Published on Oct 18, 2016
The ASEAN Agreement aims to promote security and stability in cyberspace consistent with norms of responsible state behaviour
Cyber capacity-building in ASEAN: Importance of confidence-building measures

In August 2016, Singapore and the United States agreed to enhance their strategic partnership and announce a memorandum of understanding on cybersecurity cooperation.<1> Their joint statement reaffirmed that both parties agree to deepen information exchange and sharing, conduct new bilateral initiatives on critical infrastructure cybersecurity and continue to cooperate on cybercrime, cyber defence and regional capacity-building activities, including through joint exercises, regular exchanges and visits, joint research & development and capability development as well as regional cyber capacity-building programmes or initiatives.<2> Building on the joint statement, the US and Singapore then co-hosted a workshop on cybersecurity for ASEAN member-countries.<3> This regional cyber capacity-building initiative was part of the US-Singapore Third Country Training Program that works with ASEAN on a number of areas, including non-traditional security threats. The workshop focused on several important baseline themes in the cyber field, including:
  • The need for multistakeholder cooperation;
  • How to expand access and affordability while integrating cybersecurity;
  • Elements of an effective national cybersecurity strategy;
  • Broad concepts involved in developing and implementing a national cybersecurity strategy;
  • National incident management, including the role of a national computer emergency response team (CERT);
  • Establishing, managing and maintaining computer security incident response teams (CSIRTs);
  • Confidence-building measures (CBMs);
  • Promoting a culture of cybersecurity through awareness campaigns;
  • How to increase the size and capability of a workforce;
  • Supporting an open and secure internet and how this fosters economic growth and social development;
  • How industry deals with incident responses to better facilitate public-private collaboration; and
  • How government can increase collaboration with private and tech sectors, including for critical infrastructure protection.
This commentary includes some points that were made in the session on CBMs to provide a basic overview for ASEAN countries and to address the session questions.<4> It does so through four short sections that seek to lay the foundation for a case example of a non-ASEAN member-country like Japan. The main questions outlined for the session were: a) a brief overview of CBMs; b) communicating strategic goals and objectives to stakeholders and partners as a CBM; and c) how can policy and diplomacy contribute to cybersecurity.

General Background <5>

CBMs are generally used as tools to improve stability by reducing sources of mistrust, misunderstanding, miscalculation, tension or hostilities and by reinforcing the existing level of confidence. For instance, an overarching goal of military CBMs is to facilitate increased transparency and better information exchanges and to restrain military intervention, thus enhancing situational awareness and common understanding. Nevertheless, while CBMs might aim to de-escalate an unintended conflict, they may have limited use in cases of intentional conflict. The purpose of non-military CBMs is to build trust between communities like law-enforcement authorities, incident responders and civil society through actions spread across political, economic, environmental, social or cultural fields. Some traditional CBMs can therefore be adapted to the cyber field while taking its more unique characteristics into account.

Why Cyber CBMs should be Important to ASEAN

For many years, several processes have aimed to reduce the risk of conflict in this space by: a) clarifying how international law applies to cyberspace; b) developing norms of responsible state behaviour; and c) developing CBMs. In early 2016, within what has become known as the Sunnylands Declaration (the Joint Statement of the US–ASEAN Special Leaders’ Summit), the heads of state or government of the 10 ASEAN members and the US reaffirmed that there is a “shared commitment to promote security and stability in cyberspace consistent with norms of responsible state behaviour.”<6> This is now a central aspect of the US-ASEAN strategic partnership to enable peace, prosperity and security in the Asia-Pacific region.

However, at the bilateral level, as in the recent US-Singapore joint statement for instance, countries now endorse a common approach to international cyber stability, affirming that international law applies to state conduct in cyberspace and committing themselves to promote voluntary norms of responsible behaviour in cyberspace. They assert that these norms of behaviour include: a) no country should conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public; b) no country should conduct or knowingly support activity intended to prevent national CSIRTs from responding to cyber incidents or use these teams to enable online activity that is intended to cause harm; c) every country should cooperate, consistent with its domestic law and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory; and d) no country should conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors. Cyber CBMs are part of this normative approach to build stability in cyberspace.<7> While they are not norms, cyber CBMs aim to achieve several goals such as:
  • Providing practical tools to help manage international expectations in the norms building process.
  • Helping ensure that states do in fact have the same understanding of their norm commitments.
  • Assisting in achieving such norms of behaviour through the highly interlinked nature of norms and CBMs.
  • Improving predictability and mutual understanding where there are concerns over misunderstanding or perhaps false attribution in the use of information and communications technologies.
  • Creating an international environment of stability so that economic and social development can flourish.
Several inherent challenges associated with the cyber field validate the need for cyber CBMs. For instance, many of these technologies may be hard to detect or count, rendering state capabilities hard to assess. Many states have either begun to increase their use of these types of capabilities or have at least expressed an interest in doing so, a point reiterated in the workshop. Moreover, the fact that non-state actors may be involved in cybercrimes complicates matters. Thus, for shaping cyber CBMs, political will and commitment to prevent conflict, investment in resilience and skills and strong legal systems of ASEAN countries are needed.<8>

