Countries struggle to find the ideal balance between their protection and their freedom of expression
For the latest Cambodian Business news, visit Khmer Times Business
While Cambodia has made impressive gains on its neighbours in many respects over the last decade, the digital arena is one in which other countries have ploughed ahead, leaving Phnom Penh deliberating over how best to catch up, say observers.
They argue there’s no sense in rushing legal proceedings solely for the sake of political bragging rights, especially in relation to regulations as complex as the Cybercrime Law, which currently exists in a draft form. However, the bill shows no sign of developing further anytime soon and the Ministry of Interior’s Anti-Cybercrime Department director Chea Pov declined to comment on progress made.
Those responsible must take into account the lessons being learned in Vietnam, Thailand, Malaysia and Singapore, where new cyber laws have recently come into effect. Their successes and failures present a legislative labyrinth for Cambodia to navigate, but the growing threat of cybercrime within the region highlights the urgency.
Cybersecurity experts Kaspersky published findings that suggest local threats, such as malware that is spread through infected devices, are in fact declining in Cambodia, with 21,962,421 attacks detected in 2018, down from 26,329,551 in 2017. Despite last year’s significant drop in volume of local threats, 68.2 percent of the Kingdom’s users were still attacked, compared with 70.3 percent in 2017.
However, the threat of cybercrime is constantly mutating to meet the growing sophistication of anti-virus software and digital literacy. The Kaspersky report goes on to detail that 1,754,138 web-based threats were detected in the Kingdom in 2017. Last year that figure increased by more than 161 percent, with 4,590,076 attacks detected and 30.5 percent of users affected.
A representative for Kaspersky explains that there are no means of determining either the costs or the targets of these attacks, but notes that regionally Cambodia is less dramatically affected. In Vietnam, for instance, Kaspersky detected 110,004,727 web threats last year alone, whereas 30,203,943 were detected in Thailand in the same year.
Clearly, the threat to Cambodians is growing, as Kaspersky’s Security Researcher Suguru Ishimaru suggests, “The increase in online threats between 2017 and 2018 can be concluded as a global trend, where potential factors can range from rising incidents of mobile threats, banking trojans, coin miners, adware, and riskware.”
These pose significant threats to individuals and to businesses. While banking trojans will seek to gain unfettered access to confidential information through online banking platforms, coin miner viruses will infect a computer or device and use it to generate cryptocurrency for hackers – a practice that could put the owner of the infected device at risk legally. Adware is often harder to detect. It essentially gathers personal data from a user and redirects him or her to marketing websites that then create personalised adverts based on the person’s data. Riskware is the term given to any legitimate programme that could be exploited by a hacker to copy, edit or delete data, as well as allow other disruptive behaviour.
Threat is real
According to Singapore-based cybersecurity company Group-IB’s Vice-President of International Business Nicholas Palmer, “Southeast Asia is one of the most actively attacked regions in the world.
“ In just one year, 21 state-sponsored groups, which is more than in the United States and Europe combined, were detected in this area.
“Therefore, looking at some incidents that have taken place, I believe it is an opportune moment for governments to look at ways to provide a template or guideline for businesses to not only better protect citizens’ data but also better defend the networks against attacks from advanced persistent threats, we are excited to see more governments such as Singapore bridging this gap.”
While Singapore’s most recent law on the matter, the Cybersecurity Act signed on February 5, 2018, came into effect on August 31 of the same year, it has been regarded as the golden standard in ASEAN legislative circles. It created a regulating body, the Commissioner of Cybersecurity, and provided a regulatory framework for reporting threats with a specific purpose of protecting private data in Critical Information Infrastructures (CIIs) in a bid to preserve 11 key sectors: energy, information communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, government and, lastly, media.
However, the need for the law was underlined in bold following a cyber attack on Singhealth, one of the nation’s largest healthcare groups. The medical details of more than 1,500,000 people – including Prime Minister Lee Hsien Loong – were stolen, with some critics calling for more stringent controls amid fears the new law will create more financial burdens for companies complying with it.
Currently, the island city-state requires CII owners to abide by the Cybersecurity Act (2018), the Personal Data Protection Act (2012), the Computer Misuse Act (2007) and sector-specific regulations.
