Cyber Capabilities in the Indo-Pacific: Shared Ambitions, Different Means?

A Complex Chessboard for Cyber Capabilities: The Indo-Pacific

Louise Marie Hurel

Comprising approximately 40 economies, the Indo-Pacific is set to represent over 50% of the world’s GDP by 2040, with China, Japan, India, South Korea and Australia’s combined GDPs already totalling more than the whole of the EU put together. Throughout the past years, this vast and diverse region has also become central to strategic engagement by Five Eyes countries on a range of topics. Canada, the UK, the US, Australia and others have published their own strategies for the Indo-Pacific and forged security partnerships such as the trilateral AUKUS initiative, which have also focused on ‘developing a range of capabilities, to share and increase interoperability between […] armed forces’ – with a dedicated a pillar for cyber capabilities, AI, quantum and other emerging technologies.

But beyond economic, defence-focused or external incentives, the Indo-Pacific region forms a chessboard for complex technological disputes over the production of semiconductors in Taiwan, US-China geopolitical clashes concerning the latter’s state-linked cyber operations, thorny concerns around the conflation of cyber security and content control and moderation, as well as increasing cyber threats from both state and non-state actors. At the same time, ASEAN and other cross-regional efforts such as the Quad grouping have also sought to address some of these challenges by focusing on cyber capacity building, critical infrastructure protection and building shared resilience.

However, cyberspace has become a reflection of tensions within the region. Earlier this year, a reported leak from a Chinese company showed that the country had been conducting cyber espionage campaigns against multiple governments in the region. This included telecom service providers in Pakistan, Mongolia and Malaysia, as well as various parts of the Indian government. India, meanwhile, has sought to ramp up its own capabilities through the establishment of a National Cyber Agency in 2018, as well as conducting advanced persistent threat (APT) operations. At the same time, Pakistan has not fallen short of developing capacities in this area, with the alleged Pakistan-linked APT36 group targeting organisations in India. Moreover, in Southeast Asia, Vietnam-linked APT32 has targeted human rights defenders within the country as well as organisations in the Philippines and Laos.

While far from being devoid of challenges, countries in the region have nonetheless committed to norms for responsible state behaviour at the UN. The question that remains, however, is how they will attempt (or not) to reconcile the commitment to such norms with the development of cyber capabilities such as the establishment of cyber commands, the use of offensive cyber capabilities, or having a more active posture when it comes to responding to and preventing cyber operations.

While one might not exclude the other, this does raise the question of how states should be held accountable when they (explicitly or implicitly) seek to enhance their cyber capabilities, be it for domestic or international use. Additionally, some countries in the region – especially those beyond China and North Korea – can often be overlooked in their ongoing development of capacities to act and engage in cyber operations, and this calls for a deeper analysis of other Indo-Pacific economies.

In this piece, we gather experts from the region to reflect on the often-thorny relationship between state responsibility and the development of capacities to conduct cyber operations, the internal justifications countries have devised to legitimise doing so, and the institutions devised to support such capacities.

India’s Strategic Ambiguity in Cyberspace and Cyber Operations

Arindrajit Basu

India’s security doctrines have always been shrouded in strategic ambiguity. Unsurprisingly, the development and deployment of cyber capabilities has been no exception. While external analysts and former officials have acknowledged the state’s capacity to conduct cyber operations or orchestrate India-backed hacktivist groups against geopolitical adversaries, there has been no overarching pronouncement or ‘cyber doctrine’ guiding these developments.

However, military doctrines have acknowledged the tactical necessity of integrating cyber capabilities with kinetic warfare, although they have stopped short of articulating clear objectives or normative rules of engagement. Despite the often-challenging task of reading between the lines regarding mandate and legality of operations, India has allegedly used cyber capabilities such as cyber intrusive tools for both domestic and external surveillance. This has been seen in recent reports which have further highlighted India’s use of targeted surveillance capabilities such as the NSO group’s Pegasus spyware against geopolitical adversaries and internal opposition figures, although the government has issued clear denials.

Even so, India is trying to project itself as a responsible global power, including in cyberspace. This projection comes not from grand proclamations but through subtle diplomacy. For example, unlike several other countries, India is yet to publish a clear statement on how international law applies in cyberspace. However, the country has engaged in concerted cyber diplomacy both bilaterally and through ‘minilateral’ partnerships like the Quadrilateral Security Dialogue, the Counter Ransomware Initiative and the G20. In multilateral forums, India has consistently emphasised issues that most closely mirror its geopolitical interests, including cyber terrorism, the protection of critical information infrastructure, and capacity-building. The overarching global objective lies in what I have assessed elsewhere as ‘ideological agnosticism and selective engagement’ – that is, maintaining flexibility on doctrinal questions and evading controversial normative debates while tactically engaging on less controversial issues and working with partners to shore up India’s cyber security posture and existing capabilities. Relatedly, there appears to be limited appetite for a public discussion of its doctrine or capabilities. While India’s present strategy appears to be working as it reaps the dividends of its geopolitical ‘sweet spot’, its aspirations for global leadership must be underpinned by demonstrable commitments to the UN framework on responsible state behaviour, both in word and deed.

