Chapter 10

Cybercrime and Cyber security in ASEAN

Lennon Chang

L.Chang
School of Social Sciences, Monash University, Victoria 3800, Australia
e-mail: lennon.chang@monash.edu.au

Cybercrime has become a world concern. According to unofficial statistics, the

projected loss of cybercrime will reach USD 2 trillions by 2019 (Forbes 2016). It
affects not only individual but also corporates and states as a whole. Its transnational
and anonymity characters make it hard to investigate. The blurred line between
national security and crime also contribute to the complexity in international
collaboration on crime investigation.
Among all the regions in the world, Asia has the most internet users. More than half
of the internet users in the world are in Asia. The number of internet users in Asia has
almost doubled since 2011 and is still increasing (Miniwatts Marketing Group 2016).
The member countries of the Association of Southeast-Asia Nations (ASEAN) have
definitely contributed significantly to the increase in internet users in Asia. The
Association of Southeast-Asia Nations was formed in 1967 by Indonesia, Malaysia,
the Philippines, Singapore, and Thailand to promote regional security and
cooperation. It has ten member states now including Brunei, Cambodia, Indonesia,
Laos, Malaysia, Burma, Philippines, Singapore, Thailand and Vietnam. All ASEAN
member states have had a dramatic increase in internet subscribers. This is especially
the case for countries like Myanmar, which has recently opened to the world and
privatized the internet provider. Of course, the region has become a new field for
hackers and cyber criminals.

Being an emerging cybercrime market, there is still limited research that looks into
cybercrime and cyber security in the ASEAN region. What are the trends in and
challenges of cybercrime in ASEAN? Are current conventions such as Council of
Europe’s Convention on Cybercrime appropriate for ASEAN? What are the
challenges faced by ASEAN countries when collaborating internationally against
cybercrime? This chapter aims to answer these questions and to consider whether the
strategies developed in the global north are relevant to ASEAN. This paper will
provide an overview of cybercrime trends in ASEAN, assess current measures
adopted by ASEAN countries in combatting cybercrime, and make policy
recommendations to strengthen those measures.

Development of the internet in ASEAN countries

According to World Internet Statistics, an estimated 3.6 billion people, about half of

1
the world’s population, are internet users. With approximately 1.8 billion users, the
Asia region has more than 55% of the world’s internet users, and that number is
increasing (Miniwatts Marketing Group 2016).
ASEAN countries have no doubt contributed significantly to the increase in internet
users in Asia. As can be seen in Figure 1, all countries in ASEAN have had a large
increase in internet subscribers. The proportion of internet users in Thailand has
increased from 23 internet users per 1000 residents in 2013 to about 350 users per
1000 residents in 2014. According to the Bangkok Post, this is attributed to the rapid
growth in the number of smartphones and households with a broadband connection,
as they have become more affordable (Leesa-Nguansuk, 2013). 
A similar trend can be seen in Brunei Darussalam, Myanmar, Singapore and Vietnam.
In Myanmar, the 2014 opening of the mobile telecommunications market resulted in
two foreign telecommunication companies, Qatar’s Ooredoo and Norway’s Telenor,
entering the market. In 2016, another license was issued to a consortium led by a
Vietnamese mobile network operator Viettel (Hammond and Trautwein, 2016). With
the introduction of competition, the price of subscriber identification module (SIM)
cards collapsed from USD 2000 in 2009 to K1500 (approximately USD 1.5) in 2014.
Suddenly, Myanmar became the fourth fastest growing mobile market in the third
quarter of 2015 with an estimated 36 million mobile subscribers (Ericsson 2015;
Motlagh 2014; Trautwein 2015).

The digital divide remains large among ASEAN countries. This refers to ‘the gap
between individuals, households, businesses and geographic areas at different socio-
economic levels with regard both to their opportunities to access information and
communication technologies (ICTs) and to their use of the internet for a wide variety
of activities (OECD (2001:5)). It has impeded the ability of regional forums to
strengthen member states’ collective actions on combating cybercrime and cyber
security threats (Nasu and Trezise, 2015; Rees, 2010). Narrowing the digital divide is
an important step towards economic development (Evers and Gerke, 2013). It would

2
also help narrow the cyber security capacity gap among ASEAN countries and
thereby help improve cyber security in ASEAN. Despite the increasing number of
internet users in ASEAN, there is a large diversity in participation levels in ASEAN
countries. According to ASEAN statistics, Singapore, with about 82% of the total
population as internet users, has the highest density of internet users among the
ASEAN countries. Brunei Darussalam and Malaysia follow with 70% of their citizens
internet users. However, only about 20% of Indonesia and Myanmar’s citizens are
online users and less than 20% in Cambodia and Laos. There is a need to reduce the
digital divide both within and between countries.

