The state of cyber security in Thailand
Thailand – the land of smiles – invited me as a panelist to the CSA ASEAN 2015 summit. Bangkok, with its fantastic street food, smiling people and general gentleness felt safe and very welcoming this June. I managed to lengthen my stay for a few extra days so that I could embrace the culture, taste the food, and meet up with the local security people.
The general consensus seems to be that Thailand is less of a cyber target than many other countries, and the example used was that most phishing e-mails were English, a language most locals are not accustomed using when communicating. Other possible explanations may be the lack of adequate equipment and training to discover successful attacks; the political climate in Thailand and the area in general, which doesn’t allow sharing of seemingly negative information; or the culture that encourages people not to appear weak.
Thailand has one national CERT, and are currently setting up a second one within their Electronic Government Agency (EGA). By comparison, Norway, with its 5 million inhabitants, has at least four CERTs (that I recall from the top of my mind). Taking this into consideration, the lack of infrastructure and competence is likely the major reason why Thailand is believed to be less of a target.
Thailand´s national CERT is a member of the regional network of CERTs, which offers a backchannel for discussions and information sharing, as well as access to statistics and learning. This network seems similar to the one in Europe, where the different (national) CERT operators have their Initial Review Questionnaires (IRQs) and other communication methods and channels available should the need to reach out arise. This kind of network also gives the operators access to unofficial information and early warnings of possible operations. It also provides insights into which part of the region is mostly targeted, and which countries receive less attention from attackers.
No matter what the real numbers are, and how they compare to the region and the rest of the world, I have a feeling that Thailand would greatly profit from better technology and competence when it comes to security. As one of the participants at the CSA ASEAN Summit told me: “Thailand is 7-10 years behind Europe and the USA when it comes to security.”
There may be a number of reasons for this statement – he was a salesperson, after all – but it seems to back up my own experience. Good thing, then, that their educational sector seems to be doing great, with higher-learning institutions like the Mahidol University running security programs from undergraduate all the way through Ph.D.
When I had the pleasure of giving a guest lecture at the university, I was impressed by their accomplishments and programs, and I believe the students will be a great resource for Thailand to further develop its security workforce. This particular university also seemed well versed in co-operating with universities outside of Thailand, something I believe helps bring about new ideas and access to a wider set of competences.
Being the cynical security person I am, I have to admit I believe that Thailand is just as much a cyber target as most other countries. The low number of reported breaches, I believe, may very well be explained by the lack of compentence and equipment.
That is not to say that there are not other, political reasons, that force the reports to show fewer attacks that actually happen – I’m open to that notion. Without passing judgement, it is my belief that underreporting incidents is just as bad as not discovering them in the first place.
Trust is important, according to several fellow speakers at the CSA ASEAN Summit, and trust comes through transparency. Knowing the real numbers helps determining the real causes, which in their turn point to solutions.
I found Thailand to be just as welcoming, kind and caring as I hoped. Those people in security I had the pleasure to meet, treated me very well, and shared what they felt they could share – just as the rest of us do. And the struggles for resources, priorities and equipment seems to be the same here as elsewhere. All in all, it has been a smashing week, and I am very grateful for the opportunity to meet so many amazing people. I hope to be back soon!