There has been a massive structural shift towards digitalisation in Southeast Asia (SEA) in the post-Covid-19 era. This accelerated digitalisation presents ripe opportunities for cybercrimes in a region that has been a hotbed of cyberattacks. However, governments in SEA are now initiating regulatory measures to tackle the issue of cybercrimes. A look at the cyberthreat landscape and mitigation measures across SEA countries…
Malaysia
Cybersecurity remains one of Malaysia’s top concerns as cybercrime rates have almost doubled since the pandemic. According to CyberSecurity Malaysia, an average of 31 cybersecurity cases including fraud, data breaches and hacking take place every day in the country. The country faced a total loss of RM 539 million in 2019 as 13,000 cybercrime cases were reported, which rose to 17,000 cases in 2020 and to over 20,000 in 2021. Besides the government sector, the banking, financial services and insurance (BFSI) and healthcare sectors were among the most targeted industries. Data by the Ministry of Communications and Digital reveals that the country lost RM 600 million to cybercrime in 2022.
Cyber Coordination and Command Centre, a central coordination and command facility responsible for managing cybersecurity at the national level, including mitigation, preparedness and response functions at a strategic and tactical level. Besides, Cybersecurity Malaysia and Malaysian Computer Emergency Response Team jointly initiated an operation service called Cyber999 Help Centre to help internet users report computer security issues and incidents. In March 2023, the government launched #BeCyberSmart, a cybersecurity campaign, and PROTECT 360, an all-in-one network security solution application.
Singapore
According to Check Point Research, there were nearly 2 million attacks in Singapore in Q2 2022. Ransomware and data theft were the two most common attacks. The average cost of a cybersecurity attack in the country is approximately SGD 1.7 million per breach, the highest in the Asia-Pacific region. With effect from April 11, 2022, the government mandated all cybersecurity service providers who provide licensable cybersecurity services to be licensed under the Cybersecurity Act, which covers penetration testing services and managed security operations centre monitoring services. Further, the Cyber Security Agency (CSA) of Singapore set up the Cybersecurity Services Regulation Office in April 2022 to administer the licensing framework for cybersecurity service providers.
Thailand
According to the National Cyber Security Agency, the number of cybersecurity threats in Thailand increased dramatically from 135 incidents in 2021 to over 772 incidents in 2022, with most being breaches occurring through educational and public sector websites. Vulnerabilities detected in both software and IT devices were identified 57.7 billion times in the fourth quarter of 2022, accounting for 1.94 per cent of those detected worldwide. The Government of Thailand passed the Personal Data Protection Act (PDPA) and the Cybersecurity Act in 2019. The Cybersecurity Act aims to enforce legal safeguards to ensure the security of cyberspace and, in particular, sets out a cybersecurity risk assessment plan to prevent and mitigate cybersecurity threats. The PDPA sets standards for personal data protection and is largely based on the European Union’s General Data Protection Regulation with the intention of having equitable standards.
Philippines
According to the Department of Information and Communications Technology, the Philippines ranked fourth among countries with the highest incidents of cyberattacks worldwide in 2022. About 3,000 cyberattacks were monitored in the country from 2020 to 2022 alone, and almost half of them were targeted at the government’s systems and networks. The Philippine government launched the National Cybersecurity Plan 2022. The plan aims to implement and enforce mechanisms towards a cybersecurity-educated and cyber-resilient society, secure infrastructure and networks, and ensure effective coordination with law enforcement agencies when there has been a breach. Further, the governments of the Philippines and Japan signed a memorandum of cooperation in February 2023 to strengthen cooperation and development in cybersecurity, among other things.
Indonesia
Indonesia has become one of SEA’s most targeted nations for ransomware attacks. The National Cyber and Encryption Agency (BSSN) stated that the number of cyberattacks in 2022 reached almost 1 billion, more than double the 495 million recorded in 2020. Most traffic anomalies was from malware activities. The Indonesian government promulgated the Personal Data Protection Law in 2022. Besides, BSSN is forming the Computer Security Incident Response Team (CSIRT) to prevent, handle, and respond to cybersecurity threats in institutions and agencies. As of March 2023, there were already 59 CSIRTs formed in government institutions/ agencies, according to BSSN data.
Cambodia and Laos
Other SEA countries, too, are making progress towards strengthening their cybersecurity infrastructure. The Government of Cambodia has drafted a law to curb the growing incidents of cybercrime. In 2022, the Japan International Cooperation Agency signed a record of discussions with the Government of Cambodia for the Project for Improvement of Cyber Resilience, a technical cooperation project.
Besides, the Government of Laos has enacted legislation to protect users of online services and ensure safety in cyberspace, including the Law on Cyber Crime and the Electronic Data Protection Law. Cooperation with national and international development partners is one of the eight highlighted points in the Lao National Digital Economy Strategy for 2021-2030. In August 2022, the Law on Cybersecurity was issued by the Vietnamese government. The government also issued a national cybersecurity strategy in August 2022 to respond to challenges and crimes in cyberspace. The strategy sets objectives for 2025 and provides a vision for 2030.
The way forward
The evolution of technologies and innovations has plagued the most strategically deployed security networks with new-age threats. SEA’s cybersecurity regime is still relatively nascent with a small cybersecurity workforce. Going forward, the proliferation of 5G networks and other new-age technologies will necessitate proactive measures by governments and businesses in these countries to address the rise in cyberthreats.
