WIREDGOV

As geopolitical tensions grow, governments across the Indo-Pacific region are racing to develop their cyber capabilities in order to ensure their future security and prosperity. But what implications does this have for norms on responsible state behaviour and transparency around cyber operations?

A Complex Chessboard for Cyber Capabilities: The Indo-Pacific

Louise Marie Hurel

Comprising approximately 40 economies, the Indo-Pacific is set to represent over 50% of the world’s GDP by 2040, with China, Japan, India, South Korea and Australia’s combined GDPs already totalling more than the whole of the EU put together. Throughout the past years, this vast and diverse region has also become central to strategic engagement by Five Eyes countries on a range of topics. Canada, the UK, the US, Australia and others have published their own strategies for the Indo-Pacific and forged security partnerships such as the trilateral AUKUS initiative, which have also focused on ‘developing a range of capabilities, to share and increase interoperability between […] armed forces’ – with a dedicated a pillar for cyber capabilities, AI, quantum and other emerging technologies.

But beyond economic, defence-focused or external incentives, the Indo-Pacific region forms a chessboard for complex technological disputes over the production of semiconductors in Taiwan, US-China geopolitical clashes concerning the latter’s state-linked cyber operations, thorny concerns around the conflation of cyber security and content control and moderation, as well as increasing cyber threats from both state and non-state actors. At the same time, ASEAN and other cross-regional efforts such as the Quad grouping have also sought to address some of these challenges by focusing on cyber capacity building, critical infrastructure protection and building shared resilience.

However, cyberspace has become a reflection of tensions within the region. Earlier this year, a reported leak from a Chinese company showed that the country had been conducting cyber espionage campaigns against multiple governments in the region. This included telecom service providers in Pakistan, Mongolia and Malaysia, as well as various parts of the Indian government. India, meanwhile, has sought to ramp up its own capabilities through the establishment of a National Cyber Agency in 2018, as well as conducting advanced persistent threat (APT) operations. At the same time, Pakistan has not fallen short of developing capacities in this area, with the alleged Pakistan-linked APT36 group targeting organisations in India. Moreover, in Southeast Asia, Vietnam-linked APT32 has targeted human rights defenders within the country as well as organisations in the Philippines and Laos.

The Indo-Pacific region forms a chessboard for complex technological disputes over the production of semiconductors in Taiwan, US-China geopolitical clashes concerning the latter’s state-linked cyber operations, thorny concerns around the conflation of cyber security and content control and moderation, as well as increasing cyber threats from both state and non-state actors

While far from being devoid of challenges, countries in the region have nonetheless committed to norms for responsible state behaviour at the UN. The question that remains, however, is how they will attempt (or not) to reconcile the commitment to such norms with the development of cyber capabilities such as the establishment of cyber commands, the use of offensive cyber capabilities, or having a more active posture when it comes to responding to and preventing cyber operations.

While one might not exclude the other, this does raise the question of how states should be held accountable when they (explicitly or implicitly) seek to enhance their cyber capabilities, be it for domestic or international use. Additionally, some countries in the region – especially those beyond China and North Korea – can often be overlooked in their ongoing development of capacities to act and engage in cyber operations, and this calls for a deeper analysis of other Indo-Pacific economies.

In this piece, we gather experts from the region to reflect on the often-thorny relationship between state responsibility and the development of capacities to conduct cyber operations, the internal justifications countries have devised to legitimise doing so, and the institutions devised to support such capacities.

India’s Strategic Ambiguity in Cyberspace and Cyber Operations

Arindrajit Basu

India’s security doctrines have always been shrouded in strategic ambiguity. Unsurprisingly, the development and deployment of cyber capabilities has been no exception. While external analysts and former officials have acknowledged the state’s capacity to conduct cyber operations or orchestrate India-backed hacktivist groups against geopolitical adversaries, there has been no overarching pronouncement or ‘cyber doctrine’ guiding these developments.

However, military doctrines have acknowledged the tactical necessity of integrating cyber capabilities with kinetic warfare, although they have stopped short of articulating clear objectives or normative rules of engagement. Despite the often-challenging task of reading between the lines regarding mandate and legality of operations, India has allegedly used cyber capabilities such as cyber intrusive tools for both domestic and external surveillance. This has been seen in recent reports which have further highlighted India’s use of targeted surveillance capabilities such as the NSO group’s Pegasus spyware against geopolitical adversaries and internal opposition figures, although the government has issued clear denials.