The Role of Cyber Capabilities in Advancing Vietnam’s Security and Prosperity

Bich Tran

Often overlooked in global cyber security debates, Vietnam has made significant efforts to develop capabilities to advance its interests in cyberspace over the past decade. In 2023, Prime Minister Pham Minh Chinh stressed that ensuring cyber safety and security is an important and long-term task. While motivations might vary, Vietnam has arguably deployed cyber operations to protect the communist regime, defend national sovereignty, and advance its economic interests.

The Communist Party of Vietnam perceives the current cyber landscape as a struggle against what it sees as a ‘peaceful revolution,’ with many dissidents and anti-regime groups using online platforms to further their agendas. Vietnamese officials also regard cyberspace as an important battlefield alongside the air, land, sea and space domains. Cyber attacks from alleged Chinese hackers targeting the country have demonstrated how cyberspace has become a theatre for Vietnam–China territorial disputes.

To address these issues, Vietnam has established two cyber units. Task Force 47, named after Directive No. 47 issued in 2016 by the General Political Department, consists of over 10,000 members. Its mission is to counter what the Party considers ‘wrongful views’ promoted by ‘hostile forces’. The second unit is the Cyberspace Operations Command, established in 2017 and announced in 2018 as a combat unit of the Ministry of National Defence. It is responsible for protecting national sovereignty in cyberspace and maintaining cyber security within the military. While Task Force 47 specialises in anti-disinformation, the Cyberspace Operations Command is concerned with comprehensive cyber security, including technical aspects. In essence, Task Force 47 is primarily concerned with regime security, while the Cyberspace Operations Command focuses on safeguarding national sovereignty.

The development of cyber capabilities is also essential for Vietnam to reach its goals of becoming an upper middle-income developing country by 2030 and a high-income developed country by 2045. The 2020 National Digital Transformation Programme (NDTP) for the period through 2025, with a vision extending to 2030, set a target for the digital economy to contribute 20% of Vietnam’s GDP by 2025 and 30% by 2030.

The NDTP also aimed to put the country in the top 40 of the Global Cybersecurity Index (GCI) by 2025 and the top 30 by 2030. This goal was surpassed as Vietnam’s ranking jumped from 50th out of 175 countries in 2018 to 25th out of 182 countries in 2020. The 2022 National Cybersecurity Strategy aims to ensure that Vietnam's ranking on the GCI stays between 25th and 30th by 2025.

Besides its own efforts, Vietnam has leveraged external resources to enhance its capabilities through cyber diplomacy. Bilaterally, it has strengthened cyber security cooperation with its partners, such as India, the EU and Australia. Multilaterally, the country has engaged with the international community on cyber security issues to promote its interests in cyberspace and contribute to the development of international norms and rules governing cyber activities.

Japan’s Hesitant Shift Toward Active Cyber Operations

Wilhelm Vosse

Since Japan began to codify its response to the opportunities and growing threats of cyberspace in its information and later cyber security strategies in 2006, its main objective was to strengthen the rule of law in cyberspace. Japan’s primary instrument has long been international cooperation with like-minded countries in bilateral cyber dialogues, regional organisations such as ASEAN, and global mechanisms such as the UN Group of Governmental Experts and the Open-Ended Working Group. Over the last decade, Japan has become one of the most active players in cyber diplomacy, promoting cyber norms, an international legal framework, and responsible behaviour in cyberspace. Japan has limited itself to an almost exclusively diplomatic and normative response to growing security threats because this reflects its inherent preference for non-militaristic foreign and security policy and its general risk-aversiveness. These factors also explain why Japan has responded to cyber attacks against both public and private entities through a crime-based perspective, viewing them as a concern that needs to be taken care by the police and the judiciary. And even in cases such as the 2021 Cybersecurity Strategy that signalled an intent to extend the country’s response through the development of active cyber defence capabilities (ACD), the details remained vague.

