Asia Pacific - Cyber-Security: Managing A Crisis In The Digital Era
Legal News & Analysis – Asia Pacific - Regulatory & Compliance
26 August, 2015
The Global Cyber-security Agenda of the International Telecommunication Union (ITU)
The ITU, the UN's specialised agency for information and communications technology, has consolidated its global alliance with governments, academia and industry experts to promote a culture of cyber-security awareness and a holistic approach to counter misuse of online networks. 149 ITU Member States have joined the coalition, cooperating among themselves and with the ITU at the global level.
The ITU aims to help countries around the world to address cyber-security challenges in collaboration with UN agencies, other international organisations and the European Commission and in association with the International Multilateral Partnership against Cyber Threats (IMPACT). Some 50 countries have received assistance to assess their national cyber-security preparedness and response capabilities since the World Telecommunication Development Conference in 2010.
The ITU is also working with the global Forum for Incident Response and Security Teams (FIRST), the world’s biggest computer incident response teams association, to share best practice on how to develop national incident response capabilities and, through IMPACT, with INTERPOL in order to coordinate with the law enforcement community.
Harmonisation of cyber-security legal frameworks
A persistent issue with cyber-security is the lack of harmonisation of cyber-security-related legislation around the world. The lack of harmonisation makes it difficult to investigate and prosecute offenders if the categorisation of cyber-crimes and other misuses of cyber-space differs from country to country.
In response, the ITU is familiarising selected countries with legal aspects of cyber-security and helping to harmonise their legal frameworks with a view to making them applicable and interoperable around the world.
An example of the ITU’s cyber-crime legislation resources is its publication (in six languages) entitled “Understanding Cybercrime: A Guide for Developing Countries and the Toolkit for Cybercrime Legislation”.
Developments in Asia-Pacific
Several Asia-Pacific Economic Cooperation (APEC) Member States have signed or ratified the Council of Europe Cybercrime Convention to create a minimum standard for international cyber-security cooperation.
APEC also published a strategy document in 2002, recognising that cyber-security must be addressed by the technology sector, business, government and individual users acting together. The strategy document made various recommendations covering (i) legal developments, (ii) information sharing and cooperation initiatives, (iii) security and technical guidelines, and (iv) education and public awareness.
Joint action by the ITU and the Association of Southeast Asian Nations (ASEAN) has increased regional cooperation to address cyber-security challenges. Cooperation on cyber-security issues was enhanced following an ITU/ASEAN sub-regional workshop held in Myanmar in 2011. The workshop focused on national computer incident response team policies, procedures, best practices, challenges and opportunities.
Cooperation between Asia-Pacific countries on combating cyber-crime was consolidated at a regional workshop organized by the ITU and the United Nations Office on Drugs and Crime (UNODC) in Seoul, Republic of Korea in 2011.
In partnership with IMPACT, the ITU has continued to assess the capacity of existing national computer incident response teams of a number of Asia-Pacific countries to manage cyber-security emergencies, to help set up these teams in countries where they do not exist, and to provide training and material assistance. Afghanistan, Bangladesh, Bhutan, Brunei, Cambodia, Laos, Maldives, Myanmar, Nepal, Sri Lanka and Vietnam have received various forms of assistance to bolster their cyber-security in recent years.
The Cyber Security Basic Act, enacted in November 2014 and in force since January 2015, comprehensively outlines the roles and responsibilities of the government in providing an overall national cyber security policy. It ranges from formulating and implementing suitable strategies and guidelines for the various administrative bodies of the government, to overseeing strategic responses to emergency incidents. The Act also encourages infrastructure providers, companies and educational and research institutions to implement appropriate defence measures. The Japanese government will also provide information on cyber-security issues to the public.
Central to this is the legal “upgrading” of the National Information Security Centre into the “National Centre of Incident Readiness and Strategy for Cybersecurity” (NISC), which has greatly strengthened NISC’s powers in coordinating and policing the various ministries in order to ensure cross-uniform strategic implementation of fundamental policies.
NISC proposed a new government cyber-security strategy document and released it for public consultation in May 2015. Cabinet approval was expected in June 2015, but due to information leaks from Japan's pension system, the strategy document is still awaiting approval.
Recent developments in Australia include updated regulatory guidance for security of personal information, a report on cyber resilience by the Australian Securities and Investments Commission and proposed law reform to include mandatory breach notification requirements in the Privacy Act.
Following an announcement by the Chinese President in February 2014, China's cyber-security policy is expected to develop significantly over the coming years.
In September 2014, China's banking regulator issued new cyber-security rules for banks on how banking hardware and software should be provided, domestic presence requirements for intellectual property and suppliers, source code disclosure, and regulator access. An explanation of these rules was issued by that regulator in February 2015; however, in April 2015, the regulator suspended these new rules, pending further amendments.
On 1 July 2015, a new National Security Law was passed, and the law came into force on the same day, declaring cyberspace to be part of China's national security interest. The new law requires key internet and information systems to be "secure and controllable".
On 6 July 2015, China's National People's Congress published a draft cyber security law aimed at safeguarding China's "cyber sovereignty" and protecting personal information. The draft law has also addressed some of the national security concerns that prompted the National Security Law that became effective on 1 July 2015. The draft law contains provisions requiring the core networks and information technology, critical infrastructure and information systems and the data of important sectors in China to be "secure and controllable". The draft law was open for comment until 5 August 2015.
