CYBER SECURITY OPPORTUNITIES IN THE ASEAN REGION - Austrade
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
CYBER SECURITY OPPORTUNITIES IN THE ASEAN REGION
CONTENTS
Australian Cyber Security: 03 Malaysia 19
Protecting Innovation, Growth and Prosperity
Vietnam 23
Prospects for Australian cyber security in ASEAN03
Philippines 27
Cyber Security in Asean: 07
Background and Context Further information 32
Regional initiatives in cyber security 07 Trade events 33
Initiatives to increase collaboration 08 About Austrade 34
Singapore 09 About AustCyber 35
Indonesia 15
Disclaimer Copyright © Commonwealth of Australia 2019
This report has been prepared by the Commonwealth of Australia
represented by the Australian Trade and Investment Commission
(Austrade). The report is a general overview and is not intended to
The material in this document is licensed under a Creative Commons
provide exhaustive coverage of the topic. The information is made
Attribution – 4.0 International licence, with the exception of:
available on the understanding that the Commonwealth of Australia is
• the Australian Trade and Investment Commission’s logo
not providing professional advice.
• any third party material
While care has been taken to ensure the information in this report • any material protected by a trade mark
is accurate, the Commonwealth does not accept any liability for any • any images and photographs.
loss arising from reliance on the information, or from any error or
More information on this CC BY licence is set out at the creative
omission, in the report.
commons website: https://creativecommons.org/licenses/by/4.0/
Any person relying on this information does so at their own risk. legalcode. Enquiries about this licence and any use of this document
The Commonwealth recommends the person exercise their own skill can be sent to marketing-comms-helpline@austrade.gov.au.
and care, including obtaining professional advice, in relation to their
use of the information for their purposes. Attribution
The Commonwealth does not endorse any company or activity Before reusing any part of this document, including reproduction,
referred to in the report, and does not accept responsibility for any public display, public performance, distribution, dissemination,
losses suffered in connection with any company or its activities. communication, or importation, you must comply with the Attribution
requirements under the CC BY licence.
Using the Commonwealth Coat of Arms
The terms of use for the Coat of Arms are available from the It’s an
Honour website (itsanhonour.gov.au).
18-19-227. Published August 2019.
Cyber Security Opportunities in the ASEAN Region 01
02
AUSTRALIAN CYBER SECURITY:
PROTECTING INNOVATION,
GROWTH AND PROSPERITY
Australia is a cyber security innovator. Today, ›› Formal cyber security cooperation memoranda of
Australian cyber security expertise is at the forefront understanding (MOUs) signed with the Singaporean
of global developments in safety and security in the Government (June 2017) and the Indonesian
online environment. This prominence is supported Government (August 2018).
by Australia’s robust legislation, advanced law-
Engagement with ASEAN regional cyber security
enforcement capability, rigorous policy development
regimes provides an entry point for Australian
and strong technical defences.
expertise. At a commercial level, the potential market
The strong focus on cyber security by Australian for cyber security services in ASEAN is projected to
government and industry has led to the development almost triple over the next 5–6 years and reach
of new and innovative solutions that have commercial A$7.3 billion by 2025 (see Figure 1).
potential in global markets. Many Australian cyber
Each market in ASEAN offers a different level of cyber
security products can be easily incorporated into
security readiness across both government and
existing systems and platforms. This creates major new
business. As a result, each market is different – some,
opportunities for Australian cyber security products
markedly so. For example, Singapore is a large and
and expertise in Australia’s local Indo-Pacific region
competitive cyber security market servicing both local
– and the member countries of the Association of
and multinational business. The Singaporean cyber
Southeast Asian Nations (ASEAN).
security market alone is projected to be worth
A$913 million by 2020.
Prospects for Australian cyber security By contrast, large markets like Indonesia, the
in ASEAN Philippines and Vietnam are only now experiencing
rapid digitisation of core business processes in
Australia has a strong foundation of government- businesses and public institutions. This is driving
to-government cooperation with ASEAN member the adoption of modern cyber security services and
countries: Indonesia, Malaysia, Vietnam, Thailand, solutions in many institutions for the first time.
Myanmar, Laos, Cambodia, Singapore, the Philippines
Worldwide spending on information security – a
and Brunei. This international cooperation aims to
subset of the broader cybersecurity market – products
build resilience to cyber threats across the region.
and services exceeded A$162 billion (US$114 billion) in
It includes:
2018, an increase of 12.4 percent from 2017, according
›› The ASEAN–Australia Cyber Policy Dialogue to Gartner, Inc. For 2019, Gartner forecasts the market
launched in March 2018 will grow to A$176 billion and A$124 billion in 2022.1
Cyber Security Opportunities in the ASEAN Region 03
The Australian Trade and Investment Commission is the Australian Government’s agency
for promoting trade, investment and education. Working through nine offices across
ASEAN, Austrade helps Australian businesses to identify commercial opportunities
and to reduce the time, cost and risk of doing business overseas.
ASEAN represents an This report follows the successful business delegation
exciting growth opportunity to Singapore and Jakarta jointly delivered by
for Australian services and AustCyber and Austrade in 2018. It seeks to bring a
technology businesses, new level of detail for the Australian cyber security
because of its combination industry about the opportunities, challenges and latest
of scale, diversity and rapid trends across the diverse markets of the region.
modernisation. The region
Austrade sees it as an important priority to support the
brings together developed
success and profitability of Australian cyber security
markets such as Singapore and Malaysia with large
firms in ASEAN. We look forward to continuing this
and growing markets like Indonesia, Thailand, Vietnam
work together for the benefit of the Australian cyber
and the Philippines.
security industry.
Austrade works in partnership with AustCyber across
ASEAN, supporting Australian cyber security firms to Sally-Ann Watts
identify opportunities, build business relationships and General Manager ASEAN, Austrade
establish new markets.
04 Cyber Security Opportunities in the ASEAN Region
Established in 2017 as an independent, not-for-profit organisation, AustCyber is an
enabler for cyber security research and development in Australia, and part of the
federal government’s Industry Growth Centres initiative.
