Luhulima, CPF, et al, 2008,Masyarakat Asia Tenggara MenujuKomunitasASEAN 2015, Yogyakarta and Jakarta,PustakaPelajar and P2P-LIPI, Indonesia.

Luthfi, A 2012. Penjahat CyberAncamKeamanan di Asia Pasifik, Okezoneonline, (Last Update: 12:03 GMT+7 15Agustus 2012), viewed 27 July 2013,available at:<http://techno.okezone.com/read/2012/08/15/55/677948/penjahat-cyber-ancam-keamanan-di-asia-pasifik>

NATO 2011, Defending the Networks:The NATO Policy on Cyber Defence,NATO, Belgium, viewed 26 July 2013<http://www.nato.int/nato_static/assets/pdf/pdf_2011_09/20111004_110914-policy-cyberdefence.pdf>.

Networks Asia. 2012. Asia-Pacificsecurity landscape shows a mix of old and newthreats, Networks Asia online, (Last Update: 25July 2012), viewed 27 July 2013, available at:<http://www.networksasia.net/content/asia-pacific-security-landscape-shows-mix-old-and-new-threats>

Norton by Symantec 2012, 2012Norton Cybercrime Report, Norton, viewed 27July 2013, <http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_FINAL_050912.pdf>

Panji, A. 2012, Indonesia Masuk 10Besar Penyumbang "Cyber Crime" Terbanyak,Kompas online. (Last Update: 09:40 GMT+716 May 2012), viewed 27 July 2013, availableat:<http://tekno.kompas.com/read/2012/05/16/09403718/Indonesia.Masuk.10.Besar.Penyumbang.Cyber.Crime.Terbanyak>

Rid, T 2012,‘Cyber War Will NotTake Place’,Journal of Strategic Studies, vol35, no 1, 5-32.

Ryan, J 2010, A History of The Internetand Digital Future, Reaktion Books, London,UK.

Singh, P Kr 2007, Laws on CyberCrimes Alongwith IT Act and Relevant Rules,Book Enclave, Jaipur, India.


Swaine, J 2008, Georgia: Russia'conducting cyber war'. The Telegraph online.(Last Update: 11:11AM BST 11 Aug 2008),viewed 27 July 2013, availableat:<http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html>

The 10th ASEAN TELMIN 2011,ASEAN ICT Masterplan 2015, ASEAN,viewed 27 July 2013,<http://www.asean.org/images/2012/publications/ASEAN%20ICT%20Masterplan%20%28AIM2015%29.pdf>

The International Institute for StrategicStudies - Dato' Seri Dr. AhmadZahidHamidi 3 June 2012, Remarks on TheInternational Institute for Strategic Studies, TheShangri-la Dialogue 2012, The InternationalInstitute for Strategic Studies, viewed 27July 2013,<http://www.iiss.org/conferences/the-shangri-la-dialogue/shangri-la-dialogue-2012/speeches/fourth-plenary-session/ahmad-zahid-hamidi/>

Touré, HI 2011, The Quest For CyberPeace, International Telecommunication

Union and World Federation of Scientists,Geneva, Switzerland, viewed 27 July 2013,<http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf>

Traynor, I 2007, Russia accused ofunleashing cyberwar to disable Estonia, TheGuardian online, (Last Update: 17 May2007), viewed 27 July 2013, available at:<http://www.guardian.co.uk/world/2007/may/17/topstories3.russia>

United Nations Office on Drugs andCrime 20 October 2011, Cybercrime in Asiaand the Pacific: countering a twenty-first-century security threat. United Nations,viewed 27 July 2013,<http://www.unodc.org/unodc/en/frontpage/2011/October/cybercrime-in-asia-pacific_-countering-a-21st-century-security-threat.html>

Womack, H 2008, South Ossetia:Georgia preparing for war, Russia claims, TheGuardian online, (Last Update: 8 August2008), viewed 27 July 2013, available at :<http://www.guardian.co.uk/world/2008/aug/08/georgia.russia>