Background
The expected successful conclusion of the negotiations by ASEAN governments to create the Digital Economy Framework Agreement (DEFA) this year offers the promise to double the region’s digital economy, with estimations as high as US$2 trillion by 2030. However, as ASEAN’s digital economy grows, increased connectivity and technological advancements have led to a rise in sophistication and frequency of cyberthreats. Estimations project the top 1,000 ASEAN companies could lose US$750 billion in market capitalization due to cybersecurity challenges. Hence, strengthening cybersecurity frameworks has been at the forefront of ASEAN policymakers’ agendas. ASEAN’s regional cybersecurity initiatives are guided by its Cybersecurity Cooperation Strategy. Last year, the 9th ASEAN Ministerial Conference on Cybersecurity launched the physical facility of the ASEAN Regional Computer Emergency Response Team (CERT) based in Singapore. Several capacity-building and counter-cybercrime meetings and workshops involving ASEAN members, external sovereign counterparts, and private stakeholders were also held in 2024.
Fragmentation in Southeast Asia's Cybersecurity Landscape
Contrary to the growing regional consensus in the area, the cybersecurity landscape remains fragmented at the national level. Across ASEAN member states, cybersecurity maturity levels and rate of regulatory developments are uneven, posing challenges to a substantive coordinated regional response.
National Cybersecurity Laws and Strategies
Brunei, Malaysia, Singapore, Thailand, and Vietnam have national laws, strategies, and supporting policies on data privacy. The Government of Malaysia recently introduced its national cybersecurity law in 2024. Key provisions include licensing requirements for service providers, additional compliance and regulatory requirements for national critical information infrastructure (CII), and extraterritorial application for CIIs.
Last year, the Government of Singapore amended its 2018 Cybersecurity Act, updating the responsibilities and oversight of CII owners, including computer systems located outside the country under specific conditions. The amendment also expanded the cybersecurity regulator’s (CSA) oversight into new entity categories, such as sensitive information (“Entities of Special Cybersecurity Interest”), national interest (“Systems of Temporary Cybersecurity Concern”), and digital infrastructure (“Foundational Digital Infrastructure Service”). In 2023, the Government of Indonesia issued Cyber Incident and Crisis Management regulations for Vital Information Infrastructure and Electronic System Providers, covering monitoring, contingency plans, and response teams. The Indonesian government is also looking to pass its Cybersecurity and Resilience Law as part of the 2025 Priority National Legislation Program.
The Government of the Philippines released its National Cybersecurity Plan for 2023 to 2028, while Myanmar is looking to implement its Cybersecurity Law this year. Laos is drafting its cybersecurity law and is looking to amend its combating cybercrime law. Cambodia is still finalizing its cybersecurity law.
Brunei, Indonesia, Malaysia, Singapore, Thailand, and Vietnam also have dedicated cybersecurity agencies that oversee, coordinate, and regulate cybersecurity initiatives across government and private entities. In comparison, Cambodia, Myanmar, and the Philippines delegate cybersecurity duties across related agencies such as ICT, telecommunications, and national security.
Data Governance and Privacy
Current ASEAN cybersecurity policies contain varying degrees of data localization and privacy requirements. Broad definitions surrounding “national interest,” “national security,” and content deemed “inappropriate for public viewing” have raised concerns among ASEAN stakeholders. There have been censorship worries over Cambodia, Laos, and Myanmar’s draft laws. Singapore, Thailand, and Vietnam have also been cited for their governments’ extensive access to private data. Data localization requirements could also place excessive burdens on foreign businesses. The recent amendments to Malaysia’s Communications and Multimedia Act 1998 (CMA), introducing a new regulatory framework for social media services and internet messaging providers to increase “internet safety”, have raised concerns regarding the Malaysian Communications and Multimedia Commission’s (MCMC’s) licensing regime. The amendment has generated substantial discourse around the framework enabling extensive government oversight of content shared on Content Application Service Providers (CASPs), imposing disproportionate punitive measures, increasing compliance costs, and undermining the principles of freedom of expression. Overall, such requirements entail additional obligations for investors, added regulatory and political uncertainty, and potential reputational costs in dealing with rights to data privacy and freedom of expression.
