Advertisement
South China Sea
OpinionComment
Elina Noor
Elina Noor

Opinion | Asean, Beijing must address cyber threats in South China Sea talks

  • For years, Southeast Asian governments have been the target of advanced cyberattacks
  • As Asean and Chinese officials discuss the code of conduct on the South China Sea, they should include the cyber dimension in negotiations on expected standards of behaviour

Reading Time:4 minutes
Why you can trust SCMP
Illustration: Craig Stephens
Elina Noor
As clashes continue to flare up in the South China Sea between China and the Philippines, concern has primarily centred on the risks of escalation – and concomitantly, the prospects of de-escalation – at sea. The Asean foreign ministers’ statement that Indonesia pushed through in the final weekend of its 2023 chairmanship underscored, among other things, the importance of maintaining freedom of navigation in, and overflight above, the maritime sphere of Southeast Asia.
Advertisement
This specific reference to the region’s maritime and air columns echoes many other Association of Southeast Asian Nations documents related to the South China Sea. It relates directly back to the provisions of the United Nations Convention on the Law of the Sea, which Asean states subscribe to. But the reference also serves as an uncomfortable reminder of the various challenges to coastal states’ claims that have taken place.

Tellingly, it says nothing of a domain – cyber – that has enabled these challenges to be asserted repeatedly. For nearly two decades, officials at the Asean secretariat, Southeast Asian governments and key private sector players have been the targets of sophisticated cyber campaigns to compromise computer systems and networks.

These advanced persistent threats (APTs) – stealthy, prolonged attacks launched typically for political rather than financial motivations – have been well documented by cybersecurity companies.

The threat actors are numerous. Sometimes they overlap and piggyback on each other’s malware infrastructure. At other times, they engage in payback. They are well resourced, organised and agile at collecting information to influence decisions.

Southeast Asian governments have been the target of sophistical cyber campaigns to penetrate their computer systems. Photo: Dreamstime/TNS
Southeast Asian governments have been the target of sophistical cyber campaigns to penetrate their computer systems. Photo: Dreamstime/TNS

The threat group behind APT 30, for example, showed remarkable longevity in reusing and refining its tools over 10 years, suggesting either a high degree of adaptability, a lack of the same on the part of their targets, or a combination of both.

Advertisement