The Prevalence of Cybercrime in ASEAN

Since 2014, we can see a dramatic increase in the number of internet users in all
ASEAN countries, especially Brunei Darussalam, Cambodia, Myanmar, the
Philippines, Singapore, Thailand and Vietnam. As in the rest of the world, in the
ASEAN countries the internet is bringing about changes in the way people live their
lives. Some are becoming addicted to the internet and are spending more and more
time using their phone. This is not only the case in big cities. In rural areas of
Myanmar, one can often see people (even children) using their phone facebooking or
playing online games. At the same time, we can expect to see the emergence and
growth of cybercrime and other information security concerns.
It is difficult to find reliable statistics to show the seriousness of cybercrime and
malicious computer activities. There is still no systematic and scientific research or
survey that addresses cybercrime in Asia. Existing cybercrime statistics are mostly
published by commercial information security companies and organisations, like
Symantec, AV-test, and Trend Micro, using malicious computer activity statistics to
quantify cybercrime and information security problems. They record malicious
computer activities initiated by malicious software (malware) such as viruses,
Trojans, worms and bots (Broadhurst and Chang, 2012; IBM, 2009; Trend Micro,
2009). As ASEAN countries are not their main clients, it is rare for commercial
companies to report on malicious activities in all ASEAN countries.
Malicious computer activities in ASEAN The available statistics on malicious activity
in the region are from several years ago. Symantec produced a cyber threat report for
the Asia and Pacific region regularly in 2007-2009. These reports showed cyber
threats and malicious activity among ASEAN countries were not as serious as those in
countries like the People’s Republic of China, South Korea, India, Taiwan and Japan.
In 2008, for example, four ASEAN countries (Thailand, Vietnam, Singapore and the
Philippines) were listed among the top ten countries for malicious activity in the Asia
and Pacific region. That said, total malicious activity in these countries comprised
around only 10 % of the malicious computer activity in the Asia and Pacific region as
a whole. The top five countries, China, South Korea, India, Taiwan and Japan,
comprised 70% of the malicious computer activity in this region (Symantec, 2009).
The situation will have changed with the growth in internet use in ASEAN countries.
Microsoft detects malicious or potentially unwanted software globally through
computers that run Microsoft real-time security software. The Malware Infection
Index 2016 shows that ASEAN countries are among the countries most subject to

3
malware threat in the Asia Pacific region. Indonesia is ranked second on the list after
Pakistan. Vietnam, the Philippines, and Cambodia are ranked 5th, 6th and 7th
respectively while Thailand, Malaysia and Singapore are ranked 10th, 11th and 12th
respectively (Microsoft 2016a). In the period July to December 2015, Microsoft data
(2016b, p.86) shows that, compared with countries in East Asia, countries in
Southeast Asia had higher encounter rates - the percentage of computers running
Microsoft real-time security software that report malware or potentially unwanted
software, or reporting a specific threat. Six ASEAN countries were included in the
Microsoft Security Intelligence Report, including Thailand, Singapore, Malaysia,
Philippines, Vietnam and Indonesia. From the statistics reported in Microsoft Security
Report (Vol 20): Regional Threat Assessment, we can see that the encounter rate in
these countries increases between quarter one (Q1) and quarter four (Q4) of 2015.
Singapore is the only country among the six ASEAN countries with the encounter rate
(19.8% in Q4, up from 15.0% in Q1) lower than the worldwide encounter rate (20.6 in
Q4, up from 17.5% in Q1). The encounter rates of Thailand and Malaysia are around
35% in Q4 of 2015, and 47.7% in the Philippines and 50.7% in Vietnam. Indonesia
has the highest encounter rate, with more than 60% of computers that run Microsoft
real-time security software reported detecting malware or potentially unwanted
software. In term of the categories of malware, trojan and worms are the most
common malwares in this region and ransomware is becoming popular (Microsoft
2016c).
For unspecified reasons, Myanmar was not included in the surveys (possibly because
of the very limited penetration rate before 2013). Nevertheless, cybercrime is present
in Myanmar. In October 2010, Myanmar’s then main Internet provider, the Ministry
of Post and Telecommunication, was under serious Distributed Denial of Service
attacks (DDoS) — a type of attack that makes the targeted system/service unavailable
by flooding its bandwidth or resources. The attacks happened from 25 October 2010,
right before Myanmar’s first national election in 20 years. These attacks were
believed to be significantly larger than the Estonia attack in 2007 and Myanmar’s
military was suspected of being behind the attacks to restrict the flow of information
over the election period (BBC 2010). In 2013, Google warned news reporters
covering Myanmar that their Gmail accounts might come under state-sponsored
attacks (O’Toole 2013). Both cases were suspected of being “state-sponsored” and
linked to the military. Nonetheless, we should be careful making claims on state-
sponsored cybercrime without sufficient evidence. The Myanmar Times said such
claims could cause more harm to society than the cybercrime itself:
“[s]ome attacks might look like they are state-sponsored as the attacks might target
only certain types of information or certain people. Nonetheless, they might be
conducted by patriots, not the government. Therefore, I think it might be dangerous to
warn users about ‘state-sponsored’ attacks unless they have very strong evidence to
prove it, or if they have a special reason to issue such a warning. These warnings
might not help in future crime investigations, but might cause further harm.”
(O’Toole 2013, p.3).

