Securing Malaysia's Digital Future: Cyber Threats and Opportunities

This paper summarises key findings by Social & Economic Research Initiative

December 2022

Introduction

The substantial increase in connectivity and data generation, the explosion of the number of connected devices, and the rapid take-up of technologies such as cloud computing, advanced robotics, and artificial intelligence (AI) are fundamentally changing the way organizations do business and how governments provide public services and engage with citizens. At the same time, with every new system or device that is connected to the internet, the scope for cyber-attacks grows, as do the consequences of successful attacks. As cyber-attackers become ever more sophisticat ed in their operations and cyber-criminals ever more ambitious, policymakers are responding with increasing agility and innovation.

While the state has traditionally assumed responsibility for national security, citizen welfare, economic growth, public health, and a range of aspects that are fundamental to the prosperity and well-being of a country, the internet has become such a pervasive part of public and private life that it is now a vital com- ponent in almost all areas of state responsibility. But what are the responsibilities of the modern state in providing cybersecurity for individuals, organizations, and its own operations? How should governments think about using cybersecurity to enable citizens to benefit from the full potential of the internet, when much of digital infrastructure is owned by the private sector?

Governments over the last several years have responded by enacting a variety of cybersecurity regulations. In their responses, policymakers have been compelled to balance competing priorities, e.g., the need for measures to tackle cyber-threats with the requirement to protect fundamental principles like privacy and civil liberties. In the same way, they must balance the need for regulations to enhance cybersecurity with the risk that those regulations, if not structured correctly, could stifle the innovation and progress being driven by technology.

While analogue policies have served us well in the past, our shared lived reality represents a highly networked data-driven world which requires digital-native policies: policies that are built ground up for the digital-first world. Digital citizen services, connected classrooms, and hyperconnected hospitals will not only require leading-edge technology but also modernized policies and regulations.

Today’s digital nation-states and organisations need comprehensive policies and technologies which are secure-by-design to manage complexity for now and the future. While we have certainly made progress, more can be done as we work to secure our digital future.

Securing Malaysia’s Digital Future

The Covid-19 pandemic forced us to adapt and assimilate to an increased dependence on the internet and digital infrastructure. In Malaysia, due to the increase in online activities, we observed the upward surge of internet traffic since the beginning of the Movement Control Order (MCO) in March 2020. The rapid growth of e-commerce, largely a result of the pandemic, also reshaped consumer behaviour – contactless shopping, store pickups, delivery services, remote learning, and telemedicine are some of the more prevalent examples we have observed.

Working from anywhere and hybrid work have become part of our new normal with meetings, conferences, and seminars shifting to various virtual platforms. Governments have had to rethink existing processes and practices, with technology providing a way forward for business continuity. However, as with any tool, technology has presented both opportunities and challenges.

CyberSecurity Malaysia (CSM) reported that the top five highest incidents were fraud, intrusion attempts, malicious code, content related cybercrime, and cyber harassment. CSM recorded a total of 3057 incidents as of May 2022, and according to a study referenced in the Malaysia Cyber Security Strategy 2020-2024, Malaysia has the potential to lose RM51 billion due to cyber security incidents, which accounts for more than 4% of the country's total gross domestic product.

Malaysia’s recognition of cybersecurity as a national priority led to the formulation of the National Cyber Security Policy (NCSP) in 2006 to address potential risks to Critical National Information Infrastructure (CNII).

In October 2020, the Government launched the Malaysia Cyber Security Strategy (MCSS) to (i) bolster trust in society and the cyber environment, and (ii) to support the government’s agenda in the digital economy, Industry 4.0, and the adoption of emerging technologies.

MCSS outlines 5 strategic pillars:
1. Effective Governance and Management

2. Strengthening Legislative Framework and Enforcement
3. Catalysing World Class Innovation, Technology, Research & Development, and Industry

4. Enhancing Capacity & Capability Building, Awareness and Education 5. Strengthening Global Collaboration

This paper summarises the challenges and opportunities presented by cybersecurity developments in Malaysia, as we work to strengthen our collective digital resilience.