Australia’s cyber security Our Sector Competitiveness Plan, published in
sector is one of the newest 2018, outlines a strategic action plan that can be
sectors of the economy. It implemented to foster the growth of Australia’s
is the cornerstone of both cyber security sector and capitalise on Australia’s
Australia’s national cyber competitive advantage within the global digital
resilience and prosperous economy. It is available at: austcyber.com/resources/
economic future, driven by sector-competitiveness-plan.
digital change. AustCyber
AustCyber’s partnership with Austrade on the
brings together businesses and researchers to develop
development of these market insight reports is an
the next generation of products and services that are
important step in helping Australian cyber security
needed to live and work securely in our increasingly
companies to scale and grow. Together, we will
connected world.
deepen existing commercial pathways and develop
AustCyber’s mandate is to grow a robust and new export opportunities with our regional partners to
competitive cyber security sector that delivers bring Australian cyber security to the world stage.
economic, as well as security, benefits. AustCyber
is maximising the potential of innovative and deep- Michelle Price
tech cyber security scale-ups, expanding commercial Chief Executive Officer, AustCyber
opportunities for cyber security across the entire
Australian economy, and bringing Australian cyber
security products and services to the global market.
Cyber Security Opportunities in the ASEAN Region 05
06
CYBER SECURITY IN ASEAN:
BACKGROUND AND CONTEXT
The ASEAN region presents an excellent strategic and The need to protect fast-evolving digital economies
commercial opportunity for Australian cyber security creates a vast, addressable market for cyber
firms. The region is already a core part of the world’s specialists. The US-based Asia Pacific Risk Centre
economy. ASEAN economies are fast growing and projects that the global cost of data breaches to
the region’s population is growing rapidly as well: the businesses in the region will be approximately
region is set to become the equivalent of the world’s A$2.8 trillion by 2020. 5
fourth-largest economy by 2030, with a current
population of around 637 million people. 2 Digital
disruption across the region has been rapid, and the
Regional initiatives in cyber security
demand for digital goods and services is accelerating.
As ASEAN economies thrive, their digital threat Two factors make it difficult for law-enforcement
landscape has expanded. This has triggered demand authorities to investigate cybercrime and malicious
for all types of cyber security and across all types of cyber attacks in the region: the complexity of motives
organisations – from government agencies to app for the attacks; and the fact that most are cross-border
developers. According to A.T. Kearney, countries within operations. The key to success in combatting such
ASEAN are being used as a launch pad for malicious cybercrime therefore must include the harmonisation
cyber activities. Vietnam, Indonesia and Malaysia are of laws against cybercrime and a commitment
global hotspots for malware attacks.3 to collaboration.
Figure 1. Spending on ASEAN cyber security
6 CAGR 2015–2025
■ Singapore 12%
■ Malaysia 15%
5 ■ Indonesia 23%
■ Thailand 12%
■ Philippines 19%
4 ■ Vietnam 16%
■ Rest of Asia 17%
Spending US$ bn
3
2
1
0
2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025
Source: A.T. Kearney4
Cyber Security Opportunities in the ASEAN Region 07
ASEAN is increasingly focused on the threats and Initiatives to increase collaboration
opportunities presented by cyberspace, and the need
for regional cooperation. For example:
To bolster cyber security protection, ASEAN members
›› Last year ASEAN Leaders released a joint are considering cooperation in four key areas:
Statement on Cybersecurity Cooperation, affirming
1. I mplementing a rapid action cyber security
the need to build close cooperation and develop
(RAC) framework, to elevate cyber security on
capacity-building initiatives.6
the regional policy agenda. The RAC comprises a
›› The ASEAN Political–Security Community 12-point action agenda for governments to address
Blueprint 2025 also addressed the need to combat rifts in policies, strategies and legislation related to
cybercrimes through regional collaboration.7 cyber security.
This blueprint advocates the strengthening of 2. Sustaining a commitment to cyber security,
cooperation between all 10 ASEAN member states which should include reducing the regional cyber
in battling cybercrimes, taking into account the security spending gap. It should also include
need to develop or improve appropriate laws to using a cyber-hygiene dashboard to define and
address cybercrimes. The blueprint also advocates track metrics.
fortifying public–private partnerships to enhance
3. Encouraging public–private alliances that foster a
information sharing.
risk-centric mindset in the corporate sector, creating
Currently, only Singapore, Malaysia, Thailand and a threat-sharing intelligence culture and bringing
Vietnam have drafted cyber security bills. Some cyber resilience to the supply chain.
member states have executed data protection or
4. Addressing the shortage of cyber security skills,
privacy laws, but according to A.T. Kearney8 not all
and enhancing global-local partnerships within
countries in ASEAN have made substantial progress.
the industry. This includes adopting research and
Of particular regional concern is the lack of investment development in innovative technologies, which is
in cyber security among ASEAN countries. Spending seen as an essential enabler for tackling unforeseen
on cyber security in ASEAN is estimated to have been threats.11
A$2.54 billion in 2018, which is only approximately
0.06 per cent of regional gross domestic product (GDP).9
In contrast, Australia alone spent an estimated A$3.8
billion in 2018 – a figure expected to grow in 2019.10
08 Cyber Security Opportunities in the ASEAN RegionSINGAPORE
Overview training in cybersecurity skillsets; and joint
cybersecurity exercises with a focus on the protection
of Critical Information Infrastructure. It also includes
Singapore has established itself as a global financial
collaboration on regional cyber capacity building and
centre and a regional trade hub. Today, Singapore has
confidence-building measures.12
the world’s second-busiest port and the city’s financial
sector is a gateway for investments from across the
Asia Pacific. Its pro-business environment and forward-
looking economic policies make the country attractive Singapore’s cyber security environment
as a springboard to emerging markets in Asia. More
than 4,200 global businesses have set up regional
In 2013, Singapore launched the five-year National
headquarters operations in Singapore.
