Cybersecurity remains a defining challenge shaping Southeast Asia’s digital economy. The region’s rapid expansion into cloud infrastructure, AI systems and interconnected digital services has created unprecedented opportunities, but also vulnerabilities. In addition, as frontier technologies such as quantum computing and agentic AI continue to reshape the region’s digital landscape, cybersecurity has become a strategic priority that touches every sector such as finance, energy, healthcare, telecommunications, and governance.

With the advent of new innovations, there are concerns that governments and organisations may be unprepared for the next phase of cybersecurity. For example, despite quantum computing now ranking among the top five threats organisations face, fewer than 10% of organisations globally prioritise quantum risk in their budgets, and only 3% have implemented quantum-resistant measures. This is compounded by new threats such as AI-generated deepfake frauds. The impact is undeniable as the average cost of a data breach in ASEAN reached US$3.33 million in 2024.

It is notable to highlight, however, that governments are moving to fortify their defences against these emergent threats. Malaysia, for example, has updated its Cyber Security Strategy 2025–2030 and Vietnam is committed to securing their digital ecosystems with the  upcoming new cybersecurity law. In October, Singapore also released several documents for public consultation, including the Quantum-Safe Handbook, the Quantum Readiness Index and an addendum on securing agentic AI. These aim to prepare organisations for emerging cryptographic risks and more autonomous AI system behaviour.

Yet as countries prepare for the next phase of cybersecurity, policy fragmentation remains a critical risk that must be addressed. Divergent regulatory approaches, misaligned standards and uneven capacity across member states hinder cross-border collaboration at a time when threats increasingly require regional coordination.

With this in mind, the Tech for Good Institute and Microsoft co-hosted a roundtable discussion on the next phase of securing our shared cyberspace.

Participants:

• Melissa Yoong, Director, Government Affairs, Microsoft
• Raymond Lum, Group Chief Executive Officer, Rajah & Tann Technologies
• Priya Mahajan, Head of Asia Pacific Public Policy & Regulatory Counsel, Verizon
• Jared Ragland, Senior Director, Policy, APAC, Business Software Alliance
• Josh Lee, Managing Director, Asia Pacific, Future of Privacy Forum
• Rajeshpal Singh Sandhu, APAC Director, Digital Trust Centre of Excellence, Mastercard
• Jason Grant Allen, Associate Professor and Director, Centre for Digital Law, Singapore Management University (SMU)
• Benjamin Ang, Senior Fellow Head, Digital Impact Research; Deputy Head of Centre of Excellence for National Security; Coordinator of Cyber and Homeland Defence Programme, S. Rajaratnam School of International Studies (RSIS)
• Cheryl Seah, Director, Corporate & Finance, Drew & Napier
• Smrithi Ramesh, Senior Manager Outreach for Asia Pacific Japan and China. Cloudflare
• Jason Chan, APAC Government Relations Lead, Sumsub
• Ethan Teo, Senior Consultant, Flint Global
• Helena Huang Yixin, Associate Research Fellow, S. Rajaratnam School of International Studies (RSIS)
• Ming Tan, Senior Fellow and Founding Executive Director, Tech for Good Institute
• Keith Detros, Programme Manager, Tech for Good Institute

Key Takeaways:

 1. Governance frameworks must be designed with regional interoperability in mind.

Different countries in the region operate under distinct governance structures, policy mechanisms and legal traditions. While laws and regulations governing cybersecurity are implemented at the national level, regional interoperability should remain a core design principle. Stronger regional coordination can support a step-by-step, modular approach to achieving greater alignment on cybersecurity across Southeast Asia.

ASEAN committees, working groups and ministerial meetings provide important platforms to advance this agenda. Next year, the Philippines has an opportunity to help shape the regional direction, and in 2027 Singapore can build on this momentum.

There is also an opportunity for Singapore to lead on standards development and support baseline agreement on cybersecurity expectations across the region. A key challenge is ensuring that frameworks are practical in different national contexts, allowing flexibility for diverse regulatory environments and investing in shared understanding before rollout. This requires co-creation and sustained dialogue with ASEAN member states. The aim is to create “crosswalks”, or frameworks that enable interoperability while respecting national sovereignty, which will be especially important for emerging issues such as quantum-safe cryptography and supply chain security standards.

2. More than alignment, addressing implementation gaps and strengthening capability development should also be central to building a resilient cyberspace.

While policies are important, effective implementation is essential for addressing cyber risks and threats. There is a need to close implementation gaps through more innovative and engaging capability-development initiatives. The region can build on existing programmes, such as the Cyber SEA Games, to incorporate gamification into training efforts. Bug bounty programmes for critical infrastructure also present an innovative way to strengthen skills within the technical community.

International partners and the private sector have expressed interest in continuing third-country training programmes and knowledge-sharing sessions. A key challenge is ensuring that technical knowledge transfer is sustained and applied in practice. Personnel trained through capacity-building activities are sometimes reassigned or work in environments that lack the systems needed to operationalise new skills. Continued commitment from ASEAN member states will be important to address this gap.

Capability development is also needed at multiple levels. While technical staff and enforcement agencies are key beneficiaries, there is value in designing programmes that address capability gaps across industries and different population groups. For example, cybersecurity training for SMEs remains important for strengthening resilience and reducing supply chain vulnerabilities. Public awareness and education on cyber threats also play a significant role in promoting good cybersecurity practices at the individual level.

3. Leveraging frontier technologies to promote a secure digital ecosystem.

Frontier technologies present both opportunities and challenges for cybersecurity. While they introduce new risks and raise critical questions around securing emerging technologies, frontier technologies can also be harnessed to strengthen cyber defences. For example, AI can support the early detection of vulnerabilities, automate threat monitoring and improve incident response by analysing patterns at a scale that would be impossible for human teams. Similarly, machine learning models can help identify anomalous behaviour in real-time, which enhances the ability of organisations to pre-empt attacks.

There are also valuable lessons from other domains. In the privacy sector, for instance, privacy-enhancing technologies have shown how technical tools can increase trusted information sharing while safeguarding sensitive data. Applying similar approaches in cybersecurity could improve cross-border cooperation and intelligence sharing while respecting national regulations and commercial confidentiality.