South Asia has experienced a year-on-year surge in cyberattacks. Countries in the region also share common cyber vulnerabilities due to low cyber awareness clubbed with a rapidly rising internet user base. Given the region’s expanding cyber threat surface and overlapping vulnerabilities, cooperation in the cyber domain is in the shared interests of the countries in the region. Computer Emergency Response Teams (CERTs) have primarily addressed cyber threats at the national level, despite the transnational nature of vulnerabilities and threat actors. A regional cooperative mechanism could have potentially helped South Asia mount an effective cybersecurity response.

However, the region’s fractious geopolitics has impeded regional cybersecurity cooperation. In this context, what cybersecurity cooperation measures could be effective in South Asia? This work argues for two potential solutions: the establishment of a regional joint-coordination mechanism to tackle cyberattacks of a non-military and non-strategic nature, and the creation of a cyber advisory body composed on the principle of concensus and inclusivity. These are two measures that could help overcome the geopolitical hurdles to cybersecurity cooperation. However, before arriving at these measures, the cybersecurity cooperation landscape of the European Union (EU) and Association for Southeast Asian Nations (ASEAN) are discussed, to provide international context and borrow best practices and ideas.

Examining the EU and ASEAN Cybersecurity Landscape

The fact that cyber vulnerabilities are shared beyond national borders and across South Asia create the necessary conditions for cybersecurity cooperation. An ideal solution to address shared vulnerabilities is to establish a region-wide cybersecurity organization with a top tier of ministers of information technology (or equivalents) from countries in the region. Such a format of regional cooperation has been established in Europe in the form of the European Union Agency for Cybersecurity (ENISA). ENISA was established in 2004, and for the last two decades remains a sui generis example of cybersecurity cooperation. The basis for ENISA’s founding was the Regulation (EC) No 460/2004 in 2004 by the European Parliament and the Council.[1] It was originally established as the European Network and Information Security Agency (hence the acronym ENISA) for a period of five years. However, its mandate has since then been periodically extended. The 2019 EU Cybersecurity Act accorded a permanent mandate and strengthened ENISA.[2] The agency is “dedicated to achieving a high common level of cybersecurity across Europe” and engages in operational cooperation, cybersecurity policy, capacity building, and trusted solutions.[3] The 2019 EU Cybersecurity Act also establishes a framework for cybersecurity certification of ICT products, services or processes. In this regard, the act empowers ENISA to provide secretariat support to both the European Cybersecurity Certification Group and the Stakeholder Cybersecurity Certification Group. ENISA has a tiered organizational structure, with the Management Board—consisting of representatives of the EU member states and the European Commission— as the overarching decision-making body. The other tiers include the Executive Board, Executive Director, National Liaison Officers Network, Advisory Group and Ad hoc Working Groups.

On the other hand, the ASEAN case demonstrates a slightly contrasting cybersecurity cooperation landscape. While ASEAN has a history of cooperating on cybersecurity including engaging in capacity building,[4] ASEAN struggled to establish an effective regional CERT that its Cybersecurity Cooperation Strategy for 2021-2025 envisioned to “synergise the individual strengths and areas of expertise of the ASEAN national CERTs to bolster the overall effectiveness of regional incident response capabilities.”[5]

Comparing the EU and ASEAN cybersecurity cooperation landscape, Eugenio Benincasa argues:

The EU has developed a solid and comprehensive cybersecurity framework in the last few years, setting out ambitious goals, enhancing information sharing, and harmonizing practices across its member states, marking a significant improvement for regional cyber resilience and cooperation. In contrast, ASEAN has no strong unifying governance or legal framework, limiting the collective capability of the region to capitalize on shared knowledge to prevent and mitigate cyber threats.[6]

The ASEAN Regional CERT was finally launched in October 2024, with substantial support from Singapore.[7]

Even though the realities of South Asia differ from those of both the EU and ASEAN, the region can still draw lessons from both in formulating a workable cybersecurity cooperation mechanism. The ASEAN example shows that, while advancing cybersecurity cooperation may be difficult—even with a history of strong cooperation (including in the cyber domain)—the challenges are not insurmountable, as demonstrated by the establishment of the ASEAN Regional CERT. Following ASEAN’s example, South Asia can also experiment with a regional CERT. Similarly, drawing from the EU’s ENISA model, a regional cybersecurity cooperation mechanism in South Asia could engage in capacity building and cybersecurity certification.

