Information security and system resilience are strategic issues for every business, with media reports of security breaches in businesses, government agencies and other organisations now a daily occurrence. This is the final note in our three-part series on the latest developments in relation to cybersecurity. The first note discussed best practices in relation to cybersecurity policy. It highlighted the importance of having established policies in place to ensure that organisations, and their data, are protected. The second reviewed the key elements of an effective crisis management plan to ensure a swift and effective response in the event of a cyberbreach. This e-bulletin summarises the steps to be taken to address cybersecurity issues and ensure a coordinated response to a cyberattack, in particular in Asia-Pacific.
The Global Cybersecurity Agenda of the International Telecommunication Union (ITU)
The ITU, the UN's specialised agency for information and communications technology, has consolidated its global alliance with governments, academia and industry experts to promote a culture of cybersecurity awareness and a holistic approach to counter misuse of online networks. 149 ITU Member States have joined the coalition, cooperating among themselves and with the ITU at the global level.
The ITU aims to help countries around the world to address cybersecurity challenges in collaboration with UN agencies, other international organisations and the European Commission and in association with the International Multilateral Partnership against Cyber Threats (IMPACT). Some 50 countries have received assistance to assess their national cybersecurity preparedness and response capabilities since the World Telecommunication Development Conference in 2010.
The ITU is also working with the global Forum for Incident Response and Security Teams (FIRST), the world’s biggest computer incident response teams association, to share best practice on how to develop national incident response capabilities and, through IMPACT, with INTERPOL in order to coordinate with the law enforcement community.
Harmonisation of cybersecurity legal frameworks
A persistent issue with cybersecurity is the lack of harmonisation of cybersecurity-related legislation around the world. The lack of harmonisation makes it difficult to investigate and prosecute offenders if the categorisation of cybercrimes and other misuses of cyberspace differs from country to country.
In response, the ITU is familiarising selected countries with legal aspects of cybersecurity and helping to harmonise their legal frameworks with a view to making them applicable and interoperable around the world.
An example of the ITU’s cybercrime legislation resources is its publication (in six languages) entitled “Understanding Cybercrime: A Guide for Developing Countries and the Toolkit for Cybercrime Legislation”.
Several Asia-Pacific Economic Cooperation (APEC) Member States have signed or ratified the Council of Europe Cybercrime Convention to create a minimum standard for international cybersecurity cooperation.
APEC also published a strategy document in 2002, recognising that cybersecurity must be addressed by the technology sector, business, government and individual users acting together. The strategy made various recommendations covering (i) legal developments, (ii) information sharing and cooperation initiative, (iii) security and technical guidelines, and (iv) education and public awareness.
Joint action by the ITU and the Association of Southeast Asian Nations (ASEAN) has increased regional cooperation to address cybersecurity challenges. Cooperation on cybersecurity issues was enhanced following an ITU/ASEAN sub-regional workshop held in Myanmar in 2011. The workshop focused on national computer incident response team policies, procedures, best practices, challenges and opportunities.
Cooperation between Asia-Pacific countries on combating cybercrime was consolidated at a regional workshop organised by the ITU and the United Nations Office on Drugs and Crime (UNODC) in Seoul, Republic of Korea in 2011.
In partnership with IMPACT, the ITU has continued to assess the capacity of existing national computer incident response teams of a number of Asia-Pacific countries to manage cybersecurity emergencies, to help set up these teams in countries where they do not exist, and to provide training and material assistance. Afghanistan, Bangladesh, Brunei, Bhutan, Cambodia, Lao, Maldives, Myanmar, Nepal, Sri Lanka and Vietnam have received various forms of assistance to bolster their cybersecurity in recent years.
Recent developments in Australia include updated regulatory guidance for security of personal information, a report on cyber resilience by the Australian Securities and Investments Commission and proposed law reform to include mandatory breach notification requirements in the Privacy Act.
Following an announcement by the Chinese President in February 2014, China's cybersecurity policy is expected to develop significantly over the coming years.
In September 2014, China's banking regulator issued new cybersecurity rules for banks on how banking hardware and software should be provided, domestic presence requirements for intellectual property and suppliers, source code disclosure, and regulator access. An explanation of these rules was issued by that regulator in February 2015, including postponing the implementation of its requirements on source code disclosure and the domestic presence requirements for intellectual property and suppliers.
The Hong Kong Police Force (HKPF) established its Cyber Security Centre in December 2012 to monitor cyber attacks in Hong Kong, and to undertake counter measures and investigations. The Centre works in close cooperation with the IT sector and conducts on-going reviews and research. The HKPF also maintains close partnerships with INTERPOL and other countries' law enforcement agencies.
Cyber attacks may be prosecuted primarily under the Computer Crimes Ordinance, the Crimes Ordinance and the Theft Ordinance in Hong Kong.
The Hong Kong Monetary Authority's General Principles for Technology Risk Management 2003 provide guidance on security requirements for authorized institutions. The Securities and Futures Commission also issued a circular entitled Mitigating Cybersecurity Risks on 27 November 2014.
The Government of India formulated an umbrella National Cyber Security Policy in 2013. It is a high-level document that sets out objectives which need to be put into action.
In 2005, the Indonesia Security Incident Response Team on Internet Infrastructure/Coordination Center (Id-SIRTII) was set up by the Ministry of Communication and Informatics, the police, the Attorney General, Bank Indonesia and several private sector organisations. Id-SIRTII was established to increase the public's awareness of cybersecurity issues, monitor potential security incidents, support law enforcement and provide technical support to internet users.