Cyber Security Masterplan 2018 (‘Masterplan’) to
Singapore is also one of the world’s safest cities. further secure Singapore’s cyber environment. The
Across Asia, it is trusted for its integrity, quality, Masterplan is a multi-agency effort led by the Info-
reliability, rule of law and enforcement of intellectual communications Media Development Authority of
property rights. In global terms, Singapore has Singapore (IMDA) under the guidance of the National
exceptionally high regulatory standards. Infocomm Security Committee.
The city-state has not been spared from the rise As a result, the Singapore Cyber Security Agency
of cyber threats and cyberattacks, however, and (CSA) was formed in 2015 to develop a national
the Singaporean Government takes a serious strategy to handle cyber threats. The strategy aims to
view of cyber vulnerabilities. The government has coordinate public and private sector efforts to protect
devised and implemented various policies to bolster national systems in 11 critical sectors from increasing
defences against the growing threat of cyberattacks. cyber threats. These sectors include power, transport,
These include: telecommunications, airports and banking.
›› strengthening the city’s governance and In 2016, the government launched a National Cyber
legislative framework Security Strategy, which sets out Singapore’s vision,
goals and priorities for cyber security. It focuses on
›› addressing the shortage of skilled cyber coordinating action, and facilitating international
security professionals partnerships to ensure resilience and trust in
cyberspace. The strategy sets out its vision, goals
›› upgrading and training new talent
and priorities for cyber security, with a focus on
›› encouraging the development of deep, niche skills coordinated action and the facilitation of international
in cyber security amongst young professionals. partnerships. Singapore’s Ministry of Defence has also
established the Defence Cyber Organisation (DCO)
In June 2017, Singapore signed a MOU with Australia
to monitor and defend the Singapore Armed Forces’
that outlines cybersecurity cooperation in key
(SAF) networks from cyber threats.
areas, including: regular information exchanges on
cybersecurity incidents and threats; the sharing of
best practices to promote innovation in cybersecurity;
Cyber Security Opportunities in the ASEAN Region 09Market trends ›› The attacker used modified open source tools that
evaded anti-virus software.
According to Gartner 13, Singapore’s cyber security ›› The malware that the attacker used fitted the profile
spend is expected to outpace the global growth trend of an advanced persistent threat (APT) group.
in 2019. Spending on information security products
and services in Singapore hit S$1.05 billion
Other recent attacks
(A$1.1 billion) in 2018, and could grow by another
10 per cent to reach S$1.15 billion (A$1.21 billion) in There have been other digital security events, however,
2019. This is up from S$997 million (A$1.05 billion) which have increased awareness of the importance of
in 2017. cyber security in Singapore. These include:
Singapore has recently experienced several high- ›› January 2019: American fraudster Mikhy K
profile digital attacks. In mid-2018, hackers broke into Farrera-Brochez leaked the confidential records
the health records systems of SingHealth, Singapore’s of 14,200 individuals diagnosed with the human
largest healthcare organisation. The hackers stole immunodeficiency virus, including those of 5,400
the personal data of 1.5 million patients as well as Singaporeans and permanent residents.
the outpatient medical records of 160,000 people,
including the medical records of Prime Minister Lee ›› February 2019: Human error led to about 7,700
Hsien Loong. It is considered the most serious breach people receiving the wrong healthcare subsidies
of personal data in Singapore’s history. under the Community Health Assistance Scheme
(Chas).
›› March 2019: A vendor to the Singapore Health
Recent cyber activity Services Authority (HAS) compromised the data of
more than 800,000 blood donors. It was revealed
that the information was illegally accessed and
The 2018 SingHealth cyber attack possibly extracted.
The SingHealth cyber attack was first detected on
July 4, 2018 by database administrators. Illicit access
had occurred more than four months earlier, and was Market access and opportunities
mostly likely gained via a phishing email opened on a
front-end computer at Singapore General Hospital. Market opportunities for Australian cyber security
The attacker then installed customised malware. companies include:
After compromising the initial computer, the attacker ›› Identity and access management
proceeded to distribute malware and steal credentials,
including user accounts and passwords. These ›› Advanced endpoint, network and cloud security
included details that ultimately gave access to the ›› Threat and vulnerability management
Electronic Medical Record (EMR) database. Theft of
personal health data occurred during the period 27 ›› ICS (industrial control systems) and Scada
June to 4 July. (supervisory control and data acquisition) security
›› Critical infrastructure information
Analysis of the attack
›› Artificial intelligence
Post-attack analysis and forensic investigations
revealed that: ›› Data analytics and protection
›› The malware was customised: it was uniquely ›› Internet of things (sensor technology)
tailored to the targeted systems, and had not been
observed elsewhere.
›› Blockchain and distributed ledger technology.
›› There were callbacks to an overseas command and
control server.
10 Cyber Security Opportunities in the ASEAN RegionAssessing market opportunities Qualifying criteria
Australian cyber security companies can investigate
»» All Singapore registered companies
are eligible for the scheme.
market-access opportunities through Singaporean
Government portals and initiatives, as well as through »» Overseas firms that are not registered
business development activities. Government portals in Singapore will need to partner with a
and initiatives include: company registered in Singapore.
»» The project should use Singapore as
1. The Government E-Business portal (GeBIZ):
a base to own, manage and exploit all
This is the Singapore Government’s one-stop
intellectual property rights developed.
e-procurement portal. All the public sector’s
invitations for quotations and tenders are posted
»» The project must not have commenced
at the time of application.
on GeBIZ. Suppliers can search for government
procurement opportunities, download tender Qualifying costs
documents and submit their bids online. Processing
can be completed within 72 hours if all criteria Funding support will be on a reimbursement basis
are met, with a small registration fee involved. for the following expense items: expenditure on
All Singapore Government and statutory boards manpower; equipment; professional services; and
are required to utilise GeBIZ for the purpose of other operating expenditures.
procurement. For more information, visit
Evaluation
gebiz.gov.sg
Proposals received by the Government Secretariat
Australian companies should take note of some key
will be submitted to an evaluation panel. If required,
considerations with regards to the government’s
the panel may convene to seek clarification from the
tendering process:
applicant. Under such circumstances, applicants will
»» Australian companies can tender directly be invited to give a short presentation. Proposals
under the Comprehensive Strategic will be evaluated according to: the quality of the
Partnership agreement, provided they meet proposed solution, including cost reasonableness;
the registration and tendering criteria. commitment from the cyber security end-user;
»» Non-sensitive opportunities are wider applicability; and the benefit to the industry
accessible on the GeBIZ website. team competency.