However, Russia’s invasion of Ukraine in February 2022 led to a fundamental rethinking of Japan’s security policy. The latest National Security Strategy, issued in December 2022, states for the first time that Japan will introduce an active cyber defence capability, which will include the penetration and neutralisation of the servers of potential attackers. Such language should not be overlooked: it represents a significant leap from Japan’s traditional preference for more passive and risk-averse tactics.

But beyond words, the government has also committed to further investments in this area. Funding and personnel for the Ministry of Defense’s Cyber Defence Command to prepare and conduct such cyber operations are planned to be significantly increased until 2027. Still, this remains an ambitious plan. The commitment to develop ACD has triggered questions in parliament about what active cyber defence operations really entail and whether the government is willing to accept potential counterattacks. This debate is still ongoing, but it can be assumed that active measures will only be deployed after other diplomatic measures have been exhausted.

Apart from the risk of potentially triggering dangerous responses from countries like China or North Korea, Japan needs to fundamentally strengthen the security of its domestic critical information infrastructure before embarking on this route. Going from planning to operationalisation might be a bigger challenge than expected, as it is already struggling to find qualified personnel and still needs to revise privacy and other laws to make such operations legal in Japan. To what extent Japan is willing to take the risks of active or offensive cyber operations remains to be seen.

Australia’s Evolving Perspective on Cyber Operations

Mike Bareja

In 2016, the Australian government confirmed its offensive cyber capability, making Australia one of the few countries to make such activity publicly known. The Australian Signals Directorate (ASD) leads Australia’s offensive cyber capabilities, probably sharing capabilities with the Australian Defence Force’s Cyber Warfare Division. This capability is growing. Announced in 2022, an A$10 billion budget increase over 10 years for project REDSPICE will triple Australia’s offensive cyber capability.

Australian cyber operations align with international norms such as those set by the UN framework of responsible state behaviour in cyberspace. They also comply with Australian and international law.

ASD’s primary legislation is the Intelligence Services Act 2001, which sets out its purpose (functions) and the authorisations it must obtain for this activity. The legislation also says that the agency must abide by the law and only act in the performance of its functions. Otherwise, an employee is liable to face civil and criminal legal action.

All Australian intelligence agencies have robust oversight, including through Parliamentary committees. The Inspector-General of Intelligence and Security (IGIS) also scrutinises ASD’s intelligence activities for legality and propriety. The IGIS works to ensure that each activity is legal, reasonable and proportional, and publishes an unclassified, publicly available annual report of their findings.

The Cyber Security Strategy 2023–2030, released in August 2023, states that while ‘details of specific offensive cyber capabilities and operations remain classified, we are committed to transparency about the rights and obligations that govern their use’. However, the Australian government remains vague about these details and what strategic objectives guide its use of offensive cyber.

What has been made public is that offensive cyber is used to support military operations, disrupt cybercrime and ‘enable ASD to manipulate, disrupt or degrade our adversaries’ capability’. The Strategy also states that Australia will ‘amplify our domestic law enforcement and offensive cyber activities to make Australia a harder target for cyber criminals’.

Although Australia has made small improvements to the transparency of its offensive cyber capabilities, more must be done. Public dialogue and increased accountability on these capabilities will promote international engagement on states’ rights and obligations in this realm; facilitate collaboration between policymakers, academics and the private sector on responsible and effective cyber capabilities; and help improve the ability of offensive cyber to act as a deterrent.

Accountability and Transparency: From Mirage to Commitment?

Gatra Priyandita

While the approaches vary, a common thread among these countries is the recognition of cyberspace as a critical domain of national security and international engagement. From the Russian invasion of Ukraine and concerns about foreign surveillance to regime security considerations, the shifting landscape of global cyber security underscores the diverse approaches countries are adopting to harness their cyber capabilities. While not all of these countries have been transparent about the motivations driving their cyber capability development, their approaches demonstrate that the global framework on responsible state behaviour in cyberspace is insufficient – on its own – to ensure that states comply. The ability to deter cyber-enabled threats from state actors also requires investments in cyber capabilities. Given that military power is ultimately needed reinforce international law and norms, this is, of course, unsurprising.

But for cyber capabilities to be effective instruments of diplomacy, states must also be transparent about their intentions. As with military power, developing cyber capabilities without some degree of transparency creates uncertainties, which breed distrust. While no state is expected to be completely open about the systems that make up its cyber security capabilities, it remains important that states demonstrate their commitment to the UN global framework of responsible state behaviour in cyberspace by establishing clear doctrines, ensuring rigorous oversight, and fostering transparency through engagements with both international and domestic partners. These elements not only enhance operational effectiveness but also contribute to the stability and security of the global cyber environment. As countries continue to evolve their cyber strategies, it is fundamental that they work to develop trust through confidence-building.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.