The Hong Kong Police Force (HKPF) established its Cyber Security Centre in December 2012 to monitor cyber-attacks in Hong Kong, and to undertake counter-measures and investigations. The Centre works in close cooperation with the IT sector and conducts on-going reviews and research. The HKPF also maintains close partnerships with INTERPOL and other countries' law enforcement agencies.
Cyber-attacks may be prosecuted primarily under the Computer Crimes Ordinance, the Crimes Ordinance and the Theft Ordinance in
The Hong Kong Monetary Authority's General Principles for Technology Risk Management 2003 provide guidance on security requirements for authorized institutions. The Securities and Futures Commission also issued a circular entitled Mitigating Cybersecurity Risks on 27 November 2014.
The Government of India formulated an umbrella National Cyber Security Policy in 2013. It is a high-level document that sets out objectives which need to be put into action.
In 2005, the Indonesia Security Incident Response Team on Internet Infrastructure/Coordination Center (Id-SIRTII/CC) was set up by the Ministry of Communication and Informatics, the police, the Attorney General, Bank Indonesia and several private sector organisations. Id-SIRTII/CC was established to increase the public's awareness of cyber-security issues, monitor potential security incidents, support law enforcement and provide technical support to internet users.
Indonesia ranks as one of the world’s top countries for originating cyber-attacks with 36.6 million such attacks recorded in the past three years. Laws against cyber-attacks are set out in Law No. 11 Year 2008 regarding Electronic Information and Transactions (EIT Law) (with an implementing regulation having been issued in 2012).
In early 2015, Indonesia announced that it would form a National Cyber Agency (NCA) to coordinate an integrated defence against rising cyber-attacks.
CyberSecurity Malaysia is the national cyber-security specialist agency under the Ministry of Science, Technology and Innovation (MOSTI). The Malaysian Computer Emergency Response Team (MyCERT) is a department within CyberSecurity Malaysia. MyCERT provides assistance in handling incidents such as intrusion, identity theft, malware infection, cyber-harassment and other computer security related incidents. MyCERT works closely with law enforcement agencies such as the Royal Malaysian Police, Securities Commission, and Bank Negara Malaysia and also has close collaborations with internet service providers, computer security incident response teams and various computer security initiatives worldwide.
The Malaysian Administrative Modernisation and Management Planning Unit (MAMPU) has issued circulars in relation to the government’s information and communications technology. It was stated in one of their circulars that all public sector agencies managing information and communications technology infrastructure are required to establish a Computer Emergency Response Team (CERT) to enhance the management of information and communications technology security incidents in their respective agencies.
Cyber-attacks are an offence under the Computer Crimes Act 1997.
Other cyber-security requirements and initiatives may be contained in industry-specific laws, e.g. those for the banking and insurance industries, which are regulated by Central Bank rules and requirements.
The Cybercrime Prevention Act was enacted in 2012. Various cybercrime offences have been created and additional powers have been given to law enforcement agencies to prevent and deal with cybercrime offences. The Philippine National Bureau of Investigation and the Philippine National Police are required to establish cybercrime units to exclusively handle cybercrime cases.
The Office of Cybercrime was established under the Department of Justice to act as the national central authority in international mutual assistance and extradition matters relating to cybercrime. It also oversees the Cybercrime Investigation and Coordination Centre, which is the national unit responsible for policy coordination among concerned agencies and formulating and enforcing the national cyber-security plan.
Singapore's National Cyber Security Master Plan 2018 aims to strengthen critical technological infrastructure, test the cyber-security readiness of key industry sectors and incorporate cyber-security learning into appropriate higher education courses.
Singapore's new Cyber Security Agency (CSA) commenced work on 1 April 2015, and oversees this work. The new CSA follows the establishment of an INTERPOL cyber-crime centre in Singapore in 2014.
Cyber-attacks may constitute an offence under the Computer Misuse and Cybersecurity Act in Singapore.
The Monetary Authority of Singapore's Technology Risk Management Guidelines 2013 apply to security measures taken by financial institutions for computer systems, networks and data centres.
In April 2013, a bill of the National Anti-Cyberterrorism Act was proposed to assist in the detection of attacks and empower the South Korean National Intelligence Service to create and enforce anti-cybercrime policies. However, the bill has not been legislated yet.
In May 2000, the National Security Council formulated the National Information and Communication Infrastructure Security Mechanism Plan to consolidate and expedite the development of Taiwan’s information and communication security infrastructure. In addition, the National Information & Communication Security Taskforce was established in 2001.
Cyber-attacks are a criminal offence under the Criminal Code (Offences Against Computer Security). Taiwan also has specific rules in relation to cyber-security which apply to financial institutions.
There have been a number of legislative initiatives in Thailand since the start of 2015, including the tabling of the Computer-related Crime Bill (amendment), Cybersecurity Bill and Personal Data Protection Bill. Under these initiatives, a National Cybersecurity Committee would be established to determine approaches and measures for responding to and tackling cyber-threats.
Cyber-attacks are a criminal offence under the 2007 Computer Crimes Act.
Vietnam is tabling a draft law on information security in Vietnam’s National Assembly.
The Ministry of Information and Communications, the communications authority in Vietnam, established the Vietnam Computer Emergency Response Team (Vncert), which is the task force to deal with cyber-security issues at the national level.
In 2011, the State Bank of Vietnam issued compulsory requirements for information security, including human resources, hardware, software, access management, data recovery and disaster protection plan.
For further information, please contact:
Graeme Preston, Partner, Herbert Smith Freehills