Navigating cybersecurity amid tech rivalry
Navigating cybersecurity amid tech rivalry
WRITTEN BY FARLINA SAID
17 September 2021
While the US and China slug it out on the technology front, ASEAN member states must weigh their national security concerns against development possibilities. Technological rivalry in innovation and national security can shape a nation’s development and engagement strategy. Developing nations that depend on technology transfers and capacity building programmes to modernise as well as digitise may find themselves caught in a bind especially if rivalries require them to choose sides. Navigating competition, developing nations would require identifying vulnerabilities and strengthening oversight capabilities and technological capacities. Cultivating talent and implementing policies that encourage the development and adoption of new and advanced technologies can be the pathway to economic prosperity.
For developing nations, making the technological leap means building partnerships that would support the construction of infrastructure and growing industries, as well as kick-start innovation bases. Malaysia’s international partnerships generally aim to fulfil development and pandemic recovery plans, with its digitalisation ambitions laid out in the Digital Economic Blueprint, the National 4IR Policy and the National Cybersecurity Strategy. Malaysia has also called for digital collaboration to drive economic recovery, including the areas of digital technology, artificial intelligence and cybersecurity in official statements with Australia, Pakistan and South Korea or ASEAN.
China as a development partner
China has maintained a prominent role in Malaysia’s digital development. Last year, the Malaysia Digital Economy Corporation and Huawei Technologies signed a memorandum of understanding (MoU) aimed at developing Malaysia as a digital hub and as a gateway to digital industries in ASEAN. China’s Huawei is also a partner for cybersecurity, having established a joint steering committee in 2017 with CyberSecurity Malaysia and solidifying relations in a joint lab announced this year.
Southeast Asian states aim to uphold the principle of ‘technological neutrality’ which ensures the right to choose technology most appropriate for a specific need. Thus, when oversight initiatives such as the Blue Dot Network or Trump’s Clean Network Initiative are pushed, ASEAN member states can avoid choosing sides or technology.
While Malaysia recently awarded its 5G infrastructure project to Ericsson, the country’s telco players have pursued collaborations with Huawei as a supplier of 5G radio equipment, services and knowledge. This would include utilising Huawei equipment to upgrade antenna towers, and test interoperability between systems and cybersecurity limitations with Malaysia’s technical cybersecurity arm, Cybersecurity Malaysia. Beyond 5G, Huawei’s partnerships with Malaysia’s leading telcos such as Maxis and Celcom (28.2 per cent and 18.3 per cent mobile market share in 2020, respectively), influential cybersecurity agency’s such as Cybersecurity Malaysia and state governments such as Sabah, Sarawak and Terengganu, provides Huawei with an opportunity to impact Malaysia’s digital development.
Even during COVID-19, the country’s main treatment facility, Sungai Buloh Hospital, installed Huawei’s core cloud services that use big data and AI for diagnosis. China is also involved in projects to stimulate innovation and build talent bases in Malaysia, such as the latest innovation centre in Malaysia by Alibaba Cloud or an MoU with the Human Resources Ministry to enhance cooperation in technical and vocational education training.
However, Malaysia’s digitalisation programmes are taking place against a backdrop of intense technological rivalry between the United States and China. Former US President Donald Trump’s executive order on information security issued in mid-2019 raised national security concerns for the procurement of technology. As technologies process and transmit personal or even sensitive data, their adoption without sufficient oversight can create vulnerabilities for nation-states. Lessons could be learned from Papua New Guinea's experience, where a data centre sponsored by the Chinese government reportedly included outdated encryption software and insufficient firewall coverage, which could have allowed remote access to systems. The lack of sufficient oversight mechanisms — such as a cybersecurity agency well equipped with technology and knowledge — proved to be a weakness in procurement processes.
Chinese tech giants’ reach in the region
China’s rapid technological development was cultivated on the back of technological and knowledge transfers, some of these allegedly stemming from economic espionage dating back to the early 2000s. This came as China became a host country for American and European firms’ research and development activities at the turn of the millennium. In 2018, the Office of the United States Trade Representative published the findings of an investigation into China’s acts, policies and practices related to technology transfers which identified the impact of the Chinese government’s use of foreign ownership restrictions, non-market-based term impositions on US companies, illicit and unfair technology transfer practices, and cyber intrusions on US businesses and economic activities in China. However, former Malaysian deputy international trade and industry minister Ong Kian Ming notes that the lack of concrete proof of China’s alleged spying activities and absence of industrial espionage cases in Malaysia changes the risk calculation.
Developing nations must weigh national security concerns against development possibilities. China’s Digital Silk Road initiatives span infrastructure projects and technological adoption programmes. Thus, the smart train running through Laos equipped with 5G connectivity or Alibaba’s data centre in the Philippines is valued for its utility and benefits for the economy and quality of life. Beyond infrastructure, China’s Alibaba and Tencent are also tied to several of Southeast Asia's tech giants, such as Sea Group, Gojek, Tokopedia and Lazada, which stimulate the region’s digital economy.
Even as China’s technologies proliferate and lead to the adoption of the country’s standards for intellectual property and supply chains, Southeast Asian nations would still gain economically from participating in the value chain. The ASEAN+3 Macroeconomic Research Office notes the feasibility of a China+1 strategy, where companies may opt to retain a presence in China for sophisticated ecosystems built around a specific global value chain while setting up bases in other parts of the world — such as ASEAN — to build resilience in value chains. Participation in value chains could spur projects developing basic infrastructure and human capital, and the strengthening of institutions. In addition, investment by China’s tech giants would appear a positive venture, particularly if oversight mechanisms are nascent or weak.
