These advanced persistent threats (APTs) – stealthy, prolonged attacks launched typically for political rather than financial motivations – have been well documented by cybersecurity companies.
The threat actors are numerous. Sometimes they overlap and piggyback on each other’s malware infrastructure. At other times, they engage in payback. They are well resourced, organised and agile at collecting information to influence decisions.
The threat group behind APT 30, for example, showed remarkable longevity in reusing and refining its tools over 10 years, suggesting either a high degree of adaptability, a lack of the same on the part of their targets, or a combination of both.
APT 30 proved especially active around major Asean events such as the 18th Asean Summit in Jakarta in May 2011, the meeting of senior officials from Asean and China on the implementation of the Declaration of the Conduct of Parties in the South China Sea in June 2012, the Asean-India Commemorative Summit in December 2012, and the 22nd Asean Summit in April 2013.
It is impossible to directly ascribe developments in the South China Sea to these cyber campaigns. But it is also difficult to separate the two, given the geopolitical context and converging timelines.
05:22
Why the South China Sea dispute remains one of the region’s most pressing issues
Why the South China Sea dispute remains one of the region’s most pressing issues
For Asean governments that have long tiptoed around political and security contestations, attributing these APTs to any one actor would be a diplomatic minefield even though technical experts have traced the tactics, techniques and procedures of these major APTs to specific perpetrators in the region.
In particular, technology’s growing role in conflict necessitates a rethinking not only of the conventional domains of the battlefield but also its actors, means and methods.
Hackers help Philippines’ understaffed cyberdefence team fight China threat
Hackers help Philippines’ understaffed cyberdefence team fight China threat
The grey-zone confrontations at sea skirting the use of force or armed attack threshold under international law have their equally problematic analogues in cyberspace. If APTs are little more than espionage campaigns and espionage has generally either been ignored or exempted in international law, then states may have a different suite of options to punish the perpetrators than they would under international law.
For now, the UN’s 11 norms of responsible state behaviour in cyberspace serve as a compass for conduct in peacetime. They include cooperating to increase security in cyberspace, protecting critical infrastructure, and refraining from harming or commandeering computer emergency response teams. At a minimum, the code of conduct should include a commitment to these 11 norms in the context of the South China Sea.
However, if Asean states are serious about upholding the principles of international law, then government lawyers, together with other crucial stakeholders, will have to deliberate precisely how international law provisions might apply to cyberspace, including the prevailing incidence of APTs.
Asean states may not necessarily have to publish legal position papers but they should at least begin to clarify their own national thinking on these issues. Cyber operations affecting the South China Sea landscape are a reality that can no longer be dismissed.
Elina Noor is a senior fellow in the Asia Programme at Carnegie Endowment for International Peace