Investing in Cyber Resilience

According to the United Nations Conference on Trade and Development, investment in cybersecurity companies reached more than $11 billion in 2020, the highest level since 2016, amid the global economic crisis. The average amount per deal in cybersecurity more than doubled between 2016 and 2020 (from $10 million to $23 million). While we know this increase can be largely explained by the accelerated digital adoption due to the pandemic, there are four main areas of opportunity as Malaysia strives to increase its share of socio-economic benefits resulting from digital adoption and investment:

Digital Infrastruckture : Anchored to Technology, Powered by Trust

With the Government of Malaysia’s recent signing of the Cloud Framework Agreement – a strategic collaboration with four cloud service providers: Microsoft Azure, Google Cloud, TM Cloud Alpha, and Amazon Web Services (AWS), as well as the gazettement of the Public Sector Cloud Computing Services Policy on 10 June 2021, Malaysia has joined various other countries in the world in implementing its Cloud First Policy. This is in line with national targets outlined in the Malaysia Digital Economic Blueprint including 80% cloud storage across the government in 2022, 100% civil service digital literacy and 80% end-to-end online Government services by 2025.

With cloud being the underlying infrastructure enabling essential services and sectors such as education, healthcare, and financial services, the trustworthiness of cloud providers is fundamental. As government and business organisations seek to select trusted cloud service providers (CSPs) for storing and processing data, they may want to ask the following questions:

Have CSPs obtained global certification?
How does the CSP protect customer data?
How does the data owner have control over the data?
Where is the data stored? (Which country, region, data center?
What does the CSP do with customer data?
Does the CSP publish/make publicly accessible law enforcement access

requests for data stored in its cloud?

The increasing prevalence of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) in the workforce have changed the technology landscape for modern enterprises and governments. Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to technology resources and services are no longer sufficient for organisations that regularly require access to applications and resources that exist beyond traditional network boundaries.

The shift to the internet as the network of choice and the continuously evolving threats have led to broad adoption of the Zero Trust security model.

Zero Trust

Zero Trust is a new security model that assumes breach and verifies each request as though it originated from an uncontrolled network. A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.

A Zero Trust environment requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur – this is based on the principle: never trust, always verify.

Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

From Security Perimeter to Zero Trust:

The traditional approach of access control for IT has been based on restricting access to a corporate network and then supplementing it with more controls as appropriate. This model restricts all resources to a corporate owned network connection and has become too restrictive to meet the needs of a dynamic organization or nation-state.

Organizations must embrace a Zero Trust approach to access control as they embrace remote work and use cloud technology to digitally transform their business model, customer engagement model, employee engagement, and empowerment model.

Zero trust principles help establish and continuously improve security assurances, while maintaining flexibility to keep pace with this new world. Most zero trust journeys start with access control and focus on identity as a preferred and primary control while they continue to embrace network security technology as a key element. Network technology and the security perimeter tactic are still present in a modern access control model, but they aren't the dominant and preferred approach in a complete access control strategy.

The illustration below provides a representation of the primary elements that contribute to Zero Trust.

In the illustration above: Securi ty policy enforcement is at the center of a Zero Trust architecture. This includes Multi Factor authentication with conditional access that considers user account risk, device status, and other criteria and policies that the organisation defines and implements.

Identities, devices (also called endpoints), data, applications, network, and other infrastructure components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with an overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and conditional access policies require healthy devices for access to specific apps and data.

Threat protection and intelligence monitors the environment, surfaces current risks, and takes automated action to remediate attacks.

Holistic Approach to Cyber Resilience

The evolving threat landscape requires a whole-of society approach. We must recognize that unlike the traditional threats of the past, cyber defense requires a unique level of public and private collaboration, and a modernised approach to investment and skilling.