Sectoral Considerations
ASEAN members have also tackled sectoral policies incorporating cybersecurity, such as e-commerce, banking and finance, social media, e-governance, and military modernization. Other initiatives include certification programs, public awareness campaigns, workshops for targeted stakeholders, and cybersecurity competitions to enhance cybersecurity quality, literacy, and innovation. Given the divergent regulations and requirements across the region, investors will have to carefully navigate the cybersecurity landscape at both the regional and national levels.
Growing Threats From Cyber Scams
Greater regional cybersecurity coordination to counter cyber scam operations is a critical challenge in ASEAN. Cybercrime’s transnational threat has also only become more severe, on par with the illicit drug trade. ASEAN’s geostrategic position has made it a prime target for hackers in the region, while linkages between cybercrime syndicates and ASEAN elites have complicated efforts to address the issue. In a regional survey, global scam operations were among the top concerns for ASEAN constituents at 39.4%. Cybercrimes range from ransomware attacks on key government offices in Indonesia, AI identity fraud in Singapore, transnational cybercrime syndicates in the Golden Triangle Economic Zone and Myanmar’s Kayin State, to human trafficking for forced labor in Cambodia’s scam industry. SMEs and the underbanked are particularly vulnerable amid limited cybersecurity software, low digital literacy, and reliance on informal financial services. American citizens have also been frequently targeted. Analysts estimate that the Mekong countries’ cyber scams generate US$43.8 billion annually or over 40% combined GDP from Cambodia, Laos, and Myanmar.
Looking Ahead: Enhancing Cybersecurity Collaboration and Resiliency
Beyond intraregional collaboration, U.S.-ASEAN cooperation can also provide valuable contributions to bolstering cross-border cybersecurity frameworks and resiliency. During the 5th U.S.-ASEAN Cyber Policy Dialogue in November 2024 and the 5th ASEAN Digital Ministers’ Meeting in January 2025, both sides reiterated their commitment to responsible state behavior, confidence-building in cyberspace, greater regional cybersecurity cooperation, and capacity-building to address cyber scams. While U.S. cybersecurity executive orders remain unchanged, analysts expect a more business-friendly policy directive under Trump. However, the administration’s scaling back of the federal workforce, including the reduction of over 130 staff at the Cybersecurity and Infrastructure Security Agency (CISA) and disbanding the Cyber Safety Review Board (CSRB), may slow U.S.-ASEAN cooperation in investigating and addressing cyber scams. Furthermore, the administration’s pause on foreign aid funding could impact USAID-funded cybersecurity projects in the region, potentially slowing U.S.-ASEAN cooperation in addressing cyber scams.
Despite these challenges, the ASEAN cybersecurity landscape offers many opportunities for growth and investment partnerships. ASEAN members continue to look for opportunities to bridge the digital divide through critical infrastructure projects, such as Thailand’s Cloud First Policy and Vietnam’s broadband initiatives. The lack of cybersecurity talent and awareness among the general public and businesses has also been cited as a key gap in the cybersecurity landscape.
Analysts noted ASEAN businesses’ relative confidence compared to their limited cybersecurity readiness. Despite Singapore’s mature cybersecurity standards and tools, the Cyber Security Agency of Singapore (CSA) reported that only 70% of local businesses adopted such measures due to a lack of knowledge and perceived unlikelihood of being targeted back in 2023. These gaps present opportunities for cybersecurity skills development, primarily for countries such as Malaysia and Indonesia, which aim to develop over 30,000 to 458,043 cybersecurity professionals by 2030.
As ASEAN looks to build its Cybersecurity Cooperation Strategy for 2026-2030, investors can expect extensive initiatives to address ongoing challenges, more expansive information-sharing and collaborative projects, and overall efforts to build a resilient and secured cyberspace.