»» Success is not always dependent on lowest
For more information: csa.gov.sg/programmes/
price. For example, the Government prefers
proof-of-concept-scheme
bidders to provide in-country support, via
a local partnership or a subsidiary. 3. The CSA Singapore Common Criteria Scheme:
The Singapore Common Criteria Scheme (SCCS)
2. The CSA Co-innovation and Development
provides a cost-effective regime for the info-
Proof-of-Concept Funding Scheme: This scheme
communications industry to evaluate and certify
supports the co-development of innovative cyber
their IT products against the CC standard in
security solutions between solution providers and
Singapore. The SCCS is owned and managed
committed cyber security end-users. Through the
by the CSA. For more information: csa.gov.sg/
scheme, CSA provides funding support (based on
programmes/csa-common-criteria
milestone fund disbursement) up to a maximum
of S$500,000 (A$528,000) for up to 12 months.
The scheme aims to catalyse the development of
innovative cyber security solutions with the potential
to meet national cyber security and strategic needs.
The scheme is open to overseas organisations,
however they must partner with Singapore
companies if they do not have a registered
Singaporean entity.
Cyber Security Opportunities in the ASEAN Region 11Government initiatives and agencies 3. To grow Singapore’s cyber security ecosystem
CSA wants to see a strong cyber security sector
in Singapore capable of producing innovative
The Singapore Cyber Security Agency
solutions and talented manpower. CSA aims to
The Singaporean national agency responsible for achieve this by pursuing three objectives:
cyber security is the Cyber Security Agency (CSA). Its »» Establishing a professional workforce: CSA
purpose is to ensure high cyber resiliency for critical wants to encourage existing cybersecurity
infrastructure information, and it aims to create a safer professionals to develop their careers in the
cyberspace for Singaporean citizens, businesses and industry. It aims to achieve this by defining
government. The Singaporean Cyber Security Act clearer career pathways, promoting internationally
(2019) requires CSA to better prevent and respond to recognised certifications, and building strong
cyber-attacks. It also formalises critical infrastructure communities of practice. To grow the workforce,
information-owners responsibilities for cyber resiliency. CSA plans to attract promising students
CSA has three core functions: through scholarship and sponsorship programs.
They will also support new entrants to the
1. To protect critical infrastructure information profession through industry-oriented curricula for
students, and through up-skilling and re-skilling
Since its inception in 2015, CSA has worked closely opportunities for mid-career professionals.
with regulators across 11 sectors to understand the
»» Extending Singapore’s cybersecurity advantage
cyber risks they face and to put measures in place
through strong local companies: CSA wants
to manage these risks, as well as businesses and
to build up the local industry by attracting
individuals. CSA also conducts the multi-sector
and anchoring companies with advanced
Exercise Cyber Star, to test Singapore’s cyber
capabilities. It will also nurture start-ups to
incident management and emergency response
boost the development of niche and advanced
plans. Last July, more than 200 participants
solutions, and to grow local champions to
took part.
sustain strategic areas of interest. CSA will also
develop market opportunities to bring made-
2. To combat cybercrime in-Singapore solutions into the global market.
As a proportion of all crimes, cybercrime in »» Accelerating industry growth via innovation:
Singapore doubled from nearly 8 per cent in 2014 The National Cybersecurity R&D Programme
to 13.7 per cent in 2016. CSA is committed to the has set aside A$200 million from 2013 to 2020
protection of private businesses and individuals to support research into the technological and
through working with other agencies, such as human science aspects of cyber security. CSA
the Singapore Police Force, telecommunications will sustain this effort with world-class R&D
companies and internet service providers (ISPs). facilities and talent-development programs. They
will promote R&D collaboration between the
The implementation of ‘security-by-design’ Singapore Government, academia and industry.
policies is being complemented with highly
skilled professionals who can carry out security
validation processes rigorously and proficiently.
The introduction of CREST penetration testing Collaboration between industry
certifications and accreditations in Singapore and government
is one mechanism for raising professional
competency standards. To expand Singapore’s cyber security industry, the
CSA encourages industry partners with advanced
research and engineering capabilities to anchor their
advanced cyber security operations and activities
in Singapore. This involves the active support of
Singapore’s Economic Development Board (EDB). It
also leverages Singapore’s pro-business climate, and
an educated and highly skilled workforce.
12 Cyber Security Opportunities in the ASEAN RegionGovernment support for cyber security R&D Developing cyber security manpower
At the same time, CSA also supports the National At a global level, it is estimated there will be
Cybersecurity R&D (NCR) Programme. It aims to bring 3.5 million unfilled cyber security jobs by 2021.14 It is
together government agencies, academia, research also estimated there will be a potential talent gap of up
institutes and industry to collaborate on cyber security to 3,400 cyber security professionals in Singapore by
research. CSA has also recently launched a funding 2020.15 The Singaporean Government have established
scheme for proof-of-concept projects. This scheme initiatives to develop cyber security talent, including:
aims to support the development of innovative cyber
security solutions by Singapore-registered companies
›› Increasing the number of cyber security
scholarships available under the National
that would meet national cyber security needs.