Finding solutions that work for South Asia

In his working paper Eugenio Benincasa also argues that “[d]espite their internal divergences and different levels of integration, ROs [regional organizations] are in a favorable position in the fight against cyber exploitation.”[8] For South Asia, despite the region’s complex geopolitics, it is possible to find solutions, or measures, that could potentially foster greater cybersecurity cooperation to address shared cyber vulnerabilities. But for any proposed measures to work, it is pertinent to first clarify certain flexibilities regarding membership and the modus operandi to enable cooperation.

First, memberships for Pakistan and Afghanistan may pose serious barriers to a regional cooperative framework from taking off, due to the perennial India-Pakistan problem (similar to what happened to SAARC) and the prevailing domestic situation with the Taliban in Afghanistan. However, Pakistan and Afghanistan should eventually be engaged in a regional cooperative framework when the mechanism matures. Therefore, going by SAARC’s membership criteria, the proposed regional mechanism could (initially) include only India, Bangladesh, Nepal, Bhutan, Sri Lanka, and Maldives, with scope to expand membership in the future.

Second, proposed measures may only deal with non-strategic and non-military cyber vulnerabilities, threats, and attacks; in essence, only civilian cybersecurity issues. This will ensure that tricky and deeply divisive securitized issues are prevented from thwarting a regional mechanism. Civil cyber issues such as cybercrimes, financial fraud, spamming, and ransomwares can be (initially) considered as part of the mandate as their rapid rise in the last few years is a source of shared concern in South Asia. For example, according to Indian government data reported by The Indian Express, “fraudsters cheated people of Rs 551 crore in 2021, Rs 2,306 crore in 2022, and Rs 7,496 in 2023”; this figure reached a whopping 22,812 crore in 2024.[9]  Bangladesh has seen an “increase of approximately 71.39% in malware infection events related to potential ransomware threats” in 2023 as compared to the preceding year.[10] In Nepal, reported cybercrime cases more than doubled in fiscal year 2023-24 as compared to the previous fiscal year.[11] Sri Lanka, Maldives and Bhutan share a similar story.[12]

Third, any regional mechanism would have to avoid directly responding to a cyberattack or a threat actor, as that would entail bypassing the complex problems of sovereignty and attribution in cyberspace, which could be a deal-breaking challenge for a geopolitically fraught region like South Asia. Obtaining reliable attribution in a timely manner is very challenging for cybersecurity teams. This is because malicious actors can mount a sophisticated cyberattack that makes technical attribution difficult (for instance, by routing operations through multiple countries or conducting false-flag operations). Even if reliable attribution was secured in a timely manner, a regional cooperative arrangement would struggle to reach consensus on the following critical questions: when to retaliate (would a retaliation be seen as a fresh provocation)? How much to retaliate (what is proportional and what is excessive)? And who should be the target of retaliation (against the state which hosts the malicious actor or the actor themselves)?

Keeping in mind the regional context and the flexible membership criteria, two measures—short of creating a regional organization—are proposed that could potentially work in South Asia.

• First, learning from the ASEAN example and building on India’s cybersecurity cooperation arrangements with Bangladesh, Bhutan, and Maldives to establish a regional joint-coordination mechanism between CERTs. To begin with, this joint-coordination mechanism could simply scan the threat environment, look for signatures for known threat actors that target civilians (such as actors behind ransomware attacks), issue guidelines and patches, as well as alert users and companies. Learning from the EU, the joint-coordination mechanism could also involve some element of capacity building and cybersecurity certification. The certificates could be non-mandatory but companies may be incentivized to obtain them for securing tenders from governments in the region.

• Second, a regional multistakeholder advisory body may be established to deliberate and issue cyber policy inputs. The multistakeholder nature of the body—involving cyber experts, civil society, policymakers, academia, and the private sector—may help build the necessary consensus among the elites across the socio-politico-economic spectrum of South Asia on cyber matters. The advisory body may also play a key role in amping up the understanding of cyber best practices in a region characterized by “historically low digital penetration rates, recently expanding internet user bases, relatively cheaper consumer electronics, and low cyber awareness.”[13]

The two measures proposed above—a regional join-coordination mechanism and a multistakeholder advisory body—may help overcome the geopolitical hurdles that scuttle cybersecurity cooperation in South Asia which arguably needs it more than the other regions owing to its demography, threat surface, and potential bearing on global cybersecurity.