Just weeks ago, the Marriott hotel group disclosed that it had been the victim of a massive data breach, with the loss of records on more than 500 million guests to hackers. Investigations are continuing and signs point to the breach being a state-sponsored operation.
Whatever the outcome of the probe, the scale of the theft should be a spur to Asean in getting its act together in the area of cyber security. There is much at stake.
The fastest-growing Internet region in the world, Asean is gearing up to be the world’s fourth-largest economy by 2030. A key driver of that growth is the digital economy, which stood at US$10 billion (S$13.7 billion) last year and is expected to rise to more than US$80 billion by 2025. These figures are just the explicit trade numbers from e-commerce alone, while in reality, the economic impact of activities in the digital sphere is much wider.
But Asean is not as prepared as it should be in maximising the opportunities offered by the digital economy or curtailing the threats to be found in cyberspace. The latter includes not just hacking and privacy breaches but ransomware scams, terrorism and the dissemination of fake news. The price of failure is not just monetary but also damage to the social fabric of the region.
Part of Asean’s problem is that its cyber defences are uneven among its 10 member states. The 2017 Global Cyber-security Index ranked Singapore at No. 1 and Malaysia at No. 3, while Vietnam, Cambodia and Myanmar languish at the bottom of the league.
As with the rest of the world, the biggest challenge for Asean in cyber security is finding the people to build and maintain the defences. According to CSO, a US-based research institution on cyber security, there will be approximately 3.5 million unfilled cyber-security jobs globally by 2021. Malaysia, alone, needs 10,000 cyber-security professionals by 2020. It currently has about 6,000.
WHY THE SHORTAGE?
First, acquiring any skill, let alone those in the area of cyber security, requires years of honing and development. The earlier training is started, the greater the accrued impact. But cyber-security issues are largely not taught in schools worldwide, which shrinks the pool of potential recruits. While Singapore has led commendable initiatives in developing the Asean Cyber Capacity Programme, the region still lacks a collaborative education strategy. Furthermore, aside from Singapore and Malaysia, the other Asean member states have not forged any strategy to develop cyber-security talent at the national level; their interventions have largely been ad hoc capacity-building training sessions and seminars.
Such piecemeal efforts are insufficient in building up the required numbers of practitioners able to carry out the most basic tasks of gate-keeping.
The need for cyber-security practitioners exists broadly at two levels: Almost all organisations today require ground-level personnel to ensure the day-to-day security of devices by warding off threats as they come in. At a higher level, organisations require managers well versed in how the cyber-security ecosystem works and able to come up with pre-emptive measures and strategies. Apart from Singapore, and to some extent Malaysia and Thailand, Asean nations have failed to address the issue from the root level.
Earlier this year, the Thai government approved US$10 million for the training of 1,000 cyber-security personnel. While the effort is timely, a better approach would have been to incorporate cyber education in curricula at school and college levels. The US government’s recent initiatives can serve as a good example, as it has allocated US$125 million in grants to primary and secondary schools, and designated almost 200 colleges and universities as National Centres of Academic Excellence in Cyber Defence.
FUNDING AND TECH ILLITERACY
A second major problem facing Asean cyber security is funding: Most members simply do not invest enough. Last year, countries worldwide spent 0.13 per cent of their gross domestic product on cyber security, whereas Asean as a whole spent a mere 0.06 per cent (US$1.9 billion). But it is not enough to throw money at the problem, especially given the pace at which the technology is evolving.
A third major problem is tech illiteracy. Most government officials in the region have yet to internalise the need for robust cyber-security systems.
A recent study by Venafi, a cyber-security firm, found that 63 per cent of IT experts believe government officials lack basic understanding of the risks in the digital sphere.
Dr Peter Singer, a leading global cyber-security expert, cited a former secretary of US homeland security who did not use e-mail at all; it wasn’t a fear of privacy or security – it was because she just didn’t think it was useful. More recently, Japan’s Cyber-security Minister Yoshitaka Sakurada admitted that he has never used a computer. Such tech illiteracy will need to be overcome and mindsets changed if cyber security is to be treated seriously in its own right, and not just as an expense item in the national budget.
THE WAY FORWARD
Asean needs to first mobilise resources to identify the exact skill and capacity gaps in its cyber-security sector. In the short run, for those member states with a large shortage of experts, outsourcing IT security to third-party operators might be a feasible solution. However, given the ever-changing threat landscape, questions remain as to whether the third parties are capable of ensuring the security of the entrusted data. BitDefender, a cyber-security firm, was hacked in 2015, compromising the data of 400 million customers’ accounts.
It should also be noted that simply solving the skills shortage issue is not a complete solution. Human error is one of the most common causes of a hack or data breach. Last year, hackers gained access to the personal accounts of a threat analyst at cyber-security firm Mandiant. While the hacking was limited to the defacing of his social media accounts, it is indeed alarming that hackers could gain access to personal details of an employee of a firm entrusted with the security of hundreds of global corporations.
One lesson to be drawn from this is that while lapses will occur, that is all the more reason to build up sturdier defences, especially in the face of new and more menacing cyberthreats. For Asean to do so, convergence in policies and technical capabilities is critical. It is not enough to rely on one or two leading members to do the heavy lifting, as weak links in a bloc-wide cyber architecture will render all vulnerable.
Syed Munir Khasru is the Chairman of the international think tank The Institute for Policy, Advocacy, and Governance (IPAG).