As the countries comprising the Association of Southeast Asian Nations (ASEAN) undergo rapid digitalization, they are becoming increasingly susceptible to data breaches and the theft of sensitive or confidential information.
Between 2021 and 2022, the number of “cyber threats” (i.e. acts that seek to undermine the security of an information system or systems) in the region, including data breaches, increased by more than 80 per cent. In 2023, Southeast Asian businesses reportedly experienced more than 36,000 online attacks on average daily.
Recognizing the growing number and complexity of cyber threats in Southeast Asia, Canada and ASEAN agreed to enhance cybersecurity collaboration during the launch of their Strategic Partnership in 2023. This commitment built on Canada’s Cybersecurity and Digital Technology Diplomacy project announced as part of its 2022 Indo-Pacific Strategy, which dedicates C$47.4 million over five years to enhance the Indo-Pacific's cyber capabilities and advance regional cyber co-operation through the deployment of cyber attachés to the region.
While Canada has committed to working with ASEAN to strengthen regional cyber capabilities, it will also need to carefully examine national-level strengths, weaknesses, approaches, and policies. As shown in the 2023 National Cyber Security Index (NCSI) — an evaluation of countries’ ability to prevent cyberattacks and address cyber threats — there are vast differences within Southeast Asia’s cyber capacities.
For example, while Malaysia, the region’s most cyber-competent nation, ranked 22nd, Myanmar came in last place in the region at 152nd. Other major Southeast Asian countries were somewhere in between, with Singapore ranked 31st, the Philippines in 48th, and Vietnam in 93rd.
Furthermore, despite ASEAN's various regional cyber initiatives, the implementation of these frameworks has remained highly fragmented. According to Elina Noor, senior fellow of the Asia program at the Carnegie Endowment for International Peace, there are two main reasons for this fragmentation. The first is the “differing levels of technological maturity and resources among the ASEAN member states,” and the second is that Southeast Asian states are reluctant to publicly disclose information about their own cyber capacities and limitations.
This hesitancy, coupled with the lack of enforcement mechanisms built into ASEAN’s cyber strategies, means that the bloc’s cyber frameworks are difficult to enact region-wide.
Having a more granular picture of these national-level factors can help Canada develop a more precise and, thus, more effective set of cyber diplomacy initiatives in Southeast Asia, whether through ASEAN or bilaterally.
This Explainer explores the cases of Singapore and the Philippines to highlight the diversity of cyber breaches faced by Southeast Asia, how these governments are responding to these threats, and opportunities for further Canadian partnerships in this area.
Singapore: Sophisticated threats met by sophisticated responses
Singapore boasts one of the highest rates of digitalization in Southeast Asia. Through state-led programs such as the Smart Nation Initiative, it has pushed for the digitization of government services by providing citizens with online access to numerous public services. Examples include an electronic tax filing system, an app to book medical appointments and check personal medical histories, and a judiciary website allowing citizens to access court documents. These digital technologies make life easier for Singaporeans and underline the government’s broader goal of digitalizing the city-state. Additionally, as Southeast Asia’s business hub, Singapore serves as the regional headquarters for about 4,200 multinational firms.
These two factors — the high concentration of regional and foreign conglomerates and the high level of digitalization — have made it a major target for cybercriminals. For example, in 2018, hackers stole the personal information of around 1.5 million individuals, including the information of then-prime minister Lee Hsien Loong. The hackers infiltrated the website of SingHealth, the nation’s largest group of health care institutions. The stolen information included patients’ addresses, dates of birth, and National Registration Identity Card (NRIC) numbers.
The following year, an unnamed hacker illegally obtained the personal information of more than 1,300 National University of Singapore graduates. The stolen data included NRIC numbers, work and personal phone numbers, and vehicle registration numbers.
According to a 2023 report by the Smart Nation and Digital Government Office, the Singaporean agency responsible for implementing the country’s digital transformation, government data breaches are increasing. In the public sector, breaches rose from 75 in 2019 to 182 in 2022.
Breaches within the private sector also rose to 137 in 2021, compared to 89 cases the previous year. One of the most high-profile breaches involved the Marina Bay Sands resort, which was hacked in 2023, publicly exposing the personal data of 665,000 customers.
How has Singapore responded?
Although Singapore’s business hub status makes it a target for cybercrime, the government has been proactive in implementing regulations and creating agencies to counter information theft for both businesses and individuals. For example:
- In 2013, it launched the National Cyber Security Masterplan 2018, which built on the goals of previous masterplans in upgrading the city-state’s cyber defence capabilities, while fortifying ‘cyber resilience’ by increasing knowledge among businesses and individuals.
- In 2015, the government created the Cyber Security Agency (CSA) to supervise, synchronize, and enhance national cyber defence capabilities. The CSA works with the government, industries, private sectors, and individuals to nurture cyber knowledge among all stakeholders.
- In 2018, Singapore enacted the Cybersecurity Act, which focused on identifying “critical information infrastructure” (CII), sectors that provide essential services such as energy, banking, and telecommunications. According to the Act, CII operators must implement robust cybersecurity standards to protect against data breaches and other cyberattacks.
- In 2021, the government amended the Personal Data Protection Act (PDPA), which regulates the collection and use of individuals’ personal information, to provide further guidelines on reporting a data breach. In such instances, the organization must notify the Personal Data Protection Commission. The organization is then required to notify affected individuals and provide details of the steps being taken to address the data breach.
- In 2023, the Cybersecurity Act was amended to include additional digital infrastructure vital to Singapore’s economy. Digital infrastructure critical for the nation's daily operations — including data centres, e-payment systems, and digital government services — must comply with the safety protocols outlined in the Cybersecurity Act. CII operators who fail to report cyberattacks “without reasonable excuse” are subject to a maximum fine of C$200,000, or 10 per cent of the organization’s annual revenues.
