Ho Chi Minh City – As cyberattacks grow in sophistication and scale, Vietnam is taking a hard stance on holding organizational leaders accountable for breaches that threaten national security. Experts and officials warn that the escalating risks to critical sectors—ranging from banking to energy—demand stricter oversight, with new standards and potential criminal liabilities on the horizon for those who fail to prioritize cybersecurity.
A Growing Threat to National Security
Vietnam’s information systems have faced persistent attacks over the years, targeting key sectors including government, energy, telecommunications, and banking. These breaches pose not only operational risks to individual agencies but also broader threats to the nation’s stability. A compromised energy system could disrupt power supplies, while breaches in telecommunications or banking could destabilize entire communities, officials caution.
The National Cybersecurity Center, tasked with safeguarding Vietnam’s digital infrastructure, has introduced TCVN 14423:2025, the first standard in a new cybersecurity framework. This initiative aims to equip agencies and organizations with actionable measures to bolster their defenses. Lieutenant Colonel Le Xuan Thuy, director of the center, highlighted the urgency of these measures, pointing to systemic vulnerabilities that have persisted despite existing regulations. “We have noticed that information systems in Vietnam, despite standards, have been attacked for many years across critical sectors. This means that current regulations are not enough” Thuy emphasized. He noted that many IT assets remain neglected, unmanaged, or improperly operated, creating entry points for hackers to exploit critical systems. 
However “regulation itself is not the absolute control necessary when combating cybercrime” says Jamie Fisher, who is a former Chief Information Security Officer and former hacker. He says that while regulation is key to ensuring that organizations and government agencies have the right type of rules and structure, things like governance, organizational culture, technology, competent staff and some luck also play an important role. Fisher said that he understands that “South East Asia is a hot target owing to information being so easy to access through API endpoints, unsecured databases, default firewall rules and cultural nuances which don’t exist in the West”. Fisher, who has worked for government security agencies, as well as finance and big-tech says that the stakes are particularly high for state agencies handling sensitive data or providing public services. “Targeted cyberattacks are becoming more complex and breaches in these systems could expose state secrets or disrupt essential services, with ripple effects on Vietnam’s economic planning and foreign policy” he said. Fisher went on to say that “When important agencies are targeted, the fallout extends beyond their walls, impacting entire sectors and compromising national interests”.
Escalating Challenges and Sophisticated Attacks
The nature of cyberattacks targeting Vietnam has evolved dramatically in recent years. Major Tran Trung Hieu, Deputy Director of the National Cybersecurity Center A05, described a landscape of increasing complexity, with attacks growing in number and sophistication. Unlike the lone hackers of the past, today’s threats often involve well-funded organizations equipped with advanced cyber weapons and skilled teams.
“Targeted cyberattacks are growing in number, sophistication, and complexity” Hieu warned. He pointed out that many leaders remain unaware of security incidents within their organizations, often failing to prioritize cybersecurity until it’s too late. This lack of awareness has led to significant breaches, with hackers stealing organizational data, personal information, and even state secrets.
The consequences of such negligence can be catastrophic. In recent years, high-profile incidents involving banks, Vietnam Airlines, and energy firms have caused widespread disruption for customers and society. Yet, in many cases, leaders have faced little to no accountability for these failures, prompting calls for stricter enforcement.
Hieu underscored the potential for criminal liability in cases where breaches affect national security or result in the loss of state secrets. “We’ve repeatedly warned agencies and enterprises in writing that, if cybersecurity breaches affect national security or lead to the loss of state secrets, we may pursue criminal liability under regulations holding leaders accountable for negligence causing serious consequences or intentional violations” he stated.
Accountability as a Deterrent
Experts argue that imposing strict penalties on leaders of critical organizations could serve as a powerful deterrent, raising awareness and driving proactive measures. The logic is straightforward: when personal accountability is at stake, leaders are more likely to allocate resources and attention to cybersecurity. This shift in mindset is seen as essential in a country where digital infrastructure is increasingly integral to governance and economic activity.
The push for accountability comes at a critical juncture for Vietnam, as the nation accelerates its digital transformation. From e-government initiatives to the rapid growth of fintech and online services, the reliance on secure systems has never been greater. Yet, this digital expansion also widens the attack surface for malicious actors, making robust defenses a non-negotiable priority.
Recent cases of data breaches in major enterprises have fueled public and governmental frustration. While specific details of these incidents remain limited, the broader impact on customers and societal trust is undeniable. For instance, breaches in the banking sector have eroded confidence among users, while disruptions in energy firms have raised concerns about infrastructure resilience. Holding leaders accountable, officials argue, could help restore trust by ensuring that cybersecurity is treated as a core responsibility rather than an afterthought.
Challenges in Implementation
Despite the clear need for accountability, implementing such measures poses significant challenges. For one, identifying negligence or intentional violations in the context of cybersecurity is often complex. Cyberattacks can exploit vulnerabilities that are not immediately apparent, and attributing responsibility requires a deep understanding of technical and operational failures.