The private sector, particularly technology companies, are on the front lines of cyber and information attacks. Likewise, civil society organizations are key conveners that play a crucial role in engagement, sometimes are involved in cyber data analysis, and are often targets themselves.

Malaysia, ranked second in ASEAN, spends about 0.08% of our GDP on cybersecurity while Singapore, ranked first in ASEAN, spends about 0.22% on cybersecurity(1). Globally, Malaysia is almost 4 to 5 times below the best practice amount for cybersecurity expenditure(2). Funding, education, and awareness are crucial issues that need to be tackled. When it comes to cyber resiliency, a holistic approach needs to be employed. We cannot merely focus on a single component but rather, we have to look at how they are interdependent and interrelated, encompassing people, process, and technology.

Digital Gender Divide

With technology offering us a way forward for socio-economic continuity, digital technology has become a lifeline, but not for everyone. The digital gender divide continues to impact women disproportionately, and this has been hardest felt by women in vulnerable groups – women with disabilities, climate and economic migrants, and informal workers.

According to the ITU, women and girls comprise the majority of the estimated 3.7 billion unconnected people around the world. Globally, the proportion of women using the Internet amounts to 48 per cent, compared to 55 per cent of men – resulting in far-reaching consequences which impact access to education, healthcare, and financial services.

This divide is also seen in STEM education and careers, particularly in cybersecurity – the (ISC)2 Cybersecurity Workforce Report for 2021 found that the global estimate for women in cybersecurity remains at 25%; however, compared to men, women have higher rates of entry into cybersecurity roles from self-learning (20% vs. 14%) and higher rates of pursuing cybersecurity education to land a job (20% vs. 13%). Skills truly are the currency of our future.

This is particularly promising for both gender parity and economic growth - It is estimated that if women participate in the labour market at the same rate as men do, global GDP will grow by $12 trillion by 2025.

As we recover from this pandemic, and strive to build resilient economies, we need to ensure every person can participate, learn, and contribute within the digital economy. It is no longer just about closing the digital divide, but also the opportunity divide – ensuring that people have the skills required to meaningfully translate digital technologies into economic opportunities.

Policy Recommendations

Societal and technological advancements have accelerated the need for regulatory and policy reform. New policies and regulations are required to better fit the challenges and opportunities presented by the digital world.

Below are some recommendations:

1. Cross-sectoral and Inter-agency coordination and collaboration

Recognize that unlike the traditional threats of the past, cyber defense requires a unique level of public and private collaboration. There must be collaboration and coordination between all relevant organisations.
Public-private partnerships are vital for sharing information securely and confidently. Industry players should collaborate with public sector on best practices for sharing intelligence.
Shared intelligence across organizations, government entities and private institutions would enable data to be converted into actionable insights. Regulations must be in place to give stakeholders the confidence to share information.

2. Review education and training infrastructure

Security policies, networks and applications must be periodically reviewed and modernised.
Provide cybersecurity training and resources for priority sectors including telecommunications, financial services, healthcare.

3. Development of Digital-native policies

Review existing policies to reflect the increasingly central role of cybersecurity across various sectors including education and healthcare.
Modernisation of security policies in response to opportunities and challenges of 21st century
Policies on critical national infrastructure policies to build in cybersecurity and skilling of policymakers.

4. Awareness

Cybersecurity is a team sport requiring multi-stakeholder collaboration. Awareness must be increased, in partnership with public sector and private sector stakeholders, in order to ensure the implementation of online safety and cybersecurity best practices.

There is no national security without cybersecurity. With constantly evolving digital opportunities and challenges, Malaysia’s cyber resiliency will be a critical factor in ensuring we remain at the forefront of the digital economy. As we continue to navigate post-pandemic recovery, there is an opportunity for the public and private sector to partner towards the adoption of clear and unambiguous legislation and enabling policies that steer us towards robust security and protection standards.

1. CISCO, AT Kearney, 2018, “Cybersecurity in ASEAN: An Urgent Call to Action”
2. Ibid