Indonesia ranks as one of the world’s top countries for originating cyber attacks with 36.6 million such attacks recorded in the past three years. Laws against cyber attacks are set out in Law No. 11 Year 2008 regarding Electronic Information and Transactions (EIT Law) (with an implementing regulation having been issued in 2012).
In early 2015, Indonesia announced that it would form a National Cyber Agency (NCA) to coordinate an integrated defence against rising cyber attacks.
The Cyber Security Basic Act, enacted in January 2015, comprehensively outlines the roles and responsibilities of the government in providing an overall national cyber security policy. It ranges from formulating and implementing suitable strategies and guidelines for the various administrative bodies of the government, to overseeing strategic responses to emergency incidents. The Act also encourages infrastructure providers, companies and educational and research institutions to implement appropriate defence measures. The Japanese government will also provide information on cyber security issues to the public.
Central to this is the legal “upgrading” of the National Information Security Centre into the “National Centre of Incident Readiness and Strategy for Cybersecurity” (NISC), which has greatly strengthened NISC’s powers in coordinating and policing the various ministries in order to ensure cross-uniform strategic implementation of fundamental policies.
NISC will propose a new government cybersecurity strategy document which is expected to be released for public consultation in May 2015 and for approval by the Cabinet in around June 2015.
CyberSecurity Malaysia is the national cyber security specialist agency under the Ministry of Science, Technology and Innovation (MOSTI). The Malaysian Computer Emergency Response Team (MyCERT) is a department within CyberSecurity Malaysia. MyCERT provides assistance in handling incidents such as intrusion, identity theft, malware infection, cyber harassment and other computer security related incidents. MyCERT works closely with law enforcement agencies such as the Royal Malaysian Police, Securities Commission, and Bank Negara Malaysia and also has close collaborations with internet service providers, computer security incident response teams and various computer security initiatives worldwide.
The Malaysian Administrative Modernisation and Management Planning Unit (MAMPU) has issued circulars in relation to the government’s information and communications technology. It was stated in one of their circulars that all public sector agencies managing information and communications technology infrastructure are required to establish a Computer Emergency Response Team (CERT) to enhance the management of information and communications technology security incidents in their respective agencies.
Cyber attacks are an offence under the Computer Crimes Act 1997.
Other cybersecurity requirements and initiatives may be contained in industry-specific laws, e.g. for the banking and insurance industry, which is regulated by Central Bank rules and requirements.
The Cybercrime Prevention Act was enacted in 2012. Various cybercrime offences have been created and additional powers have been given to law enforcement agencies to prevent and deal with cybercrime offences. The Philippine National Bureau of Investigation and the Philippine National Police are required to establish cybercrime units to exclusively handle cybercrime cases.
The Office of Cybercrime was established under the Department of Justice to act as the national central authority in international mutual assistance and extradition matters relating to cybercrime. It also oversees the Cybercrime Investigation and Coordination Centre, which is the national unit responsible for policy coordination among concerned agencies and formulating and enforcing the national cybersecurity plan.
Singapore's National Cyber Security Master Plan 2018 aims to strengthen critical technological infrastructure, test the cybersecurity readiness of key industry sectors and incorporate cybersecurity learning into appropriate higher education courses.
Singapore's new Cyber Security Agency (CSA) commenced work on 1 April 2015, and oversees this work. The new CSA follows the establishment of an INTERPOL cybercrime centre in Singapore in 2014.
Cyber attacks may constitute an offence under the Computer Misuse and Cybersecurity Act in Singapore.
The Monetary Authority of Singapore's Technology Risk Management Guidelines 2013 apply to security measures by financial institutions for computer systems, networks and data centres.
In April 2013, a bill for the National Anti-Cyberterrorism Act was proposed to assist in the detection of attacks and empower the South Korean National Intelligence Service to create and enforce anti-cybercrime policies. However, the bill has not yet been enacted.
In May 2000, the National Security Council formulated the National Information and Communication Infrastructure Security Mechanism Plan to consolidate and expedite the development of Taiwan’s information and communication security infrastructure. In addition, the National Information & Communication Security Taskforce was established in 2001.
Cyber attacks are a criminal offence under the Criminal Code (Offences Against Computer Security).
Taiwan also has specific rules in relation to cybersecurity which apply to financial institutions.
There have been a number of legislative initiatives in Thailand since the start of 2015, including the tabling of the Computer-related Crime Bill (amendment), Cybersecurity Bill and Personal Data Protection Bill. Under these initiatives, a National Cybersecurity Committee would be established to determine approaches and measures for responding to and tackling cyber threats.
Cyber attacks are a criminal offence under the 2007 Computer Crimes Act.
Vietnam is tabling a draft of the Law on Information Security in Vietnam’s National Assembly.
The Ministry of Information and Communications, the communications authority in Vietnam, established the Vietnam Computer Emergency Response Team (Vncert), which is the task force to deal with cybersecurity issues at the national level.
In 2011, the State Bank of Vietnam issued compulsory requirements for information security, including human resources, hardware, software, access management, data recovery and disaster protection plan.
Our corporate crime and investigations, IT and privacy teams are currently advising on a number of cyber security matters across Asia Pacific, Europe, the UK and the US. We are a global leader in this field and act for multinational and regional organisations on cyber-crime and security issues, including compliance, risk and crisis prevention and management, regulatory actions and related disputes. Please contact us for further information.
Legal counsel in various countries contributed to this article, including Mani Chengappa & Mathur in India, Hiswara Bunjamin & Tandjung (HBT) in Indonesia, Vascodagama in Japan, Skrine in Malaysia, Castillo Laman Tan Pantaleon & San Jose in the Philippines, Lee&Ko in South Korea, Lee and Li in Taiwan and Frasers in Vietnam.