Protecting Malaysian cyberspace

Protecting Malaysian cyberspace
-A +A

In this highly connected world and because Malaysians are largely dependent on the internet and digital technology, one cannot afford to be complacent when it comes to cybersecurity matters. Some might think we are well equipped and ready to face incoming threats, thus they take things for granted and do not consider cybersecurity as a priority for national security and the people’s well-being.

However, times have changed. The environment of the internet and digital technology is ever changing, and so are cyberthreats. Cyber criminals have become bolder and more knowledgeable, skilled, innovative, advanced and sophisticated, leading to considerable damage.

Malaysia has seen a rise in data breach in recent years, and even more so since the emergence of Covid-19. Information such as users’ full name, identification number, home address, phone number and ID photo have been stolen from government servers and sold on the dark web for a reported price of just US$10,000. Barely two months later, the country’s computer security experts, or “white hat hackers”, discovered a website on the conventional internet that offered access to a wide range of Malaysians’ personal information.

There has also been more incidences of fraud using “mobile apps” or APK files to steal credentials or banking information. Fraudsters have evolved from just merely spoofing or impersonating organisations or companies to now having their own fake mobile applications that target citizens. Apart from that, citizens and organisations are faced with constant threats such as ransomware, which demands money by ransom.

According to Trend Micro Inc, most organisations in Malaysia believe they will be attacked in the next 12 months. Those that may be more prone to cyberattacks are small and medium enterprise (SMEs) and critical national information infrastructures (CNII).

Malaysia has 11 CNII sectors: national defence and security, health services, banking and finance, information and communication, energy, transportation, water, government, emergency services, agriculture and plantation, and trade, industry and economy. Each has the potential to be attacked and faces risks that need to be evaluated.

Meanwhile, cyberthreats that could arise in the near future are state-sponsored attacks, information warfare, supply-chain attacks, ransomware-as-a-service, zero-day exploits, as well as attacks on 5G networks and Internet of Things (IoT) devices.

Malaysia does not have a big enough cybersecurity team to handle the current cyberthreats."
— Datuk Dr Amirudin Abdul Wahab CEO, CyberSecurity Malaysia

“As cyber defenders, we need to ... one step ahead of these cyber criminals. We cannot afford to be left behind,” says CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab.

He notes that there is no such thing as 100% security, as no matter how strong a country or organisation is in terms of cybersecurity, it would be just a matter of time before it is attacked.

Thus, it would be better to assume that criminals will eventually break through an organisation’s cyber defences. The most important action for an organisation is to strategise and implement cybersecurity to lessen the impact of such attacks.

“What is most important is to prepare for any attack. It is crucial to know how to act and recover or bounce back once attacked.There is still much room for improvement for many organisations
in Malaysia,” says Amirudin.

As the national cybersecurity technical agency under the purview of the Ministry of Communications and Multimedia Malaysia (K-KOMM), CyberSecurity Malaysia is responsible for advising on and implementing cybersecurity-related matters as well as supporting the country’s national cybersecurity-related strategic policies and plans.

Cybercrime continues to evolve alongside advancements in technology, with big data, IoT, artificial intelligence, blockchain, cloud computing and many more being exploited by cybercriminals for their nefarious operations.

Dedicated cybersecurity teams are mostly available in multinational corporations while, in medium-scale organisations, cybersecurity capabilities are embedded in their IT teams. However, this is rarely the case for small and micro organisations.

As at July 1, there were 13,851 cybersecurity knowledge workers in the country and, based on this figure, the nation does not yet have enough cybersecurity personnel to handle cyberthreats.

Amirudin says the current cybersecurity talent available is insufficient to support the needs of the industry, given the gap between the quality of students and the industries’ expectations, which might be due to most students being educated in theory rather than practical or hands-on experiences.

Concurrently, it takes time to build a workforce of knowledgeable cybersecurity experts and to recruit the right people for this profession. In resolving that, strategic public-private partnerships and rewards from diverse sources, such as scholarships, mentorships and internships with job guarantees, are needed to close the human capital gap.

“Malaysia does not have a big enough cybersecurity team to handle the current cyberthreats. Lack of expertise and professionals may be Malaysia’s downfall if no immediate action is taken.

“With reference to the Malaysia Digital Economy Blueprint (MyDIGITAL), under Thrust 4, Strategy 3 and Initiative 11, Malaysia requires no less than 20,000 cybersecurity knowledge personnel by the end of 2025,” says Amirudin.

In response to that, CyberSecurity Malaysia has the capability to train and certify people through CyberGuru and the Global ACE Scheme. CyberGuru is designed inhouse by technical experts in the industry. Apart from content development, the agency has also partnered with security platform providers such as SANS, (ISC)2 and others to provide comprehensive training.

The Global ACE Scheme, meanwhile, was established to validate and certify cybersecurity personnel as a world-class competent workforce in cybersecurity and promote the development of cybersecurity professional programmes within the region.

Keeping our future generations safe

Although CyberSecurity Malaysia does not have information on reported cases related to children, given that it falls under the jurisdiction of the police, the agency provides technical assistance to the Royal Malaysia Police (PDRM) as a technical expert when there are cyber incidents involving children. These incidents are usually handled by the technical team, the Malaysia Computer Emergency Response Team (MyCERT) and digital forensics.

Apart from mitigating online threats towards children, CyberSecurity Malaysia through its Cyber Security Awareness for Everyone (CyberSAFE) programme takes several initiatives to study the level of awareness, and elevate cyber safety knowledge among schoolchildren.

CyberSAFE is CyberSecurity Malaysia’s initiative to educate and enhance the awareness of the public on technological and social issues facing internet users, particularly on the risks they face online.

Among the programmes/activities under CyberSAFE are the National Baseline Study on the level of Cybersecurity Awareness among Schoolchildren and Parents 2021/2022, National Cybersecurity Awareness Modules, Safer Internet Day Malaysia Edition, National ICT Security Discourse and Cyber Security Awareness Talk.

“The best way to keep children safe online is to be involved and monitor their activities because no software or app can completely guarantee their safety. Parents are advised to be mindful that your child probably already knows more about the internet than you do.

“Therefore, it is best that you set up your own social media accounts and play the games and apps your children play, so you know how these platforms work. Doing so will keep you updated on cyber parenting,” Amirudin advises.

The public can also read CyberSecurity Malaysia’s e-Security Bulletin, which has been published since 2004. The twice yearly online publication highlights information related to cybersecurity comprising incident reports, technical sharing, report findings, best practices and awareness. The e-Security bulletin is a bilingual publication, with articles in English and Bahasa Malaysia that cover topics about cybersecurity matters, whether technical or generic in nature.