Cyber Resilience in the Indo-Pacific

Introduction
Karthik Nachiappan

India’s Cyber Resilience: Strategy, Financing, and Collaboration
Arindrajit Basu

Indonesia’s Cybersecurity Resilience
Gatra Priyandita

Japan’s Shift in the Cyber Domain toward a Proactive Defense Posture
Dai Mochinaga

Cyber Resilience in South Korea
Dongyoun Cho

Introduction

by Karthik Nachiappan

This Asia Policy roundtable maps and analyzes the state of cyber resilience in four key Indo-Pacific countries—India, Indonesia, Japan, and South Korea—by identifying and assessing the political and institutional conditions underpinning cybersecurity (cybersecurity strategies, laws, institutions, financing, and agencies) and how they interact with each other to deter and mitigate threats online. This introduction lays out the motivations to study cyber resilience in the Indo-Pacific. The four subsequent essays in this roundtable are framed around questions that measure and identify these countries’ cyber resilience—how they resist, recover, and adapt from malicious cyber activities.

The Rise of Cyberthreats

Intense security competition and rapid digitalization in the Indo-Pacific have increased cyber vulnerabilities, especially cyberattacks, cyber espionage, cybercrime, disinformation, and the targeting of critical public and private infrastructure. Data fraud and theft are rising: 35% of firms in the Asia-Pacific suffered data breaches costing $1–$20 million in 2023.[1] According to a Nord VPN survey, the United States experienced nearly 200 serious cyberattacks on its government agencies between 2006 and 2021, which was the most for any country (followed by the United Kingdom, India, Australia, and Japan).[2]

Some Asian countries are being used as sites to launch cyberattacks as hotspots with vulnerable infrastructure or as highly connected hubs to initiate and execute attacks. Russian and North Korean cyber activities and artificial intelligence–powered threats complicate Indo-Pacific cybersecurity.[3] China’s tensions with countries such as India, Japan, and South Korea are acquiring a cyber dimension. In 2023 the U.S. government released a threat assessment that alleged Beijing was using cyber capabilities for espionage, malign influence, and information operations to advance Chinese views and interests. Such threats are generally increasing.[4] Besides China, North Korea, and Russia, other states are backing various advanced persistent threats (APTs) to conduct cyberoperations.

Across the subregion, governments, private-sector firms, and other organizations have been targeted by sophisticated cyber campaigns to compromise computer systems and networks. Such APTs generally manifest through stealth attacks against critical targets in various countries. Vietnam, Indonesia, and India, for example, have suffered cyberattacks targeting government agencies, military establishments, financial institutions, and critical infrastructure.[5] In 2023 the Asia-Pacific region experienced the highest surge in cyberattacks with an average of 1,835 per organization, above the global average of 1,250.[6] Southeast Asia is experiencing a notable cybercrime epidemic, with malicious actors operating from there stealing approximately $64 billion worldwide. Cybercrime has increased by 82% in Southeast Asia, and a recent report revealed that the region experienced 68 documented attacks out of 86 global APT campaigns in 2024.[7]

Prevailing cyberthreats are seldom restricted to state actors and boundaries, however. Some governments support cyberoperations through nonstate actors and “hacktivist” proxies. Online information operations to roil domestic politics during election campaigns are rising, for example. During Taiwan’s 2024 presidential election, China allegedly conducted a “broad range of information operations” to attempt to tilt the outcome in Beijing’s favor.[8] Disinformation pervaded the 2022 Philippine national election, with Marcos and Duterte deploying different narratives to gain an advantage.[9] A potential hot war in Asia would likely have the features of a hybrid war, consisting of physical combat, information warfare, and cyberwarfare, compelling countries to draft cybersecurity strategies. The regional cyber landscape is fractious.

Most Asian countries are facing the need to renew and revamp their cyber architectures through concerted domestic action and international cooperation. Governments and firms can connect and integrate digitally to the extent they trust the network security of their partners. The Indo-Pacific is home to over half of the world’s internet users, who are largely young and mobile; over 90% of these users access the internet through their phones.[10] This teeming digital landscape is home to sectors and firms experiencing rapid growth.[11] Digital service exports of Asia-Pacific economies constituted nearly $958 billion in 2022.[12] The brisk growth in digital trade, digital capital flows, and related cyber linkages across Asia render cybersecurity an essential task that government and nongovernmental actors must collectively pursue. The response must be comprehensive, involving domestic and international stakeholders to grasp and mitigate such threats. Achieving cyber resilience, however, requires a comprehensive approach that includes enhancing governance, risk management, data protection rules, and regional and international coordination, as well as constantly upgrading digital infrastructure.[13] Cyber resilience is how countries resist, recover from, and adapt their digital infrastructure as a result of cyberthreats.