The decoupling of supply chains and rivalry in data governance could benefit Southeast Asia. In 2020, a McKinsey report on multinational enterprises in China explored the trend for MNEs to build supply-chain resilience and identified ways to navigate technological rivalry including through dual sourcing of raw materials, increased inventory of critical products and nearshoring, and expanding supplier bases. Since 2019, the decoupling of supply chains has led to the relocation of GoerTek to Vietnam in 2020 and in the same year, Chinese tech firms, such as Bytedance, Alibaba and Tencent, to invest in Singapore as part of a strategy to use Southeast Asia to further their global ambitions.
Being plugged into a physical or digital supply chain could impact growth trajectories, as any disruption would affect livelihoods and economic health. The development of different standards by China, the US and the EU bifurcates the development of technologies and complicates technological interoperability. For developing nations, this might mean that if a country uses Ericsson for a 5G backbone but also utilises Huawei at different parts of a telco tower, additional technologies would have to be produced to allow interoperability by bridging technological or standard gaps. To address this issue, Southeast Asian states aim to uphold the principle of ‘technological neutrality’ which ensures the right to choose technology most appropriate for a specific need. Thus, when oversight initiatives such as the Blue Dot Network or Trump’s Clean Network Initiative are pushed, ASEAN member states can avoid choosing sides or technology.
The situation is also complicated by claims of national security breaches from nations that could be deemed as political and are not easily verified by states lacking the capacity, technological knowledge and oversight mechanisms. For instance, the case of the US Department of Justice’s indictment of four PRC nationals having traced their activities in countries such as the US, Germany, the UK, Indonesia and Malaysia among others received support from the UK, EU and NATO. In particular, the UK and EU detected similar activities in their systems, particularly those conducted by APT40 and APT31. While Malaysia has issued a warning for APT40 in the past, direct attribution from developing nations may be difficult to predict as standards and procedures for evidence would have to be harmonised. In this current state of affairs, China deems the indictment an ‘independent investigation’ with evidence not submitted or unclear. The solution lies in building and harmonising cybersecurity practices that would guide decisions and decision-making processes while offering solutions to both technical and political situations.
ASEAN must set cybersecurity goals
This has been ASEAN’s stance for the last few years. In 2018, ASEAN endorsed the 11 norms of responsible state behaviour introduced by a United Nations Group of Governmental Experts in 2015. The norms recommend and limit state behaviours, including moves not to damage critical infrastructure, to cooperate to stop crime and terrorism and preventing the misuse of ICTs in a state. For ASEAN, the implementation of these norms means looking at gaps within domestic laws, structuring or restructuring the role and responsibilities of government agencies, as well as building greater technical and knowledge capacities.
Last year, against the backdrop of geopolitical tensions the opening speech by Singapore Minister for Communications of Information and Minister-in-Charge of Cybersecurity, S Iswaran at the ASEAN Ministerial Conference on Cybersecurity cited the need for a rules-based regional order. In tandem, the first tasks of the ASEAN Digital Ministers’ Meeting were to address data management and cross-border data flows. While serving as a guide, the ASEAN Data Management Framework aims to build cybersecurity awareness among small and medium enterprises, which account for between 88.8 and 99.9 per cent of establishments in each member state.
The push for technological adoption would require small and medium enterprises to manage their cyber hygiene, particularly in data management. The development of data-transfer mechanisms would force states to develop governance regimes that could differentiate between data that should and could be processed in the cloud and those deemed too sensitive to cross borders. ASEAN member states must commit to the timeframes and goals, lest the pace of technology and exploitation overtake regulatory frameworks, cooperation and oversight.
Developing a robust international engagement plan
What is lacking now is a political solution to cybersecurity practices. There is a need for a clear strategic goal on channels of cooperation and the mechanisms to assess, construct and execute the appropriate responses. Malaysia’s Cyber Security Strategy 2020-24 outlines a cybersecurity international engagement plan to deploy diplomatic tools to protect systems and information. The engagement plan should also examine how states respond to data breaches or cyber operations, particularly those attributed to state actors.
In an era where attacks take place below the threshold of force, breaches of systems to collect information divide scholars on their impact on state sovereignty. Ambiguity surrounding rules of engagement mean there are different levels of response when taking into account systems and their impact on nations. The EU provides just one example of an engagement plan through its sanctions regime as part of a wider cyber diplomacy toolbox to respond to malicious cyber activities such as cyber-enabled theft of intellectual property. However, Malaysia’s engagement plan lacks attention and updates, perhaps due to its focus on building capabilities and connectivity.
The technological rivalry could push operational standards in different directions, complicate system interoperability and encourage innovation mercantilist activities. Developing nations such as Malaysia, still grappling with infrastructure development, connectivity and building cybersecurity awareness need to stay the course and build mechanisms that navigate the growing complexities of tech rivalry.
DISCLAIMER: All views expressed are those of the writer and do not necessarily represent that of the 9DASHLINE.com platform.
Author biography
Farlina Said is an Analyst at the Institute of Strategic and International Studies (ISIS) Malaysia, a premier think-tank established in 1983. ISIS Malaysia engages actively in Track Two diplomacy and is a key founding member of several regional networks which promote the exchange of views and collaboration that feed into policymaking. Image credit: Flickr/Yuri Samoilov.