Can Small States Contribute to a Rules-based Order in Cyberspace?
There is an old African proverb that says when elephants fight, the grass suffers.
In the context of U.S.-China contestation, small countries–the proverbial grass–do not want to be put in a position where they have to choose sides. That the elephants are clashing most acutely in the digital domain is causing consternation, because all countries–large and small, developed and developing–are benefitting immensely from digitalisation and do not want the digital domain to be viewed as a zero-sum game.
Digitalisation can and should result in win-win outcomes where the global community leverages innovation and interdependencies toward an interoperable cyberspace that benefits all our communities. It is through interdependencies and interoperability that we have a stake in one another’s success, thus creating a more stable international environment. Technology bifurcation, which creates segregated and siloed technology ecosystems, prevents us from reaping the maximum potential of digitalisation and consequently diminishes its economic and societal opportunities.
For small States like Singapore, it is in our interests to develop a cyberspace that is rules-based, interoperable, and secure. Digital connectivity fuelled by data will allow small States to transcend limitations in natural resources, land, and manpower. Overcoming these constraints will be vital to small States in the digital age.
This also means that small States can have an outsized impact in shaping the rules, norms and principles of operating in cyberspace, because physical size becomes secondary to a country’s online presence.
An example of a small State punching above its weight in the digital domain is Estonia. As part of its rotating Presidency of the United Nations Security Council (UNSC), Estonia elevated cybersecurity as a key issue of concern and organised the first-ever UNSC formal meeting on cybersecurity in June 2021, also known as the UNSC Debate on Cybersecurity: Maintaining international peace and security. The Tallinn Manual – a study by academia of how international law could apply to cyberspace – is so named in no small part to
Estonia’s thought leadership in this domain.
Small States can contribute to a rules-based cyberspace in three ways – through policy, partnerships, and platforms.
Forward-Looking Policy
Cybersecurity starts at home. States need to have the requisite domestic cybersecurity regulatory policies, regimes, and capacities to implement cyber best practices.
For example, Singapore enacted the Cybersecurity Act, which establishes a legal framework requiring the implementation of mandatory cybersecurity measures and reporting of incidents by Critical Information Infrastructure owners.
These regulations are augmented by several masterplans and initiatives rolled out to strengthen the resilience of our Critical Information Infrastructure and create a safer cyberspace. This includes the Safer Cyberspace Masterplan which articulates Singapore’s vision to secure our core digital infrastructure, safeguard digital activities, and empower a cyber-savvy citizenry.
Recognising the exponential growth of Internet of Things (IoT) devices like smart home hubs and web cameras, Singapore launched the Cybersecurity Labelling Scheme to work with the industry to raise the security of such devices and improve transparency for consumers to choose more secure products. We welcome international partners and industry to work with us to internationalise the labelling of IoT devices for a more secure global cyberspace.
Collaborative Partnerships
Cyber is inherently transnational and global; no State can adequately address cyber threats by itself. It is imperative for small States to work together and strive to achieve common desired outcomes.
This is where regional organisations, like the Association of Southeast Asian Nations (ASEAN), provide crucial platforms to exchange information on emerging and existing threats, implement Confidence-Building Measures (CBMs), and build capacity. It is thus timely that ASEAN Member States establish an ASEAN Computer Emergency Response Team (CERT) and the ASEAN CERT Information Exchange Mechanism to facilitate the exchange of threat and attack-related information among national CERTs, and foster CERT-related capacity building and coordination.
ASEAN remains, to date, the only regional organisation that has subscribed in principle to the UN’s 11 voluntary, non-binding norms of responsible State behaviour in cyberspace. ASEAN is also developing a concrete plan of action to implement these norms. Such an action-oriented approach working through strong and enduring partnerships among States allow us to collectively mitigate the risks and threats in cyberspace.
Public-private partnerships are also crucial to enhance global cyber resilience. The Singapore-U.S. Joint Cyber Security Working Group is one such platform for the Cyber Security Agency of Singapore (CSA), the U.S. government and the industry to come together and work towards strengthening collaborations and efforts to address dynamic cyber threats.
Inclusive Multi-stakeholder Platforms
A rules-based multilateral system with the UN at its core is our best hope to build a secure, resilient and interoperable cyberspace. This is why Singapore participated actively in the sixth United Nations Group of Governmental Experts (UNGGE) and the inaugural Open-Ended Working Group (OEWG) on international security in cyberspace.
As the first-ever inclusive UN platform on cybersecurity, the OEWG saw many small and developing States come well-prepared to make substantive contributions on cyber issues that mattered to them. This is necessary to add different perspectives to the ongoing conversations, allow for more robust discussions, and make consensus decisions toward raising the global cybersecurity posture.
Small and developing countries are increasingly keen to co-create a secure, resilient and interoperable cyberspace. However, States alone do not have all the answers for the dynamic cybersecurity problems we face. From my experience chairing the OEWG informal intersessional multi-stakeholder meeting in December 2019, the private sector, non-governmental organisations and academia also have views that States should consider. These stakeholders should be involved and engaged in cybersecurity discourse going forward.
In recognition of the need to strengthen the multi-stakeholder nature of cyber discussions, Singapore has organised the Singapore International Cyber Week (SICW) annually since 2016 for both State and non-State stakeholders to deliberate and collaborate on key cyber issues. The 6th SICW will be held this year from 4 to 8 October and is aptly themed: Living with Covid-19 – Reimagining digital security risks and opportunities. We welcome international counterparts and industry to participate actively and shape our secure and prosperous digital future together.
Small States as Leaders
As Jared Cohen and Richard Fontaine aptly pointed out in Foreign Affairs,[1] small countries are often well-placed to lead multilateral efforts with more powerful nations, a phenomenon they have termed “microlateralism.”
It is timely to recognise that geographically small States have as much stake in the digital space as any other country or private sector technology firm, if not more.
To truly achieve a rules-based multilateral order in cyberspace, we must start mainstreaming “microlateralism” and acknowledging that the actions and commitments of small States count. Our vision of a rules-based cyberspace depends on it.
David Koh is Singapore’s first Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency of Singapore (CSA).
