The State of the Cybersecurity Climate in the Asia-Pacific

Laura Breckon | Former Cyber & Technology Fellow (January-June 2021)

The decision has been made – Malaysia has just announced that Swedish telecommunications giant, Ericsson, will be undertaking Malaysia’s 5G network rollout. The contract for its deployment is estimated to bring the service into operation by the end of 2021. This follows a tight tender race against a number of big names in the telecoms industry. Once again, China’s 5G champion, Huawei, appeared to be a lead contender in the process yet did not triumph - Malaysia set their sights elsewhere. Such an outcome is reflective of an ongoing cybersecurity dialogue surrounding the use of Chinese technologies in foreign critical infrastructure, particularly in the Asia-Pacific region.


As the economic climate of the COVID-19 pandemic pushed many workers to rely on digital workplace resources and facilities, 2020 saw an exponential increase in hostile cyber events. Perhaps most notorious was the SolarWinds hack, which affected, among others, government and military structures, law firms, political organisations, logistics companies, as well as energy infrastructure and suppliers, compromising an unprecedented amount of data and security systems. The causes and extent of the damage of this event are still under assessment, but preliminary reports point to this being a coordinated event. Cyber-attacks, both state and non-state orchestrated, are becoming an all too present reality. Justifiably, cybersecurity in both the public and private sectors has become a significantly heightened priority.


Multiple developments in the Asia-Pacific regional cybersecurity field have evolved since the beginning of 2021. Predominantly, a dialogue based in apparent geopolitical rivalry seems to sit at its core. Australia and the United States have formally condemned (based on tenuously, if at all, proven facts) alleged espionage activities on the part of China and its participation in cyber and major infrastructure projects abroad. Coordinated hedging behaviours can be perceived among China’s Asia-Pacific neighbours, in accordance with such dialogue. An increase in activities among ‘The Quad’ (Japan, Australia, India, and the United States’ ‘Quadrilateral Security Dialogue’) has been central to this. Leaders of these states met for the first time during the 2021 G7 Summit to discuss military, economic, and technological development policies in the Asia-Pacific region, with cyber warfare a central concern. Such discussions among NATO states have incited a review of the ‘Tallinn Manual on the International Law Applicable to Cyber Operations’ – a collection of international law recommendations on international norms of cyber warfare and operations. This has been remarked upon as a posturing response to perceived threats of Russian and Chinese cyber activities.


Within the private sector, multi-national organisations are similarly treading carefully as they work to bolster their internal and external cybersecurity policies. This involves raising questions as to who bears liability for outages of services. In June this year, cloud-computing and content delivery company Fastly had a ‘bug’ in its system triggered, which took down 85% of its customers’ network in one fell swoop. Though quickly resolved, Amazon alone lost $32 million of revenue in this hour of disruption. Such occurrences raise questions in enterprise resource planning and procurement negotiations regarding the need, as a market norm, to accommodate multiple backup systems to revert to in instances of such failures. It also highlights the vulnerability of security system homogeneity across technology networks. In the context of a polarised Asia-Pacific digital economy, the threat of infiltrative and disruptive malware has become a mainstream due diligence consideration for company boards in Australia, and one which is increasingly difficult to reconcile with domestic regulatory requirements.


In April 2021, Australia proposed an ‘International Cyber and Critical Technology Engagement Strategy’ to the Indo-Pacific theatre. The basis for this proposal is to institute a values-based set of norms in engaging in cyber operations – for both states and private entities to adhere to – to foster peace and good will in an increasingly hostile environment. This includes the proposal of potential requirements of the Australian Commonwealth to comply with ‘Essential Eight’ cyber security controls. Such a scheme is reliant on the cooperation of Silicon Valley’s Big Tech, as much as regional giants such as China’s Alibaba Group Holdings, Huawei Technologies, and Tencent Holdings. Not only are these major investors in the region, and major investment attractions for foreign, blue-chip private equity institutions, but they are also tightly regulated and state-held by the People’s Republic of China. Australia’s strategy is complicated by these factors and will require cooperation in this space.


Summarily, corporate cooperation with states will be central to the effective achievement of cohesive cybersecurity norms in the Asia-Pacific. As it stands, hedging behaviours are perceptible, for better or for worse, against certain entities in this theatre. Australia, along with fellow Quad members, has asserted a clear stance in this domain; however, it must be acknowledged that technology giants will be decisive players in shaping the status quo in the region moving into the future. The selection of Swedish Ericsson over Huawei reflects well the potential local scepticism of Chinese interests in the region and their security implications. In any case, while negotiating global and regional norms, some compromise between interests may need to be made.


Laura Breckon is the Former Cyber & Technology Fellow (January-June 2021) for Young Australians in International Affairs