Asean, Beijing must address cyber threats in South China Sea talks

Tellingly, it says nothing of a domain – cyber – that has enabled these challenges to be asserted repeatedly. For nearly two decades, officials at the Asean secretariat, Southeast Asian governments and key private sector players have been the targets of sophisticated cyber campaigns to compromise computer systems and networks.

These advanced persistent threats (APTs) – stealthy, prolonged attacks launched typically for political rather than financial motivations – have been well documented by cybersecurity companies.

The threat actors are numerous. Sometimes they overlap and piggyback on each other’s malware infrastructure. At other times, they engage in payback. They are well resourced, organised and agile at collecting information to influence decisions.

The threat group behind APT 30, for example, showed remarkable longevity in reusing and refining its tools over 10 years, suggesting either a high degree of adaptability, a lack of the same on the part of their targets, or a combination of both.

APT 30 proved especially active around major Asean events such as the 18th Asean Summit in Jakarta in May 2011, the meeting of senior officials from Asean and China on the implementation of the Declaration of the Conduct of Parties in the South China Sea in June 2012, the Asean-India Commemorative Summit in December 2012, and the 22nd Asean Summit in April 2013.

It is impossible to directly ascribe developments in the South China Sea to these cyber campaigns. But it is also difficult to separate the two, given the geopolitical context and converging timelines.

05:22

Why the South China Sea dispute remains one of the region’s most pressing issues

For Asean governments that have long tiptoed around political and security contestations,