There is no international definition of these concepts in cyberspace Armed attack Use of force Act of war Traditional definitions require physical damage or physical injury Rules of Law of Armed Conflict / International Humanitarian Law(but in cyber?) Distinction – must distinguish between civilians and military targets Proportionality – must avoid excessive harm to civilians / objects Military necessity – allows force that is reasonable, lawful (see above), and operationally justified Limitation – prohibits tactics that cause unnecessary suffering Humane treatment – e.g., of captured prisoners Do we need a Binding Legal Instrument? US - No new international legal instrument needed, can interpret existing law   China - States must reach international consensus, new international legal instruments EU - No new international legal instrument needed, can interpret existing law   ASEAN chooses its own terms on norms/law ASEAN supported both UNGGE and OEWG tracks in 2018 – Indonesia, Singapore, and the Philippines said both processes were not incompatible ASEAN has always followed its instinct of creating an internationally agreed, rules-based order based on its own interests, which is consistent with other arenas where international law or rules are unsettled ASEAN may even consider plurilateral treaties What ASEAN states need to move forward Common language related to cyberspace Legislation that can be translated across members Capacity building in Cyber issues, policy making, critical infrastructure protection (ASCCE) and Military operations (ADMM Cyber and Information COE) Confidence building measures e.g., CERT-CERT communications, contact lists More participation from states, academia, and civil society What is Cybersecurity – C, I, A? Cybersecurity or Information Security? Activities of foreign political, economic, military, intelligence, and information entities The striving of countries toward dominance in the world information space Development (by states) of information war concepts that create means for dangerous attack on the information spheres of other countries Infringing the state’s control over information flows and public opinion (called “cyber sovereignty”) ASEAN leaders Value the principles of “mutual respect” and “non-interference” View sovereignty as sacrosanct principle among ASEAN member states Do not define ‘sovereignty’ – this provides flexibility in foreign and domestic policy ASEAN member states also attach great importance to the creation of an international rules-based order, which includes forming and adhering to international law and norms. like the UN Convention of the Law of the Sea or UNCLOS.

3. Adopted Norms
Support development of cyber
norms, referring to 2015
UNGGE
Propose
mechanism
Singapore would propose
a mechanism to enhance
ASEAN cyber coordination
Agree to move
Agreed to move forward
on a formal cybersecurity
coordination mechanism
Checklist
Singapore + United
Nations to draw up a
checklist of steps to
implement cyber norms
Design by PresentationGo

4. 4
Capacity building for international cyber norms in southeast asia

5. NO.
NORMS ACTION PLANS
ACTION ITEMS/
ACTIVITIES
EXISTING ASEAN-
RELATED
DOCUMENTS/
INITIATIVES
CHALLENGES
CAPACITIES
REQUIRED
TIME FRAME
LEAD ASEAN
COUNTRY
INTERESTED
PARTNERS
(state,
organisation
etc.)
(a) (b) (c) (d) (e) (f) (g) (h) (i)
1. Cooperate in
developing and
applying measures
to increase stability
and security in the
use of ICTs and to
prevent ICT
practices that are
acknowledged to be
harmful or that
may pose threats to
international peace
and security.
Example:
Active
participation in
regional and
international
fora in security
in the use of
ICTs.
Example:
Conduct training
and exercises
concerning the
security in the
use of ICTs
among AMS.
Encourage
bilateral
agreements
/MoUs on ICTs
security among
AMS.
Example:
Annual ASEAN-
Japan Table Top
Exercise
ARF Work Plan on
Security of and in
the use of ICTs
ASEAN Charter
Treaty of Amity
and Cooperation
Example:
Funding
Expertise to
develop the
scenario.
Identifying
partners.
Different level
of capabilities
between
states.
Example:
Fund to host the
training
Fund to fund
participants
Expert trainers
Equivalent
legislations,
infrastructure
and expertise

