Companies need effective information flows to manage and grow their business operations.  But as part of our ongoing work with the 16 governments in the Regional Comprehensive Economic Partnership (RCEP) trade talks, we know that officials often argue that data cannot flow without critical building blocks in place first.  Three important elements include cybersecurity, data privacy and consumer protection.

We have taken on the task of working with companies in the region to develop what we think are sensible regulatory frameworks for each of these areas.  These frameworks will be accompanied by indexes to track Asian government progress towards meeting specific elements.  

The first framework, on cybersecurity, is presented here and reprinted below.  The index to track progress is still under development but should be available on the ATC and ABTA websites shortly.  Companies interested in working with us on these pathways should contact us at info@asiantradecentre.org or info@asiabusiness.trade.

We had planned to present the cybersecurity framework to trade ministers in Singapore this weekend at the ASEAN Economic Ministers meeting.  After all, the first element of the framework argues that trade and economic officials must be involved in the process of setting cybersecurity policy and not default to defense or home affairs alone.  

Unfortunately, ASEAN places cybersecurity matters under the political and security architecture and not in the economic pillar.  It did not fit anywhere on the AEM agenda.

This rather proves the point--cybersecurity cannot simply be placed in the remit of security agencies, but must include a broader set of stakeholders including trade and economic officials.  

Given the current roadblock in ASEAN on the economic front, we used the parallel ministerial negotiations in RCEP to start rolling out this framework.  We believe that effective cybersecurity regulation benefits Asia.

ABTA Supports an Effective Cybersecurity Framework in Asia

The Asia Business Trade Association (ABTA) recognizes that a sensible cybersecurity framework is needed to help ensure that global trade flows can continue to flourish in the 21st century. As the digital economy has grown rapidly around the world, so has the importance of digital trade.

The movement, use and exchange of information not only drives global economic growth, but allows companies—especially small businesses—to incorporate into global value chains and sell goods and services directly to companies and customers around the world. Nevertheless, reliance on information networks has made businesses and governments vulnerable to complex and diverse array of cyber security threats.

Growing in volume, intensity and sophistication, cyber threats are global in nature and can pose serious risks to the global IT ecosystem on which economic growth and global trade depend. As a result, the need to protect information and identify the sources and nature of cyber threats have become a legitimate responsibility of governments seeking to foster trust in the IT ecosystem that underpins the growth of their digital economy.

Moreover, the implementation of cybersecurity policy regimes does not only concern critical economic and national security infrastructure, but the growth of IT and trade ecosystems. Cybersecurity laws and regulations can affect trade facilitation measures, the structure and efficiency of global supply chains, and the exchange of digital products across markets. Thus, while it is important that policymakers take risks seriously, it is instrumental that they ensure that measures improve security and yet do not threaten trade and economic growth.  Trade officials must be part of the solution.

In consideration of: (i) the need for policies that protect government and businesses against cyber threats and (ii) the importance of guaranteeing that those policies do not inhibit the exchange of ICT products and services, the Asia Business Trade Association has developed the following Cybersecurity Framework. The framework offers a series of best practices that governments in the region can follow to regulate their cybersecurity space and ensure they can take full advantage of the opportunities from trade and the digital economy.

1. Adopt a Comprehensive and Inclusive National Cybersecurity Strategy

 A national cybersecurity strategy sets out a nation’s overall approach to cybersecurity and allows it to situate national cybersecurity activities in the context of international cyber activities and of other activities affected by cybersecurity efforts. The strategy should be inclusive by allowing collaboration and coordination among key stakeholders, which include government agencies including trade ministries, industry, and academia and citizen groups. It should be comprehensive by incorporating critical infrastructure cybersecurity strategy and ensuring a functional interagency process. An inclusive and comprehensive strategy will ensure that trade and economic growth is not unduly compromised by an overly strong security focus.

2. Adopt Flexible and Outcome Focused Security Standards

Flexible and outcome focused security standards ensure that those who safeguard data and digitally supported services can better protect their systems. Cybersecurity threats evolve with technology and thus it is important that private and public entities have latitude to develop or adopt the most effective cybersecurity solutions.

Government procurement laws and security standards should specify security outcomes and leave the approach to meeting those outcomes to vendors. Over-reliance on government structures and regulatory enforcement such as domestic preferences and ownership requirements undermine security by restricting evolving security controls and best practices and insert long term barriers to trade, stifling innovation and economic development. For instance, domestic ownership requirement can lock out foreign IT vendors from major industrial sectors, raise costs for consumers, reduce pressures for innovation and discourage international firms from developing local partnerships.

3. Ensure that Regulations, Laws and Policies are Aligned with Internationally Recognized Technical, Certification and Testing Standards

 Timeliness and interoperability are critical for the growth of the information technology sector, which often depends on long and complex supply chains. The adoption of internationally recognized cybersecurity standards allows companies and government bodies to more quickly develop, distribute and adopt newer and more secure products offering consistency and interoperability across markets. The use of domestic technical, certification and testing standards, by contrast, adds extra steps and expenses to production processes and delays products from reaching their market. Thus, incompatible standards can make it difficult or impossible for companies, which depend on consistent and interoperable regulatory frameworks, to do business across Asian economies.

4. Protect the Privacy and Maintain the Integrity of Consumer Data

 Consumer data drives commercial activity online, and thus its protection is instrumental in creating trust and ensuring that emerging opportunities within the digital economy are fully leveraged.  Cyber laws should be carefully attuned to privacy considerations and ensure adequate remedies are available to individuals. Laws requiring the transfer or access to source code, encryption keys, security testing results and other proprietary information as a condition for the import, distribution, sale or use of the product, pose risks to privacy protection and provide little to no added security value. For instance, code or encryption keys disclosed by companies can be targeted by hackers.

5. Ensure the Free Flow of Information Across Borders

Technologies that allow the storage, processing and transfer of information across international borders drive global economic growth and are essential for trade in the digital age. Laws that restrict the cross-border transfer of data or impose data localization requirements make data more vulnerable to cyber attacks, forgo many of the security benefits of cloud computing technologies, and undermine the benefits of information technology that underpin the modern economy.