BSA Cloud Report


The following summaries give an overview of the cybersecurity landscape, based on the set of criteria outlined above, highlighting key cybersecurity legislation and policy, as well as the main entities currently operating within each jurisdiction.

  • Legal Foundations
  • Operational Entities
  • žžPublic-Private Partnerships
  • žžSector-Specific Cybersecurity Plans
  • Education
  • Additional Cyberlaw Indicators

Download the APAC Dashboard

Country Reports

See the summaries and full report below for detailed information on each Member State.

  1. Australia



    Legal Foundations: Australia’s national cybersecurity strategy was adopted in 2009 and is currently under review. A revised strategy is expected to be released in late 2015. While Australia has a strong legal framework for information classification, it enacts its information security through guidelines and similar policy documents as opposed to acts of Parliament, and there is no dedicated information security act or classified information act.

    Operational Entities: The Australian Cyber Security Centre, launched in 2014, is a hub bringing together the numerous agencies that are engaged with cybersecurity and information security; however, there remains some confusion regarding the separation of responsibilities. Both CERT Australia and the Australian Signals Directorate operate incident-reporting services.

    Public-Private Partnerships: Australia does not have a formal public-private partnership for cybersecurity, however CERT Australia works with the private sector in awareness programs and critical infrastructure protection. The private sector also has been consulted as part of the cybersecurity strategy review process.

    Sector-Specific Cybersecurity Plans: There is no joint public-private sector plan in Australia that addresses cybersecurity. The Critical Infrastructure Resilience Strategy does highlight the participation of “sector groups” as a key part of the Trusted Information Sharing Network (TISN), but the TISN was not intended to produce sector-specific plans.

    Education: Australia has a comprehensive cybersecurity education strategy in place for all age groups, and has heavily invested in education materials and initiatives.

    Additional Cyberlaw Indicators: Australia is largely free of country-specific restrictions on technology providers (e.g., mandatory technology requirements, local testing requirements, and requirements for the sharing of source code), but some restrictions and burdens do exist in the procurement space.

  2. China



    Legal Foundations: China does not currently have a national cybersecurity strategy in place, although several government policies include advice on cybersecurity. There is no one specific law that focuses on cybersecurity in China, but there are many provisions under different laws that cover cybersecurity, such as the State Secrets Law 2010.

    Operational Entities: China’s national CERT, CNCERT/CC. was established in 2002. National information security is handled by a range of different government bodies and there is sometimes very little public information about their operations and objectives.

    Public-Private Partnerships: There is little activity regarding public-private partnerships in China in the field of cybersecurity.

    Sector-Specific Cybersecurity Plans: There is no joint public-private sector plan in China that addresses cybersecurity.

    Education: There is no national cybersecurity education strategy in place in China, but some ad hoc education initiatives have been undertaken by the CERT and the Ministry of Industry and Information Technology.

    Additional Cyberlaw Indicators: China imposes a range of legal and policy restrictions on cybersecurity service providers.

  3. India



    Legal Foundations: India’s National Cyber Security Policy was adopted in 2013. It is a detailed plan that includes both high-level principles and targeted objectives and proposals. However, the plan has not been fully implemented and the legal framework supporting cybersecurity remains weak.

    Operational Entities: CERT-In, the national CERT, is involved in high-level policy discussions related to information security.

    Public-Private Partnerships: Private-sector representative bodies in India are well developed and proactive with regard to cybersecurity. CERT-In also liaises with the private sector; however, there is no dedicated public-private partnership.

    Sector-Specific Cybersecurity Plans: There is no joint public-private sector plan that addresses cybersecurity in India. A Joint Working Group has been established to discuss and present recommendations on public-private partnerships in cybersecurity. The working group includes industry representatives.

    Education: Creating a culture of cybersecurity awareness through a series of promotional activities and education initiatives is one objective of the Indian National Cyber Security Policy 2013, which also includes a commitment to a comprehensive national awareness raising campaign on cybersecurity.