6. No.
Supports
Norms
Initiative Area Outcome
Existing ASEAN
Initiatives
Sectoral Bodies (Lead
Country)
1. 1 Policy-level table-top
simulation exercise on cyber
incident responses.
Awareness of situations
where cyber-incidents can
lead to international
conflicts is improved.
Output:
ASEAN table-top
simulation exercises on
responding to cyberattacks.
 ARF table-top exercise
on cybersecurity
incidents.
 ADMM Plus table-top
exercise on
cybersecurity incidents.
 ARF ISM on ICTs
Security
(Singapore)
 ADMM Plus EWG
on CS (Malaysia)

7. ACICE (ASEAN Cyber Information Centre of Excellence)
ACICE (ASEAN Cyber Information Centre of Excellence)
to “promote cooperation
on cybersecurity and
information within the
defense sector,
to “promote cooperation
on cybersecurity and
information within the
defense sector,
enhance multilateral
cooperation amongst
ASEAN defense
establishments
enhance multilateral
cooperation amongst
ASEAN defense
establishments
against cyber attacks,
disinformation, and
misinformation.”
against cyber attacks,
disinformation, and
misinformation.”

8. 8
Capacity building for international cyber norms in southeast asia

9. ASEAN
leaders
Value the principles of “mutual
respect” and “non-interference”
View sovereignty as sacrosanct
principle among ASEAN member states
Do not define ‘sovereignty’ – this
provides flexibility in foreign and
domestic policy

10. Cooperation among members and with external
partners (UN, SCO, GCC)
Economic Political Security

11. Potential
• Business
• Information Exchange
• Culture
Risks
• Cybercrime
• Terrorists
• Disinformation

14. Confidentiality
Integrity
CIA Triad
Availability
Confidentiality
- Data breach (SingHealth)
- Trade secrets
Integrity
- Software (Solarwinds)
- Nuclear power plant
(Stuxnet)
Availability
- Ransomware or wiperware
(NotPetya)
- DDOS

15. https://carnegieendowment.org/2023/01/04/no-water-s-edge-russia-s-information-war-and-regime-security-pub-88644

18. Cannot use
force
Except self
defence

20. • Only target military objectives, not civilian objects
Principle of Distinction
• Collateral damage to civilian objects should not be in
excess to the concrete and direct military advantage
Principle of Military Necessity
and Proportionality
• The commander should (reasonably) determine the
effects of the attack
Principle of Precautions in
Attack

23. US China European Union
States have right of self-defence
in cyberspace
Will not define application of
self-defence and IHL, in the
absence of international
consensus
Addressing questions of
applicability of IHL is necessary
for accountability
Applying LOAC in cyber does
not endorse cyber conflict but
reminds states to protect
Applying LOAC to cyber =
legitimises cyber conflict
Applying LOAC in cyber does
not endorse cyber conflict
No new international legal
instrument needed, can
interpret existing law
States must reach international
consensus, new international
legal instruments
No new international legal
instrument needed, can
interpret existing law
Source: EU Cyber Direct

30. APT Target countries Target entities
FunnyDream
(C)
Malaysia, Philippines,
Thailand, Vietnam
High-level government
organisations; political parties
Platinum Indonesia, Malaysia,
Vietnam
Diplomatic and government
entities
Cycldek (C) Laos, Philippines, Thailand,
Vietnam
Government, defence, and energy
sectors
HoneyMyte Myanmar, Singapore,
Vietnam
Government organisations
Finspy Indonesia, Myanmar,
Vietnam
Individuals
PhantomLance Indonesia, Malaysia,
Vietnam
Entities
Zebrocy (R) Malaysia, Thailand Entities [source: Kaspersky]
Economic
and
Geopolitical
intelligence
gathering

31. Digitisation growing faster than
cyber awareness
• Growth of cybercrime during the pandemic
Need for strategy / policy /
institutions to own it
• Cyber Strategy? Cyber Agency?
Lack of resources
• R&D
• Cyber Expertise
Priorities
• Cybercrime?
• Fake news?
Some states have offensive cyber
capability
Language and Culture

32. Concept Perception
Cyber Security
or Information Security?
Threat Perception:
Who are the most serious
Cyber Threats to me?
Priority Perception
What Cyber problem do I fix
first?

36. • Promote
cyber
hygiene
• R&D
• Build
awareness
• Secure the
data
• Policies
• Strategies
• Laws
Government Businesses
Public
Civil
society
and
Academi
a