The Geopolitics of Cybersecurity

Cybersecurity is not just a technical issue but also a geopolitical one. International and regional cooperation among States must undergird efforts to create a safer, more secure and interoperable cyberspace for our citizens.

By some accounts, espionage has existed since 500 B.C. Chefs in charge of cooking feasts in the ancient Mediterranean city of Sybaris (or modern day southern Italy) protested against competitors copying their prized recipes. City leaders then afforded these chefs exclusive rights to their recipes for a year, recording one of the earliest examples of intellectual property rights protection.

At around the same time, Sun Tzu wrote his seminal treatise The Art of War in China. Among its 13 chapters, an entire (and indeed, the final) chapter was devoted to spy-craft and intelligence collection.

The conduct of such clandestine operations has existed since the ancient times. What has changed since those days is the evolution of technology, but the core concept of espionage has persisted till today – both states and enterprises have secrets that others want to get their hands on.

In today’s digital environment, our data and assets are increasingly being stored in computer systems and networks – and now, the cloud. The threats don’t come from the nearby cities or neighbouring states – the digital environment has flattened or collapsed geography as we understand it.

In recent years, countries have increasingly embarked on our digital transformation journeys, as we seek to reap dividends for our societies’ way of life and further unlock economic potential and opportunities.

The speed of digitalisation has only accelerated further since the COVID-19 pandemic, resulting in greater reliance on the digital realm for how we live, work and interact. Espionage, data theft and attempts to disrupt our day-to-day services have also increasingly gone digital.

As our dependency on digital tools and online spaces grow, we have also become more vulnerable to malicious cyber activities and exposed to greater cybercrime and cybersecurity risks.

Cybersecurity: An Issue of Geopolitical Importance

Cybersecurity undergirds our digital progress, precisely because its implementation strengthens the defences of our systems and networks against malicious actors looking to exfiltrate our data or take down key services critical to our daily lives.

We cannot afford to backtrack on digitalisation, or eschew the use of these technologies because of cyber threats. In fact, we should embrace new technologies, and develop ways to manage the risks while enjoying its benefits. Using an analogy from the physical world, one does not avoid buying a home because of the risk that it can be burgled. Rather, one will find ways to safeguard the property. The same concept must apply in cyberspace.

Importantly, cybersecurity can no longer be considered merely a technical issue, but has spilled over to the geopolitical realm. Critical technologies, starting with basic infocomm technologies and communications infrastructure, to emergent ones such as 5G, cloud computing, artificial intelligence and quantum computing, and the associated cyber risks they portend, provide conduits to impact a country’s national security, economic progress and societal values.

Cyberspace is becoming the new battleground for states to jostle for control over such critical technologies and to set the agenda for technical standards globally. Cyber capabilities and critical technologies are shaping up to be tools of state power to be used against adversaries. Concurrently, malicious actors have strategically targeted key assets and critical infrastructure, such as disabling healthcare services and stealing research on COVID-19 vaccines, while inflicting reputational costs on corporations and governments.

A Cooperative Approach to Cybersecurity

These developments – just in the last three to four years – have heightened the urgency for collaborative regional and global responses to build a secure, trusted and interoperable cyberspace. The transnational and borderless nature of cyber threats inevitably means that States must work together – both internationally and regionally – to safeguard the cybersecurity of our critical infrastructure, businesses and people.

Here in Singapore, we have always supported a rules-based multilateral system in every domain of the global commons – including aviation, maritime and trade. We are keenly aware that the alternative – where might makes right – would be disastrous for a small state like Singapore.

Cyberspace is no exception. A rules-based order is key because it gives all states, big and small, the confidence, predictability and stability essential for economic progress, job creation and technology adoption. In today’s climate, we need more, not less, international collaboration to set the rules of the road in our digital commons.

With its universal membership, and guided by the principle of sovereign equality, the United Nations (UN) is best-placed to host cyber discussions, as well as to develop and implement the global cyber stability and resilience framework – with the consensus of all Member States.

To support these important conversations on international cybersecurity, Singapore has convened the Singapore International Cyber Week (SICW) since 2016, bringing together political and industry leaders, policy-makers and thought leaders from around the world to discuss major digital and cyber policy issues and its related geopolitical challenges.

These include topics like avenues to bridge widening digital divides within and across countries; safeguarding data security and privacy in an evolving cyber threat landscape; fostering a robust ecosystem and talent pipeline for innovation; and deepening international cooperation to combat the scourge of cybercrime.

Amidst the pandemic, this year’s SICW was particularly significant; we convened in a hybrid format – bringing together participants from 60 countries on a virtual platform. Singapore and the United Nations Office of Disarmament Affairs jointly announced the development of a Norms Implementation Checklist. This Checklist outlines steps that countries should take to implement the 11 voluntary and non-binding norms of responsible State behaviour in cyberspace, articulated in the 2015 UN Group of Governmental Experts (GGE) report. The Checklist will allow states to take practicable, actionable steps to implement the agreed norms, beyond broad declarations of acceptance.

At the regional level, regional organisations must support States in the cyber domain and help its members implement what has been agreed upon at the open and inclusive UN discussions.

In Southeast Asia, ASEAN has remained resolute and steadfast in our commitment to cyber stability. It has led the way to create a rules-based multilateral order in cyberspace, through cyber norms implementation and the protection of national and cross-border critical infrastructure supporting essential regional communications, trade, transportation and logistics services.

In 2018, ASEAN was the first – and remains the only – regional grouping to subscribe in-principle to the 11 voluntary, non-binding norms in the 2015 UN GGE report.

Following on from our first-ever ASEAN Leaders’ Statement on Cybersecurity Cooperation issued in the same year, ASEAN has made significant strides in regional cyber capacity building to help its members to manage cyber risks and threats effectively. The ASEAN Cyber Capacity Programme, ASEAN-Singapore Cybersecurity Centre of Excellence, and ASEAN-Japan Cybersecurity Capacity Building Centre are all efforts to achieve this objective.

Moving forward, ASEAN is keen to share our experiences with other countries and regions, toward a safer and more secure global cyberspace for our peoples.

Developing a Networked International System to Protect our Systems

It is clear that no one State can defend against cyber threats alone; indeed, it is a wicked problem that cannot be solved once and for all. But we have to keep trying, as our collective digital future depends on it.

The securing of our systems and networks requires constant, dedicated effort, supported by our international and regional partnerships. It is our collective responsibility.

What is at stake is not just cooking recipes – as in the ancient Mediterranean case – but instead our national security, digital economies, smart nations – in short, our digital way of life.

The article was first published 9 December 2020 on The Diplomat. The author, David Koh, is Singapore’s first Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency (CSA) of Singapore.