The cyberwar between Thailand and Cambodia highlights the challenges faced by ASEAN in bridging the loopholes in international law to curb the abuse of cyberspace by state and non-state actors.
In late July, Thailand and Cambodia 爆发了激烈的边境冲突,两国的黑客组织也互相发动网络攻击。
From May 28 to June 10, the Cambodian hacker group AnonSecKh (also known as ANON-KH or Bl4ckCyb3r) claimed to have launched 73 politically motivated distributed denial-of-service (DDoS) attacks against Thai government agencies, military institutions, and key private enterprises. Among them, about 30% were targeted at government websites, 26% at military infrastructure, and the rest at key private enterprises.
At the same time, the Thai hacker group BlackEye-Thai is said to have attacked almost all online systems of the Cambodian government since mid-July. Another group, KH Night Mare, recently leaked about 800 gigabytes of data related to Cambodian government officials and claimed to have fully hacked the Cambodian government's highest-secret servers.
These non-state actors use the anonymity of cyberspace to launch attacks that are in line with national interests, leaving a layer of plausible deniability for their backers. This strategy blurs the line between state and non-state responsibilities, complicating the process of holding those responsible and the perpetrators accountable.
However, despite the inability to hold the perpetrators accountable, this has not stopped the two sides from accusing each other. Cambodia recently accused Thai hackers of attacking their government websites, while Thailand accused Cambodia of using North Korean cyber resources for its actions. It is reported that Thailand has set up a 24-hour "cyber war room" to collaborate with the military and cyber security agencies to monitor and mitigate cyber attacks related to the border conflict, and at the same time counter the false information allegedly originating from Cambodia.
Although such cyber operations in inter-state conflicts are not new, for example, cyber attacks are frequent in the ongoing Russia-Ukraine conflict, cyber attacks between Southeast Asian countries are very rare. The cyber attacks between Thailand and Cambodia not only complicate the diplomatic efforts to ease the current tense situation but also expose a disturbing reality: in other parts of Southeast Asia, if countries are vulnerable and resource-scarce, cross-border hostility may develop into cyber-related "gray zone" operations, which are close to all-out cyber wars.
Cyber attacks against government websites, financial systems, especially critical infrastructure, can have destructive consequences for the public. If the enemy's cyber attacks are combined with malicious information warfare, it will further undermine the public's trust in the government. Given these impacts, it is crucial to hold the attackers accountable.
However, the existing international legal framework is insufficient to regulate the cyber behavior of state and non-state actors in international disputes. Although it is generally believed that the principles of the Charter of the United Nations, international humanitarian law, and human rights treaties apply to cyber operations, key definitional issues, such as what constitutes "the use of force" in cyber behavior or what situations can be regarded as an "armed attack," remain unresolved and are highly controversial in international legal discussions.
In addition, for the existing international law to apply to cyber warfare, the premise is that state responsibility can be clearly attributed; but for cyber operations carried out through agents or hacker groups, this state-centered legal framework will fail. Even principles like due diligence - that states have the responsibility to prevent harmful cyber activities within their territory - are difficult to be effective unless there are bilateral intelligence-sharing and technical cooperation arrangements that allow a state to alert another state when it is under a cyber invasion originating from that state. However, such mechanisms are often weakened when conflicts break out between two countries.
Efforts such as the Tallinn Manual, which aims to explain how existing international law applies to cyber operations, are not binding. Regional arrangements such as the "ASEAN List of Cyber Norms for Responsible State Behavior" are also of little use due to the lack of binding force and verification mechanisms. This list also lacks discussions on cyber behavior when disputes or tensions occur between ASEAN member states, creating a vacuum in relevant laws and norms. The lack of dispute settlement mechanisms or technical confidence-building measures in the ASEAN region exacerbates this vulnerability.
Looking to the future, ASEAN has both opportunities and limitations in implementing forward-looking cyber initiatives. Through sectoral institutions such as the ASEAN Cybersecurity Cooperation Strategy and the ASEAN Ministerial Meeting on Cybersecurity, ASEAN can integrate some of the principles of the Tallinn Manual into regional codes of conduct that are in line with the geopolitics and actual situation in Southeast Asia. However, due to the principle of non-interference and the uneven cyber capabilities of member states, ASEAN's ability to transform the legal framework into an enforceable mechanism is still limited.
Nevertheless, ASEAN should take practical measures to gradually narrow the gap between the ideal legal norms and actual actions. One way is to maximize the role of the ASEAN Regional Computer Emergency Response Team (ASEAN Regional CERT). This team was established and operated in Singapore last year and aims to serve as a regional hub for cyber security cooperation, strengthening coordination and information sharing among member states, while enhancing capacity building, promoting partnerships, and improving the collective ability to resist cyber threats.
However, these measures do not clearly address the situation of state or non-state cyber attacks between member states. To make up for this deficiency, the ASEAN Regional CERT can be used to develop voluntary, transparent, and confidence-building measures tailored to the ASEAN geopolitical environment. For example, carrying out coordinated public responsibility attribution statements or information-sharing agreements can help establish a responsible behavior pattern. Even in the absence of a binding law enforcement mechanism, such initiatives can gradually cultivate a culture of accountability and reduce the strategic ambiguity that can be exploited by state-supported cyber attackers. These initiatives can not only improve the situational awareness ability but also lay the foundation for coordinated responses to cyber incidents, even if it is difficult to prove whether a state is responsible.
The success of ASEAN may not lie in 照搬西方的法律框架,but in formulating a unique hybrid approach to managing regional cyber conflicts. As the Thai-Cambodian case shows, when the law is ambiguous, non-state actors can weaponize cyberspace, causing immeasurable social and economic losses long after the war has ended.
|
300x180 AD