South China Morning Post
Advertisement
Advertisement
Illustration: Craig Stephens
Opinion
Elina Noor
Elina Noor

Asean, Beijing must address cyber threats in South China Sea talks

  • For years, Southeast Asian governments have been the target of advanced cyberattacks
  • As Asean and Chinese officials discuss the code of conduct on the South China Sea, they should include the cyber dimension in negotiations on expected standards of behaviour
Elina Noor
Elina Noor
Why you can trust SCMP
As clashes continue to flare up in the South China Sea between China and the Philippines, concern has primarily centred on the risks of escalation – and concomitantly, the prospects of de-escalation – at sea. The Asean foreign ministers’ statement that Indonesia pushed through in the final weekend of its 2023 chairmanship underscored, among other things, the importance of maintaining freedom of navigation in, and overflight above, the maritime sphere of Southeast Asia.
This specific reference to the region’s maritime and air columns echoes many other Association of Southeast Asian Nations documents related to the South China Sea. It relates directly back to the provisions of the United Nations Convention on the Law of the Sea, which Asean states subscribe to. But the reference also serves as an uncomfortable reminder of the various challenges to coastal states’ claims that have taken place.

Tellingly, it says nothing of a domain – cyber – that has enabled these challenges to be asserted repeatedly. For nearly two decades, officials at the Asean secretariat, Southeast Asian governments and key private sector players have been the targets of sophisticated cyber campaigns to compromise computer systems and networks.

These advanced persistent threats (APTs) – stealthy, prolonged attacks launched typically for political rather than financial motivations – have been well documented by cybersecurity companies.

The threat actors are numerous. Sometimes they overlap and piggyback on each other’s malware infrastructure. At other times, they engage in payback. They are well resourced, organised and agile at collecting information to influence decisions.

Southeast Asian governments have been the target of sophistical cyber campaigns to penetrate their computer systems. Photo: Dreamstime/TNS

The threat group behind APT 30, for example, showed remarkable longevity in reusing and refining its tools over 10 years, suggesting either a high degree of adaptability, a lack of the same on the part of their targets, or a combination of both.

APT 30 proved especially active around major Asean events such as the 18th Asean Summit in Jakarta in May 2011, the meeting of senior officials from Asean and China on the implementation of the Declaration of the Conduct of Parties in the South China Sea in June 2012, the Asean-India Commemorative Summit in December 2012, and the 22nd Asean Summit in April 2013.

Another active threat actor in Southeast Asia, Naikon APT, successfully mined information between 2010 and 2015, targeting political, military, legal and intelligence agencies at the highest levels. This uptick in cyber activity was paralleled by rising tensions in the South China Sea as land reclamation, artificial island-building and militarisation activities changed the seascape in and around the Spratly and Paracel group of islands.
It was also a time when there was a spike in reports of swarming and harassment of fishing vessels in the exclusive economic zones of Southeast Asian coastal states, and when the Philippines instituted proceedings against China at the Permanent Court of Arbitration.

It is impossible to directly ascribe developments in the South China Sea to these cyber campaigns. But it is also difficult to separate the two, given the geopolitical context and converging timelines.

05:22

Why the South China Sea dispute remains one of the region’s most pressing issues

Why the South China Sea dispute remains one of the region’s most pressing issues

For Asean governments that have long tiptoed around political and security contestations, attributing these APTs to any one actor would be a diplomatic minefield even though technical experts have traced the tactics, techniques and procedures of these major APTs to specific perpetrators in the region.

As Asean and Chinese officials discuss the specifics of the code of conduct on the South China Sea, it would be remiss to exclude the cyber dimension in negotiations on expected standards of behaviour. After all, any approach to conflict prevention or conflict mitigation in and around the South China Sea must begin with an acknowledgement of the changing nature of conflict itself.

In particular, technology’s growing role in conflict necessitates a rethinking not only of the conventional domains of the battlefield but also its actors, means and methods.

Hackers help Philippines’ understaffed cyberdefence team fight China threat

If the code of conduct is to apply in a comprehensive and forward-looking manner, then the involvement of non-state actors, including the technology giants that underwrite the digital infrastructure used in peacetime and conflict zones, the employment of hybrid tactics, and the integration of machine learning in manned or autonomous systems, are some aspects policymakers will need to consider.

The grey-zone confrontations at sea skirting the use of force or armed attack threshold under international law have their equally problematic analogues in cyberspace. If APTs are little more than espionage campaigns and espionage has generally either been ignored or exempted in international law, then states may have a different suite of options to punish the perpetrators than they would under international law.

States could rely on national laws, diplomatic protests or economic levers but this assumes that governments would even be willing and able to name and shame those responsible in the first place.
Leaders of Asean nations gather at the start of the retreat session of the Asean Summit in Jakarta, Indonesia, on September 5, 2023. In the past, Asean gatherings have been targeted by APTs. Photo: AP

For now, the UN’s 11 norms of responsible state behaviour in cyberspace serve as a compass for conduct in peacetime. They include cooperating to increase security in cyberspace, protecting critical infrastructure, and refraining from harming or commandeering computer emergency response teams. At a minimum, the code of conduct should include a commitment to these 11 norms in the context of the South China Sea.

However, if Asean states are serious about upholding the principles of international law, then government lawyers, together with other crucial stakeholders, will have to deliberate precisely how international law provisions might apply to cyberspace, including the prevailing incidence of APTs.

Asean states may not necessarily have to publish legal position papers but they should at least begin to clarify their own national thinking on these issues. Cyber operations affecting the South China Sea landscape are a reality that can no longer be dismissed.

Elina Noor is a senior fellow in the Asia Programme at Carnegie Endowment for International Peace

Post