Developing Cyber Resilience in the Indo-Pacific

What is the state of cyber resilience in the Indo-Pacific? This question is pivotal to gauge how Asian countries can withstand cyber risks and vulnerabilities, recover rapidly, and adapt to better defend their digital infrastructure. Yet we lack an effective understanding and assessment of how specific Asian countries are dealing with cyberthreats domestically—i.e., instituting the necessary institutional changes to bolster their cyber capacities and capabilities. There is discernable variation in how countries deal with cybersecurity risks, with gaps between states on capacity and preparedness. We need to analyze cyber architectures across specific Indo-Pacific countries to ascertain how they fare concerning resilience, what specific aspects—resistance, recovery, or adaptation—they should focus on, and how they move toward that objective.

This roundtable shows that cyber resilience in the Indo-Pacific is checkered, characterized by progressive moves in regional countries to protect their cyberspace despite differences in how they manage and mitigate cyberthreats. These differences are a product of states’ strategic circumstances that compel domestic changes to bolster cybersecurity. External pressures alone, however, are insufficient for this task; such pressures to improve cybersecurity must be backed and leveraged politically from within a state. Looking at India, Indonesia, Japan, and South Korea, we can see that all four countries have invested in building capacious and responsive institutions to monitor cyber incidents and have instilled the need to remain consultative and collaborative with domestic and international counterparts. In other words, all four countries have acquired sufficient capability to resist cyberattacks. However, differences exist between the four countries in the other two pillars of resilience—recovery and adaptation. Japan and South Korea have made iterative changes to bolster their cybersecurity, largely driven by an imperative to deter growing cyberthreats, whereas India and Indonesia have yet to make that strategic choice, opting instead to manage and mitigate existing risks.

Japan and South Korea have crossed a threshold with robust cybersecurity strategies necessitated by a deteriorating regional security environment and interest in supporting a rules-based international order that remains congruent with the U.S.-led Indo-Pacific security logic. This inclination supports prioritizing recovery and adaptation to deter and mitigate cyberthreats. India and Indonesia have yet to reach this level largely due to different political and developmental logic driving cyber governance. Yet, this seemingly constrained state does not imply little regard to bolster cybersecurity. New Delhi and Jakarta are making domestic changes and forming strategic partnerships to address cyber vulnerabilities.

The essays in the roundtable, summarized in brief below, unpack how these four countries—India, Indonesia, Japan, and South Korea—fare on the three aspects of cyber resilience: resistance, recovery, and adaptation.

Arindrajit Basu argues that India has developed adequate institutional mechanisms to govern its cyberspace, beefing up its cyber incident response and recovery institutions and establishing partnerships on cyber activities with other countries. This institutional prioritization accompanies India’s “exposure to an increased number, range, and sophistication of cyberattacks.” Domestic coordination has increased between the government, private sector, and independent security analysts, raising awareness of cybersecurity issues. However, the lack of a coherent cybersecurity strategy impedes India’s ability to proactively deter cyberthreats and signal its intent as a credible and responsible cybersecurity stakeholder. Clarity will help the government achieve its cyber objectives as India’s digital economy becomes crucial to national security and prosperity. The stakes are high. India’s thriving digital trajectory in an insecure and polarized neighborhood depends on getting cybersecurity right.

Gatra Priyandita claims that Indonesia’s cybersecurity landscape will be tested as “cyber-enabled threats rise.” While Indonesia has acquired a sufficient capacity to resist cyber-enabled threats, it struggles to recover and adapt, leaving its cyberspace vulnerable to exploitation online. Jakarta lacks effective institutional mechanisms to govern Indonesian cyberspace, especially when recovering from cyberattacks. Indonesia’s challenges, however, could be remedied by allocating more resources to cyberdefense and situating cyber laws and rules in a robust institutional framework that supports cybersecurity. The absence of a national cybersecurity law creates a vacuum that leaves the country’s key cyber institution, the Badan Siber dan Sandi Negara (National Cyber and Crypto Agency), particularly vulnerable to political shifts and policy uncertainty that undermine effective cyber “governance, enforcement, and resource allocation.” That said, Jakarta is prioritizing international cooperation on cyber affairs, recognizing that the dynamic and transnational nature of risks encourage new forms of collaboration, capacity building, and diplomacy, particularly on issues such as cyber terrorism.

