This is Part 2 of a 3-part series.
Cybersecurity has risen to the top of both national and international agendas. Government leaders from all over the world have said that without cybersecurity there is no real national security. The boom of the digital economy and the digitalisation of businesses and society, especially during the COVID-19 pandemic, have now put the private sector at the centre of cybersecurity debates. Recent cases of data mismanagement, or the revelations that social media sites compromised the data of millions of their users, highlight the central role that the private sector plays in cybersecurity. Undeniably, corporations are key players in the digital realm, whether as distributors of malicious software, victims of cyber-attacks, or first responders to security breaches.
On the issue of cyber insecurity, the question lingers: what is the role of the private sector in cybersecurity policies, and how can this co-exist with the traditional responsibilities of government? On a podcast by the Centre for Strategic and International Studies (CSIS), co-hosts Jim Lewis and Chris Painter talked with David Koh, Chief Executive of the Cyber Security Agency of Singapore (CSA). They discussed the integration between the private and public sectors in improving cybersecurity capacities.
Mr Koh recalled that he hosted one inter-sessional meeting which was attended by 100 States and 114 non-governmental stakeholders from the private sector, civil society, academia, as well as the technical community. He said that he was fundamentally shocked at how many people from all over the world, from many dimensions, were committed and so deeply involved and had such great ideas on cybersecurity. For him, this only shows that dealing with cyber requires a multi-stakeholder strategy. For example, most internet infrastructure is controlled or managed by private industry. A partnership between the public and private sectors can help boost cyber resiliency policies and programmes.
Furthermore, a lot of the technologies coming out are from industry, academia, and civil society. Therefore, multi-stakeholder engagement is an ideal method to improve cyber resilience on a bigger scale. Mr Koh noted that at an intellectual level, everyone understands cyber, so everyone must also be committed to trying to find viable solutions. He also emphasised that cybersecurity is the key factor in achieving an open and secure internet environment that can help boost domestic and international economies.
Mr Koh said that countries have different perspectives and angles on cybersecurity. Therefore, the UN OEWG gave both private and public sectors the platform to voice their varying ideas regarding cybersecurity. The forum also helped in terms of building the cyber capacities of ASEAN and other developing countries.
Mr Koh and the CSA view cyber capacity building as a collective effort. For the agency, cybersecurity is only as good as its weakest link. Therefore, Singapore has made a point of including ASEAN countries in this endeavour to fully improve cyber resiliency in the region. First, CSA is very interested in cybersecurity awareness-raising efforts in ASEAN. Second, CSA has a strong interest in facilitating the sharing of best practices and capacity-building efforts in ASEAN. Likewise, countries that are not ASEAN members can also engage in dialogue with the association so that there will be a broader agreement that cyber resiliency is an urgent concern for everyone. The CSA believes that things will be much more effective if they are properly coordinated on a much larger scale.
To support cyber capacity-building efforts, Singapore launched the ASEAN-Singapore Cybersecurity Centre of Excellence (ASCCE), an extension of the ASEAN Cyber Capacity Programme (ACCP). It aims to build a more secure and resilient cyberspace through capacity-building programmes for ASEAN senior policy and technical officials with decision-making responsibilities. The ASCCE seeks to fulfil three principal functions:
- Conduct research and provide training in areas spanning international law, cyber strategy, legislation, cyber norms, and other cybersecurity policy issues
- Provide CERT-related technical training as well as facilitate the exchange of open-source cyber threat and attack-related information and best practices
- Conduct virtual cyber defence training and exercises
The ASCCE undertakes a modular, multi-disciplinary and multi-stakeholder approach to deliver these programmes. The ASCCE engages top cyber experts and trainers and collaborates with ASEAN member states, ASEAN dialogue partners and other international partners including Australia, Canada, the European Union, Japan, New Zealand, the Republic of Korea, the United Kingdom, and the United States, in designing and delivering cybersecurity capacity-building programmes.
The ASCCE delivers programmes in consultation with the International Advisory Panel (IAP) comprising senior representatives from key partner countries and international organisations. The ASCCE will also review and further develop its training curriculum with the support of the International Programme Committee (IPC), which comprises experts from participating countries and international organisations.
Mr Koh and the CSA continue to follow the four Ms when building cybersecurity capacities. The first is a multi-disciplinary approach, where capacity-building programmes cover not only technical and operational subjects but policy topics as well, for a holistic approach to cybersecurity. The second is multi-stakeholder, where it is recognised that governments need support from industries in the private sector. The third is modular, where programmes should build upon and incrementally increase the difficulty level to develop the capacities and proficiencies of the participants. The last is a matrix, where agencies like the CSA can measure the effectiveness of their campaigns over time.