Cyber Resilience of Countries in Asia-Pacific

The Asia Pacific region accounted for 35.9 percent of the global number of cybersecurity events in the first half of 2018 — the highest in the world — and is subject to 27.2 percent of compromised data records worldwide in the same period.

The rapid growth of connectivity and the velocity of digital transformation make the region particularly vulnerable to cyberattacks. According to Internet Society’s Survey on Policy Issues in Asia-Pacific in 2018, cybersecurity is the top Internet policy concern for the region’s Internet users. While these issues require states to improve their cyber capacity maturity, cybersecurity is still an evolving sector in the region, with a visible gap between different countries.

Almost half of Asia-Pacific states have no national cybersecurity strategies. However, some of them have blueprints that cover some aspects of cybersecurity, such as digital government masterplan and some others have legal provisions on cybercrime or data privacy laws.

Our Smart Citizen Cyber Resilience research is looking into the cyber resilience posture of 14 nation-states in Asia-Pacific across different levels of commitment to cybersecurity, cyber capacity maturity, and human development. As resilience is broadly understood as the ability of a system to absorb and withstand shocks, resume operations under disruption, and recover quickly after disruptions, within the cyber domain, resilience could be understood as the capacity to recover from and adapt to the effects of adverse cyber events. While measures to evaluate national cyber resilience vary, our research is more interested in the application of the whole-of-society approach to the cyber resilience posture. Our research focuses on understanding the inclusion of civil society stakeholders which are often excluded from the national cybersecurity discourse and processes, and in the strategic level of the cyber resilience posture.

We find that countries like Australia, Japan, Malaysia, New Zealand, Singapore, and South Korea are more systematic, comprehensive, and detailed in the articulation of their national cybersecurity strategies vis-à-vis defined problems and challenges. In terms of incorporating a resilience perspective in the cybersecurity strategy, Singapore, New Zealand, and the Philippines are more elaborate in describing the desired state of resilience and in defining the measures that are needed to achieve cyber resilience. Countries like Bangladesh, Japan, and Malaysia mandate all organizations in the private and public sector to develop a business continuity plan for ensuring continuous operations and provision of crucial services in the face of successful cyberattacks. Other countries identify the resilience of the critical information infrastructure, critical sectors, cyberspace ecosystem, or the nation-state as their strategic goals.

All countries under review recognize cybersecurity, and by extension, cyber resilience as the responsibility of all members of the society. However, only a few explicitly recognizes the role of civil society stakeholders and provides avenues for their participation in strengthening national cyber resilience. Some of these countries encourage third-sector organizations to participate in information sharing on cyber threats, outreach activities to promote cyber hygiene practices, evaluating cybercrime law, and joining the national incident response team. Even so, clearer defined roles and more avenues are available for the private sector who owns and operates the vast majority of national critical infrastructure, and academia.

Around the world, there is increasing recognition of the importance of broadening the scope of cybersecurity to include a resilience perspective. Operationalizing this perspective at the whole-of-society level so that all national cybersecurity stakeholders, including civil society stakeholders, can participate in building and maintaining cyber resilience is important. To achieve this, understanding national cyber resilience posture and the extent to which civil society stakeholders are considered in national cybersecurity strategies is a key starting point.