Dai Mochinaga argues that Japan has considerably upgraded its domestic cyber architecture and posture in recent years. The country’s trajectory from a largely defensive cyber actor to a constructive and proactive cyber stakeholder has been driven by domestic political pressure, national security considerations, demands to protect civilian infrastructure, and adaptable cyberthreats. Tokyo’s active cyberdefense approach in its 2022 National Security Strategy signifies a fundamental shift, bringing Japan closer to the U.S. cyberdefense approach. However, this shift in Japan’s cybersecurity architecture also arrives with “significant organizational and budgetary changes,” which raises thorny implementation quandaries, given the proliferation of actors involved in cyberdefense. These trade-offs must be overcome to ensure that Japan’s cyber posture remains fit for purpose as threats mount. As well, Japan must sustain progress to successfully defend itself against cyberthreats, with or without sufficient U.S. pressure. Tokyo must also balance this ostensibly assertive cyber posture with international norms and its desire to uphold the international rules-based order.

Finally, Dongyoun Cho argues that a robust cybersecurity approach enables South Korea to resist, recover, and adapt to imminent and evolving cyberthreats. A challenging cyber landscape—characterized by persistent attacks from China, North Korea, and Russia—has compelled South Korean officials to institute an ambitious and comprehensive cybersecurity strategy that emphasizes efficient incident response mechanisms and international cyber partnerships to bolster resilience. However, as Cho highlights, a critical issue lies in South Korea’s fragmented governance model, which is built on a patchwork of sector-specific laws that address information protection and cyberdefense across the government, civil, and military domains. While this approach allows for tailored regulations for specific sectors—such as public institutions, telecommunications, critical infrastructure, finance, military, high-tech industries, healthcare, and small and medium-sized enterprises—it lacks a unified and comprehensive foundational law. This gap hinders the creation of a cohesive national cybersecurity strategy and impedes cross-sectoral coordination. Cho cautions that progress cannot be taken for granted in an increasingly interconnected and vulnerable digital world, underscoring the urgency of addressing these governance challenges to achieve cyber resilience.

The four Indo-Pacific countries featured in this roundtable—India, Indonesia, Japan, and South Korea—are independently and jointly working to strengthen cybersecurity and cyber resilience. Institutional changes have occurred. Investments are largely increasing to improve cybersecurity. Laws and regulations governing cyberspace are being passed or considered. All four governments are working with international partners to bolster their cyber capacities. Resistance has improved across the four countries, but differences remain in their capabilities for recovery and adaptation, constrained by domestic political and strategic forces. The critical factor that significantly and decisively shapes the pivot toward greater cyber resilience is embedding the recovery and adaptation dimensions into a strategic paradigm that optimizes defensive measures with sufficient offensive capabilities in an increasingly hostile cyber landscape.

This decision, however, is not shaped by cybersecurity pressures alone but also by underlying strategic motivations. Japan’s and South Korea’s push to transform their cyber strategies and align them with the U.S. regional deterrence strategy enables Seoul and Tokyo to manage and deter cyber risks. That said, they must also ensure that adequate institutional space exists to pivot their strategies as emergent threats surface. Given diplomatic traditions that prize autonomy and space, India and Indonesia will likely resist announcing their cybersecurity strategies. While New Delhi and Jakarta have made incremental and profound changes to their cybersecurity postures, constraints that manifest through institutional gaps, resources, and strategy could limit their capabilities to mitigate and recover from extant threats. Yet their amenable attitude toward strategic cyber partnerships could help address gaps in threat perceptions, acquire information on cyberattacks and hostile actors, and neutralize them.

This roundtable suggests that the regional cybersecurity context appears fluid with intense security competition intersecting with digitalization. The digital space, in effect, becomes an arena, tool, and weapon through which countries jostle for greater influence and balance in the Indo-Pacific. However, there is no silver bullet for these and other Asian countries to manage and mitigate cyberthreats. Digitalization will only accelerate. Emerging technologies such as artificial intelligence and quantum computing could both help address and further complicate cybersecurity.

While defending against cyberthreats, states must prioritize resistance and recovery and double down on adaptation or measures to protect digital infrastructures over the long term. This can happen through domestic coordination and international cyber cooperation, helping countries fill gaps and information asymmetries when cyber disruptions occur. The four countries featured in this roundtable have extensive and proliferating international cyber partnerships. It will be important to sustain these over time.

Karthik Nachiappan is a Fellow in the Institute of South Asian Studies at the National University of Singapore (Singapore) and a Nonresident Senior Fellow at the Asia Pacific Foundation of Canada. His research focuses on India’s geoeconomics, such as how trade, technology, and climate change issues affect Indian foreign policy and what impact these policies have on Indo-Pacific security. He is the author of Does India Negotiate? (2020).

Arindrajit Basu is a PhD Candidate at Leiden University (the Netherlands).

Gatra Priyandita is a Senior Analyst in the Cyber, Technology, and Security Program at the Australian Strategic Policy Institute (Australia). His primary research areas are cyber diplomacy and the military applications of emerging technology.