The Philippines: Geopolitical tensions become a cybersecurity vulnerability
A major source of the Philippines’ cybersecurity threats stems from its status as a claimant in the South China Sea dispute, making it a prime target for attacks by foreign entities, especially China. Many of the cyberattacks originating from China-based servers are aimed at the Philippines’ government institutions.
While the Chinese government has publicly denied involvement, Manila has traced cyberattacks back to servers operated by Chinese state-owned telecom company China Unicom, suggesting evidence of Beijing attempting to obtain confidential information and weaken government institutions. At the same time, the absence of more robust data protection regulations has made the nation a popular target for cybercriminals seeking to steal personal data for monetary gains.
Between 2021 and 2023, the Philippines’ National Computer Emergency Response Team responded to 3,470 cybersecurity incidents, 61 per cent of which targeted government institutions.
In April 2023, it was disclosed that the Philippine National Police, the National Bureau of Investigation, and the Bureau of Internal Revenue had all been hacked. The damage included the theft of 1.3 million records, including employee records, birth certificates, and tax identification numbers. Although the perpetrator of the attack is either unknown or has not been disclosed, the stolen data eventually reached the Russian black market. Similarly, the Philippine Health Insurance Corporation (PhilHealth) was targeted in a major ransomware attack in 2023, leading to the breach of up to 20 million members’ personal data. The hackers had requested C$405,000 from the Filipino government to return the stolen information but later released the data on the dark web after failing to obtain the ransom.
In February 2024, the Department of Information and Communications Technology (DICT) announced that the government had successfully fended off an attempted cyberattack on the servers of the Overseas Workers Welfare Administration (OWWA). Between December 2023 and February 2024, DICT recorded at least 17,000 hacking attempts targeting the OWWA and traced these attacks to devices using IP addresses in China. Other victims in 2023 included the Philippine Statistics Authority, the Department of Science and Technology, and the websites of the Senate and House of Representatives.
How has the Philippines responded?
In response to these continued cyber breaches against individuals and institutions, the Philippine government has undertaken the following:
- In 2016, it created the National Privacy Commission (NPC) to administer more stringent requirements for individuals and entities when collecting or processing personal data. Under the new guidelines, the NPC and affected data subjects must be notified within 72 hours of a personal data breach. Failure to notify can result in a fine ranging from C$12,000 to C$24,000 and imprisonment of up to five years.
- In January 2024, the Rules on Voluntary Administrative Site Blocking became effective. Under this law, internet service providers can block websites that distribute copyrighted content or pirated materials. By blocking such content, the law seeks to prevent cyberattacks such as online scams and data breaches.
- In February 2024, the government approved the 2023-2028 National Cybersecurity Plan (NCSP), which seeks to identify the country’s critical information infrastructure, develop a national cybersecurity threat database, and fortify the cybersecurity response and investigation teams.
Despite implementing regulations to better protect and notify individuals of data breaches, the Philippines’ current cyber framework fails to fortify its institutions against state- and non-state-sponsored cyberattacks.
The Philippines’ technical and organizational measures are, for the time being, inadequate to address the frequency and intensity of data breaches. For example, following the PhilHealth cyberattack, DICT Undersecretary Jeffrey Ian Dy stated that the country’s National Computer Emergency Response Team was operating above its capacity in responding to 3,000 cybersecurity-related incidents nationwide between January and August 2023 alone. Citing the vast shortage of workers and resources, Dy had called for creating cybersecurity response teams for each national government agency.
While the country’s cybersecurity plan seeks to build the Philippines’ cyber capacity by enhancing national and local cyber resilience through the creation of local cyber emergency response teams, there is no detailed plan for when these response teams will be established.
How is Canada helping to enhance the cyber resilience of Southeast Asia?
Recognizing the vast difference in cyber readiness among Southeast Asian states, Canada is currently engaging both multilaterally and bilaterally by establishing cyber partnerships with ASEAN and with select member states.
In 2023, Canada participated in the ASEAN Ministerial Conference on Cybersecurity Special Session with ASEAN Dialogue Partners, emphasizing the need for increased trust between the government and the private sector.
At the same time, Canada renewed the Canada-Singapore Cybersecurity Memorandum of Understanding (MOU) in 2023, with both sides agreeing to strengthen bilateral co-operation to counter local and international cyber threats through information exchange, capacity-building, and skills development.
In 2023, the Philippines and Canada signed an MOU to increase co-operation between Canada’s Office of the Privacy Commissioner and the Philippines’ National Privacy Commission in fortifying data protection protocols. The agreement includes joint efforts on cross-border data breach investigations and sharing knowledge and training on privacy and data protection issues. During a public address at an APF Canada event in Vancouver, the Philippines’ Secretary of Foreign Affairs Enrique Manalo emphasized Canada-Philippines co-operation in artificial intelligence and cybersecurity.
Similar to Canada’s provision of the Dark Vessel Detection system in the Philippines to combat the ongoing illegal fishing in the South China Sea, cybersecurity partnerships offer another practical response to the region's rising nontraditional security challenges. With cyber threats becoming increasingly complex and more frequent globally, Canada’s contribution to enhancing Southeast Asia's cybersecurity is expected to strengthen ASEAN-Canada ties and enhance Ottawa’s presence in the strategically important region.
- Edited by Erin Williams, Senior Program Manager, Vina Nadjibulla, Vice-President Research & Strategy, and Ted Fraser, Senior Editor, APF Canada.