Moreover, there is the question of capacity. Many organizations, particularly smaller state agencies or enterprises, may lack the resources or expertise to implement comprehensive cybersecurity measures. While standards like TCVN 14423:2025 provide a framework, translating these guidelines into effective action often requires significant investment in technology, training, and personnel—resources that are not always readily available.
Another concern is the potential for overreach. Holding leaders criminally liable for breaches could discourage innovation or risk-taking in the digital space, particularly among enterprises driving Vietnam’s tech sector. Striking a balance between accountability and fostering a supportive environment for digital growth will be crucial as these policies take shape.
Regional and Global Context
Vietnam’s cybersecurity challenges are not unique; they reflect a broader trend across Southeast Asia and beyond. Nations like Thailand, Malaysia, and Singapore have also grappled with rising cyber threats, often targeting critical infrastructure and government systems. In response, many countries in the region are tightening regulations and enhancing cooperation to combat cross-border cybercrime.
For Vietnam, aligning with regional and global cybersecurity norms could offer additional benefits. Participation in frameworks like the ASEAN Digital Masterplan 2025, which emphasizes secure digital ecosystems, could help the country access shared resources and expertise. At the same time, international partnerships with cybersecurity leaders—such as the United States, Japan, or the European Union—could provide technical support and best practices tailored to Vietnam’s needs.
However, domestic action remains the cornerstone of Vietnam’s strategy. The emphasis on leader accountability signals a shift toward a more proactive stance, one that prioritizes prevention over reaction. By embedding cybersecurity into the responsibilities of organizational heads, the government hopes to create a culture of vigilance that permeates all levels of operation.
Vietnam Comparison: ASEAN and Australia Cyber Security
| Country/Region | Standard/Framework | Key Subjects Covered | Comparison to TCVN 14423:2025 |
|---|---|---|---|
| Vietnam | TCVN 14423:2025 | Asset management, access control, vulnerability management, incident response, data encryption, logging, web/email protection, risk management, leader accountability (15–18 requirements) | Baseline standard. Tailored for critical systems with strong governance focus, including leader accountability. Recently introduced, with ongoing implementation. |
| Singapore | Cybersecurity Act 2018, CII Framework | Asset management, access control, vulnerability management, incident response, encryption, logging, web/email protection, risk management | Highly mature with mandatory compliance, regular audits, and proactive threat detection. Broader scope and stronger enforcement than TCVN 14423:2025, with established adoption. |
| Malaysia | MCSF, Cyber Security Bill 2024 | Asset management, access control, vulnerability management, incident response, encryption, logging | Comprehensive, aligned with ISO/IEC 27001 and NIST. Slightly broader but less prescriptive for critical systems compared to TCVN 14423:2025. Strong national policy support. |
| Thailand | Cybersecurity Act 2019 | Asset management, access control, vulnerability management, incident response | Practical framework with focus on critical infrastructure. Less detailed in technical and managerial requirements compared to TCVN 14423:2025. Growing enforcement. |
| Indonesia | Government Regulation No. 71/2019 | Asset management, access control, limited incident response | Broad guidelines for electronic systems. Less focus on critical infrastructure specifics compared to TCVN 14423:2025. Developing enforcement mechanisms. |
| Philippines | National Cybersecurity Plan 2022 | Asset management, access control | Covers basic cybersecurity needs but less detailed and inconsistently implemented compared to TCVN 14423:2025. Focus on general cybercrime prevention. |
| Brunei | National ICT Policy | Limited coverage of critical infrastructure | General ICT focus with minimal specific cybersecurity requirements. Significantly less developed for critical systems compared to TCVN 14423:2025. |
| Cambodia | Draft Cybercrime Law | Limited coverage of critical infrastructure | Nascent framework with draft legislation. Lacks specific standards for critical systems compared to TCVN 14423:2025. |
| Laos | ICT Policy | Limited coverage of critical infrastructure | General ICT policies with minimal cybersecurity focus. Significantly less developed compared to TCVN 14423:2025. |
| Myanmar | Draft Cybersecurity Law | Limited coverage of critical infrastructure | Developing framework with draft laws. Minimal focus on critical infrastructure compared to TCVN 14423:2025. |
| Australia | ACSC Essential Eight | Application control, patching, MFA, backups, access control, incident response | Focused on eight prioritized controls with clear maturity levels. More streamlined but less comprehensive in scope than TCVN 14423:2025. Strong enforcement and adoption. |
Table researched and prepared by Jamie Fisher for Broadsheet Asia
The Road Ahead
As Vietnam navigates this complex landscape, the effectiveness of its new accountability measures will depend on careful implementation and sustained commitment. The introduction of TCVN 14423:2025 marks a significant step forward, but it is only the beginning. Building a resilient digital infrastructure requires not just standards and penalties, but also education, investment, and collaboration across public and private sectors.
For now, the message to leaders is clear: cybersecurity is no longer optional. With the specter of criminal liability looming, those at the helm of critical organizations must act decisively to protect their systems—and, by extension, the nation. As cyber threats continue to evolve, the question remains whether Vietnam can stay one step ahead of its adversaries in this high-stakes digital battlefield.