India’s security doctrines have always been shrouded in strategic ambiguity

Even so, India is trying to project itself as a responsible global power, including in cyberspace. This projection comes not from grand proclamations but through subtle diplomacy. For example, unlike several other countries, India is yet to publish a clear statement on how international law applies in cyberspace. However, the country has engaged in concerted cyber diplomacy both bilaterally and through ‘minilateral’ partnerships like the Quadrilateral Security Dialogue, the Counter Ransomware Initiative and the G20. In multilateral forums, India has consistently emphasised issues that most closely mirror its geopolitical interests, including cyber terrorism, the protection of critical information infrastructure, and capacity-building. The overarching global objective lies in what I have assessed elsewhere as ‘ideological agnosticism and selective engagement’ – that is, maintaining flexibility on doctrinal questions and evading controversial normative debates while tactically engaging on less controversial issues and working with partners to shore up India’s cyber security posture and existing capabilities. Relatedly, there appears to be limited appetite for a public discussion of its doctrine or capabilities. While India’s present strategy appears to be working as it reaps the dividends of its geopolitical ‘sweet spot’, its aspirations for global leadership must be underpinned by demonstrable commitments to the UN framework on responsible state behaviour, both in word and deed.

The Role of Cyber Capabilities in Advancing Vietnam’s Security and Prosperity

Bich Tran

Often overlooked in global cyber security debates, Vietnam has made significant efforts to develop capabilities to advance its interests in cyberspace over the past decade. In 2023, Prime Minister Pham Minh Chinh stressed that ensuring cyber safety and security is an important and long-term task. While motivations might vary, Vietnam has arguably deployed cyber operations to protect the communist regime, defend national sovereignty, and advance its economic interests.

The Communist Party of Vietnam perceives the current cyber landscape as a struggle against what it sees as a ‘peaceful revolution,’ with many dissidents and anti-regime groups using online platforms to further their agendas. Vietnamese officials also regard cyberspace as an important battlefield alongside the air, land, sea and space domains. Cyber attacks from alleged Chinese hackers targeting the country have demonstrated how cyberspace has become a theatre for Vietnam–China territorial disputes.

To address these issues, Vietnam has established two cyber units. Task Force 47, named after Directive No. 47 issued in 2016 by the General Political Department, consists of over 10,000 members. Its mission is to counter what the Party considers ‘wrongful views’ promoted by ‘hostile forces’. The second unit is the Cyberspace Operations Command, established in 2017 and announced in 2018 as a combat unit of the Ministry of National Defence. It is responsible for protecting national sovereignty in cyberspace and maintaining cyber security within the military. While Task Force 47 specialises in anti-disinformation, the Cyberspace Operations Command is concerned with comprehensive cyber security, including technical aspects. In essence, Task Force 47 is primarily concerned with regime security, while the Cyberspace Operations Command focuses on safeguarding national sovereignty.

The Communist Party of Vietnam perceives the current cyber landscape as a struggle against what it sees as a ‘peaceful revolution’, with many dissidents and anti-regime groups using online platforms to further their agendas

The development of cyber capabilities is also essential for Vietnam to reach its goals of becoming an upper middle-income developing country by 2030 and a high-income developed country by 2045. The 2020 National Digital Transformation Programme (NDTP) for the period through 2025, with a vision extending to 2030, set a target for the digital economy to contribute 20% of Vietnam’s GDP by 2025 and 30% by 2030.

The NDTP also aimed to put the country in the top 40 of the Global Cybersecurity Index (GCI) by 2025 and the top 30 by 2030. This goal was surpassed as Vietnam’s ranking jumped from 50th out of 175 countries in 2018 to 25th out of 182 countries in 2020. The 2022 National Cybersecurity Strategy aims to ensure that Vietnam's ranking on the GCI stays between 25th and 30th by 2025.

Besides its own efforts, Vietnam has leveraged external resources to enhance its capabilities through cyber diplomacy. Bilaterally, it has strengthened cyber security cooperation with its partners, such as India, the EU and Australia. Multilaterally, the country has engaged with the international community on cyber security issues to promote its interests in cyberspace and contribute to the development of international norms and rules governing cyber activities.

Japan’s Hesitant Shift Toward Active Cyber Operations

Wilhelm Vosse

Since Japan began to codify its response to the opportunities and growing threats of cyberspace in its information and later cyber security strategies in 2006, its main objective was to strengthen the rule of law in cyberspace. Japan’s primary instrument has long been international cooperation with like-minded countries in bilateral cyber dialogues, regional organisations such as ASEAN, and global mechanisms such as the UN Group of Governmental Experts and the Open-Ended Working Group. Over the last decade, Japan has become one of the most active players in cyber diplomacy, promoting cyber norms, an international legal framework, and responsible behaviour in cyberspace. Japan has limited itself to an almost exclusively diplomatic and normative response to growing security threats because this reflects its inherent pref