Advanced persistent threat An Advanced Persistent Threat (APT) is a set of

computer hacking processes targeting specific entities to steal their data, and is one of
the biggest threats in the region. Fireeye (2015) identified malware that was
developed to target computers in ASEAN. The mission for these APTs is to steal
trade secrets, intellectual property and other confidential information from leading
companies in the region. State classified information and intelligence, such as

4
information related to the disputed South China Sea, were also the target for these
APTs during the survey period. Similarly, in 2015 Microsoft identified Gamarue, a
computer worm which allows hackers to control infected computers, as particularly
prevalent in the ASEAN region, especially in Indonesia. PLATINUM is another
malware discovered by Microsoft targeting South and Southeast Asian countries
(Microsoft 2016d). Since 2009, PLATINUM has conducted several cyber espionage
activities, targeting governments and related organisations in South and Southeast
Asia. Through spear phishing, sending emails or electronic communications scams
targeted towards a specific individual, organization or business, they tried to gain
access to the target organisation’s network using social engineering methods. Instead
of targeting the official email accounts, they targeted the non-official or private
account of the users in the organisation to avoid detection. Similar to Gamarue,
PLATINUM was developed to steal sensitive intellectual property related to
government interests, rather than direct financial gains (Microsoft 2016d). This
malware is especially popular in Malaysia and Indonesia.
ATM heists Sophisticated malware was also used by international organised crime
syndicates to steal money from Automatic Teller Machines (ATMs) in ASEAN
countries, including Thailand and Malaysia. Prakash (2014) reported that 18 ATMs in
Malaysia were hacked by a Latin American gang and caused a loss of RM 3.1 million
(approximately USD 7.3 million). In 2016 in Thailand, the state-owned Government
Savings Bank was hacked and 12.29 million Baht from 21 ATMs was stolen. More
than 3,000 ATMs were temporarily shut down for inspection and caused considerable
disruption. It was found that Dubbed Ripper, a new malware, was installed in many
ATMs and used by the hackers (Constantin 2016). Similar modus operandi were used
to hack ATMs in New York in 2013 and Taiwan in 2016, with losses of USD 2,4
millions and NTD 83 million respectively (Santora 2013; Chung 2016) and it was
believed that those heists were related to each other and linked to the Microsoft XP
system, for which Microsoft is no longer providing updates and vulnerability patches.
ATM scamming is also a popular type of cybercrime in ASEAN countries. In 2014 in
Myanmar, for example, a group of five foreigners (one British and four Indians) were
accused of illegally withdrawing money from ATMs in Yangon, using cloned ATM
cards. It was estimated by Myanmar police that 25.2 million kyats (approximately
USD 24,000) were withdrawn from six local banks. In December 2014 a similar event
occurred and a Bulgarian national was arrested for allegedly stealing nearly
US$38,500 (Toe Wai Aung 2016). With the development of e-payment and online
banking, cybercrime can be expected to increase in Myanmar.
Political attack/hackitivist Political intensions are often behind cyber attacks in the
ASEAN region. Extensive malware campaigns were launched during the 2016 South
China Sea dispute in which China, Vietnam and the Philippines had overlapping
territorial claims.1 In one instance, the computer system of Vietnam Airlines was
hacked and the personal details of more than 400,000 of its frequent flyers were
posted online. At around the same time, the flight information monitor screens at the
Hanoi and Ho Chi Minh City international airports were defaced with messages about
the dispute. The public announcement systems in those airports were also hacked and
similar messages were broadcast (Davis 2016).

1
In 2012 Myanmar hackers launched a similar attack against Bangladesh when Myanmar lost a lawsuit
over disputed territorial claims (Unleash Research Labs 2016)

5
The Philippines Department of Justice (DOJ), organisers of the Asia-Pacific
Economic Cooperation (APEC) summit and a reputable international law firm were
also targets for cyber attacks over the South China Sea dispute. A malicious program
“NanHaiShu” has been identified as behind the attack, targeting public and private
organizations. “NanHaiShu” is a type of APT that has been used to install Remote
Access Trojans (RAT) into target systems through spear-phishing emails. The RAT
allows the infected computers to send system information to the Command and
Control servers. The Command and Control servers can also manipulate the infected
computers to download information form the infected system. Although there is no
evidence on whether China is involved in the attacks, it is believed that these
organisations were targeted because of their involvement in the South China Sea
dispute (Asok 2016; F-secure 2016).
Hacktivist actions are also prevalent in the ASEAN region and several have been
launched targeting neighboring countries. In 2013, a hacktivists group in Indonesia,
Anonymous Indonesia, launched attacks against Australian public and private sector
websites in response to revelations by Edward Snowden that espionage had been
conducted by Australian embassies in Asia. Over 200 websites with the .au address
were defaced with the message “Stop spying on Indonesia!” and offensive images
(RT 2013).
Hacktivism is also popular in Myanmar, despite the short history of the internet in
Myanmar. Facebook and other private forums are believed to be the main channels for
hackers to coordinate attacks. In January 2016, internet vigilantes (netilantes)
launched a massive DDoS attack on nearly 300 Thai government websites which were
brought down. It is believed that the Myanmar netilante group, Blink Hacker Group
(BHG), was responsible for the attacks. The attacks were in response to the Thai
government’s arrest of two Myanmar migrant workers accused of murdering two
tourists in Koh Tao, Thailand (Long 2016; Unleash Research Lab 2016).
According to Frontier, a Myanmar weekly news magazine, in 2016 the Myanmar
hacktivist group Cyberroot and other Myanmar hackers launched DDoS attacks
against Bangladesh government agencies. The attacks on Bangladeshi government
websites were in response to the Bangladeshi Cyber Army’s declaration of “war”
against Myanmar for the alleged mistreatment of Rohingya Muslims (Coe 2016).

