WHY NAMING WITHOUT SHAMING
While Singapore avoids attributing cyber threats to specific states, naming and shaming is the preferred approach for many Western countries and some of their Asian allies, particularly those that view China as a preeminent threat.
For countries not directly involved in adversarial relations or those that pursue a foreign policy of non-alignment, it may be more prudent to deter cyber threats without exacerbating geopolitical animosity. The cost of escalation may be too high a risk to bear. Moreover, it remains debatable whether naming and shaming helps to curb cyber threats in a meaningful way.
In Singapore’s context, there could also be other plausible strategic considerations.
First, Singapore is a cosmopolitan country made up of locally born citizens, naturalised citizens and foreigners. Social cohesion is the glue that keeps its people together and maintains communal harmony. Publicly identifying another country as a threat carries the risk of fuelling racism and xenophobia, including Sinophobia.
For example, in 2021, the fear that the Singapore-India Comprehensive Economic Cooperation Agreement (CECA) posed a threat to the livelihood of citizens raised the ugly head of xenophobia.
Second, there is an observable trend in which Western cybersecurity companies often attribute cyber threat groups to China following incidents involving Western digital networks. Even if there is forensic evidence to link these groups to China, these companies often hold contracts with the US government, creating both commercial and political incentives to focus blame on China.
If Singapore is seen as endorsing these companies’ attributions, it risks making the impression that Singapore has shifted its foreign policy of non-alignment and is siding with the US in the strategic rivalry with China, which involves cyber contestation.
