Malaysia’s Leadership in ASEAN Cybersecurity: A Multistakeholder Approach
As Malaysia takes the helm of the Association of Southeast Asian Nations (ASEAN) in 2025, the country is poised to make significant strides in the region’s cybersecurity framework. The government aims to develop the third iteration of the cybersecurity cooperation strategy, which will guide ASEAN’s collaborative efforts in cyberspace. However, for this initiative to be truly effective, cooperation must remain a multistakeholder affair.
The Importance of Multistakeholder Cooperation
The landmark release of ASEAN’s cyber norms checklist in October 2024, championed by Malaysia and Singapore, translated the United Nations’ eleven norms of responsible state behaviour in cyberspace into practical steps. ASEAN member states now have a structured way to implement cyber norms, focusing on political endorsements and safeguarding critical infrastructure.
“The real challenge isn’t adoption; it’s implementation. Making these principles work in the real world requires more than government buy-in; it demands broad cooperation across sectors and countries.”
One of the biggest hurdles is embedding these norms into the operations of defense, law enforcement, and intelligence agencies. Southeast Asia’s cyber capabilities are expanding, but transparency remains a sticking point. Militaries, intelligence agencies, and law enforcement are embracing cyber tools but are reluctant to discuss operations and strategies. These institutions often see cyber norms as constraints rather than mechanisms for stability.
Civil Society Dialogue and Transparency
Recognizing these challenges, in August 2024, experts from Australia, ASEAN member states, and Timor-Leste gathered in Kuala Lumpur for a civil society dialogue sponsored by the Australia-ASEAN Centre. Discussions highlighted that transparency, information sharing, and collaborative threat assessments reduce misperceptions and strengthen trust among ASEAN members.
Governments cannot implement cyber norms alone. They must collaborate with those who build, manage, and depend on digital infrastructure, as well as with advocates for digital rights, privacy, and cybersecurity. Private sector actors, particularly technology firms that manage critical information infrastructure, need to be engaged to ensure that cyber norms are not only socialized but also practical, enforceable, and aligned with the rapidly evolving cyber landscape. Industry-driven initiatives, such as sector-specific security standards for critical infrastructure, can support government-led efforts by introducing adaptable and enforceable cybersecurity measures.
The Role of Academia and Think Tanks
Academia and think tanks play a crucial role by supporting capacity-building programs and offering research and policy insights that help shape decision-making. They can assess the success of policy measures, including progress in norms operationalization, and function as informal intermediaries between governments seeking to communicate issues indirectly.
For ASEAN’s cyber norms to take root, multistakeholder engagement must be institutionalized through regular dialogues that include government and non-government actors. ASEAN has long used these mechanisms to navigate complex security challenges. Applying them to cyber governance will ensure that all member states, regardless of their cyber capabilities, have a say in shaping the region’s approach to cybersecurity.
Measuring Progress and Engaging Local Stakeholders
Beyond dialogues, ASEAN needs a regional model of cyber norms maturity to measure member states’ progress in implementing UN cyber norms. Such a model would consider factors such as cybersecurity infrastructure, legal frameworks, and policy development. A structured roadmap would enable ASEAN states to move from basic compliance to advanced implementation, creating a stronger, more cohesive approach to cybersecurity.
Engaging local stakeholders is just as important. Cyber norms shouldn’t just be the domain of policymakers; they must resonate with businesses, academics, and local communities. Bringing small and medium-sized enterprises, universities, and civil society groups into the conversation ensures that cyber norms are implemented in ways that are practical, relevant, and responsive to local challenges. Regular feedback loops will help refine these norms over time, keeping them relevant and adaptive.
Interdisciplinary Approaches and Broader Implications
Discussions on cyber norms must break out of traditional security silos. Cybersecurity challenges intersect with issues such as environmental protection, trade, human rights, and even cultural heritage. ASEAN should take a broader, interdisciplinary approach and incorporate insights from diverse fields to craft comprehensive solutions. For example, protecting critical infrastructure, such as submarine cables, shows that cyber resilience is interconnected with economic and environmental stability.
As a long-standing ASEAN partner, Australia has a key role to play. Recognizing that cyber threats do not respect borders, Australia has been a strong advocate for regional cybersecurity cooperation in Southeast Asia. Australia can offer technical expertise, capacity-building programs, and legal assistance to help ASEAN member states bridge cyber capability gaps and build a resilient digital ecosystem.
The Path Forward
ASEAN’s adoption of the cyber norms checklist is a promising step, but real progress will depend on sustained implementation, capacity-building, and advocacy. Multistakeholder collaboration, including between ASEAN and Australia, will ensure these norms move from paper to practice. Through inclusive engagement and cooperative action, the region can take decisive steps toward a secure, resilient, and rules-based Indo-Pacific cyber landscape.
In the United States, similar efforts are underway. The Biden administration has been actively promoting cybersecurity cooperation with international partners, recognizing the global nature of cyber threats. Initiatives like the Cybersecurity and Infrastructure Security Agency’s (CISA) international partnerships and the Department of Homeland Security’s (DHS) Cybersecurity Advisory Committee highlight the importance of multistakeholder engagement in addressing cybersecurity challenges.
Case Study: The Role of the Private Sector in Cybersecurity
In the U.S., the private sector has been instrumental in shaping cybersecurity policies. For instance, the Cybersecurity Information Sharing Act (CISA) of 2015 encourages voluntary sharing of cyber threat information between the government and private companies. This collaboration has led to the development of cybersecurity frameworks that are both practical and enforceable, setting a global standard for cybersecurity best practices.
Similarly, in the European Union, the General Data Protection Regulation (GDPR) has set a high bar for data protection and privacy, influencing global cybersecurity standards. These examples underscore the importance of private sector involvement in shaping effective cybersecurity policies.
Counterarguments and Future Directions
Critics may argue that multistakeholder approaches can lead to slower decision-making processes and potential conflicts of interest. However, the benefits of inclusive engagement far outweigh these challenges. By involving diverse stakeholders, ASEAN can ensure that cyber norms are not only technically sound but also socially and politically acceptable.
Looking ahead, ASEAN should focus on continuous capacity-building and regular updates to its cyber norms checklist. This will help the region stay ahead of emerging cyber threats and adapt to the evolving digital landscape. Additionally, ASEAN should consider establishing a dedicated cybersecurity task force to oversee the implementation of cyber norms and address any challenges that arise.
