Published daily by the Lowy Institute

Filling the gaps in ASEAN and EU cybercrime cooperation

The two regional bodies are teaming up to counter cybersecurity threats, but it’s no simple task.

A hackathon in Warsaw, Poland, September 2019 (Jaap Arriens/NurPhoto via Getty Images)
A hackathon in Warsaw, Poland, September 2019 (Jaap Arriens/NurPhoto via Getty Images)

The recent takedown of a major hacking network has demonstrated the importance of international cooperation in fighting cybercrime. Defined as criminal activity that either targets or uses a computer network or an electronic device, primarily but not always for financial profit, cybercrime has been on the rise since the start of the Covid-19 pandemic, targeting critical infrastructure worldwide, including healthcare and medical care facilities. It is estimated that there is one attack every 39 seconds and that at least 90 countries around the world are only in the early stages of addressing cybersecurity issues.

Yet even as cybercrime continues to proliferate around the world, there currently exists no binding multilateral agreement that has been able to bring most countries together to address the problem. Differing priorities and views on critical principles of cyberspace mean that countries often fail to reach consensus.

Given this fragmentation, international cooperation in cyberspace has been shifting from global platforms to regional organisations and like-minded states.

Regional organisations seem particularly well-suited to crafting solutions to global cybersecurity threats, which target individuals, corporations and governments, as well as the networks on which they operate. Neighbouring countries are more likely to share similarities and interests: they are more likely to have interconnected infrastructures and economies that leave them vulnerable to similar threat actors and cyberattacks that spill across borders. Recognising these commonalities makes it easier to work towards a joint strategy, develop shared standards and coordinate incident response and capacity building.

While EU member states have adopted a common cybercrime framework, capabilities and national priorities vary greatly across ASEAN, creating a marked disparity in legislation and enforcement among member states.

The European Union (EU) and the Association of Southeast Asian Nations (ASEAN) are two of the most successful regional organisations, both founded to foster peace and seek economic integration of their member states into a single market. Despite structural differences, they share common ground, such as on human rights, based on the EU Charter of Fundamental Rights and ASEAN Declaration of Human Rights.

Both regions also aim to benefit from growth driven by information and communications technology, and they are actively cooperating to promote mutual ICT-driven growth through various agreements and mechanisms, such as the ASEAN-EU Dialogue on Science and Technology and the Enhanced Regional EU-ASEAN Dialogue Instrument (E-READI) (2016-2024). Key areas of cooperation include high-performance computing, nanotechnology and intelligent transport systems, as well as a bloc-to-bloc aviation agreement.

The effects of this collaboration will be further enhanced by free trade agreements between the EU and ASEAN member states, and by the cascading effect of the EU’s General Data Protection Regulation Policy (GDPR) on the national legislation of third countries to allow for the free flow of data across borders.

Nonetheless, as ASEAN and the EU become increasingly dependent on cyberspace and enhance cooperation to boost ICT-driven growth, they will also expose themselves to new vulnerabilities and security risks.

To tackle these challenges, the two blocs are engaged in cybersecurity strategic cooperation and capacity-building initiatives through ASEAN-led platforms, bilateral agreements and EU-funded research and innovation projects. In 2019, the ASEAN-EU Statement on Cybersecurity Cooperation recognised the growing role of ICTs in all aspects of society and the challenges associated with it, underscoring the need to strengthen cooperation to prevent and counter malicious cyber activities.

Despite the incremental progress on overall cybersecurity cooperation, several obstacles remain within the ASEAN-EU partnership to prevent and combat cybercrime. These include cooperation in the investigation and prosecution of cybercrime and the collection and sharing of electronic evidence (e-evidence).

The Budapest Convention is currently the only existing multilateral legal instrument addressing cybercrimes and international cooperation in cyberspace. While EU member states have implemented its provisions, the Convention has failed to reach universal consensus: only 65 states have ratified it to date, and it has been dismissed by key global players for various reasons, such as its perceived violation of the principle of state sovereignty. The Philippines has been the only ASEAN member state to ratify it.

Enhancing ASEAN-EU cybercrime cooperation also presents structural challenges. While EU member states have adopted a common cybercrime framework, capabilities and national priorities vary greatly across ASEAN, creating a marked disparity in legislation and enforcement among member states. There are also important differences with respect to the definition of criminal conduct in cyberspace and the collection of electronic evidence for cybercrime investigations, making cross-border cooperation a complicated process.

These circumstances pose several questions on how ASEAN and the EU will engage in cooperation as they become more interconnected and vulnerable to cyber incidents due to the increased threat attack surface (i.e., the amount of software and hardware vulnerabilities an unauthorized user can use to access and steal data). There are a number of steps ASEAN and the EU can take to minimise the attack surface and enhance their cybersecurity cooperation moving forward.

As noted in a recent article, ASEAN member states should aim to streamline the process for exchanging e-evidence between receiving and requesting countries to ensure effective coordination. In the long run, ASEAN could consider drafting a regional cybercrime convention, aiming to establish common cybercrime policies and institutions to foster cross-border cooperation in line with its own values.

As ASEAN member states harmonise their cybercrime laws and standards, the EU should consider negotiating a mutual legal assistance (MLA) treaty with ASEAN. Though often considered too complex and lengthy, MLA treaties are the only mechanism that can tie together the laws of receiving and requesting countries.

Such an agreement should aim to facilitate the collection of e-evidence for investigations or proceedings concerning criminal offences related to computer systems and data across ASEAN and the EU – overcoming the disagreements encountered within the Budapest Convention.

These measures would allow ASEAN and the EU to fill important gaps of their cybercrime cooperation and enhance overall cyber resilience. As the two regions become more interconnected, it is crucial to build a more secure and resilient cyberspace that can serve as an enabler for economic progress and improved living standards across both regions.

You may also be interested in