Tackling Cybercrime in ASEAN

Broadhurst and Chang (2012) argue that cyber crime in the Asia and Pacific region is
conducted for the reasons of “just for fun”, political purposes, or simply to make
money. Although it is hard to deny that some hackers are motivated just for fun or
for self-promotion, we can see from the above that cybercrime in ASEAN has also
been conducted for political purposes. Even for countries like Myanmar that have
only recently developed an internet infrastructure, there is a strong cyber attack
capability. The cross-border character and the complexity of the motives for the
attacks make it hard to investigate cybercrime and malicious cyber attacks in the
region. The key to success in combatting cybercrime, involves the harmonisation of
laws against cybercrime and a commitment to collaboration.

6
Convention on Cybercrime: Budapest Convention The Council of Europe Convention
on Cybercrime, usually referred to as the Budapest Convention, has been recognised
as the first and the only international convention that deals with cybercrime. Drafted
by the Council of Europe, the Budapest Convention aims to expedite collaboration
among states in cybercime investigation and prosecution. It also aims to facilitate the
states’ adoption of adequate international legal instruments against cybercrime
(Broadhurst and Chang, 2012; Council of Europe, 2001a, 2001b). It was opened for
signature for both member states and non-member states of the Council of Europe in
November 2001 and entered into force on 1 July 2004 after it was ratified by five
member countries of the Council of Europe. As in October 2016, 50 countries has
ratified/accessed the Budapest Convention and 5 countries has signed but not yet
ratified (Council of Europe, 2016). Noted by the United Nations Resolution 56/121
and signed and ratified by non-state Members, including the United States, Japan,
Canada, Australia, Sri Lanka, Dominican Republic, Panama and Israel, the Budapest
Convention has established its international, rather than regional, status.
The Budapest Convention includes both substantial and procedural parts of
regulation. The Convention ask its signatories to criminalise offences against the
confidentiality, integrity and availability of computer data including offences such as
illegal access, interception of non-public transmission, interference with computer
data and system, and misused of computer-related devices. It also covers the
traditional offences when carried out through a computer system such as forgery and
fraud. Content-related offences, hate crime and copyright infringement are also
included in the Budapest Conevention. The Convention criminalised the use of
computer systems as vehicles for the sexual exploitation of children and acts of a
racist or xenophobic nature. It also criminalised willful infringement of copyright and
related rights using computer system and for commercial purpose.
In relation to criminal procedures, the Convention requires signatories to exercise
jurisdiction to coordinate when victims are located in different countries. In addition
to common traditional criminal procedures such as search and seizure, the Convention
also creates new measures, such as expedited preservation of data. Other evidence
collection methods, such as real-time collection of traffic data and interception of
content data, are also adapted to allow police and service providers to collect data
during the process of communication. These have been recognised as the most
intrusive powers of the Convention (Csonka, 2000). Despite the fact that the
Convention has emphasized the need to balance the interest of law enforcement and
respect of fundamental human rights, these are usually the main concerns of
signatories.
International cooperation is an important principle emphasised in the Convention. The
Convention requires its contracting states to provide extensive cooperation and to
minimise impediments to the rapid flow of information and evidence “to the widest
extent possible”. It also creates the legal basis for an international computer crime
assistance network; i.e. a network of national contact points permanently available
(the ‘24/7 network’). To ensure the immediate assistance to investigation can be
ensured, the Convention requires its contracting states to establish a contact point
available 24 hours a day, seven days a week. It also required the national network
team to be properly trained.
Being the first and the only convention on Cybercrime, there is no ASEAN country

