The cyber nexus with EU-Singapore political and security cooperation: Channels for cooperation

In late 2018, the EU and Singapore agreed the Framework Agreement on Partnership and Cooperation to strengthen the joint work that they are already conducting and allow them to strengthen political, economic and sectoral cooperation across several fields (such as counter terrorism and the fight against organised crime) as well as cooperation on global challenges. Given these wider political ambitions to increase cooperation, it is a timely opportunity to consider the inclusion of cybersecurity within future endeavours. That said, a Joint Committee must first be established to ensure the proper functioning and implementation of the Agreement, which must also be ratified by EU Member States and submitted to the European Parliament before entering into force.

So far, EU representatives have actively participated in past cyber conferences and informal workshops organised by think tanks in Singapore. In more recent years, EU officials are attending Singapore International Cyber Week (SICW), which was first launched by the Singapore government in 2016. This includes the latest visit of the Head of Cabinet of European Commission Vice-President Andrus Ansip to SICW 2018. These types of engagements continue to afford exchanges of good practices and insights about both EU and Singapore initiatives, while continuing to create deeper trust between the respective parties.

Beyond such high level visits and informal think tank activity, however, the EU and Singapore could consider a number of other avenues to deepen their future cooperation on cyber-related matters. The EU, on its part for instance, has pursued general cooperative engagements at bilateral level and efforts to deepen dialogue with third countries, including the development of cyber dialogues with its strategic partners. By September 2017, the EU had cyber dialogues with the United States, China, Japan, the Republic of Korea and India. Other cyber dialogues include the EU-Brazil Dialogue covering topics such as international security in cyberspace, cyber resilience, cybercrime, Internet governance and cybersecurity standards.[1] The Singapore government also specifies its commitment to enhance its efforts to forge strong international partnerships as one of four pillars underpinning its 2016 Cybersecurity Strategy.

Both parties could therefore examine the desirability and utility of establishing a regular cyber dialogue. Alternatively, given the planned ratification of their wider Framework Agreement on Partnership and Cooperation, a cyber chapter could be added to its agenda. By way of comparison, the EU and China added a cyber chapter to their joint cooperation agenda - the EU-China 2020 Strategic Agenda for Cooperation.[2]

In addition to a potential Dialogue or cyber chapter, other efforts to facilitate cooperation or complement a Dialogue could be explored. This could, for instance, first include a Memorandum of Understanding (or Memorandum of Cooperation) given Singapore’s recent history of MOU activity. Singapore has already agreed to a number of bilateral MOUs with individual EU Member States such as the Netherlands, France and the United Kingdom. Secondly, and more broadly, the cyber-related aspects within other policy fields such as counter-terrorism that are prioritised under the Framework Agreement could also be examined under that umbrella.

Nonetheless, scholars warn that not all EU partnerships have delivered equally. With this in mind, it may thus be prudent for Singapore and the EU to first set out their stall about what is realistically desirable, achievable and deliverable to avoid future disappointment. For example, the EU-United States partnership is highly developed with several annual dialogues on various aspects of cyber policies (even where there are bones of contention and trust deficits) whereas partnerships with countries like Japan and Canada are less ambitious but nevertheless productive.[3] On the other hand, where there is a mutual trust deficit in partnerships, such as with Russia and China, these cyber partnerships focus mainly on confidence building measures.[4] The rationale behind these partnerships can be different, ranging from results-oriented to process-oriented partnerships – in other words, tangible deliverables vis-à-vis keeping the dialogue open on contentious issues in an attempt to build mutual confidence.[5] In all likelihood, the EU and Singapore may find that the nature of their future cyber partnership will be both results- and process-oriented. In other words, producing concrete deliverables while also building and maintaining mutual trust and sustaining confidence.

Enhancing EU-SG cyber cooperation: Identifying areas of mutual interest

Both parties can use such avenues to cooperate effectively by identifying common priorities and emerging questions of mutual interest where each can learn from the other. Other EU cyber dialogues explore themes under workstreams such as cyber resilience, cybercrime, Internet governance, cybersecurity standards, and international cybersecurity issues (the 2017 EU Cyber Strategy notably delineates that international cybersecurity issues should be prioritised in EU external engagements). Any number of contemporary challenges facing both parties could be mutually agreed and prioritised under these types of policy workstreams at technical, operational and strategic levels. On Singapore’s part, a close examination of its recent MOUs and Memorandums of Cooperation could further unfurl present-day examples of the Government’s top priorities in its international engagement.

