Southeast Asia (SEA) has become a hub for digital growth and innovation in recent years, largely due to better internet connectivity and smartphone adoption. In an industry study published in 2020, the region’s internet economy was predicted to reach $200 billion by 2025. Further, as per a report by Google, Temasek Holdings, and Bain & Company, Southeast Asia’s digital economy is growing fast and its internet sectors are expected to surpass $300 billion by 2025. Further, in the face of social restrictions and lockdowns caused by the Covid-19 outbreak, many businesses, big and small, had to shift their presence online.

However, with the growth of internet connections and widespread usage, cybersecurity threats are also on the rise in the Southeast Asian region. This risk is heightened as Southeast Asian member countries become more integrated via trade, capital flow and connectivity, driven by the fourth industrial revolution. A report by global management consultants AT Kearney revealed that South Asian countries were also being used as launchpads for cyberattacks, with Indonesia, Malaysia and Vietnam being global hotspots for malware attacks. Additionally, Singapore was the victim of three major cyberattacks in 2020, including the Ministry of Defence cyber breach in February, WannaCry ransomware attacks in May, and Petya ransomware attacks in June.

Therefore, as cybersecurity threats become more complex, they require greater efforts from various stakeholders to combat them.

Improving cybersecurity

There are many challenges facing Southeast Asian countries when it comes to improving their cybersecurity, including a lack of governance and skilled personnel. Lack of attribution capability also increases the risk of cyber incidents or cyber-enabled information conflicts within the region.

Further, many Southeast Asian countries lack a strategic mindset, policy preparedness, and institutional oversight regarding cybersecurity. There is a low level of cyber resilience in the region, especially when it comes to policy, governance and cybersecurity. Moreover, there is little or no coordination between the national police (for cybercrime), interior ministry (for critical infrastructure), telecommunications ministry (for breaches) and military (for cyber conflicts).

An absence of a unifying framework often leads to significant underinvestment. It is difficult to collaborate and share intelligence within and between countries due to the absence of a unified regional governance framework. Additionally, businesses have underestimated the value at risk, resulting in inadequate investments in cybersecurity. In the private sector, cyber risk is still perceived as an information technology (IT) issue rather than a business one, so regional businesses do not have a comprehensive approach to cybersecurity.

In this regard, four issues must be addressed:

  • The growing interconnectedness across the region and geographical dispersion of the physical supply chain will intensify systemic risk, making the region only as strong as its weakest link.
  • Diverging national priorities and varying paces of digital evolution will continue to foster a sustained pattern of underinvestment.
  • Limited sharing of threat intelligence, often because of mistrust and a lack of transparency, will lead to even more porous cyber defence mechanism.
  • Technological evolution will render threat monitoring and response more complex, particularly given the rise of encryption, multi-cloud operations, the proliferation of internet of things (IoT), etc.

These four issues will aggravate the current, unprepared situation in the region. If the region fails to address these issues, the value at risk for Southeast Asian nations will be significant. In addition, cybersecurity concerns have the potential to derail the region’s digital innovation agenda, one of the core pillars for its success in the digital economy.

Investing to combat cyberthreats

Cyberattacks have a devastating financial impact. The Asia Pacific Risk Centre predicts that the global cost of data breaches will reach $2.1 trillion by 2019. Vietnam registered 1.68 million IP (Internet protocol) blocks, placing it fifth among countries where the IoT attacks have originated from.

Southeast Asian nations need to increase spending on cybersecurity to combat digital threats, a new report says. In doing so, the top 1,000 companies in the region may lose about $750 billion in market capitalisation and derail digital innovation. Last year alone, total cybersecurity expenditure in Southeast Asia was estimated at $1.9 billion. By 2025, this figure is expected to reach $5.45 billion. Despite this, the region remains vulnerable to attacks, as it is underinvested in comparison to other markets overseas.

Regional initiatives

Singapore tops the list in terms of cybersecurity spending, allocating 0.22 per cent of its gross domestic product (GDP) to cybersecurity, making it the only country in the region to spend more than the global average of 0.13 per cent, for its ageing population. Fortinet statistics indicate that 40 per cent of all crime-related activities in Singapore are cybercrimes. Viruses are the most common form of attack. Singapore’s Cyber Security Agency also reported an increase in ransomware and botnet cases. Singapore’s manufacturing, retail and healthcare sectors were mostly targeted by ransomware, while the tech, banking and social network sectors were targeted by phishing.

Malaysia and Thailand follow Singapore in terms of spending on cybersecurity, and spend 0.08 per cent and 0.05 per cent of their GDP respectively. The government of Malaysia has been hailed as one of the most progressive nations in Southeast Asia in terms of cybersecurity strategy due to the establishment of a national agency to coordinate the cybersecurity agenda, the preparation of a cybersecurity bill, and a comprehensive plan to develop cybersecurity professionals to meet growing demands.

Further, the Indonesian government has created the National Cyber Security Agency mainly to prevent and respond to cyberattacks. Similarly, the Philippines’ Department of Information and Communications Technology (DICT) released the National Cybersecurity Plan 2022 (NCSP). The NCSP is intended to shape the policy of the government on cybersecurity and the crafting of guidelines, and to provide a coherent set of implementation plans, programmes and activities to be shared with all stakeholders.

The primary goals of the NCSP 2022 include:

  • assuring the continuous operation of the Philippines’ critical infostructure, and public and military networks;
  • implementing cyber resiliency measures to enhance the ability to respond to threats before, during and after attacks;
  • effective coordination with law enforcement agencies; and
  • a cybersecurity-educated society.

Additionally, the DICT has launched the National Cybersecurity Plan 2022. The plan aims to improve critical data infrastructure security and resilience. In the first component, valued at $10 million, a National Computer Emergency Response Team (NCERT) as well as a Security Operations Center (SOC) has been created. The SOC is a government think tank that studies and addresses online threat development and risk management issues. An additional $40 million is being spent on implementing cybersecurity infrastructure, including hardware and software, as well as capacity-building training for all local and national government agencies.

Meanwhile, Vietnam has developed a cybersecurity strategy to deter and prevent cyberattacks, focusing on national key networks such as transport, bankin and aviation. One of its responsibilities is protecting the national sovereignty in cyberspace and information technology. Vietnam also revealed it has a 10,000-strong military cyber warfare unit that counters “wrong” internet views, illustrating the concerns shared by many Southeast Asian countries about cyber-enabled information warfare.


The governments in the region can take a variety of precautionary measures to protect their respective digital spaces from cybercriminals. Southeast Asian countries should invest in training and capacity building with an emphasis on high quality information and communication technology (ICT) infrastructure and highly skilled talent to combat such intrusions.

Further, a cyber-secured economic zone aligned with international cybersecurity standards should be established to secure the supply chain from design to delivery while ensuring the safety of these transfers. As a means of ensuring wider stability amid rising cybercrime intrusions, this would safeguard trade throughout the region.

Net, net, the regional effort to combat cybercrime in the Southeast Asia region has a long way to go. While governments should develop measures to effectively implement and enforce breach disclosure laws, companies should rethink long-entrenched security approaches.