Nature of Cyber CBMs

A simple framework proposal for ASEAN was mooted by the US in the past as a CBM structure in which measures are developed and implemented in sequence.<9> This includes: 1) transparency CBMs; 2) cooperative measures; and 3) stability and restraint measures. First, transparency measures aim to reduce suspicion as well as to increase confidence and predictability of state behaviour. Some examples include crisis communication mechanisms, information exchanges on national policies and structures, communicating national strategies, and information-sharing on threats. Second, cooperative measures might aim to combine transparency and communication efforts to promote joint procedures. In this case, some examples include assistance in resilience and capacity-building initiatives to strengthen collective capacity, development of national strategies, assisting CERTs and implementing legislation. Third, stability and restraint measures aim to strengthen states’ commitment to refrain from certain destabilising activities; in other words, to limit, criminalise or exclude destabilising and offensive activities. A recent strategic dossier by the International Institute for Strategic Studies explains that these measures must be implemented in line with international law, and practices developed can lead to binding international norms.<10> It outlines that if politically binding CBMs are implemented on a consistent basis over a significant period of time, this may lead to new rules in customary international law. In addition, given a focus of the workshop on cyber capacity-building, emphasis should be laid on the argument that the implementation of CBMs can be assisted through capacity building.<11> In other words, capacity-building can help if countries want to commit (or have already committed) to certain CBMs and norms but they do not necessarily have the actual capacity to do so.
In a region like ASEAN that comprises highly diverse members — including for example, both developing and developed countries — this is an abiding argument. There is now a recognised need for deeper capacity-building to ensure real progress in the implementation of CBMs and norms across the region.

State Efforts

Several cyber CBM efforts have been initiated at global, regional and bilateral levels over the past few years. These include the work of the Organization for Security and Cooperation in Europe (OSCE), UN Group of Governmental Experts (UN GGE), ASEAN Regional Forum (ARF) and the Organization of American States (OAS). In chronological order, participating states of the OSCE agreed to a set of 11 voluntary measures in 2013, most of which are related to transparency.<12> For example, they agreed to voluntarily share information on measures taken to ensure an open, interoperable, secure and reliable internet. They also agreed to voluntarily share information on national organisations, strategies and policies. Both of these CBMs were subject to analysis at the workshop for ASEAN members. The 2013 UN GGE consensus report then underlined the need for such measures in its recommendations for CBMs (Indonesia was a member of this group).<13> The report asserted that voluntary CBMs can promote trust and assurance, increase predictability and reduce misperception. It recommended that states should consider developing practical CBMs to increase transparency, predictability and cooperation. The latest UN GGE report of 2015 built on the 2013 CBMs (Malaysia was a member of this group).<14> Analysts expect that this could provide a framework for regional organisations to possibly use or adapt, if necessary, taking regional nuances into account (like those in Southeast Asia and ASEAN). The ARF adopted a work plan in 2015 to focus on practical CBMs to develop trust and confidence in the region; ASEAN members could also consult the OAS work in this area to craft good practices.<15> In the first half of 2016, OSCE participating states laid out a further set of CBMs.<16> One such measure includes voluntarily sharing national views of categories of critical ICT-enabled infrastructure, another timely topic of discussion for ASEAN at the workshop. Other CBMs may be established bilaterally. 
These may include extending a traditional hotline to include cybersecurity, as in the US-Russia agreements to do so. Over the near future, however, there are concerns, in academia at least, that measures developed in regional or international forums may evolve differently, perhaps causing further complexity.<17> These are challenges that need to be considered by ASEAN going forward, as it continues work to develop and implement CBMs.

This essay originally appeared in the third volume of Digital Debates: The CyFy Journal.

<1> Channel News Asia, “Singapore, US enhance strategic partnership”, 3 August 2016.
<2> Ibid.
<3> United States-Singapore Workshop on Cybersecurity for ASEAN countries, Singapore, 16-18 August 2016.
<4> As one of the trainers within the group on CBMs, this material presents the bulk of the author’s commentary for the United States-Singapore Workshop on Cybersecurity for ASEAN countries, Singapore, 16-18 August 2016.
<5> For a fuller analysis of these issues, see Patryk Pawlak’s recent article, “Confidence Building Measures in Cyberspace: Current Debates and Trends”, 2016.
<6> Sunnylands Declaration, “Joint Statement of the U.S.-ASEAN Special Leaders’ Summit: Sunnylands Declaration”, Principle no. 12, 15-16 February 2016.
<7> For the full overview of normative approaches to international cybersecurity, see the IISS Strategic Dossier, “Evolution of the Cyber Domain: The Implications for National and Global Security”, December 2015.
<8> Ibid.
<9> Ibid. For full analysis, see Pawlak 2016.
<10> IISS Strategic Dossier, Evolution of the Cyber Domain.
<11> See arguments within Pawlak 2016.
<12> Organization for Security and Co-operation in Europe. 2013. “INITIAL SET OF OSCE CONFIDENCE-BUILDING MEASURES TO REDUCE THE RISKS OF CONFLICT STEMMING FROM THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGIES.” Decision No. 1106, Permanent Council, 3 December.
<13> UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/68/98, 24 June 2013.
<14> UN General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174, 22 July 2015.
<15> ASEAN REGIONAL FORUM WORK PLAN ON SECURITY OF AND IN THE USE OF INFORMATION AND COMMUNICATIONS TECHNOLOGIES (ICTs), 7 May 2015.
<16> Organization for Security and Co-operation in Europe. 2016. “OSCE CONFIDENCE-BUILDING MEASURES TO REDUCE THE RISKS OF CONFLICT STEMMING FROM THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGIES.” Decision No. 1202, Permanent Council, 10 March.
<17> Pawlak, Patryk. 2016. “Confidence Building Measures in Cyberspace: Current Debates and Trends.” In International Cyber Norms: Legal, Policy and Industry Perspectives, edited by Anna-Maria Osula and Henry Rõigas, 129-153. Tallinn: NATO CCDCOE Publications.

The views expressed above belong to the author(s).