Infocomm Scholarship Programme in conjunction
For more information, visit: nrf.gov.sg/programmes/
with industry partners
national-cybersecurity-r-d-programme
›› Supporting the Cyber Security Associates and
Supporting cyber security startups Technologists (CSAT) Programme, which aims to
facilitate the conversion of professionals in related
CSA aims to grow the pipeline of cyber security
fields – such as ICT and engineering – to cyber
startups in Singapore. CSA and the Infocomm Media
security professionals. (Under the CSAT Programme,
Development Authority (IMDA) will be supporting
industry partners provide on-the-job training for
SingTel Innov8 and NUS Enterprise, in building up
fresh and experienced professionals to help them
Singapore’s first cyber security start-up incubation hub.
prepare for cyber security roles.)
Other innovation-focused programs are also being
delivered in Singapore by local entities including Block ›› Establishing the Cyber Security Agency of
71. For more information, visit: ice71.sg Singapore (CSA) Academy, which partners with
leading industry training providers to provide
intermediate- to advanced-level training in niche
cyber areas that are currently not available in the
market.
Cyber Security Opportunities in the ASEAN Region 1314
INDONESIA
Overview markets. The market is less competitive but growing
fast, as established industries – which include banking,
retail, health, public services and infrastructure –
With the establishment of a national cyber security
become networked and digitally enabled.
agency, Badan Siber dan Sandi Negara (BSSN), in
January 2018, cyber security officially became part of Although there is an increased focus on cyber security,
Indonesia’s critical infrastructure. BSSN is now creating many institutions in Indonesia continue to under-invest
standards for industry to support the resilience of or face skills shortage-related barriers to implementing
Indonesian business and government. sophisticated cyber security solutions. This includes
the skills shortages in technical teams and senior
International collaboration is a core element in
management. Indonesia has been estimated to
Indonesia’s cyber security strategy. In September 2018,
spend 1.6 per cent of GDP on digital infrastructure
Indonesia signed a bilateral MOU on cyber security
(compared to 4.5 per cent in Malaysia or 6.6 per cent
cooperation with Australia. This made Indonesia only
in Singapore).16 This provides significant scope for an
the second country to establish a formalised cyber
acceleration in cyber security spending in Indonesia.
security relationship with Australia – after Singapore.
The MOU affirms Indonesia’s view of Australia as a
partner in building its cyber security resilience, and
establishes policy and capacity building support as a Market trends
foundation for commercial engagement.
In Indonesia, a combination of rapid commercial Indonesia represents an emerging opportunity for a
modernisation, an increasing awareness of cyber range of Australian cyber security capabilities. Overall,
security risks, and a paucity of domestic solutions is Indonesia’s cyber security spending is forecast to
generating great interest in global cyber solutions. This increase from A$350 million to A$1 billion17 between
trend is apparent across a range of sectors including 2018 and 2025. Australian companies should note,
finance, e-commerce, enterprise and digital consumer however, that the opportunities differ markedly from
services. In addition, there is strong interest from those found in established and competitive markets
universities and training institutions to improve their such as the United States or Singapore.
cyber security training capabilities, which would enable
A widespread trend in Indonesian business is the
Indonesia to add to its existing professional workforce.
digital modernisation of organisations such as banks,
hospitals and other large corporations. In the first
instance, this involves shifting organisations from
Indonesia’s cyber security environment paper-based systems to integrated networks. In
many sectors, these integrated networks are linked
to online government systems – for example, for
Indonesia accounts for 40 per cent of the population
public procurement, or for public health services, or
of ASEAN and approximately the same proportion
for payments.
of the region’s gross domestic product. Despite the
heavy use of mobile internet – and digital consumer
and business services – the addressable market for
cyber security solutions is smaller than in established
Cyber Security Opportunities in the ASEAN Region 15Alongside progressive digitalisation, Indonesia is Opportunities for Australian companies
experiencing a new wave of large scale digital-first
In terms of cyber security, the two largest sources of
businesses. These include businesses involved in
demand are probably financial services companies
health, education and fintech, as well as e-commerce
and the public sector. From work undertaken by
businesses. In general, these businesses are heavily
Austrade across a range of sectors, it appears that
internationalised in terms of internal technology
opportunities can be divided into three categories:
development. They deal with large volumes of sensitive
data and engage with large numbers of users via ›› Industries
mobile devices. They seek cutting edge capabilities
»» Established industries that are modernising their
and security for their competitive advantage.
operations and need to deliver basic security in
Indonesia can be a challenging market to enter from a networked environment. This includes sectors
a regulatory perspective. It should be noted that such as banking, telecommunications and health.
almost all new entrants work with Indonesian partners. »» Digital-first, high-growth businesses that
Key Indonesian industries rely on a wide range of seek sophisticated and cutting edge solutions
established solutions integrators and other businesses comparable to international best practice.
for their technology needs, and commonly work with This group includes fintechs, e-commerce
highly regarded international firms. platforms and digital health providers.
»» Public sector organisations. Austrade
has observed that cyber security services
Recent cyber activity are in particular demand in several areas of
ICT. This applies to organisations involved
in government services, banking, fintech,
It is estimated that more than 232 million cyber attacks
telecommunications, health and resources.
occurred in Indonesia in 2018.18 This makes Indonesia
one of the world’s most-targeted countries for cyber ›› Personnel
attacks. »» Skilling for cyber security. With demand
exceeding supply for cyber security skills –
As governments, private sector businesses and other
and cyber security-literate IT professionals –
institutions become networked organisations – and
Indonesian businesses face critical and growing
as individuals conduct more of their affairs online and
talent shortages. Austrade has engaged with a
via mobile phones – digital vulnerability has become a
range of businesses that have growing skills needs
critical issue. To increase Indonesia’s cyber resilience,
as well as local universities and training providers.
investment is required across multiple areas, including
policy, regulation, corporate capability and workforce »» Potential partners. Austrade has identified
skills. a range of providers looking for education
partnerships to bridge the skills gap.
Opportunities include train-the-trainer
models, short courses, visiting lecturers and
Market access and opportunities the delivery of Australian certifications. Key
players include Hacktiv8 and Purwadhika.
In general, Indonesian businesses are already
internationalised in terms of their software and ICT.
