top of page
Image by Jakub Żerdzicki

Vietnam Scorecard

Vietnam is a big, very online, and strategically important state in SEA’s cyber threat landscape. Its Cybersecurity Law, NCSC, and upcoming Data Law provide a robust if highly state-centric framework for controlling data and regulating cyberspace. At the same time, the country faces relentless cyber threats: hundreds of thousands of incidents per year, serious ransomware activity, and headline-grabbing breaches including Vietnam Social Security and the National Credit Information Center.


Geopolitically, Vietnam’s role as a South China Sea frontline state and manufacturing powerhouse makes it a prime target for espionage and infrastructure-focused operations, while its citizens are heavily exposed to regional scam networks and trafficking-for-cybercrime.

​

Overall Position:Big, highly connected, industrializing economy with decent but control-oriented cyber maturity, very high threat activity, big breach/ransomware problem, and growing entanglement with regional scam/trafficking ecosystems.

                                                     Cyber Maturity                                           6/10                                                              Solid laws and agencies, but strongly state-centric and still maturing operationally.

​​​

                                                     Threat Activity                                             8/10                                                          Very high ransomware, phishing, and breach activity across public & private sectors.

​

                                                     Digital Exposure                                          8/10                                                                           around 85M internet users, >80% penetration, rapidly digitizing economy.

​​

                                                     Law Enforcement Capability                        5/10                                                                Growing capabilities and reporting rules, but overloaded and opaque in practice.

​​

                                                     Geopolitical Risk                                          8/10                                                                                   South China Sea frontline + major manufacturing /supply-chain hub.

​​

                                                    Scam/Fraud/Trafficking                               7/10                                                                            Large victim base and source of trafficked workers into scam compounds.

 CYBER MATURITY ASSESSMENT

Vietnam has a 2018 Cybersecurity Law, a National Cyber Security Center (NCSC), and a new Data Law (effective July 2025) extending control over digital data, including transfers and disclosure to the state.
On paper, this is a decent cyber and data governance stack, but much of it is geared toward national security, censorship, and data localization, not just resilience and transparency.

​

  • Cybersecurity Law 2018 regulates cyberspace “for national security and social order,” including requirements on foreign service providers, data localization, and content control.

  • NCSC under the Ministry of Information & Communications monitors national systems and coordinates incident response.

  • Data Law 2025 covers digital data broadly (personal + non-personal), regulating cross-border transfers and requiring disclosure to state authorities in certain cases.

  • Multiple sector regs and breach notification rules exist but implementation quality varies.

6/10

DIGITAL EXPOSURE

Vietnam is a large, young, and heavily online country: around 85.6M internet users and around 84% penetration at the end of 2025, with strong social media and mobile usage.

​

  • Early 2024: 78.44M internet users (79.1% penetration).

  • End of 2025: 85.6M users, 84.2% penetration; 79M social media identities (~77.6% of population).

  • DataReportal: once online, Vietnamese users rapidly adopt e-commerce, digital payments, and new digital services.

  • Big manufacturing, logistics, and services sectors increasingly depend on connected infrastructure.

8/10

GEOPOLITICAL & ECONOMIC DRIVERS

Vietnam is a frontline South China Sea state and a critical global manufacturing and supply-chain hub, with increasingly close ties to the US and its allies. This makes it highly relevant for strategic espionage and infrastructure-focused cyber operations.

​

  • Long-standing maritime disputes with China in the South China Sea; regular tension over fishing, oil, and maritime boundaries (a top espionage driver).

  • Major manufacturing base (electronics, textiles, etc.) and “China+1” beneficiary to attractive for IP theft and supply-chain intelligence.

  • Hosted the UN cybercrime treaty signing in 2025, boosting its diplomatic/cyber profile but also spotlighting its own censorship record.

  • Stronger relationships with US/EU/Japan raise its profile as a strategic partner and thus a more interesting target for rival intelligence.

8/10

CURRENT THREAT ACTIVITY

Threat activity is very high: Vietnam sees extensive ransomware, targeted attacks, and widespread cyber incidents hitting agencies and businesses.

​

  • VNISA/Cybersecurity Association survey (4,935 orgs) found 46.15% of agencies and businesses were victims of cyberattacks in 2024, with around 659,000 incidents (targeted, espionage, data-encryption attacks).

  • Viettel’s 2024/2025 threat reports highlight 315k+ compromised credentials and tens of thousands of phishing attacks, plus rising data leaks.

  • Bkav recorded around155,640 ransomware infections in 2024, estimating total losses in the “tens of millions of USD.”

8/10

LAW ENFORCEMENT & CYBERCRIME CONTROL

Vietnam has regulatory tools and national agencies, plus new data laws and breach-notification expectations, but public visibility into investigations, prosecutions, and technical capacity is limited. Capability is improving but not clearly keeping pace with incident volume.

​

  • Breach-notification rules and personal-data security incident reporting requirements exist under decrees and data regulations.

  • NCSC and MIC coordinate incident responses for critical incidents (e.g., Social Security & CIC breaches).

  • Reports from VNISA and local authorities acknowledge ransomware and cyberattacks as major challenges, calling for more investment in monitoring and detection.

  • Vietnam also hosted the signing of a new UN cybercrime treaty in 2025, signaling its desire to be visible in global cybercrime cooperation—even as rights groups critique its own record.​

5/10

SCAM / HUMAN TRAFFICKING / FRAUD 

Vietnam is both a large victim population for online investment/romance scams and a source of trafficked workers forced into scam compounds in Cambodia, Laos, and Myanmar. It’s not the main compound host, but it’s deeply woven into the regional fraud-factory ecosystem.

​

  • UN and CSIS reporting on SEA scam trafficking highlight Vietnamese victims being lured by fake overseas jobs into compounds in neighboring countries.

  • ABC and other outlets document Vietnamese workers trafficked into cyber-slavery environments to run long-con romance/investment scams.

  • Vietnam has a large, digitally active population, making it a huge target pool for scams, including “investment” and “task” scams.

  • Interpol and others increasingly avoid “pig-butchering” language but still point to SEA hubs (including Vietnam-linked victim flows) in describing industrialized online fraud.

7/10

bottom of page