While leapfrogging into the digital age creates new opportunities and greater connectedness, it also creates challenges and pitfalls. Technological development and progress move fast, while norms and policy production move slowly and create a lag between policy and practice; this has become symptomatic for the digital age. The lag creates a huge gap between political regulation on the one hand and practice on the other, both internationally and nationally. This gap is also pertinent in Myanmar. Interviewees from fieldwork in 2016 and 2017 pointed at the need for cyber security capacity building within the state institutions; for improving legal regulations and mechanisms; and for awareness campaigns, better knowledge, and education. The new and distinct societal challenges and vulnerabilities stemming from digitalization vary from nation to nation and are shaped by the interface between digitalization, local and national policies, and large-scale global forces, elsewhere also described as the “cyber frontier” (Schia, 2018). Cyber security and digital pitfalls must be understood and contextualized to local circumstances. Even though the digital age is relatively new, there are already several examples showing how this technology can be utilized either for democratization trends or by authoritarian regimes to suppress public interests, democratic processes, and freedom of speech. Any outcome will depend on an interplay between the new technology and pre-existing political and economic circumstances. Digital technology may help authoritarian regimes regain control during democratic transition. Some scholars have found that authoritarian regimes or states wanting to repress an independent public sphere were more likely to adopt and expand the Internet than were other autocracies (Rød & Weidmann, 2015).

Myanmar’s current political transition in tandem with the digital revolution is perhaps the country’s most distinct feature in this context. Certainly, one of the main factors determining the limited ability to provide digital security in Myanmar is the glaring lack of resources, both human and financial. The lack of qualified personnel with sufficient training and skills in IT security is obvious, and not just restricted to the public sector but private companies as well. This limitation puts severe strain on all aspects of cyber security provision, from the development of regulations and policies to the day-to-day management of digital events. Raising the competencies and resources available will be critical to enhance cyber security and cyber resiliency in the years going forward. One initiative that has already been taken is The Digital Myanmar Study (2018). This is a self-assessment of the country’s cyber security capacities that was hosted by the Ministry of Transport and Communication and facilitated by the World Bank, the Global Cyber Security Capacity Centre at the University of Oxford (the GCSCC), and the Norwegian Institute of International Affairs (NUPI).⁴ This evaluation identified challenges and produced useful recommendations to the Myanmar government in five societal dimensions; cyber security strategy and policy, cyber security culture and society, cyber security education, training and skills, as well as on standards, organizations, and technologies. However, it is not clear to what extent the Myanmar government has had the capacity to follow up on the recommendations identified in this study.

The outreach to Oxford also highlights an important issue for Myanmar going forward, namely which approach and understanding of cyber security will be implemented. States approach cyber security from two main vantage points: one being championed by western states and forming the basis for initiatives like the Oxford review takes a multi-stakeholder approach to cyber security where this security is conceptualized as a public good. The other camp, most prominently championed by Russia and China, has a more state-centric approach to cyber security. This “cyber sovereign” approach does not separate state authority in cyberspace from state authority over the physical domain, and as such implies larger acceptance for surveillance and control. The majority of states, however, do not fall into one of these categories but are understood as either uncommitted or “digital deciders”; states who are undecided but who have significant regional influence. For the ASEAN region Singapore is one such critical case that could have large regional influence, and a relationship that is worth paying attention to.

However, the most crucial relationship for Myanmar has historically been China. As long as Myanmar was a pariah state globally its relationship with its giant northern neighbor resembled that of a client state. China has also been tentatively identified as the culprit in several espionage campaigns where Myanmar was one of the victims. A 2015 FireEye investigation into the APT 30 group found that the group had been active in targeting ASEAN member-states (like Myanmar) for several years. While the group’s targets pointed towards the Chinese government, the group has not as of yet been definitely linked to any actor (FireEye, 2015). A similar pattern vas evident in the 2015 Arbor Networks investigation into the “Trochilus” campaign (Metzger, 2016). While both reports are hesitant at attributing China directly, other experts have hinted toward China being the likely culprit. The recent democratization has changed the relationship between the two countries as Myanmar looks for other international engagements, and until very recently enjoyed improved relationships with western states (Maini & Sachdeva, 2017). This makes the choices and trajectory of the Myanmar cyber security approach in the years to come an interesting case in how developing states will place themselves within the increasingly contested battle on how to define cyber security. Stating which direction Myanmar will take is so far rather premature, as the approach and strategies are too underdeveloped to be accurately defined, a point we will turn to next.