7
that signed and/or ratified the Budapest Convention. That said, eight out of ten
ASEAN member countries, except Laos and Cambodia, have enacted legislation to
regulate cybercrime and these cybercrime laws are aligned with the requirement of the
Budapest Convention (Microsoft 2007; UNCATD 2013). Laos has passed “Law on
Prevention and Combating Cybercrime” in September 2014. This is the first
cybercrime law passed by the Laos Government and is aligned with the Budapest
Convention. Cambodia is by far the only ASEAN member state that has not passed a
proper cybercrime law. The alignment of domestic laws of most ASEAN member
stats with the Budapest Convention provides a good basis for collaboration in
combating cross-boarder crime. Nonetheless, without accession to the Convention,
each country will need to build bi-lateral cooperation agreements. It will be time
consuming and will not be able to prove a broader multilateral structure for cross-
border collaboration against cybercrime.
ASEAN and ASEAN Regional Forum One goal for the establishment of the
Association of Southeast-Asia Nation is to promote regional security and build
collaboration among Southeast-Asia countries to enhance regional resilience.
According to the 1967 ASEAN Declaration (Bangkok Declaration), ASEAN is
established to promote regional peace and stability and to promote active
collaboration and mutual assistance on matters of common interest (ASEAN 1967). In
1976, the Treaty of Amity and Cooperation in Southeast Asia was signed and
enforced by the leaders of ASEAN founding member (Singapore, Indonesia,
Malaysia, Philippines and Thailand). Six fundamental principles were established to
“promote perpetual peace, everlasting amity and cooperation among their peoples
which would contribute to their strength, solidarity and closer relationship” (Article
1). “Renunciation of the threat or use of force” and “effective cooperation among
themselves” are two key principles that guide contracting countries (ASEAN 1976).
And the ASEAN Charter adopted in 2007 reaffirmed these commitments to regional
security and collaboration.
Although cyber security might not be a concern at the time when ASEAN was
established and was not mentioned in the Bangkok Declaration, the Treaty of Amity
and Cooperation in Southeast Asia and the ASEAN Charter, these agreements and
Charter had built a good basis for regional collaboration against cybercrime and
promoting regional cyber security.
Cybercrime and cyber security has become an important topic in several ASEAN
meetings. In the 2004 Joint Communique of the Fourth ASEAN Ministerial Meeting
on Transnational Crime, the ASEAN ministers has recognised cybercrime as
increasing transnational crime that affects ASEAN’s security and urge for effective
legal cooperation in combating transnational crime of this kind (ASEAN 2004). Also,
in the Plan of Action to Implement the Joint Declaration on ASEAN-China Strategic
Partnership for Peace and Prosperity 2003, the formulation of “cooperative and
emergency response procedures for purposes of maintaining and enhancing
cybersecurity, and preventing and combating cybercrime” is a key part for the
Information and Communication Technology Collaboration between ASEAN and
China. This has been reaffirmed in the Plan of Action to Implement the Joint
Declaration on ASEAN-China Strategic Partnership for Peace and Prosperity (2016-
2020) (ASEAN 2015)

8
The ASEAN Telecommunication and IT Ministers meetings (TELMIN) played a key
role in the formulation of ASEAN’s internet and cyber security policy. It focuses
mainly on ICT capacity building and collaboration among ASEAN member states
(Portnoy and Goodman 2009). In September 2003, the Singapore Declaration was
adopted by the TELMIN at the 3rd Meeting of the ASEAN Telecommunications and
IT Ministers (TELMIN). The Declaration set up an “action agenda to harness
technological advances in Information and Communications Technology” (ASEAN
2016). In the action agenda, the TELMIN decided that all ASEAN member states
should establish national Computer Emergency Response Teams (CERTs) by 2005, a
platform to coordinate computer incident information reporting and sharing (ASEAN
2016). The establishment of CERTs has been seen as the mutual agreed performance
criteria among ASEAN member states. And, in the 2008 ASEAN Economic
Community Blueprint, intensifying capacity building and training of national CERTs
and strengthen cooperation and coverage of ASEAN regional cyber- security network
had been listed as a priority action for ASEAN member states in 2008-2009.
Nonetheless, the goal of establishing national CERTs was not achieved until February
2012 when LaoCERT was launched.

In the ASEAN ICT Masterplan 2015 (AIM 2015), the TELMIN has outline the vision
for ASEAN in 2011-2015. The goal of this masterplan is to make ASEAN to become
a global ICT hub and make it an ideal region for economic activities (ASEAN 2011,
p.10). Cyber security and cybercrime related issues have been emphasised in various
initiatives proposed. To ensure the integrity and preparedness of network across
ASEA, AIM20 15 aims to establish a common minimum standard for net work
security. Also, an ASEAN Network Security Action Council were proposed to be
established to promote CERTs information sharing and cooperation (initiative 4.2)
and to promote public and private partnership on cyber security. AIM 2015 also
focuses on raising cyber security awareness though public education. The ASEAN
Cyberkid Camps were held in Kuala Lumpur (Malaysia) in 2012 and 2013 and in
Bandung (Indonisia) in 2015 with primary-aged participants from most of the
ASEAN member states (ASEAN 2011, 2015). These items remain critical in the
ASEAN ICT Masterplan 2020 and Master Plan on ASEAN Connectivity 2025.