    Additional Cyberlaw Indicators: India has avoided several legal and policy burdens on cybersecurity providers, but it continue to impose local testing requirements in addition to international testing regimes.

  4. Indonesia



    Legal Foundations: Indonesia is in the early stages of developing a national cybersecurity strategy. The legal framework for cybersecurity in Indonesia is weak. There is no clear classified security law or policy, and security practices are spread across different legislation. There are no specific cybersecurity provisions in place.

    Operational Entities: ID.SIRTII/CC, the national CERT, seems to be in the early phases of operation. ID.CERT is a non- government CERT, but has been operating for longer.

    Public-Private Partnerships: There is no dedicated cybersecurity public private partnership in Indonesia, so the CERT acts as the main liaison body for the private sector. Industry representative associations exist, but none are dedicated to cybersecurity in particular.

    Sector-Specific Cybersecurity Plans: Indonesia lacks any joint public-private sector plan to address cybersecurity.

    Education: Indonesia lacks a cybersecurity education strategy.

    Additional Cyberlaw Indicators: Indonesia subjects cybersecurity service providers to a range of burdensome laws and policies, including discriminatory procurement preferences, local testing requirements, and limits on data flows.

  5. Japan



    Legal Foundations: Japan’s Cybersecurity Strategy, adopted in 2013, is a comprehensive document that identifies not only proposed measures, but also address the roles of various stakeholders with regard to Japanese cybersecurity. The legal framework supporting cybersecurity is one of the strongest in the region, following the recent passage of the Basic Law on Cybersecurity 2015. Japan also passed a new state secrets law in December 2013 that imposes much stronger security practices on the handling of sensitive information and stronger penalties in cases of unauthorised access.

    Operational Entities: The operational entities in Japan that relate to cybersecurity are all mature. The national cert, JCERT/CC, was established in 1996 and maintains a strong web presence. The Cyber Security Strategy Headquarters has also been established under the Basic Law on Cybersecurity 2015.

    Public-Private Partnerships: Japan has a mature public-private partnership structure for cybersecurity, including J- CSIP, whose members include representatives from government and private entities involved with critical national infrastructure.

    Sector-Specific Cybersecurity Plans: There is no joint public-private sector plan in Japan that addresses cybersecurity.

    Education: Japan’s Cybersecurity Strategy 2013 contains a detailed and comprehensive commitment to educating young people about cybersecurity.

    Additional Cyberlaw Indicators: Japan avoids undue legal and regulatory restrictions on cybersecurity service providers.

  6. Malaysia



    Legal Foundations: Malaysia does not have a single cybersecurity strategy, but refers to its collection of policies and strategies as Malaysia’s Cyber Security Policy. The Malaysian Government has announced that this suite of policies will be completely revised and strengthened by 2017.

    Operational Entities: CyberSecurity Malaysia runs the national cert — MyCert — as well as the reporting service Cyber999. It also acts as the chief authority on information security.

    Public-Private Partnerships: CyberSecurity Malaysia organizes an awards event which doubles as an annual convention on cyber security in a public-private partnership model.

    Sector-Specific Cybersecurity Plans: Public-private cooperation is a key principle of Malaysia’s National Cyber Security Policy, which uses a sector-based approach to address security concerns and identifies 10 critical sectors for this purpose.

    Education: The Cybersafe program provides a comprehensive suite of materials and activities relating to cybersecurity.

    Additional Cyberlaw Indicators: Malaysia’s government procurement regime includes certain restrictions on global cybersecurity providers, but the country otherwise avoids many undue legal and regulatory burdens.

  7. Singapore



    Legal Foundations: Singapore adopted a five-year National Cyber Security Masterplan in 2013, and also is continuing to develop its critical infrastructure protection regime. Singapore has some broad legal infrastructure in place for cybersecurity. The new Singapore Cybersecurity Agency will begin operations in April 2015.