Official policies and legal framework

In general, the approach to cyber security in Myanmar is at a start-up stage, with an ad-hoc approach to capacity and blind spots in both official policies, regulation and competencies to deal with the challenges posed by digitalization. Some initial discussions and needs-assessment exercises have been run, but there is currently no official national cyber security strategy, few cyber security units in the public departments, and weak coherence in sets of policies across the ministries.⁵ This can partly be traced back to the newness of digital technologies in Myanmar, the revolutionary uptake of mobile connectivity in later years has necessarily led to a lag in political activity. Partly the general political upheaval of post-junta Myanmar has meant a flurry of political activity wherein digital regulations has not been given prominence. Finally, the issues of Myanmar in managing digital technologies politically could be seen as a symptom of a larger trend wherein developing nations are struggling to provide digital security in a rapidly shifting technological environment.

The most clear-cut example of the inability to provide sufficient security is the lack of a cyber security strategy or any overarching coherent framework for guiding the work on cyber security. While a draft strategy has been under development for a long time, being the work of the Ministry of Transport and Communications in cooperation with the Asian Development Bank, no finalized version exists as of yet. Beyond the non-existence of an actual framework, the process with which the strategy was developed involved a small number of ministries of agencies and taking in very little input from private companies or critical infrastructure owners. As a consequence, questions can be raised regarding the applicability of the strategy when it comes into force. The non-inclusion of the very companies that will be tasked with providing cyber security in developing the strategy can be seen as troubling.

The lack of an overarching strategy in turn fragments the approach by various ministries and agencies, as a cross-sectorial issue is met by isolated initiatives. As ministries and agencies operate within their respective silos when it comes to detecting and responding to various risks and threats. As Myanmar has rapidly digitalized, the frequency of cyber incidents is growing rapidly and the fragmented approach is hampering the ability to manage it sufficiently. This is further complicated by the byzantine bureaucratic processes and structures that define much of the governmental work. For the issue of cyber security providing meaningful legislation and regulations is for instance dependent on the cooperation between the Ministry of Transport and Communication and the Ministry of Planning and Finance, a cooperation which so far has been limited and strained. Providing a clear overarching direction for these various approaches and conflicts of interests necessitates a cyber strategy tailored to the situation in Myanmar, providing clear incentives, benchmarks, and divisions of responsibility.

The lack of top-down political leadership is further reflected in the absence of awareness about critical infrastructures and their importance for modern societies. The very concept of critical infrastructures is not widely established, and subsequently neither is the cyber security of said infrastructures. The lacking mapping, categorization, and understanding of different infrastructures and the role they play in society limits the ability to secure them in a sufficient manner. As there does not exist any legal definition of what a critical infrastructure is, the framework for mapping and categorizing them is non-existent. As a first step creating a legal framework for what is considered critical infrastructure, as well as giving the responsibility of protecting said infrastructures to an institution, would be a starting point to improve critical infrastructure protection in Myanmar. The increasing number of cyber incidents targeting institutions and infrastructures that are widely categorized as “critical” in other states, such as the central bank, highlights the importance of improving on this issue.

Moving towards the regulatory regime, the state of Myanmar cyber security legislation is also at an early stage, with large gaps and insufficient existing frameworks. Some laws are in place that cover some aspects of cyber security, notable examples being the Electronic Transactions Law (State Peace and Development Council Law No 5/2004) covering some aspects of electronic data and cybercrime. This law defines the distribution of information that causes harms to minors (see, section 34(d)) via digital technology and networks as illegal, and it also allows electronic evidence to be brought before the court. The Telecommunications Law regulates access to and the use of telecommunication services (Electronic Transactions Law, 2004). Legislation covering issues like human rights, data protection, and child pornography is however not in place, making the overall legislative framework highly insufficient for responding to rapidly evolving digital threats. Beyond the actual legal framework, the implementation of existing laws is also lacking, as there are limited resources, competencies, and abilities to investigate and prosecute cybercrime both in the police and the judiciary. Some initiatives have been taken, such as the Cybercrime Division at the National Police Criminal Investigation Department, but also here, the unit suffer from limited capacity. Very few cybercrime cases have been brought to court. Prosecutors and judges need training on cybercrime and how to make use of digital evidence.

