Farlina Said and Farah Nabilah explore ways to enhance ASEAN’s cybersecurity and intellectual property protection mechanisms to strengthen the region’s digital economy.
The successful implementation of the ASEAN Digital Economy Framework Agreement (DEFA) is expected to grow the regional digital economy to US$2 trillion by 2030 and enhance digital integration in ASEAN. The framework agreement covers nine core elements that include cross border data flows, digital trade, and cybersecurity. Focusing on these aspects could substantially enhance cybersecurity, personal data protection, and intellectual property (IP) protection across the region.
DEFA aims to enhance digital interoperability, create a safe online environment, and increase the participation of Micro, Small, and Medium Enterprises (MSMEs) in the digital economy. Emphasising inclusivity and regional integration, the DEFA’s dual focus includes offering greater access to the ASEAN market, for both domestic and foreign investors and empowering digital companies from ASEAN member states (AMS) to scale up activities in the region. As such, DEFA’s binding agreements would need to incorporate elements of both horizontal and vertical integration. The former refers to alignments and standardisations across the region while the latter seeks global interoperability. This may frame the DEFA as a principles-based trade agreement seeking harmonisation in digital economy areas. This is unlike other trade agreements that may focus on promoting economic activities through other means such as more traditional forms of market access like tariff elimination.
Numerous dialogues and written work on DEFA’s scope have underscored the multifaceted scope of DEFA, particularly in the areas of cybersecurity, data governance and IP protection. The 10th AEC Dialogue with businesses and stakeholders emphasised that DEFA could aim for common frameworks, standards and principles for online safety, cybersecurity and data protection. The Center for Indonesian Policy Studies (CIPS) echoes this perspective, specifically on cross-border protection mechanisms. DEFA’s goals can align with ASEAN-wide agreements such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). However, there are gaps in areas such as control and use of data, source codes and algorithms in existing agreements.
The DEFA covers the digital core and digital-enabled economy, which includes hardware, software and services. Figure 1 depicts various considerations for digital trade, with digital governance and economic policy forming the premises for relevant trade rules. Notably, the key considerations include the frameworks and capacities needed, such as laws for safety in cloud usage or bodies to regulate competition.
Figure 1. Key Considerations for the Digital Economy Ecosystem
There may be certain challenges in addressing these elements within a DEFA framework such as the variations in industrial structures, level of digital maturity and gaps in the capability of cybersecurity and data protection institutions. A deeper look at ASEAN’s regulatory environment reveals that regulations currently exist in areas that underpin the DEFA’s foundation. These regulations pertain to cybersecurity, data protection, and IP protection. They have either been fully enacted or are still in the drafting stage. Despite the presence of such laws, barriers to greater harmonisation could exist in the form of data localisation regulations, government procurement policies, license requirements, local content rules, IP protection, and taxation laws.
DEFA negotiations could be impacted due to regulatory gaps amongst AMS. An example is Brunei’s draft laws on personal data protection which do not precisely articulate the country’s approach to data management in the area of cloud computing – that is, whether Brunei subscribes to data residency or data localisation practices. However, other areas may feature commonalities in principle or practice. Cambodia’s draft cybersecurity legislation bears similar approaches to Malaysia’s recently passed cybersecurity bill. The headstart in harmonisation could perhaps be traced to various conversations in ASEAN’s digital sector discussing frameworks pertaining to personal data protection, digital data governance and cross-border data flows. Despite this, there can be different priorities in existing legislation which needs to be addressed. IP protection for instance could have varying interpretations stemming from history, industrial development policies, and national priorities.
The DEFA’s intention to grow the digital economy can only be realised if it is built on an ecosystem of stability and trust. Enabling digital trade requires addressing gaps in cybersecurity, particularly in the protection of critical infrastructure and systems such as submarine cables and addressing security in business sectors vulnerable to threats such as ransomware attacks. Furthermore, the digital environment comes with emerging social issues resulting from misinformation and disinformation, data mining, or scams. Weak cybersecurity practices could undermine IP protection, especially if information stolen is of high value for competitors in the value chain. An Australia Strategic Policy Institute report indicates a rise in cyber-espionage activities between 2014 to 2016. As ASEAN aims to realise its knowledge economy, raising cybersecurity is necessary for greater resilience in the digital economy ecosystem.
Therefore, to position ASEAN as a competitive region in digital economy, two recommendations are proposed.
Firstly, there is a need to elevate cybersecurity baselines across sectors for ASEAN to meet rising challenges in the digital sphere. In 2023, disruptions at DBS and Citibank’s data centres affected 2.5 million payments, despite both companies having disaster recovery plans in place. Additionally, IBM’s X-Force Threat Intelligence Index 2024 reveals that 85 per cent of global attacks on critical sectors could have been mitigated through measures like patching and multi-factor authentication systems. ASEAN has already laid the groundwork for cybersecurity, with documents such as the Cyber Security Cooperation Strategy and the ASEAN Critical Information Infrastructure Framework 2020. This has helped to facilitate regional coordination, standards harmonisation and information sharing mechanisms. However, ASEAN’s cybersecurity baselines emphasise the protection of systems but does not focus on their recovery or on anticipating attacks. This would mean that companies and industries may invest in the technologies needed to protect their systems but may not develop processes to improve the resilience of systems. This can be on the part of governance, such as gaps in regional legislation that do not have mandatory data breach notification laws, or in the enterprise who are reactive to cyber incidences and experience. As the Internet-of-Things permeate in sectors such as agriculture or education, cyber resiliency across sectors is necessary to strengthen protection, lest there be differences in cybersecurity maturity and baselines.
Secondly, emerging technologies such as AI, challenges IP paradigms, especially as computer codes are typically registered under copyright laws or ‘literary works’. Furthermore, weak IP protection ecosystems could impact jobs displaced by Generative AI. The advent of new technologies such as AI introduces new elements for consideration under IP protection and, there is a need to broaden existing definitions to enhance governance. Currently, algorithms which form the backbone of AI may not qualify for patent application unless it is applied to solve a problem. Even then, it could depend on the legislation as algorithms have to fulfil criteria such as demonstrating technical effect or claim they constitute a mathematical method with real-world effects. Secondly, generative AI such as ChatGPT raises concerns of utilising data or information without the permission of authors to produce output. This would mean the need for discussions on governance and oversight mechanisms at the data training stages, or even a licensing regime needed to prevent works taken without credit. Finding optimal ways to protect IP vis-а-vis emerging technologies across ASEAN is necessary for the digital economy.
The DEFA is expected to propel ASEAN closer to achieving its objectives of a more holistic economic community while realising a digitally vibrant and prosperous region. It has the potential to increase dynamism in ASEAN’s digital economy by having a focus on data policies or technical standards. Essentially building an environment of trust is important for ASEAN’s digital economy. By prioritising cybersecurity, data governance, and IP protection within the DEFA framework, ASEAN can create a more conducive environment for digital innovation and ensure greater economic growth in the region.
This article first appeared in Fulcrum on 4 July 2024.