    Operational Entities: SingCERT was established as the national computer emergency response team in 1997, and the Infocomm Development Authority (IDA) acts as a high-profile coordinating agency for all aspects of information communications policy, including cybersecurity.

    Public-Private Partnerships: Singapore’s government agencies work closely with the private sector in the field of cybersecurity, and there is a formal commitment to the development of public-private partnerships.

    Sector-Specific Cybersecurity Plans: The Infocomm Security Masterplan 2 (MP2), launched in 2008, stated the Singapore government would work to develop sector-specific security programs, particular with regard to owners of critical infrastructure. MP2 has been subsequently succeeded by a plan that, although building on MP2, does not include a direct commitment to the sector-based programs.

    Education: The National Cyber Security Masterplan 2018, published in 2013, includes a strong commitment to cybersecurity education.

    Additional Cyberlaw Indicators: Singapore avoids undue legal and regulatory restrictions on cybersecurity service providers.

  8. South Korea



    Legal Foundations: South Korea takes a national security and defense-focused approach to cybersecurity. As such, the country’s Cyber Security Master Plan, issued in 2011, is more a cyberdefense strategy than a cybersecurity strategy. There are some minor gaps in their legal framework.

    Operational Entities: Both KrCERT/CC and KN-CERT (government only) are established computer emergency response teams. Information security responsibilities are centralized in the Korea Internet and Security Agency, which has a considerable online presence.

    Public-Private Partnerships: KrCERT/CC liaises with the private sector as part of its incident response duties; however, there is no formal public private partnership for cyber or information security in South Korea.

    Sector-Specific Cybersecurity Plans: There is no joint public-private sector plan in South Korea that addresses cybersecurity.

    Education: The Korea Information Security Agency is responsible for promoting the responsible use of the internet among users, and the agency conducts a range of online and broadcast awareness-raising campaigns.

    Additional Cyberlaw Indicators: South Korea places certain undue restrictions on cybersecurity service providers, including Korea-specific testing rules.

  9. Taiwan



    Legal Foundations: Taiwan’s National Information and Communication Security Taskforce has developed several National Information Security Policy and Strategy documents. The current strategy covers the period from 2013 to 2016.

    Operational Entities: Taiwan has two computer emergency response teams in place and collectively they cover cybersecurity incidents across the Taiwanese network. Government responsibility for network information and security rests within the Ministry for National Defense.

    Public-Private Partnerships: While there is no defined public-private partnership in Taiwan for cybersecurity, the CERT does closely liaise with the private sector.

    Sector-Specific Cybersecurity Plans: There is no joint public-private sector plan in Taiwan that addresses cybersecurity.

    Education: Cybersecurity education is coordinated by the National Information and Communication Security Taskforce. The Ministry of Education has also developed a cybersecurity education website.

    Additional Cyberlaw Indicators: Taiwan avoids most undue restrictions on cybersecurity service providers, but it does allow for the restriction of certain cross-border data flows.

  10. Vietnam



    Legal Foundations: There is no national cybersecurity strategy in place in Vietnam, although the 2012-2015 National Anti-Crime Master Plan does include some very limited coverage of cybercrime. The legal infrastructure for critical infrastructure protection in Vietnam also is limited. A draft Law on Information Security will lead to improvements in this field if it is enacted.

    Operational Entities: VNCERT, the national computer emergency response team, was established in 2005. Other operational entities in Vietnam are quite limited; however, these gaps may be addressed by proposals in the draft Law on Information Security.

    Public-Private Partnerships: While Vietnam does not have a defined public-private partnership for cybersecurity, VNCERT liaises closely with the private sector.

    Sector-Specific Cybersecurity Plans: There is no joint public private-sector plan in Vietnam that addresses cybersecurity.

    Education: Vietnam has introduced some technical training and education courses for cybersecurity capacity building, but there is no general public awareness campaign or education strategy.

    Additional Cyberlaw Indicators: Vietnam imposes certain procurement restrictions and technology mandates on cybersecurity service providers.