Malaysia's new cyber law brings it to par with global standards
By Amit Roy Choudhury
While the law organises the country's cyber infrastructure to keep up with modern threats, it remains to be seen whether the lack of cybersecurity professionals turns out to be a roadblock, writes Amit Roy Choudhury
The Cyber Security Bill 2024, passed on 3 April, is focused on protecting the nation's Critical National Information Infrastructure across 11 sectors.
Malaysia’s Cyber Security Bill 2024, passed by the Parliament on 3 April, is expected to bring the country's cybersecurity laws to par with Singapore’s Cybersecurity Act and the US’ Critical Infrastructure Information Act.
The new law is part of multi-year efforts to boost the country’s cybersecurity posture and devote more resources to fight cyber attacks. It entails setting up government bodies to lead joint efforts with the private sector.
However, will Malaysia’s chronic shortage of talented cybersecurity professionals present a roadblock to the Government’s ambitious plans?
The information security industry seems to welcome the new law as the country is one of the most targeted in Southeast Asia.
Palo Alto’s State of Cybersecurity ASEAN 2023 noted that Malaysian firms experienced the largest number of disruptive cyber attacks among ASEAN members, with 29 per cent of the companies facing a 51 per cent increase in incidents.
Malaysia also had one of the highest average ransomware payments in the world in 2021, ranking seventh with payouts reaching almost US$900,000 (S$1.23 million) on average, according to a Sophos study.
Over the years, as the country becomes more digitalised, there is growing awareness of the urgent need to tighten cybersecurity, both in the government and industry circles.
While the bill was passed with alacrity, shortly after its first reading in Parliament on 24 March, the new Act has been in the works for more than three years and becomes the overarching legislation dedicated to cybersecurity.
The law is intended to help the government ensure the viability and efficiency of the nation’s Critical National Information Infrastructure (CNII), across 11 sectors, by improving its ability to handle cybersecurity incidents.
In this respect, it is like Singapore’s 2018 Cybersecurity Act, which is currently being amended.
Concerns of overreach and overstretched workforce
Still, there are concerns whether the law gives the Government too much overarching power to intervene, and whether Malaysia has the workforce needed to ensure that its digital infrastructure is well protected against hackers and bad actors.
A commentary that has been doing the rounds in Malaysia notes that the new Act “fails to be narrowly tailored to address data breaches causing serious harm”.
The major cause for concern, according to the report, is that the Act considers “communications” as part of the country’s critical information infrastructure (CII).
It extrapolates this to mean that the Act “would conflate any disclosure of information in the public interest with the intentional infringement of security measures with dishonest intent”.
Is this apprehension well-founded or unnecessarily alarmist? It remains to be seen. At the same time, while the Act does include information, communication and digital as part of the nation’s CII, this is by no means unique to Malaysia.
Singapore’s legislation defining the country’s 11 CII sectors includes the media sector as well.
Identity fraud and deepfakes
Media has become more digital and hence more susceptible to attacks from malicious actors.
Last year, deepfake images of former US President Donald Trump in an orange prison jumpsuit being “arrested” circulated on social media. Imagine the chaos if this image had been circulated during the American election season later this year.
Bad actors are bipartisan, it seems. An artificial intelligence-powered robocall mimicked current President Joe Biden’s voice to discourage voters from going to the polls during a primary election.
One of the top five industries most affected by identity fraud in 2023, online media, encompassing news websites, streaming services, social platforms, and digital advertising, saw a reported 274 per cent rise in identity fraud rate between 2021 and 2023.
The same report noted that large audiences and insufficient regulations create an environment susceptible to fraudulent activities like fake accounts, engagement manipulation, and the spread of misinformation.
The study notes that between 2022 and 2023, there was a 1,530 per cent increase in deepfakes in the Asia Pacific region.
Deepfake incendiary videos and pictures, if inserted surreptitiously into trusted media networks by malicious actors, can potentially wreak havoc, especially in a multi-ethnic society such as Malaysia's.
Lack of manpower
The country’s lack of an adequately trained cybersecurity workforce, and its potentially detrimental effect on the smooth functioning of a new security infrastructure, is a graver concern.
Malaysia's Prime Minister, Datuk Seri Anwar Ibrahim, has said that the country needs at least 25,000 trained workers in the cybersecurity sector by 2025. Currently, the country has just 13,000 cybersecurity experts.
In comparison, Singapore had around 12,000 trained cybersecurity professionals in 2022 and there would be a demand for up to 4,400 new cybersecurity professionals by 2026.
The Singapore Government has launched several public-private partnerships to develop cybersecurity talent. This includes providing incentives for mid-career switch with special paid courses for developing cybersecurity skills.
The race for talent in both countries dovetails with a global shortage. A study shows that while the global cybersecurity workforce in 2023 grew 8.7 per cent to 5.5 million, there was still a shortage of four million cybersecurity workers.
The relatively low salary (versus the global average) and low profile of the profession in Malaysia are seen as major obstacles to developing cybersecurity talent, said one cybersecurity consultant.
To tackle this, the consultant, Choong-Fook Fong, called for the authorities to provide incentives and tax deductions to strengthen the local industry and entice qualified individuals.
Creating infrastructure
One way of looking at the new Act is that it sets the foundation to build the infrastructure needed to better manage the cyber defence of Malaysia.
In the case of Singapore, when it passed its cybersecurity law in 2018, it had already set up the Cyber Security Agency of Singapore (CSA), the counterpart to Malaysia’s National Cyber Security Agency (NACSA), three years earlier.
Singapore also saw an upsurge in demand for cybersecurity professionals in the government sector. This had a detrimental effect on the private sector, as the demand for people with the right skill sets exceeded the supply.
One envisages Malaysia will go through a similar phase.
Among other things, the Act outlines the establishment of a National Cyber Security Committee and spells out the powers and duties of the chief executive of NACSA, which has been given more powers.
It also outlines the functions and duties of the NCII sector leads and entities, how cybersecurity threats and incidents to the NCII should be managed, and stipulates regulations for cybersecurity service providers.
The Act also has a provision to license prospective providers of cybersecurity services.
Apart from the implementation of the provisions of the Act by the government, industry observers will keep a lookout for how Malaysia tackles the shortage of skilled workforce in the crucial field.
As of 2021, Malaysia and Singapore ranked first and second in Southeast Asia's cyber capabilities and they have since significantly strengthened their cybersecurity strategies. The new Act in Malaysia is thus timely and brings it up to global standards.
Countries from the rest of the region will be looking at these two neighbours to lead and set an example as they also look to improve their own cyber defence infrastructure.
If Malaysia manages to swiftly grow its cybersecurity workforce, implement the provisions of this law and show positive results, as Singapore has, it will act as a key role model for other nations in Southeast Asia.
Amit Roy Choudhury, a media consultant and senior editor, writes about technology for GovInsider.