APEC’s forthcoming cybersecurity framework continues to take shape following the recent 52nd Telecommunications and Information Working Group meeting in Auckland, New Zealand, where another round of deliberations has brought forth a draft terms of reference that is currently under review by APEC economies.
Led by the Security and Prosperity Steering Group (SPSG), the proposal has matured conceptually since it was first brought forward at the 51st TEL meeting in May this year. Earlier discussions were kept broad and amorphous, but by TEL 52 member economies were much keener to move away from defining ‘cybersecurity’ and towards what can and should be achieved through the framework. Notably, participants agreed that it should accord with APEC’s objectives: facilitating cross-border trade, investment and economic growth.
There is some lingering skepticism on the necessity of a regional framework for cybersecurity, but on the whole, stakeholders at the session saw a role for APEC in promoting dialogue and coordination, addressing policy gaps, and in potentially providing a set of voluntary standards that can perhaps become building blocks for carrying out better cybersecurity mechanisms.
The current draft TOR reflects these sentiments. It seeks to develop a common language for cybersecurity measures, first by collecting existing practices in APEC economies, and then by putting the best ones into a repository for others to refer to. A similar approach is taken by the US National Institute of Standards and Technology (NIST) framework—an early resource for the SPSG. The draft also draws from the shared features of several domestic cybersecurity policies presented at the session—by the US, Malaysia, Chinese Taipei, the Philippines and New Zealand: it puts critical infrastructure protection as its first priority, along with partnerships with different sectors, information-sharing, and capacity building.
A decade ago, APEC came up with the Strategy for a Trusted, Secure and Sustainable Online Environment (TSSOE), which fundamentally treats cybersecurity as a means to encourage more people to access and use the Internet. The document, while still deemed highly relevant today, has thus far been underutilised, and is perceived to have had little influence on domestic cybersecurity agendas. The proposed framework does not abandon the TSSOE but builds upon its principles and focus areas: national strategy development, mutual assistance, and international collaboration, particularly in raising awareness among end-users, incident response and recovery, and research on security measures for new technologies.
The SPSG aims to have the APEC Cybersecurity Framework ready for approval by the 53rd TEL meeting in Peru next year. The bulk of the work will be done intersessionally, with member economies mapping out key aspects of their domestic frameworks onto the agreed reference structure, as well as contributing new work areas for consideration. Thus far, the working group is off to a good start. Underpinning its momentum is a recognition that forward-looking international policies, such as the OECD’s newly revised guidelines, are starting to take a risk-based approach to security amidst a constantly evolving threat landscape, moving away from building walls towards fostering confidence in an open and interconnected environment.