›› Technologies
Approximately 60 per cent of ICT and software »» Implementing and securing the cloud.
solutions in Indonesia are foreign-sourced and 30 Indonesian businesses that have traditionally
per cent are jointly developed with Indonesian firms.19 worked with local data storage and single data
There are only a few domestically developed cyber centres are increasingly adopting cloud solutions
security technologies or solutions, which indicates for data and computing. Ongoing uncertainty
that ICT is an area in which foreign businesses can about data sovereignty rules is a key consideration
succeed commercially. across a range of industries however, so local
cloud solutions are often preferred or required.
Currently, the key players in cloud migrations
are Microsoft, Telkomtelstra and Alibaba.
16 Cyber Security Opportunities in the ASEAN Region»» Mobile applications and identify authentication. Education and training for a cyber
Mobile web and native applications are a resilient economy
key channel for all industries as mobile and
The availability of cyber security skills is a key
digital services are enthusiastically adopted by
challenge in Indonesia. Demand for cyber security
consumers. Digital banking and payments are
professionals is not currently being met by the
heavily mobile-focused, and so are e-commerce
workforce or by local institutions. The essential building
activities. Consequently, the mobile phone is a
blocks of a cyber security workforce – in terms of the
key source of user identification for almost all new
national curriculum or established courses – are only
mass-market services. In Indonesia, most apps are
partially developed.
developed for Android first as this mobile operating
system has a market share of over 90 per cent. For example, Kominfo estimates that Indonesia’s digital
»» Big data and data analytics. A range of leading industry requires 600,000 newly skilled workers per
Indonesian firms are looking to advanced artificial year to support the full range of Indonesian corporates,
intelligence (AI) to drive innovative features public institutions and small to medium businesses
and other competitive advantage. For example, with established IT functions. 20 This is well beyond the
Bukalapak (an online shopfront platform and one capacity of current universities and delivery models.
of Indonesia’s four tech unicorns) has built a R&D
centre focused on AI to support its business. A commercial pathway to the delivery of high-standard
Meanwhile, the scale of Indonesia’s e-commerce qualifications or other skilling outcomes in cyber
and ride-sharing businesses in general create security (such as digital forensics and related areas)
large volumes of consumer data. Solutions for data is not yet clear. However, this is an area where new
protection, AI and identity management all have partnerships with international education institutions
relevance to this trend. Key players include Kata.ai. are being actively explored by a range of Indonesian
firms and institutions.
Government initiatives and agencies
The two main government institutions responsible
for cyber security matters are BSSN and Kominfo
(the Ministry of Communications and Information
Technology). The Indonesian Government is proactive
in terms of policy development and in developing
improved standards for industry. For example, BSSN
has identified 10 areas of critical national infrastructure
that are vulnerable to cyber attack. These 10 areas
are now subject to priority action by the Government,
and comprise: law enforcement; energy and mineral
resources; transportation; finance and banking; health;
ICT; agriculture; defence; emergency response; and
water treatment.
In 2007, Kominfo also established an agency that
specifically focusses on telecommunication networks
security, called ID-SIRTII. Its duties include monitoring,
early warning and detection systems, and legal action
regarding cybersecurity disputes. ID-SIRTII is also
responsible for creating a secure environment for
internet-based communications within the country.
It serves as a coordination centre for issues related to
cybersecurity.
Cyber Security Opportunities in the ASEAN Region 1718
MALAYSIA
Overview European solution and equipment providers, who
operate in Malaysia through traditional distributor
models.
Information security is becoming a top priority across
Malaysia’s government organisations and industry. Key providers in the market include; FORTINET, DXC
As a result, Malaysia’s cyber security landscape is set Technology, Palo Alto Networks, Cyber Test Systems
to develop into a strategic and expansive network of and WISEKEY International Holding, among others.
government regulatory bodies, training agencies and Recent corporate activities include:
private services providers.
›› Cyber Test Systems (France), which provided
Currently, Malaysia is outpacing its ASEAN neighbours some US$578,000-worth of hardware to simulate
in terms of international engagement for company highly complex cyber-attacks in a hyper realistic
emergency response teams (CERTs), cybercrime environment for the Asia Pacific University’s Cyber
awareness and digital economy. Malaysia is also Security Talent Zone
currently developing the ASEAN Regional Forum
(ARF) Cyber Security Work Plan, which is a joint plan ›› DXC Technology (USA), an end-to-end IT services
for cyber security among ARF member countries. company, which opened its DXC Next Generation
To that end, Malaysia – together with Australia – has Security Operations Center (SOC) in Kuala Lumpur
developed the Cyber Point of Contact. This database to support its expansion into the Asia-Pacific
contains a list of liaison officers in member countries
›› WISEKEY International Holding Ltd
who can provide assistance and cooperation during
(Switzerland), a cyber-security IoT platform
cyber threat incidents or attacks.
company, will establish a Centre of Excellence
Malaysia’s digital economy agenda has raised the in Malaysia to support the creation of a tailored
profile of information security in Malaysia. The demand ‘Trusted Blockchain as a Service Platform’ through
for cyber security solutions is growing, and an its strategic partnership with Cendee Sdn Bhd
increasing number of enterprises are delaying digital (Malaysia).
transformation projects because of the fear of cyber
In light of global trends, there is now a push for cyber
risks. While a dedicated cyber security bill is currently
security across industry sectors. However, creating a
under review, there are several applicable laws in
formalised strategy for information security remains
place that contain critical cyber policies that govern
an undervalued priority in Malaysian businesses. In
cybercrimes, information security requirements, and
general, there are currently no minimum protective
incident reporting requirements in Malaysia. 21
measures across critical sectors, although the
government has stipulated ISO/IEC 27001 Information
Security Management Systems as the baseline
Malaysia’s cyber security environment standard for information security.