The ASEAN Regional Forum (ARF) is an important platform for dialogues on

combating cybercrime and promoting cyber security in the region. To advance
regional and international dialogues and cooperation to promote peace and prosperity
across the ASEAN region, ASEAN established the ARF. It comprised 27 member
states from the Asia-Pacific region2. ARF holds regular meetings, workshops, and
seminars on topics related to cyber terrorism and cyber crime and issued several
statements in relation to combating cybercrime. In 2006, ARF issued the Statement on
Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyberspace. It
recognised “the serious ramifications of an attack via cyber space to critical
infrastructure on the security of the people and on the economic and physical well-
being of countries in the region” and acknowledge that the terrorist misuse of
2
27 members are the 10 ASEAN member states (Brunei, Cambodia, Indonesia, Laos, Malaysia,
Burma, Philippines, Singapore, Thailand and Vietnam), the 10 ASEAN dialogue partners (Australia,
Canada, China, the European Union, India, Japan, New Zealand, the Republic of Korea, Russia and the
United States), one ASEAN observer (Papua New Guinea), as well as the Democratic People’s
Republic of Korea, Mongolia, Pakistan, Timor-Leste, Bangladesh and Sri Lanka. See
http://dfat.gov.au/international-relations/regional-architecture/Pages/asean-regional-forum-arf.aspx.
Last accessed on 25 November 2016.

9
cyberspace can be destructive. It stresses the need for public and private collaboration
in identifying, preventing, and mitigating cyber-attacks and terrorist misuse of cyber-
space. It also urged its members to work together to improve their capacity against
cybercrime (ARF, 2006). The 2012 Statement on Cooperation in Ensuring Cyber
Security reaffirmed the 2006 Statement and ask its members to take into account the
“UN General Assembly resolutions on the developments in the field of information
and telecommunications in the context of international security, aimed at combating
the use of ICTs for criminal or terrorist purposes and purposes inconsistent with the
objectives of maintaining international stability and security”.

Conclusion: Challenges Ahead

This chapter outlined the cybercrime problems and the ways that ASEAN member
states used to tackle cybercrime. The past few years can be seen as the developing
years for the technology and internet in most ASEAN countries. We can see the
number of internet users have boost since 2012, especially to the developing and
underdeveloped countries like Myanmar, Vietnam and Cambodia. However, the
digital divine reminds a big problem to ASEAN and might impede the process of the
ASEAN Master plans.

From the discussion above, we can summarise that Cambodia is the only country that
still do not have proper cybercrime law (a draft is under review at the moment). Other
ASEAN member states all have proper cybercrime laws that are aligned with the
Budapest Convention. This provided ASEAN member states a good basis for
collaboration against cybercrime. As none of the ASEAN member state is a signatory
to the Budapest Convention, each state might need to build their own bi-lateral
agreement on cybercrime investigation with other countries (Bullwinke 2005). That
said, the ASEAN and the ASEAN Regional Forum make up some of the problem.

The establishment of CERTs had been identified as a key initiative in the Master
Plans and the ARF Statements. Heinl (2014) suggested to establish a robust ASEAN
CERT to enhance incident reporting and information sharing. As Chang (2012)
argues, a regional CERT might not always be able to play a good role in exchanging
information among states. It still relies highly on the relationship between countries,
especially when it comes to seeking help in passing related evidence for hacking or
other cybercrime events.

Furthermore, before considering the establishment of an ASEAN CERT, one should

consider whether the CERTs are functioning. Although all ASEAN member states
have national CERT, not all of them are functioning well. For countries like Myanmar
and Laos, the maintaining of CERT is not on their priority yet. Lacking manpower
and resources, the CERT can only do very little. In Myanmar for example, the
national CERT is under the Ministry of Communication and Information Technology
and it will be difficult for them to request other government agencies to report
computer incidents. That is, rather than establishing a regional CERT, ASEAN
should consider enhancing the capacity of national CERTs and ensure that they have
sufficient resources and manpower.

Cyber security awareness has been addressed in the ASEAN Master Plan 2015 and

10
2020. This initiative is important to all the member states. It is especially important to
those countries that had the internet booming in the past few years, such as Myanmar.
In Myanmar, cyber security is still not a concern to most users. They usually share
their passwords with their friend or the agents that sells sim cards. With the
emergence of online payment system, we can foresee that Myanmar is facing a big
problem and will cause great damage to the online payment system or even the
financial sector. There is a urgent need for these countries and the ASEAN to put
more efforts onto the cyber security awareness education. Although the Cyberkid
Camp might help some kids to learn about cyber security, only a few kids will be able
to attend the Camp. There should be more general education provided to the general
public, though raising awareness campaign, advertisement and education. The donor
countries might also consider to invest their aids and donations onto educating the
general public on their cyber security awareness.

The Budapest Convention and the ASEAN Master plans provide the ASEAN member
states a good basis to develop their national strategies and policies against cybercrime
and building cyber security. Nonetheless, cyber security is still not a priority to some
countries in the region due to the resources and the digital divine. Although the
Master plans and statements had emphasised these parts, there is still much to be
done. Future policies and strategies by the ASEAN and ARF might need to take these
elements into deeper consideration as these are the keys to make the ASEAN to be the
“global ICT hub”.

