Challenges faced by small states in imposing consequences for malicious cyber activities
Benjamin Ang [Senior Fellow; Head of the Centre of Excellence for National Security (CENS), S. Rajaratnam School of International Studies (RSIS)]
► Two of the most notable cyberattacks on Southeast Asian states occurred in different countries but share one commonality: neither country has attributed the identity of the cyberattacker.
► Singapore and Vietnam are not the only Southeast Asian countries that have been cyberattacked but have not made attributions. There may be reasons why these small states have not made attribution of their cyber attackers. Attribution can be difficult to achieve because of technical reasons, and small states may lack the resources to investigate. Small states may also choose not to name the attackers for national security reasons, or to avoid escalating tensions with other countries. In contrast, the United States policy has been to publicly attribute cyber operations to foreign state actors, by formal statements, indictments, and sanctions.
► International cooperation between states may be more useful to small states in imposing consequences for malicious cyber activities, such as retorsion or coercive countermeasures.
► Despite all the challenges, it was noted at the Global Cyber Peace Regime conference in Seoul in 2023 that there is a growing recognition of the need for international cooperation in the attribution of cyberattacks. An independent international body for attribution of cyberattacks could help to address these challenges by providing a neutral forum for the investigation and attribution of cyberattacks and imposing consequences for malicious cyber activity.