In addition, the sector is fragmented in terms of
Malaysia has a wealth of home-grown, professional ICT the multitude of government agencies, regulatory
security services that primarily provide consultative frameworks and a wider strategy for the nation’s
and penetration-testing services. This solid foundation cyber security. The market is moving towards a
has been complemented by traditional US and
Cyber Security Opportunities in the ASEAN Region 19robust partnership model, merging the provision of Malaysia’s digital economy
local services with foreign technology to provide
comprehensive solutions to meet growing information
The World Bank has ranked Malaysia second in
security needs.
ASEAN and 23rd in the world for digital economic
development. Malaysians are among the most digitally
connected in the world, and the Malaysian government
Market trends has invested heavily in digital technologies to
modernise its systems and processes.
According to the Ministry of Communication and In recent years, ‘Industry 4.0’ technologies and
Multimedia, Malaysia is one of the top-three markets e-commerce have been key drivers for development
for cyber security in ASEAN. Spending on technology across government and industries in Malaysia.
products and services in Malaysia was forecast to The Malaysian Government is eight years into an
exceed A$22.4 billion (US$15.6 billion) in 2018. 22 ambitious 10-year digital economic transformation
plan and has introduced several policies to realise the
Malaysia is largely a professional security services
potential of the digital economy.
market with well-established, managed-security
service providers engaged by both government The Malaysian Digital Economy Corporation has been
and private industries. Malaysian enterprises are the lead agency on this issue since 1996 and supports
prone to use penetration tests to test the security of a number of initiatives that seek to enhance digital
their applications, network or systems, and to meet business. These include: MSC Malaysia Cybercentres;
compliance needs – whether internal or mandated by Digital Hubs and Cybercities; the Commercial Vehicle
government. Licensing Framework for ride-sharing services such as
Uber; the P2P Financing Framework; and the Fintech
An expanding threat landscape is driving the demand
Regulatory Sandbox.
for professional security services and a growing
shortage of cyber professionals. Other trends include:
›› In the secure content management market
(specifically email and web security), Malaysia
Recent cyber activity
continues to be ranked second in ASEAN, holding
24.4 per cent of market share and recording In 2017, Malaysia experienced a large leakage of user
13.3 per cent growth during 2017. information from more than 46 million mobile users. 23
The incident has prompted businesses to pay more
›› Malaysian organisations spent US$10.4 million on attention to user data protection and compliance.
sandboxing solutions or 17.6 per cent of the 2017
market share in ASEAN. In 2017, spending on cyber Over 8,000 cybercrime cases were reported in 2018. 24
security saw a tremendous, year-on-year increase Targeted security incidents included fraud, intrusions,
of 44.9 per cent. This made the Malaysia cyber cyber harassment and distributed denial of service
security industry the fastest growing in the ASEAN (DDoS) attacks. As a result, cyber security awareness
bloc. is on the rise, with Malaysia forecasted to register an
accelerating growth rate in its cyber security industry,
›› Malaysia’s cyber security industry is forecast to and a CAGR of 13.1 per cent between 2017 and 2022.
grow at 28.9 per cent (CAGR) between 2017 and This will deliver ASEAN’s largest cyber security market
2022 and generate US$37 million by 2022. This by 2022, with a 22.2 per cent market share.
equates to 15.2 per cent of the overall regional
market share, which means Malaysia will remain the
second-largest market in the ASEAN region.
›› The cloud-based services segment is likely to grow
briskly from 2017–2022, at a CAGR of 39 per cent.
The adoption of on-premises solutions however
continues to take precedence over cloud-based
services.
20 Cyber Security Opportunities in the ASEAN RegionMarket access and opportunities Key customer segments in Malaysia include:
›› Banking, financial services and insurance (BFSI)
There are currently multiple opportunities for
internationally based cyber security organisations ›› Government
to sell services in Malaysia. These include a market
›› Service providers
need for hardware and software to counter advanced
persistent threats (APTs), as well as general attacks on ›› ICT-enabled services
information technology (IT) and operational technology
(OT). There is also demand for: ›› Power and energy companies.
›› Cyber security solutions in the financial and
telecommunications sectors, and government-
linked agencies
Government initiatives and agencies
›› The development of information-exchange A national awareness plan for the management of
mechanisms, and subsequent promotion cyber security and cyber crime is being developed by
the National Cyber Security Agency (NACSA), and is
›› Improved reporting of information security events
expected to be implemented in January 2020.
›› Improved responses to information The plan will target children, youths, adults and
security incidents parents, as well as organisations.
›› Standardised information security policy, In addition, the Malaysian Government has instigated a
business continuity management and risk number of industry and collaborative programs:
management frameworks
›› CyberSecurity Malaysia (CSM) has signed the
›› Standardised minimum or mandatory information relevant terms of reference to become the first
security requirements corporate supporter in Asia to join The Intelligence
Network26 – an industry initiative launched by BAE
›› Extending the breadth and depth of information
Systems in July 2018.
security education and awareness programmes
›› In April 2019, CSM launched the Cyber security
›› Building capacity in qualified and experienced
Malaysia Collaboration Programme (CCP), a
information security professionals and law
public–private partnership for Malaysia-registered
enforcement personnel.
companies that provide cyber security products
The demand for cyber security talent in Malaysia will and services.
likely hit 10,500 by 2020.
›› Bank Negara Malaysia (BNM) is slated to launch
its Risk Management in Technology policy this year,
to provide guidelines for financial institutions to
Customer segments combat the rise in cyber crime.
BNM issued the exposure draft of its Risk Management
One curious aspect to the cyber security market in
in Technology policy in September 2018. This policy
Malaysia is that the priority placed on information
outlined BNM’s expectations for risk management
security has at times been a roadblock to digital
frameworks and optimal practices for financial
transformation projects. In effect, organisations delay
institutions based on their size and complexity.
creating new digital capabilities for fear of creating
The policy would apply to all licensed financial
security vulnerabilities.
institutions when adopting new technological
In a recent study by Microsoft, it was revealed that innovations, including banks, insurers, takaful operators
more than half of organisations surveyed in Malaysia (who conform to sharia protocols for insurance
have either experienced a cyber security incident and financiers), prescribed development financial
(17 per cent) or are not sure if they have had one, as institutions, operators of a designated payment system
they have not performed proper forensics or a data- and eligible issuers of e-money.
breach assessment (36 per cent). 25
Cyber Security Opportunities in the ASEAN Region 2122
VIETNAM
Overview There is a general recognition within the Vietnamese
information technology (IT) industry that foreign
companies have been particularly successful at
The Vietnamese Government views digital
providing quality cyber security solutions in Vietnam,
transformation across the broader economy as critical
in comparison to domestic competitors.
to continued growth and prosperity. It has a national
agenda for utilising ‘Industry 4.0’ technologies to
improve productivity and accelerate economic growth.
