In the ever-changing landscape of global cybersecurity, one conversation in April made ripples far beyond tech circles: should one country control the world’s most important cybersecurity database?
For over two decades, the U.S. government has held near-exclusive authority over the CVE (Common Vulnerabilities and Exposures) system — a centralized registry for cataloging security flaws in software and hardware. But last month, experts at Sophos reignited calls for reform, questioning the fairness and long-term sustainability of this one-nation model.
Why does this matter? Because nearly every software vendor, researcher, and security analyst in the world relies on the CVE system. If the global digital economy is a house of cards, then CVEs are the list of known cracks in the foundation — and when only one country holds the blueprint, it raises uncomfortable questions about transparency, trust, and global equity in cyber defense.
But the push for decentralization isn’t just a Western debate. Across the Asia-Pacific, governments are quietly — and sometimes boldly — redefining what national and regional cybersecurity should look like.
From Central Control to Regional Resilience
In the face of these global shifts, Asia-Pacific countries are taking concrete action to define their own cybersecurity frameworks. Governments are no longer just passive participants in a system dominated by the West—they’re proactively shaping their digital defenses.
In March, Hong Kong introduced a draft cybersecurity law aimed at protecting its critical infrastructure, from telecom to energy and finance. This was the jurisdiction’s most significant cyber legislation to date, requiring operators of critical facilities to conduct risk assessments and report serious incidents to the government.
Further west, India has scaled up its cyber civil defense plans. In April, the Indian government announced new initiatives to enhance protection around critical infrastructure, including power grids, financial institutions, and medical data systems. The move is seen as part of India’s broader strategy to prepare for potential hybrid threats, especially as regional tensions mount.
A few hours south, Singapore proposed the Digital Infrastructure Act, which seeks to formalize digital safety baselines for sectors like cloud computing, public administration, and cross-border data services. As Digital Development and Information Senior Minister Janil Puthucheary noted during a March policy session, the Act aims to establish “a reliable and resilient digital environment for the long haul”.
But Singapore’s forward-thinking efforts didn’t begin there. In fact, it became one of the first countries in the world to impose licensing requirements on cybersecurity service providers, starting in 2022. The Cybersecurity Service Providers Licensing Framework, launched by the Cyber Security Agency of Singapore (CSA), mandates licensing for penetration testing and managed security operations center (SOC) services—two high-risk sectors with deep access to sensitive systems. This move has since inspired similar regulations in Malaysia and Ghana, setting a precedent closely watched by industry players and policymakers worldwide.
Australia, too, has taken bold action. In February, the government passed new rules requiring essential service providers to report ransomware attacks, with penalties for failure to comply. This shift aims to improve incident transparency, strengthen real-time threat intelligence, and deepen cooperation between public and private cybersecurity teams.
Taken together, these developments signal that APAC governments are no longer willing to wait for international frameworks to trickle down. They’re building their own shields — and sometimes even their own swords.
Cybersecurity Isn’t Just Technical — It’s Political
Behind the firewalls and encryption keys lies a much deeper story: power. Who gets to decide what’s secure? Who sets the rules? And whose interests are served when vulnerabilities are disclosed — or kept quiet?
That’s why the debate over CVE decentralization feels like a tipping point. Some countries are calling for a multistakeholder model — one that allows international input on how security vulnerabilities are logged, prioritized, and shared. Others argue that even in cybersecurity, national interests come first.
But the risks of fragmentation are real. If every country builds its own system, the result may not be resilience — but confusion. And in a world where cyber threats don’t respect borders, that could leave everyone worse off.
A Youth Perspective: Where Do We Fit In?
Cybersecurity can feel like something far away — something for experts in government agencies or tech firms to worry about. But in reality, young people are on the frontlines.
We’re the ones using digital platforms every day — for school, work, activism, and creativity. We’re also the ones most likely to be targeted by phishing scams, surveillance tools, and misinformation campaigns. And yet, youth voices are often missing in national cybersecurity strategies.
That needs to change.
Young people in the Asia-Pacific region are increasingly stepping up. From participating in IGF workshops on trust and safety, to leading open-source security projects, we’re building both awareness and solutions. Programs like NetMission.Asia and youth-focused events in the APAC DNS Forum have helped empower us to take part in these conversations.
So how can we do more?
Start by educating yourself. Learn how encryption works. Understand the role of CVEs. Push for greater transparency from the platforms you use. And if you’re already in tech — whether coding, designing, or studying policy — think about how your work intersects with cybersecurity and governance. This isn’t just about building secure systems. It’s about making sure those systems serve everyone — fairly.
Final Thoughts
Cybersecurity used to be about protecting systems. Now it’s about protecting people. In 2025, the stakes are higher than ever. From decentralizing digital infrastructure to defending democratic processes, we are witnessing a pivotal moment — not just in tech, but in global trust.
And that’s a story the youth must help write.
What Are We Reading & Listening To?
This month, we’re tuning into CNBC’s Beyond the Valley podcast, which breaks down 2025’s biggest tech stories — from quantum-ready cybersecurity to shifts in global cooperation. It’s a good reminder that cybersecurity is no longer a backend issue. It’s a front-page topic, shaping not only how we protect data but how we trust the Internet itself.
If you’re looking for more, keep an eye out for upcoming youth cybersecurity boot camps in the APAC region — several are being planned in response to rising demand for multistakeholder participation. In a world where digital trust is fragile, it’s up to all of us — especially youth — to build systems that are transparent, inclusive, and secure.
Written by Jenie Fernando (Reviewed by Kenneth Leung)