Global Cyberspace Peace Regime

Challenges faced by small states in imposing consequences for malicious cyber activities

November 28, 2023

Two of the most notable cyberattacks on Southeast Asian states occurred in different countries but share one commonality: neither country has attributed the identity of the cyberattacker.

Singapore and Vietnam are not the only Southeast Asian countries that have been cyberattacked but have not made attributions. There may be reasons why these small states have not attributed the attacks to anyone. Attribution can be difficult to achieve for technical reasons, and small states may lack the resources to investigate. Small states may also choose not to name the attackers for national security reasons, or to avoid escalating tensions with other countries. In contrast, United States policy has been to publicly attribute cyber operations to foreign state actors, by formal statements, indictments, and sanctions.

► International cooperation between states may be more useful to small states in imposing consequences for malicious cyber activities, such as retorsion or coercive countermeasures.

Despite all the challenges, it was noted at the Global Cyber Peace Regime conference in Seoul in 2023 that there is a growing recognition of the need for international cooperation in the attribution of cyberattacks. An independent international body for attribution of cyberattacks could help to address these challenges by providing a neutral forum for the investigation and attribution of cyberattacks and imposing consequences for malicious cyber activity.

 

 

Two of the most notable cyberattacks on Southeast Asian states occurred in different countries but share one commonality: neither country has attributed the identity of the cyberattacker.

 

In July 2016, Vietnam’s two major airports, Noi Bai in Hanoi and Tan Son Nhat in Ho Chi Minh City, were targeted by a cyberattack that caused the airports’ websites and departure boards to display incorrect information and political messages. The Vietnamese government has not publicly attributed this attack to any specific group or individual, and has even urged its local cyber community not to take “provocative actions” against foreign entities.

 

In July 2018, attackers breached the networks of SingHealth, Singapore’s largest healthcare institution group, and stole the personal data of 1.5 million patients, including Prime Minister Lee Hsien Loong. The Cyber Security Agency of Singapore (CSA) determined that the attacker was an Advanced Persistent Threat (APT) group. However, the Singaporean government has not publicly attributed the attack to any specific state, group, or individual. Instead, the government said that “appropriate action” had been taken.

 

Singapore and Vietnam are not the only Southeast Asian countries that have been cyberattacked but have not made attributions. Kaspersky found a wide-scale APT campaign against users in Myanmar and the Philippines. DAS-Security (a security firm based in Zhejiang, China) reported that an APT had targeted the Philippines military and Cambodia’s Ministry of Economy and Finance. Group-IB (a security firm based in Singapore) identified an APT targeting the military in the Philippines and Malaysia, as well as government organisations in Cambodia and Indonesia.

 

There may be reasons why these small states have not attributed the attacks to anyone. Attribution can be difficult to achieve for technical reasons, and small states may lack the resources to investigate. Small states may also choose not to name the attackers for national security reasons, or to avoid escalating tensions with other countries. Experts suggest that a victim state may instead first signal that it has the capability to discover and resolve cyberattacks, so that the attacker backs off. The victim state can still escalate and name the attacker if the attacks persist.

 

In contrast, United States policy has been to publicly attribute cyber operations to foreign state actors, by formal statements, indictments, and sanctions. For example, in July 2021, it attributed “malicious cyber activity and irresponsible state behaviour” to the People’s Republic of China. US officials usually cite “deterrence, cost-imposition, and accountability” as reasons. In some cases, the intention is to “name and shame” the attacker, to embarrass it or expose it to international criticism, so that it will stop the actions. Some experts believe that these tactics influenced China to enter a bilateral agreement with the US in 2015 to not conduct commercial cyber espionage.

 

The public attribution of cyberattacks can also serve other functions: It can signal to the adversary that the victim country is aware of the attack, clarify how international law applies to cyberspace, build customary international law through state practice, and help establish a normative framework for responsible state behaviour.

 

There are several criticisms of “name and shame” actions. The accused country may retaliate, which can further escalate the situation and lead to a breakdown in international relations. This is exacerbated by the difficulty of producing conclusive evidence to identify the attacker. Attributing a cyberattack to a major power can also lead to economic sanctions and other trade restrictions.