Recent government policy aims to develop new digital Market trends
infrastructure, including in government services, and
to promote the development of Vietnam’s ICT industry
There is a national movement across government and
and innovation ecosystem.
industry in Vietnam towards digital transformation.
Vietnam’s public and private sector cyber security When combined with relatively weak existing
capabilities are still relatively weak, however. This cyber security capabilities, the result is that many
presents a challenge, particularly as Vietnam attracts organisations are actively looking for quality cyber
increasing attention from hackers. In addition, there is security solutions. In particular, this includes
a shortage of cyber security personnel who are skilled organisations in financial services, healthcare, small
and knowledgeable. Nevertheless, cyber security and medium-sized enterprises, and government
software and services vendors are likely to find multiple agencies.
opportunities for growth in Vietnam, as spending on
A related trend is the increased adoption of cloud
cyber security increases faster than elsewhere in the
services computing. Today, an increased awareness
ASEAN region – by 16 per cent per year.
of the benefits of cloud-based services among
decision makers in the public and private sectors
means that cloud computing delivery models are
Vietnam’s cyber security environment becoming popular.
According to research by the National University of
Vietnam’s cyber security spending is forecast to Singapore Lew Kwan Yew School of Public Policy,
increase from A$156 million to A$466 million between 57 per cent of firms with more than 50 employees
2018 and 2025. 27 This means Vietnam’s cyber security were using cloud services by 2017. In the public
industry will experience one of the highest spending sector, 62 per cent of central government agencies
growth rates in the ASEAN region, with CAGR of 16 per and 45 per cent of local agencies use at least one
cent between 2015 and 2025. 28 Increased investment cloud service.
in cyber security capabilities will address gaps in
infrastructure security and lead to the development of
more sophisticated managed services.
Cyber Security Opportunities in the ASEAN Region 23Recent cyber activity Market access and opportunities
According to the Vietnam Computer Emergency A business license is likely to be required from the
Response Team (VNCERT), which is part of the Ministry Ministry of Information and Communications (MIC) in
of Information & Communications (MIC), Vietnam Vietnam in order to provide cyber information security
recorded 4,035 cyber attacks in the year to May 2019. services and products in Vietnam (see Decree No.
Vietnam’s computer networks suffered more than 108/2016/ND–CP for detailed regulations). To date, MIC
10,000 cyberattacks in 2017, causing losses of about has granted licenses to 56 companies to provide cyber
VND12.3 trillion (A$785 million). 29 There were over security solutions in Vietnam.
136,000 cyber security incidents in 2016, a four-fold
increase compared to 2015. In addition, according to Customer segments
the Vietnam Information Security Association (VNISA)
survey, about 3.2 million ransomware attacks were ›› Financial services
reported in 2014, and 3.8 million in 2015.
There is considerable potential for cyber security growth
International rankings indicate that Vietnam currently in Vietnam, as banks, insurers and asset managers all
scores poorly for cyber security in multiple areas: modernise to keep pace with the demand for digital
services and competition. It is expected that there will be
›› According to the Asia Cloud Computing increasing investments in Vietnam in online and mobile
Association’s Cloud Readiness Index 2018, payment systems, both front (mobile) and back-end
Vietnam’s score breakdown shows a weakness in (e-commerce), as well as the broader mobile banking
terms of cyber security and privacy.30 ecosystem. Leading players include large state-owned and
commercial banks, as well as small privately owned banks.
›› Vietnam registered 1.68 million IP blocks from
December 2015 to November 2016, and the country Currently, banks and financial services providers are
is number five in the world’s top countries from working with third party cyber security vendors to
which attacks against IoT devices originated in provide solutions to help them safeguard their data.
2016.31
The State Bank of Vietnam (SBV) encourages
›› According to the Security Index published by the cooperation between commercial banks and fintech
International Telecommunication Union of the companies. It also encourages enhancements to
United Nations, Vietnam ranks 101st among 193 cyber security and data management to safeguard
countries on ensuring cyber security, down 25 levels consumers’ interests and stabilise the banking system.
compared with 2016.32 SBV is pursuing financial inclusion in Vietnam, with
a focus on the development of digital payments to
›› According to Kaspersky,33 in quarter three of
reach out to a wider demographic. This means SBV will
2017, Vietnam ranked 2nd in the world in terms
pay increasing attention to the security and safety of
of computer malware with a 71 per cent infection
e-banking, mobile banking and digital transactions.
rate. At least 85 million malware items have been
identified in computer systems in Vietnam.34 ›› Healthcare
›› Vietnam ranks 14th in the world in terms of malware Connected healthcare is becoming a feature of the health
attacks through the internet.35 industry in Vietnam. The Vietnam Ministry of Health is
driving a national agenda towards smart healthcare, and
A shortage of qualified IT security professionals
one of the current initiatives is the implementation of
contributes to the challenges all companies face in
healthcare information systems. The Ministry plans to roll
ramping up their internal cyber security offering. Today,
out electronic medical records to all hospitals in 2019.
companies both large and small are starting to realise
that cyber security services must become an integral ›› Government
part of their normal internal IT department’s function.
The public sector has a central role in IT spending
in Vietnam. Currently, there is interest in the public
sector in implementing ‘Industry 4.0’ technologies and
applications, adopting e-government solutions and
implementing cyber security strategies.
24 Cyber Security Opportunities in the ASEAN RegionYou can also read
