In conversation with Dato’ Ts. Dr Haji Amirudin Abdul Wahab FASc, Chief Executive Officer, CyberSecurity Malaysia
CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Communications and Digital (KKD). CyberSecurity Malaysia is committed to providing a broad range of cybersecurity innovation-led services, programmes, and initiatives to reduce the vulnerability of digital systems, and at the same time strengthen Malaysia’s self-reliance in cyberspace. We speak to CEO, Dato’ Ts. Dr Haji Amirudin Abdul Wahab, on how his organisation has sought to stay ahead of the cybersecurity curve and what measures they have taken to ensure Malaysia is one of the most cyber secure countries on Earth.
What do you see as the most pressing new cybersecurity threats over the horizon?
Based on a report from the Malaysia Computer Emergency Response Team (MyCERT) – a department within CyberSecurity Malaysia – the top incidents that are regularly reported to Cyber999 are fraud, malicious code, intrusion and content related crimes.
In Malaysia, new emerging cybersecurity threats that are of concern are threats posed by Artificial Intelligence (AI), supply chain attacks, a more complex and advanced malware as well as ransomware attacks, and attacks on mobile devices etc. There are also new ways, innovations, tools, and technologies to steal, leak and manipulate data.
In addition, Malaysia is looking into reducing the number of incidents that involved online fraud, scam, and data breaches. The rise of these types of incidents has triggered the government to review and amend the existing laws and regulations.
How do illicit human activities and technical cyber threats interrelate?
Illicit human activity is the source of cyber threat with motivations varying from monetary to espionage. The emergence of new technology will create vulnerabilities that threat actors will take advantages of. Apart from that, they continuously improve and devise new strategies while conducting cyber-attacks, to remain anonymous and to avoid being apprehended. The combination of both new technology and new strategy multiplies the cyber threat environment.
With an increasingly rapid and highly connected internet, and apparent use of advanced digital technology, cyber threat and cyber-attacks in the industry are getting speedier, more advanced, complicated, automated, and persistent. These threats and attacks cause unpredictable and destructive consequences. The impact of a successful advanced attack does not only affect a particular organisation or sector, but also has the capability to trigger a domino effect and cause widespread disruption reaching organisations in other sectors.
The Internet has also become a haven for criminals, terrorists, and other actors whose nefarious intentions could undermine the added value of cyberspace for most of its users. Nowadays cybercriminals are also more active, bold, and sophisticated. They have come up with new, effective, and advanced methods to prey on their victims for illicit gain.
What measures have you introduced in the past few years that make Malaysia one of the top 10 cybersecure countries on earth?
Malaysia is one of the top rated countries in the cybersecurity domain and in potential for growth in the cybersecurity industry. Indeed, in June 2021, according to the latest Global Cybersecurity Index (GCI) published by the International Telecommunications Union (ITU), Malaysia was ranked fifth, together with the Russian Federation and the United Arab Emirates. Malaysia came in second at the Asia Pacific level with both South Korea and Singapore in joint first. That recognition indicates the government’s capacities, continuous efforts, commitment and will - especially while adjusting to the new normal and an uncertain environment - in delivering services, advocacy and preparedness in cyber security.
The Malaysia Cyber Security Strategy 2020-2024 was designed with an allocation of RM1.8 billion in order to strengthen the country’s cybersecurity and combat threats in a comprehensive manner. Furthermore, in March 2021, the government announced the CYBER Security Empowerment Programme (SiberKASA) to improve cyber security threats and attacks. This initiative aims to assure network security readiness by creating, enabling, sustaining, and improving the country’s cyber security infrastructure and ecosystem.
Resilience speaks of an ability to mitigate, respond to, and recover from threat. What would you say are the core principles to creating a cyber resilient organisation?
The whole organisation, from the board, senior management right the way down to normal officers are responsible to ensure they adhere to cybersecurity requirements. Cybersecurity must focus on the three areas: people, process and technology as it will help the organisation to be prepared against cyber-attack.
It is challenging for an organisation to be 100 percent secure even if it is equipped with a full pledged security package. It’s just a matter of time that a cyber-attack can occur. Similarly, human error can also affect a business’ operations and render it incapable of serving its customers. What is more important is that an organisation try their best to strategise to lessen the impact. It is crucial to know how to act and bounce back once attacked.
Cyber resilience goes beyond cybersecurity. However, it does not replace cybersecurity, it goes hand in hand with it. It covers a more comprehensive threat protection and risk assessment and management. With cyber resilience, an organisation has good recoverability. It must have the ability to return to regular operations fast. This means that they are well prepared, conducted simulations and tabletop exercises and possess infrastructure redundancies and data backups across different regions in case a natural disaster or cyberattack impacts a specific part of the world.
An organisation should be durable, adopt a dynamic, innovative, holistic, and adaptive cybersecurity approach that covers people, process and technology. They should already have the basics and implement cybersecurity best practices. They should have regular cybersecurity awareness and education programs. They should also strengthen their organisational infrastructure with defence in depth/multilayered defence approach and also zero trust approach. Cybersecurity should be part of their organisation’s culture. It is a shared responsibility, and everyone should be involved.
'CyberSecurity Malaysia is the co-founder of the Asia Pacific Computer Emergency Response Team (APCERT) and Organisation of Islamic Cooperation - Computer Emergency Response Team (OIC-CERT).' How important is international engagement to understanding and responding to emerging cyberthreats?
It is important to enhance international collaboration in information sharing, legal and technical approaches, capacity building and also cyber security awareness and education. No country can work alone. Due to the cross-border nature of cyber incidents and crimes, international coordination and cooperation remain crucial, particularly in the areas of investigation and mitigation.
Some of the International collaborations that Malaysia participates are:
a) Association of Southeast Asian Nations (ASEAN) – One of the Coordinating Council members
b) International Telecommunication Union (ITU)
c) Organisation of The Islamic Cooperation – Computer Emergency Response Teams (OIC-CERT)
d) Asia-Pacific Computer Emergency Response Team (APCERT)
e) Collaboration with Council for Security Cooperation in the Asia Pacific (CSCAP)
f) World Trustmark Alliance
g) FIRST
h) Axiata
i) Huawei
No single entity can act alone in this digital age. Inherently, there is the need to instil, build and develop trust between each other in order to overcome these issues in the long run. The public and private sectors need to work closely together across all areas to deal with cybersecurity issues. Public-Private Partnership (PPP) is an enabling factor that comes from various parties, in terms of technological advancement, expertise, processes etc. by enhancing:
a) Sharing of Information amongst relevant parties
b) Cyber Incidents Response and Coordination
c) Innovative & Collaborative Research
d) Capacity Building
e) Cyber Security Awareness and Education
Malaysia as a nation aims to successfully adopt a holistic approach in enhancing the security of its cyber environment. Whilst at the same time, as a part of global community, Malaysia also aims to strengthen its international cooperation to respond to global cyber challenges. With such approach, we hope to be able to benefit and take the advantages of a secure, resilient, and trusted cyber environment.
Comments