29

Cybersecurity in ASEAN: An Urgent Call to Action

As discussed, several ASEAN countries have identified national agencies to drive their

cybersecurity agenda. In others, the process is still ongoing, with CERTs serving as the de

facto agency in charge of cybersecurity. It is important to define who within each country

is responsible for managing and evaluating the cybersecurity strategy and ensure the v

esting of sufficient authority to drive action across sectorial and government department

boundaries. While centralized and decentralized models exist, establishing an

independent

central national agency to define and supervise the security agenda

will foster a strong

enforcement mindset.

An imperative of the Rapid Action Cybersecurity Framework is the definition of a

national cyber-

securitystrategy

by each country with a sharp vision, scope, objectives, and a practical roadmap

for implementation (see sidebar: Australia’s Cybersecurity Policy). In this context, an approach

based on risk identification, risk analysis, and risk evaluation is crucial.

Riskassessments

should

be carried out both at the national and sectorial level.

Definingand identifyingcritical sectors

andcritical information infrastructure

(CII) while engaging with CII owners at the outset is a vital

part of the strategy. A clear set of sector specific risk mitigationmechanisms needs to be put in

place. Assessing and prioritizing high-value assets and determining the probability of breach

should be at the core of such risk assessments.

Enacting

pragmatic cybersecurity legislation or updating it

to current needs is the next step

in the Rapid Action Cybersecurity Framework. While political issues could affect policy

alignment at the regional level, the increasing integration of ASEAN requires a certain level of

harmonization and coordination. Furthermore, because technology is rapidly advancing, the

laws could quickly fall far behind. Adopting a careful approach in collaboration with the private

sector, aimed at regulating human behavior and spreading a cybersecurity culture, is vital to

ensure pragmatic legislation in each country.

To address

cybercrime

, each country must define cybercrime laws and strengthen local law

enforcement. The only existingmultilateral treaty addressing cybercrime is the Budapest

Australia’sCybersecurity Policy

Themain themesofAustralia’s

CyberSecurityStrategy released

in2016areco-leadership, strong

cyber defenses, global responsi-

bilityand influence, andgrowth

and innovation. Akey tenet is the

recognitionof anational cyberse-

curitypartnership that places the

onusongovernment agenciesand

business leaders toset thenational

cybersecurityagenda. Acyber

ambassadorwill identifyopportu-

nities for practical international

cooperationandensureAustralia

hasacoordinated, consistent, and

influential voiceon international

cyber issues.

TheAustralianSignals

Directorate has developed

strategies to help cybersecurity

professionalsmitigate cyberse-

curity incidents. This guidance

addresses targeted cyber

intrusions, ransomware, and

external adversarieswith

destructive intent, malicious

insiders, business email

compromise, and industrial

control systems. This policy has

become standardpractice for

industry stakeholders aswell.

Areas such as escalatedprivilege

management, 48-hour patch

deployment, and application

whitelisting are seen as themost

effective tools for reducing cyber

risk. Recent updates to this policy

have added application

hardening, blockingmacros and

daily backups. These controls

weremandated via a critical

reviewof incidents responded to

by the national CERTs andwere

analyzed tobe themost effective

controls that wouldhave

preventedmore than 85 percent

of the breaches.