 

These risks are much greater for small states than for major powers such as the United States. As a thought experiment, what could a small state like Singapore do if it determined that a state-sponsored actor from one of the major powers – the United States, Russia, or China – was responsible for a cyberattack?

 

To alleviate some of these concerns, some suggest the private sector can help in attribution. Private sector companies have advanced technical capabilities to attribute malicious cyber activity to nation-states or state-sponsored actors. They can also share information about the tactics, techniques, and procedures (TTPs) used, and indicators of compromise (IOCs) that identify the source of the attack, whereas governments may not be able to do so for national security reasons. However, there are risks that private sector attribution, if not coordinated, may interfere with national foreign policy, or compromise military or law enforcement operations.

 

Even when private sector companies can make a technical attribution tracing the attacker, public attribution is still a political decision, and governments may have their own reasons to distance themselves. For example, Symantec reported that it had identified the group responsible for the SingHealth breach as a state-sponsored group which has been stealing sensitive information from Singapore organisations since 2017. In response to the report, the Cyber Security Agency of Singapore (CSA) said that “cyber security companies regularly produce such reports based on their own intel and research for their various stakeholders” and since it was “an independent investigation report by a commercial entity, the CSA has no comment on its contents”.

 

International cooperation between states may be more useful to small states in imposing consequences for malicious cyber activities, such as retorsion or coercive countermeasures. Experts suggest voluntary collective action by like-minded states can impose accountability, starting with diplomatic action by collective engagement.

 

Even so, small states may still hesitate to take voluntary collective action. They may fear that sharing information on cyberattacks could compromise their national security or reveal sensitive information. They may also be reluctant to risk trade or diplomatic relations with attackers who are also major trading partners.

 

For such states, it may be better to refer cases to an independent international body for attribution. Microsoft and RAND Corporation have called for an international body of technical experts, from governments and the private sector, which can provide peer-reviewed technical attribution for major cyberattacks. The Council on Foreign Relations further proposes an “independent, international cyber court or arbitrage method” for state level cyber conflicts which would be “recognized and respected by all parties”. The latter requirement poses significant challenges, as accused countries may still claim that the attributions are politically motivated and try to discredit the body.

 

Nonetheless, an independent international body could be more palatable to small states, especially if the body can impose consequences on a global scale, such as diplomatic action or sanctions. On one hand, voluntary collective action still requires small states to be involved, analogous to a neighbourhood group challenging a criminal gang that is threatening their neighbourhood, bearing the risk that the gang may retaliate against them. On the other hand, small states could hand over investigations to an independent international body that could impose consequences, analogous to citizens reporting a case to the police, who can investigate and arrest a gang threatening their neighbourhood. This analogy is of course limited and needs further refinement, so suggestions are most welcome.

 

Despite all the challenges, it was noted at the Global Cyber Peace Regime conference in Seoul in 2023 that there is a growing recognition of the need for international cooperation in the attribution of cyberattacks. An independent international body for attribution of cyberattacks could help to address these challenges by providing a neutral forum for the investigation and attribution of cyberattacks and imposing consequences for malicious cyber activity. Such a body could also help to build trust between countries and promote international cooperation in building a rules-based order in cyberspace.

 

 

Author(s)

Benjamin Ang is Senior Fellow and Head of the Centre of Excellence for National Security (CENS), and Future Issues in Technology (FIT), as well as Head of Digital Impact Research (DIR) at RSIS. He leads the CENS policy research team that writes, publishes, and lectures internationally on national security issues related to cyber, international cyber norms, disinformation, cybercrime, foreign interference, hybrid threats, digital security, social cohesion, polarization, and social resilience. At FIT, he leads the team exploring policy issues in artificial intelligence, space, quantum technology, smart cities, biotechnology, and other emerging technologies. Through DIR, he networks with the wide array of RSIS experts who study the impact of digital technology on their respective security domains. He has spoken at the United Nations Open Ended Working Group on Cyber, testified before Singapore's Parliamentary Select Committee on Deliberate Online Falsehoods, and regularly lectures at the UN-Singapore Cyber Fellowship.