As a starting point, there are a number of cyber themes that both the EU and Singapore currently prioritise which could be offered as areas to explore in future engagements. First, like the EU’s continuing efforts to enhance concrete cyber resilience, the Singapore Cybersecurity Strategy specifies the country’s ambitions to strengthen the resilience of its critical information infrastructure as well as mobilising businesses and the community to make cyberspace safer – dealing with the fallout from the SingHealth cyber attack in 2018 with the loss of patients’ data is still fresh in everyone’s mind. Second, the country’s strategy identifies Singapore’s goal to develop a skilled workforce, much like the EU’s recognition of the need to increase its cyber skills base on account of concerns about major predicted shortfalls. For this reason, the EU Cyber ETEE platform was launched in 2018 for cyber defence training, education and exercises. Singapore, too, has some interesting development programmes such as MINDEF’s Cyber NSF Scheme, the Cybersecurity Associates and Technologists (CSAT) programme, and the Cyber Security Academy.

Third, exchanges could take place to examine both parties’ policies, strategy documents, and legislation such as the EU’s many cyber-related documents and its NIS Directive, as well as the Singapore Cybersecurity Act of 2018 that aims to establish a legal framework for the oversight and maintenance of national cybersecurity. The Act has four key objectives, namely (1) Strengthening the protection of CII against cyber attacks; (2) Authorising the Cyber Security Agency to prevent and respond to cybersecurity threats and incidents; (3) Establishing a framework for sharing cybersecurity information; and (4) Establishing a light-touch licensing framework for cybersecurity service providers.

Fourth, promoting cyber hygiene and awareness raising are common interests for both Singapore and the EU. Singapore could, for instance, provide insights about its endeavours to enhance cyber hygiene through its initiatives on Internet hygiene rating and benchmark tools. Fifth, Singapore continues to engage with the EU on cybercrime through, for example, the annual INTERPOL-Europol Cybercrime Conference, which was held during the Government’s SICW in 2018. Discussions could also consider Singapore’s National Cybercrime Action Plan as well as the Budapest Convention on Cybercrime given the country’s interest in the Convention Committee and the EU’s position that this Convention is the most ideal instrument for cybercrime.

Given that the EU is prioritising international security issues in cyberspace within its international engagements and Singapore is now promoting the application of international law and implementation of norms, the area of conflict prevention and cyber stability could be explored together.[6] Such discussions would most likely include how international law, including the UN Charter, applies in cyberspace; the implementation of the UN GGE 11 voluntary non-binding norms, rules and principles of responsible state behaviour; and the implementation of regional confidence building measures (CBMs). Moreover, the EU Institute for Security Studies EU Cyber Direct project is currently supporting EU cyber diplomacy efforts through dialogues with EU strategic partners and engaging with the regions of Latin America and the Asia Pacific. This project brings together governments and non-governmental actors to explore the main issues surrounding international law in cyberspace, norms of responsible state behaviour and CBMs through workshops, conferences and meetings to contribute to a better understanding of EU cyber diplomacy and cyber resilience policies.

Other exchanges on good practices could similarly examine mutually challenging and highly contemporary questions such as countering and mitigating hybrid threats. Current EU policies are, for instance, focusing on the need to raise awareness about online disinformation campaigns and fake news on social media aimed at undermining democratic processes and European values. In recent days, the Council adopted conclusions on securing free and fair European elections given concerns about the upcoming European elections in May 2019. These conclusions lay out the Council’s response to a broad range of threats, following the Commission’s package in September 2018 and the Joint Action Plan against Disinformation by the Commission and High Representative in December. Singapore, too, continues to closely examine these risks following the establishment of the Select Committee on Deliberate Online Falsehoods which recommended in September of last year that new laws be enacted, that public education be more guided and technology companies should better police their platforms. Other contemporary challenges include the need for secure IoT given the country’s Smart Nation Programme and planned investments in IoT. Again, EU policy documents similarly outline the body’s worries about the rise in risks associated with IoT.

