on

* Threat landscape in ASEAN Region
With information and communication technologies developing, terrorists are increasingly targeting critical infrastructures in order to accomplish their objectives. In Malaysia, a ISIS-related hacker group, called AnonGhost, hacked the Facebook and Twitter accounts of the Royal Malaysian Police by changing the profile photo and cover image. In addition, The Cyber Caliphate hacking group attempted to hack the Malaysia Airlines website in January 2015 causing the website to become inaccessible. Because of the super-connectivity of cyberspace, in order for countries to keep their critical infrastructure secure, cooperation at public-private and international level became essential.

* Background and Objectives
International efforts have been concerted to deal with cybersecurity threats of critical infrastructures. UN General Assembly adopted resolutions on "Creation of a global culture of cybersecurity and the protection of critical information infrastructures" in 2004, and "Creation of a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures" in 2010. Furthermore, UNGGEs are continuously discussing this matter and publishing reports since 2004. In the ASEAN region, leaders of both ASEAN and Australia in March 2018 agreed to promote cooperation on cybersecurity by signing a Memorandum of Understanding to combat international terrorism and their use of ICTs to spread their ideology. The ASEAN-Japan Cybersecurity Capacity Building Centre has been established in 2018 to develop the cybersecurity workforce in ASEAN. In 2019, ASEAN Singapore Cybersecurity Centre of Excellence (ASCCE) has been established to conduct training and research, to train national CERTs in ASEAN, and to promote information-sharing between national CERTs. Incorporating these efforts, our team would like to suggest practical and effective cooperative measures to protect critical infrastructures from terrorists use of ICTs.

* Solutions

Here are some solutions to protect critical infrastructures from terrorist use of ICTs.

   •Self-assessment

As first step, countries should establish their own understanding of their critical infrastructure as below.
•Determine the scope and definition of your critical infrastructures (such as transportation, water and food supplies, public health, energy, finance, emergency services).
•Assess the role of ICTs in your critical infrastructures.
•Identify the possible cybersecurity threats against your critical infrastructures from terrorists and its impact on your economy, national security, critical infrastructures and civil society that must be managed.
•Determine the goals of critical infrastructure protection and examine the current level of implementation.
•Seek the major international partner states and private entities to develop your security goals.

   •Cooperative measures 1: Exchange of information

According to the 4th UNGGE recommendations, “States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs…” Information sharing as below is necessary before and after the terrorists attacks on critical infrastructures. Before the attacks, states need develop their own strategies and capabilities by sharing information on their vulnerabilities and best practices. In investigating cyber activities of terrorists, it is essential to share information on digital footprint which may be left during their activities.
•Share information regarding vulnerabilities of your critical infrastructures and the possible threats and incidents against them from terrorists.
•Share best practices in keep critical infrastructures secure from cyber threats of terrorists.
•Cooperate in information-sharing requests from other States in investigating the use of ICTs for terrorists.
•Facilitate the tracing of attacks on critical information infrastructures and, where appropriate, the disclosure of tracing information to other States.

   •Cooperative measures 2: Capacity building

According to the 4th UNGGE Report, States are encouraged to further work in capacity-building, such as on forensics or on cooperative measures to address the criminal or terrorist use of ICTs. Some States may lack sufficient capacity to protect their critical infrastructure from terrorist use of ICTs. A lack of capacity, however, can make it an unwitting safe haven for malicious actors such as terrorists. Accordingly, states should cooperate in building capacity for the protection of critical infrastructures as follows.
•Conduct training and exercises to enhance response capabilities and to test continuity and contingency plans in the event of critical infrastructure attacks.
•Develop and coordinate emergency warning systems.
•Spread understanding that critical infrastructure protection is shared responsibility, meaning all States can learn from each other about the threats that they face and contribute to the effective response against the threats.

   •Cooperative measures 3: Public-private partnership

Cyberspace is used by diverse stakeholders, including governments, entrepreneurs and individuals. Cyber terrorism poses security threats to all of these stakeholders so public-private partnership is essential to secure the peaceful use of ICTs.
•Determine key stakeholders with a role in cybersecurity and critical information infrastructure protection
•For effective administration of the large amount of critical infrastructure, prioritize already identified critical infrastructure private actors, primarily the owners and operators of the privately owned critical infrastructures.
•Raise awareness to facilitate stakeholders’ understanding of the nature and extent of their critical information infrastructures and the role each must play in protecting them.
•Promote partnerships among stakeholders, both public and private, to share and analyze critical infrastructure information in order to prevent, investigate and respond to damage to or attacks on such infrastructures.
•Establish mutual reporting system and adjust and simplify the procedure of submission and approval of public-private partnership project proposals, including small-value PPPs in the critical infrastructure protection field.
•Involve the state bodies in the monitoring and control of public-private partnership critical infrastructure related projects.

Jinhyoung Hong, Dahea KIM, Han Ahrum CHONG