ARF, and how to change the tune of the cyber debate
14 Oct 2013|

There’s no underestimating the significance of the first ever ASEAN Regional Forum workshop on cyber security held in China, which I was fortunate enough to be part of. So frequently the accused protagonist in cyberspace, China was now co-hosting a workshop with Malaysia to try and work through potential cooperative paths to deal with cyber challenges. Or at least that’s what the premise of the workshop was.

The title of the workshop; ‘Measures to Enhance Cyber Security—Legal and Cultural Aspects’ hinted that this was going to be a challenging discussion—China has different views to many western nations on how the Internet should be governed. Its preference is a strict, state-led legal framework, and discussions of culture are always going to be polarising. In his opening remarks to the workshop Chinese Assistant Foreign Minister Zheng Zeguang said:

Everything is connected in the cyber world. In the face of the challenges of cyber security, countries are all interdependent in a ‘community of common destiny’, and no country can stay immune… To tackle cyber security challenges requires the coordinated efforts of the international community.

This was encouraging and it’s certainly true that collaborative approaches will be needed in cyberspace to make progress on creating rules of the road. However, this was followed by the Chinese perspective on how those rules should be formed:

…while technical standards and industrial norms mattered most in the early stage of the Internet, we need laws and regulations to guide its current development… International cyber governance should follow the principles of state sovereignty and non-interference in other’s internal affairs.

Absent from this opening speech was a direct recognition of the work of the UN Group of Governmental Experts on information and telecommunications in the context of international security. In June 2013 the group affirmed that international law does apply to states’ use of cyberspace. They also encouraged increasing work on confidence building measures, capacity building and transparency measures. But clearly referenced throughout this speech (and others from Chinese and Russian participants through the day) was their 2011 proposed International Code of Conduct, which has largely been dismissed by the US, EU and other likeminded nations because it aims to stake out more ground for control of the Internet by nation-states. The document’s preamble states that ‘policy authority for Internet-related public issues is the sovereign right of States’, with no mention of the private sector and broader civil society. There were even proposals from Chinese speakers for an ASEAN Regional Code of Conduct along similar lines to that described above—in my mind, an avenue that shouldn’t be encouraged.

It became evident that the ARF was following a similar template to other international dialogues on cyber issues I’ve attended before. China and a selection of partners, including Russia, advocate a state-led legal approach, while most Western states advocate the ‘multi-stakeholder’ approach which shies away from legally binding agreements and advocates the promotion of norms of behaviour in cyberspace. Yet in contrast to other dialogues, in the ARF context you have a number of nations who are undecided on the best pathway forward for their own national strategies on cyber security, let alone how they’re going to approach the question of international governance.

Among many reasons related to their regional strategic positioning, the US and China are increasingly focused on ASEAN, and the topic of ‘cyber security’ is one of those issues where both are looking to exert influence regionally.

The issue of culture in cyberspace was addressed within Zheng’s speech as well, and is clearly a lever that China is looking to utilise when rebuffing the US/western focus on a free and open internet and human rights issues online:

… [the] difference in cultural background and tradition is an important cause of diverse Internet policies among countries… we should attach more importance to the cultural elements behind the Internet public policies of different countries…

During the discussions on cultural differences in cyberspace, the debate was best described as respectful, yet robust, and felt like certain nations were using it as another way of saying ‘keep your noses out of our business’. I sense that in the upcoming Seoul Cyberspace Conference next week, this issue of cultural differences in cyberspace will be pursued by the Chinese and certain other ASEAN member states as a way of pushing back on calls to keep the Internet free, open and accessible to all.

However, all’s not lost. It was evident that there were similar understandings of what the risks and threats were in cyberspace, and that there’s clear support for progressing an ARF Workplan which would begin to put practical measures in place through the region for building capacity, confidence and transparency measures. There was a great deal of enthusiasm from all sides of room to begin activities in these areas. And, as I mentioned in my first post on this issue, this practical work will build relationships, change mindsets and hopefully over time begin creating norms of responsible behaviour in cyberspace.

Tobias Feakin is a senior analyst at ASPI and Director of the International Cyber Policy Centre.