Lastly, EU-Singapore cyber cooperative efforts that can further complement deeper interregional EU-ASEAN/ARF engagement in order to support global stability, enhance regional capacity building and implement regional cyber CBMs warrant deeper consideration. This is timely given the recent push in ASEAN for better coordination and greater attention to norms, CBMs and capacity building,

In broad terms, the EU already views Singapore as central to its engagement in Southeast Asia. This logic most likely extends to its wider Asia Pacific engagement. The 22^nd EU-ASEAN Ministerial Meeting, which was held in late January, confirmed then that the EU has a genuine strategic interest in strengthening its relationship with ASEAN and Council conclusions confirm the determination to deepen relations in 2019. This builds upon the EU’s prior 2015 strategy on ASEAN and the EU as well as the EU-ASEAN Plan of Action (2018-2022), which lays out cooperation across areas of mutual interest. EU-ASEAN relations are due to be upgraded to a strategic partnership when mutually agreed, building on their common interests in strengthening the rules-based international order and in effective multilateralism. Indeed, at the January meeting, both bodies agreed in principle to upgrade their relations to a Strategic Partnership. Furthermore, the EU is restating its commitment to enhanced security cooperation in and with Asia, and now reiterates its offer to contribute substantially to policy and security/defence related forums such as ASEAN, the ARF, the East Asia Summit and the ADMM-Plus.

In working together to move this relationship to the strategic level, the field of cybersecurity could be one area ripe for mutually beneficial cooperation. This is especially the case where EU strategic objectives in cyber also include increasing its engagement with international organisations, capacity building and the implementation of regional CBMs. Indeed, the EU’s High Representative for Foreign Affairs and Security Policy, Federica Mogherini, explains that in line with these ambitions, the EU and ASEAN will continue to explore new areas in which to cooperate and learn from each other, specifically citing cybersecurity (a sentiment echoed by EU Foreign Ministers).

Singapore continues to engage proactively with ASEAN and the ARF, pursuing its ongoing regional cyber capacity building efforts, which include the implementation of cyber CBMs. In fact, the EU and Singapore have each co-hosted past ARF workshops on international cybersecurity and they could continue such joint endeavours on regional CBMs under the ARF Inter-Sessional Meeting on Security of and in the Use of Information and Communication Technology. Moreover, Singapore’s current position as coordinator for ASEAN-EU dialogue relations until 2021 means that there could be even more space for the EU to engage with Singapore on regional cyber-related subjects. In fact, the Singaporean Prime Minister, Lee Hsien Loong, explained in October 2018 that both the EU and ASEAN have much to share and learn from each other in common challenges like cybersecurity.

Such endeavours can build upon the EU’s history of regional engagement given its work with ASEAN on crisis response and disaster management, including through support to the ASEAN Centre for Humanitarian Assistance. It is thus a positive development that, given some of their common objectives, the EU has already expressed an interest in engaging with the new Singapore-ASEAN Cyber Centre of Excellence. Like Singapore, the EU identifies that fast evolving cyber threats mean that there is a need for training, as well as policy and legislation development efforts, well functioning CERTs and cybercrime units in all countries. Thus, as highlighted in previous posts, by establishing this new centre, Singapore can enable third parties like the EU to more concretely engage with other regional stakeholders in areas that include: (a) training and research on strategy, legislation and norms; (b) increasing technical expertise among CERTs; and (c) increasing information sharing among CERTs.

Other region-specific areas to potentially explore together include exchanges about the development of regional level cybersecurity crisis response frameworks for large scale cross border incidents in the EU and ASEAN regions. For instance, the EU Blueprint in the Recommendation within the 2017 cyber strategy package sets out the objectives and modes of cooperation between the EU Member States and between Member States and relevant EU institutions, services, agencies and bodies when responding to large scale cybersecurity incidents and crises. While a number of ASEAN workshops have already been conducted on crisis management, there could be value in exploring the feasibility of a framework for crisis response that is suited to the very different institutional structures of ASEAN. Likewise, the development of a regional EU framework for diplomatic responses to cyber incidents (the EU “cyber diplomacy toolbox”) may also be noteworthy for fellow ASEAN experts. That said, while aspects of the toolbox may be adopted, other aspects might not feasible or desirable for ASEAN members given the structural make-up of the forum. For example, and in conclusion, while there is value in examining whether ASEAN Member States can develop an ASEAN mechanism for signalling to act as a deterrent, the group of states may not have a mandate to issue sanctions.

___

The author: Caitríona Heinl is Executive Strategist & Lead Strategist for Asia Pacific at EXEDEC​​​​​​​