References

ASEAN (1967). The Asean Declaration (Bangkok Declaration) Bangkok, 8 August

1967. Retrieved 20 Nov 2016, <http://asean.org/the-asean-declaration-bangkok-
declaration-bangkok-8-august-1967/>. Accessed November 2016.
ASEAN (1976). Treaty of Amity and Cooperation in Southeast Asia Indonesia, 24
February 1976. Retrieved 20 Nov 2016, <http://asean.org/treaty-amity-cooperation-
southeast-asia-indonesia-24-february-1976/>. Accessed November 2016.
ASEAN (2004). Joint Communique of the Fourth ASEAN Ministerial Meeting on
Transnational Crime (AMMTC), Bangkok. <http://asean.org/joint-communique-of-
the-fourth-asean-ministerial-meeting-on-transnational-crime-ammtc-bangkok/>.
Accessed November 2016.

ASEAN (2011). ASEAN ICT Masterplan 2015. Jakarta: ASEAN Secretariat.

ASEAN (2012). Plan of Action to Implement the Joint Declaration on ASEAN-China

Strategic Partnership for Peace and Prosperity. <http://asean.org/?static_post=plan-of-
action-to-implement-the-joint-declaration-on-asean-china-strategic-partnership-for-
peace-and-prosperity>. Accessed November 2016.

ASEAN (2015). ASEAN ICT Masterplan 2015 Completion Report. Jakarta: ASEAN
Secretariat.

11
ASEAN (2015). Plan of Action to Implement the Joint Declaration on ASEAN-China
Strategic Partnership for Peace and Prosperity (2016-2020).
<http://www.asean.org/storage/images/2015/November/27th-summit/ASEAN-China
%20POA%20%202016-2020.pdf>. Accessed November 2016.

ASEAN (2016). ASEAN Telecommunications and IT Ministers Meeting (TELMIN).

Retrieved 20 Nov 2016, <http://asean.org/asean-economic-community/asean-
telecommunications-and-it-ministers-meeting-telmin/>. Accessed November 2016.

ASEAN Regional Forum (ARF) (2006). ASEAN Regional Forum Statement on

Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyberspace. Retrieved
20 Nov 2016, <http://www.mofa.go.jp/region/asia-paci/asean/conference/arf/
state0607-3.html>. Accessed November 2016.

Ashok, I. (2016, August 5). China-based hackers suspected of targeting Philippines

DOJ over South China Sea dispute. International Business Times,
<http://www.ibtimes.co.uk/china-based-hackers-suspected-targeting-philippines-doj-
over-south-china-sea-dispute-1574496>. Accessed November 2016.
Aung, T. (2016) High Court to hear ATM fraud allegations. Myanmar Times,
retrieved 10 October 2016, <http://www.mmtimes.com/index.php/national-
news/yangon/19104-high-court-to-hear-atm-fraud-allegations.html>. Accessed
November 2016.

BBC (2010). Burma hit by massive net attack ahead of election.

<http://www.bbc.com/news/technology-11693214>. Accessed November 2016.
Broadhurst, R. and Chang, L. (2012). Cybercrime in Asia: Trend and challenges.
In R. Broadhurst & P. Grabosky (Eds.), Cyber-crime: The Challenge in Asia (pp. 269-
302). Hong Kong: Hong Kong University Press.

Chang, L. (2012). Cybecrime in the Greater China Region: Regulatory Responses

and Crime Prevention across the Taiwan Strait. Cheltenham: Edward Elgar.
Chung, L. (2016, August 6). How Taiwanese police cracked NT$83 million ATM
heist. South China Morning Post, <http://www.scmp.com/news/china/money-
wealth/article/1999019/how-taiwanese-police-cracked-nt83-million-atm-heist>.
Accessed November 2016.
Coe, J (2016, January 5). The cyber wars. Frontier, retrieved 15 October 2016,
<http://frontiermyanmar.net/en/features/the-cyber-wars>. Accessed November 2016.
Constantin, L. (2016, 30 August). Sophisticated malware possibly tied to recent ATM
heists in Thailand. ComputerWorld,
<http://www.computerworld.com.my/resource/security/sophisticated-malware-
possibly-tied-to-recent-atm-heists-in-thailand/>. Accessed November 2016.
Council of Europe. (2016). Convention on Cybercrime: Explanatory Report.
Retrieved 10 November 2016.
<http://conventions.coe.int/Treaty/en/Reports/Html/185.htm>. Accessed November
2016.