Singapore-based cybersecurity expert, Ali Fazeli of Infinity Forensics, notes that until Singhealth was attacked, concern for the security of data was limited.
“I don’t think cybersecurity was taken seriously until recently,” he says. “Data breaches or cyber attacks can have a variety of costs for local companies – not always just financial damages.”
Fazeli goes on to say that the Singhealth breach highlighted the risks people had been taking, but still believes more needs to be done to raise awareness, provide training and protect businesses and people.
Diverse legislation
Singapore’s laws appear to have passed with limited controversy, but ASEAN member states are notoriously diverse across many measures and standards, so it perhaps should come as no surprise that other regional efforts have been less successful and more divisive.
Thailand, a country many feel is more comparable with Cambodia than Singapore, enacted its Cybersecurity Act in February 2019, but the motivations are – according to Josef Benedict of Civicus, an NGO strengthening civil society – more sinister. The law grants the state wide-reaching powers, including data or hardware seizure of anyone suspected of committing cybercrimes.
“No provision has been made for citizens to appeal [against] such seizures,” writes Benedict,
“The purported justification is to prevent government websites and databases from being hacked, but the reality is that this law infringes on people’s right to privacy.”
Where Singapore’s cybersecurity legislation seeks to regulate those responsible for the public’s private data, Thailand shifts the spotlight on to the individual and introduces what Benedict decries as vaguely worded laws that are too broad in scope and difficult to interpret.
He is not alone in his fears for Southeast Asia’s digital platforms.
A Vietnamese journalist familiar with the 2019 Law on Cybersecurity explains that new legislation wasn’t needed for Hanoi to silence critics, because it’s already proven its capacity for such authoritarianism.
Instead, he explains, the new law was introduced as a tool to coerce Facebook and Google into complying with the Vietnamese government’s determination to control content online.
This, he argues, makes it easier to tighten authorities’ grip on digital spaces of expression.
“China is always eager to export this censorship model overseas and, in Southeast Asia, it seems that Vietnam is the most eager to import the China censorship model,” he says,
“So this law seems to be a part of that and, actually, if you read the two versions of the two laws from the two countries, you won’t see much difference.”
China’s influence has been growing steadily in Cambodia over the past five years, but whether or not the Kingdom’s draft law will follow in the footsteps of Singapore or the more restrictive approaches of Thailand and Vietnam remains to be seen.
“In Southeast Asia he [Prime Minister Hun Sen] seems to be the leader that is most willing to go the Chinese way,” suggests the journalist who requested not to be named, “I mean, when it comes to the economic benefits from China, Hun Sen was more than happy to receive it and dismisses the pretext that he had been bought by China.”
Privacy, civil liberty fears
In a statement released online, Jeff Paine, managing director of Asia Internet Coalition (AIC) condemned the Vietnamese government’s decision, claiming the economic impact of such laws had not been thought through.
“The Asia Internet Coalition is deeply concerned by the draft implementation decree of Vietnam’s cybersecurity law because it raises serious privacy and civil liberty concerns for the people of Vietnam and stands to significantly damage the country’s economic growth prospects.”
The implementation of this new law “will have serious consequences for economic growth, investor confidence and opportunities for local businesses,” adds Paine, “Data is the backbone of the digital economy and drives Industry 4.0 ambitions.”
It is not yet known the level of consultation that Cambodian officials have had with the private sector, civil society or regional allies, but given the level of secrecy surrounding the new bill, critics argue it’s likely that the Kingdom will adopt similarly draconian measures as Vietnam and Thailand.
Following a media release highlighting heightened cooperation between Cambodia and Russia on the matter of cybercrime, Konstantin Dremov, press attache of the Russian Federation in Phnom Penh, states that the two nations cooperate actively, but “The Russian side provides assistance in preparing and educating Cambodian personnel in this sphere. At the same time, Russia does not participate in drawing up Cambodia’s cybercrime law.”
It is believed that, along with the US government, private sector giants such as Amazon, Facebook and Google have offered to review the law, but – as with all things related to Cambodia’s latest legislative effort – the details remain deliberately obfuscated.
