Singapore International Cyber Week (SICW) is many things to many people. Part tech conference, part diplomatic convening, it is also a space for technical drills and games, and a venue where thousands of experts, practitioners, policymakers, and vendors from around the world meet under one roof for three days of presentations, plenaries, exhibits, and technical exercises. The multi-track event has long been a fixture on the cybersecurity calendar, not least given Singaporeās important role as the regionās cybersecurity hub.
Against the buzzy backdrop of SICW, the Stimson Center co-convened a roundtable on October 22: āCyber Accountability in Asia: Navigating Norms and Legal Frameworks,ā with Global Affairs Canada, the Centre for International Law at the National University of Singapore (CIL-NUS), and the Centre of Excellence for National Security (CENS), S. Rajaratnam School of International Studies (RSIS).
The event was an opportunity to generate further consideration about accountability in the cyber domain by presenting draft recommendations from a forthcoming report about how Asia-Pacific countries view the topic of cyber accountability, building on discussion started at a regional workshop held in Bangkok last April. More than 40 participants from over 10 countries and diverse stakeholder organizers attended the event.
Cyber Program Director Allison Pytlak introduced Stimsonās ongoing cyber accountability work and reinforced the programās approach as inclusive of accountability in its positive and negative forms. The accountability baseline for much of Stimsonās work is often predicated on global frameworks such as the UN Framework for Responsible State Behavior, comprised of existing international law, 11 behavioral norms, confidence-building measures (CBMs), and capacity-building, the latter of which has been emphasized consistently as foundational for accountability.
Report author Mark B. Manantan presented his work on the report so far, describing the state of cyber accountability in Asia as āpatchy but trending upwards.ā Asia Pacific is digitalizing rapidly but unevenly across its diverse economies and geographies. The confluence of deepening US-China strategic competition, regional flashpoints like the South China Sea, the Myanmar crisis, and rapid digital transformation makes ASEAN Member States more vulnerable to geopolitically motivated cyberattacks, and wide-spread ransomware, cybercrime, and online scams. Yet at the same time, there are many positive developments and tools to draw on, including more countries developing national interpretations of international law in the context of cyberspace; the establishment of the ASEAN Computer Emergency Response Team (CERT); and the 2024 ASEAN Voluntary Norms Checklist to support implementation of the 11 UN cyber norms.
Respondents Danielle Yeow (CIL-NUS) and Dr. Benjamin Ang (RSIS) offered reactions to the draft findings and their own views on accountability. Ang neatly outlined the relationship between positive and negative accountability by observing that the actions of positive accountability can prevent the need for negative accountability actions. Yeow spoke of Singaporeās recent attribution of cyber threat actor UNC3886, a first for the country, as an example of an action that āsignals seriousness while preserving ambiguity.ā She further raised questions about how accountability interacts with other concepts or principles such as due diligence or duty of prevention and queried if context and culture lead to differences in substantive and practical approaches to accountability.
In his closing remarks, Frederic Margotton of Global Affairs Canada underlined that accountability in cyberspace is not only about consequences but about shared responsibility ā building trust, transparency, and resilience across digital ecosystems.
Highlights From the Discussion
- Ambassador Taewoo E. Lee, Cyber Ambassador for the Republic of Korea, shared about the recent publication of Koreaās national statement interpreting how international law applies to Koreaās conduct in cyberspace and further reflected on the importance of accountability.
- Gp. Capt. Tawatchai Makpanich, Director of CPSB Thailand, spoke about his countryās recently released statement on international law and announced Thailandās intention to sign the UN Cybercrime Convention at its opening for signature ceremony, which took place in Hanoi on October 25-26.
- There was some discussion about the potential value of a common statement from ASEAN member states on the applicability of international law, and that such statements āmake a first stepā by offering transparency and predictability for state cyber behavior.
- Attribution of responsibility for a cyberattack was a prominent aspect of the discussion. Some participants stressed attribution can take many actions and formats, and that public ānaming and shamingā statements need not be viewed as the only or preferred format. Others noted attribution is valuable to signal what is unacceptable cyber behavior and to demonstrate action to constituents or citizens.Ā Countries that do issue public attribution statements often do so collectively rather than unilaterally, or in combination with other tools and levers for accountability.
- Some participants referenced the role that common evidentiary standards could play in strengthening attribution practice and mitigating concerns about politicization.
- There are different ways of approaching accountability, depending on the threat actors. Recent trends point to a higher level of malicious cyber activity coming from criminal actors rather than nation-states ā but states, especially those providing āsafe havens,ā have a role in bringing accountability for such criminal or other non-state actors. More research, and political effort, for non-state actor cyber accountability is needed.
- It was noted that having a wider cyber accountability toolkit will necessitate having the capacity to use those tools effectively, and in ways that can actually change behavior. It was also noted that presently there are many cyber capacity-building initiatives occurring in the region, potentially with overlap and redundancy.
- Regional organizations can often better account for different levels of cyber maturity and be more agile in responding to threats or advancing accountability than global ones; for example, many regional organizations have preexisting points of contact networks and CBMs.
What Next?
The Stimson Center will publish its report about regional perspectives on cyber accountability in early 2026. The report will be grounded in existing national and regional policy and practice across four dimensions of accountability (Law, Norms, Attribution, and Capacity-Building) with a special focus on Cambodia, Lao, the Philippines, Thailand, and Vietnam.