12
Csonka, P. (2000). The draft Council of Europe Convention on Cybercrime: A
response to the challenge of crime in the age of the Internet? Computer Law &
Security Report, 16, 329-330.
Davis, B. (2016, August 13). Hacking attack at Vietnam airports: Another chapter in
South China Sea dispute. Forbes,
<http://www.forbes.com/sites/davisbrett/2016/08/13/hacking-attack-at-vietnam-
airports-another-chapter-in-south-china-sea-dispute/#40679eb64248>. Accessed
November 2016.
Ericsson (2015) Ericsson Mobility Report: On the Pulse of the Networked Society.
Retrieved 9 September 2016, <http://www.ericsson.com/res/docs/2015/mobility-
report/ericsson-mobility-report-nov-2015.pdf>. Accessed November 2016.
Evers, Hans-Dieter and Gerke, Solvay (2013). Local Knowledge and the Digital
Divide: Focus on Southeast Asia. Brunei Darussalam: Institute of Asian Studies,
University Brunei Darussalam.
F-Secure (2016). Nanhaishu: RATing the South China Sea. Retrieved 10 October
2016, <https://www.f-secure.com/documents/996508/1030745/nanhaishu_
whitepaper.pdf>. Accessed November 2016.
Hammond, C., & Trautwein, C. (2016) Viettel picked for fourth telecoms tie-up with
military partner. Myanmar Times, 25 March.
<http://www.mmtimes.com/index.php/business/technology/19662-viettel-nears-
contract-for-fourth-telecoms-operator.html>. Accessed November 2016.
Heinl, C. (2014). Regional cybersecurity: Moving toward a resilient ASEAN cyber
security Regime. Asia Policy, 18: 131-159.
IBM (2009). IBM Internet Security Systems X- Force 2009 Mid-Year Trend and Risk
Report. Somers, NY: IBM Corporate.
Leesa-Nguansuk, S. (2013) Internet users 'will double' this year. Bangkok Post, 5 July.
Retrieve 9 September 2016, from http://www.bangkokpost.com/tech/local-
news/358404/internet-users-will-double-this-year
Long, K. (2016). Govt. firms dismiss hacking report. MM Times,
<http://www.mmtimes.com/index.php/national-news/19200-govt-firms-dismiss-
hacking-report.html>. Accessed November 2016.
Microsft (2016d). Microsoft Security Intelligence Report (Vol. 20): PLATINUM:
Targeted attacks in South and Southeast Asia. Seattle: Microsoft.
Microsoft (2016a). Malware Infection Index 2016 highlights key threats undermining
cybersecurity in Asia Pacific: Microsoft.
Microsoft (2016b). Microsoft Security Intelligence Report (Vol. 20). Seattle:
Microsoft.
Microsoft (2016c). Microsoft Security Intelligence Report (Vol. 20): Regional Threat
Assessment. Seattle: Microsoft.
Microsoft. (2007). Asia Pacific Legislative Analysis: Current and Pending Online

13
Safety and Cybercrime Laws. A Study by Microsoft.
<http://www.itu.int/ITU-D/cyb/cybersecurity/docs/microsoft_asia_pacific_
legislative_analysis.pdf>. Access November 2016.

Miniwatts Marketing Group. (2011). Internet World Stats. Retrieved 25 August,

2011, <http://www.internetworldstats.com/stats.htm>. Accessed November 2016.

Miniwatts Marketing Group. (2016). Internet World Stats.

<http://www.internetworldstats.com/stats.htmhttp://www.internetworldstats.com/stats
.htm>. Accessed November 2016.
Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by
2019. Forbes, <http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-
costs-projected-to-reach-2-trillion-by-2019/#3b3683cf3bb0>. Accessed November
2016.
Motlagh, J. (2014). When a SIM card goes from $2,000 to $1.50. Bloomberg, 30
September. <http://www.bloomberg.com/news/articles/2014-09-29/myanmar-opens-
its-mobile-phone-market-cuing-carrier-frenzy>. Accessed November 2016
Nasu, H and Trezise, H. (2015). Cyber security in the Asia-Pacific. In N.Tsagourias,
& R.Buchan, R. (Eds.) Research Handbook on International Law and Cyberspace (pp
446-464). Cheltenham: Edward Elgar.
OECD (2001). Understanding the Digital Divide. OECD, Paris.
Portnoy, M. and Goodman, S. (2009). Global Initiatives to Secure Cyberspace: An
Emerging Landscape. New York: Springer.
Prakash, G. (2014, October 2). Banks knew ATMs were open to attacks, source
claims. Malaymail Online, <http://www.themalaymailonline.com/malaysia/article/
banks-knew-atms-were-open-to-attacks-source-claims>. Accessed November 2016.
Rees, N. (2010). EU and ASEAN: Issues of regional security. International Politics,
47(3): 402-418.
RT (2013, November 5). Indonesian 'Anonymous' hackers deface scores of Australian
websites in revenge over spying. RT News, <https://www.rt.com/news/anonymous-
indonesia-australia-hack-167/>. Accessed November 2016.
Santora, M. (2013, May 9). In hours, thieves took $45 Million in A.T.M. scheme.
New York Times, <http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-
45-million-global-cyber-bank-thefts.html>. Accessed November 2016.
Symantec. (2009). Symantec APJ Internet Security Threat Report XIII: Trend for
2008. Cupertino, CA: Symantec Corporation.
Trautwein, C. (2015). Myanmar named fourth-fastest-growing mobile market in the
world by Ericsson. Myanmar Times, 25 March.
<http://www.mmtimes.com/index.php/business/technology/17727-myanmar-named-
fourth-fastest-growing-mobile-market-in-the-world-by-ericsson.html>. Accessed
November 2016.
Trend Micro (2009). Trend Micro 2008 Annual Threat Roundup and 2009 Forecast.

14
Cupertino, CA: Trend Micro Inc.
Unleash Research Labs (2016). Unleashed: Unveiling cyberwar in Myanmar.
<http://unleashed.blinkhackergroup.org/op-its-time/3/>. Accessed November 2016.

15