One of the institutions that has been established is a national Computer Emergency Response Team (CERT), with mmCERT (Myanmar Computer Emergency Response Team) being established as early as 2004 by e-National Task Force. The CERT’s mission is to do incident handling, public awareness in security, to provide cyber security advice to Myanmar Internet users, and to prevent cyberattacks. It is also mmCERT’s responsibility to function as a coordinator of incident responses with other teams, organizations, security experts, and law enforcement agencies nationally and internationally. In 2010 mmCERT came under the responsibility of Myanmar’s Ministry of Transport and Communications. This ministry also has its own cyber security unit aiming to enhance the cyber security capacity in the country. The CERT is also an operational member of the Asia Pacific Computer Emergency Response Team (APCERT) and the International Multilateral Partnership Against Cyber Threats (IMPACT). While it’s ostensibly providing technical assistance, cataloguing incidents, collaborating with international partners, and assisting police and other agencies its limited resources significantly hamper its ability to deliver on its mandate. The lack of financial resources available for mmCERT results in insufficient technical equipment, lack of human resources, and limited ability to operate as intended. And outside of its international affiliations, private companies and stakeholders in Myanmar hold that mmCERT is not adequately capable of addressing cyber security threats in Myanmar (Myanmar Centre for Responsible Business, 2015). In addition, there is little awareness of the role and functions of mmCERT, resulting in a lack of information being shared with the organization. While the leading companies, particularly the international ones, have capacities to manage incidents, the cooperation between government and private actors are minimal, further limiting the ability of mmCERT to work as intended.⁶

When it comes to regional collaborations these are limited. Among the more effective collaborations described by interviewees during fieldwork in 2016 and 2017, was the engagement with Interpol. This was pointed at as an important channel for cross-border collaboration and information sharing. Interpol, ITU, and ASEAN deliver capacity building programs to the cybercrime unit at the national police, although not on a regular basis. Regional initiatives through ASEAN intend to develop better, more accessible, and more affordable IT infrastructure. These goals have been established and endorsed in an ASEAN broadband corridor study that also identified key drivers for broadband rollout and recommendations for government initiatives (ASEAN, 2016) as well as improved capacities, knowledge and awareness (ASEAN, 2015). Some regional measures have also been taken to mitigate possible bullet-proof hosting, weak links, and havens of vulnerable ICT architectures in the CLMV countries – Cambodia, Laos, Myanmar, and Vietnam (Heinl, 2014). The collaboration with other ASEAN member states on mutual legal assistance treaty in criminal matters has not been ratified to include cases concerning cybercrime, and Myanmar has not signed the Budapest Convention or any other multilateral or regional cybercrime agreement.

Cultural and societal factors

Cyber security is provisioned by a multitude of actors frequently described as an “assemblage” of private, public, and private citizens (Collier, 2018). To fully comprehend the work on maintaining a safe and reliable cyberspace for citizens one needs to broaden the view to include not only the government initiatives but also the leading private companies and individual citizens. For Myanmar there is a widespread lack of attention being afforded to the security implications of rapid digitalization. This holds true for both public and private sector employees as well as the general public at large. It can be seen through widespread usage of pirated software and unsecured mail accounts for employees, as well as a limited level of awareness on the security issues modern societies face. The most problematic account however related to the understanding of cyber security dangers in the public at large. Taking a broad understanding of cyber security, including such concerns as the dissemination of fake news, there was a noted lack of skepticism surrounding claims made online. Furthermore, there is little to no awareness about the dangers of handing out private data or sensitive information online among the general public, providing an ample breeding ground for cybercrime.⁷ Seen in correlation with the incitement towards ethnic violence mentioned above, the lack of awareness and competencies when it comes to navigating digital media is troubling.

The main exceptions to the rule of low awareness about cyber security is an issue in the private sector, and most notably among the two leading telecommunication operators in the country. After a 2012 licensing-round, licenses were awarded to Qatari telecoms operator Ooredoo and Norwegian operator Telenor (Calderaro, 2014). In Myanmar, there has been a shared responsibility for the development of the telecommunications sector: while the government is focused on developing laws and regulations extending connectivity has fallen into the hands of foreign companies. A large part of the task is thus dependent on the companies doing so in a manner that highlights their corporate social responsibility. A 2013 Human Rights Watch report underlined the potential positive impacts of the Internet and digitalization in societies such as Myanmar. However, the report also stressed the risk that this technology would be used by the regime to crack down on dissent, used for illegal surveillance, and as a way to enforce censorship. The call was for companies involved in improving the ICT-infrastructure in Myanmar to refrain from cooperating with the government on matters that would undermine the rights of its citizens (HRW, 2013).

Whether the companies do so is up for debate. The smaller of the companies is Ooredoo, which has no clear published guidelines and a spotty record on protecting the rights of its users. The company in fact has a history of accepting censorship by the Qatari government and installing filters in accordance with the wishes of autocratic regimes (Calderaro, 2014). Telenor on the other hand is widely regarded as having one of the more advanced policies on social responsibility, however there are some concerns raised over its shutting down of its services at the behest of the Thai military junta in 2014. There are also some uncertainties over the extent to which telephone operators are willing to pass information over to the government and whether these policies are clearly enough formulated to withstand potential pressures (Calderaro, 2014).