Dai Mochinaga is an Associate Professor at the Department of Systems Engineering and Science at Shibaura Institute of Technology (Japan). Prior to this, he was a researcher at Mitsubishi Research Institute and an analyst at the Japan Computer Emergency Response Team (JPCERT) Coordination Center. His analysis focuses on global cybersecurity, technology policy, and regulatory issues.

Dongyoun Cho is an Assistant Professor in the Department of Military Studies at Seokyeong University in Seoul (Republic of Korea).

Endnotes

[1] “Cybersecurity in Asia Pacific: Rising Threats and GenAI Adoption,” PWC, Global Digital Trust Insights, May 29, 2024, https://www.pwc.com/gx/en/issues/cybersecurity/global-digital-trustinsights/asia-pacific.html.

[2] Rieko Miki, “Quad Countries to Bolster Cyber Defense with Information-Sharing,” Nikkei Asia, April 25, 2023.

[3] Cybersecurity broadly refers to what countries, firms, and organizations do to protect their networks, systems, infrastructure, and data from attacks and unauthorized access. Dan Craigen, Nadia Diakun-Thibault, and Randy Purse, “Defining Cybersecurity,” Technology Innovation Management Review 4, no. 10 (2014): 13–21.

[4] International Telecommunication Union Development Sector, Global Cybersecurity Index 2020 (Geneva: International Telecommunication Union, 2021), https://www.itu.int/epublications/publication/D-STR-GCI.01-2021-HTM-E.

[5] Vivek Gullapalli, “Why Is the Asia Pacific Region a Target for Cybercrime—and What Can Be Done About It?” World Economic Forum, June 12, 2023, https://www.weforum.org/agenda/2023/06/asia-pacific-region-the-new-ground-zero-cybercrime.

[6] “Global Cyberattacks Continue to Rise with Africa and APAC Suffering Most,” Check Point Research, April 27, 2024, https://blog.checkpoint.com/research/global-cyberattacks-continue-to-rise.

[7] USIP Senior Study Group, “Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security,” United States Institute of Peace, May 2024, 13.

[8] Russell Hsiao, “A Preliminary Assessment of CCP Political Warfare in Taiwan’s 2024 Elections,” Global Taiwan Institute, Global Taiwan Brief 9, no. 1, January 10, 2024, https://globaltaiwan.org/
issues/vol-9-issue-1.

[9] Aries A. Arugay and Maria Elize H. Mendoza, “Digital Autocratisation and Electoral Disinformation in the Philippines,” ISEAS Perspective, no. 53 (2024), https://www.iseas.edu.sg/wp-content/uploads/2024/06/ISEAS_Perspective_2024_53.pdf.

[10] Trisha Ray et al., “The Digital Indo-Pacific: Regional Connectivity and Resilience,” Observer Research Foundation, February 15, 2021, https://www.orfonline.org/research/the-digital-indo-pacific-regional-connectivity-and-resilience.

[11] Digital growth is accelerating across the region. According to a study by the Boston Consulting Group, ASEAN’s digital economy could be $1 trillion by 2030 if current trends persist, and a recent McKinsey report claims that by 2025 India’s digital economy could be worth $350–$440 billion. See “Study on the Asean Digital Economy Framework Agreement,” Boston Consulting Group, October 21, 2023, 3, https://asean.org/wp-content/uploads/2023/10/ASEAN-Digital-Economy-Framework-Agreement-Public-Summary_Final-published-version-1.pdf; and “Digital India:Technology to Transform a Connected Nation,” McKinsey Global Institute, 2019, 1.

[12] Economic and Social Commission for Asia and the Pacific, UN Conference on Trade and Development, and UN Industrial Development Organization, Asia-Pacific Trade and Investment Report 2023/24: Unleashing Digital Trade and Investment for Sustainable Development (Geneva: United Nations, 2023), https://www.unescap.org/kp/APTIR2023.

[13] If cybersecurity is largely understood as the defense and protection of digital networks from cyberthreats and disruptions, it is generally accompanied by cyber resilience that has a wider systemic focus and covers institutions, measures, and protocols that countries institute to resist cyberattacks. Cyber resilience requires a strong focus on leadership, people, and process to make necessary adjustments in a fluid internet domain complicated with threats. Misael Sousa de Araujo, Bruna Aparecida Souza Machado, and Francisco Uchoa Passos, “Resilience in the Context of Cyber Security: A Review of the Fundamental Concepts and Relevance,” in “Progress and Research in Cybersecurity and Data Privacy,” ed. Chuanyi Liu et al., special issue, Applied Sciences 14, no. 5 (2024): 2116. See also Matthias Bossardt, “Cyber Resilience: Creating Competitive Advantages and Promoting Trust,” KPMG, 2020, https://assets.kpmg.com/content/dam/kpmgsites/ch/pdf/blcnews-cyber-resilience.pdf.coredownload.inline.pdf.