Malaysia’s Central Database Hub: is PADU a cybersecurity timebomb?

• Malaysia launched PADU a month ago. 
• Registrations for the national database hub have been increasing – but still have a long way to go. 
• Cybersecurity concerns are the main reason for slow registrations. 

It’s been almost a month since Malaysia launched its Central Database Hub (PADU). Since its launch, there have been mixed reactions from the public. Many are still skeptical about the need to share their data with another government agency, given the increasing number of cybersecurity incidents in the country alongside weak cybersecurity regulations.

According to a report by Bernama, a total of 2.38 million individuals have since updated their personal information on the database. Users are required to update and confirm 30 types of personal particulars, including their identity card number, household size and residential address.

The Central Database Hub was developed locally, using the internal expertise of the Economy Ministry, the Department of Statistics Malaysia and the Malaysian Administrative Modernization and Management Planning Unit (Mampu). Various government ministries, agencies and state governments also contributed to the development of the database.

In a report by The Edge, Datuk Seri Dr Mohd Uzir Mahidin, chief statistician of PADU, asked users to register their details soon. He fears that the last-minute surge in registrations before the March 31 deadline could result in system congestion. This raises more questions on the hub’s capabilities to support the data it has. If it is not even able to support a surge in registrations, will the hub be capable of delivering what it was really intended to do?

As mentioned earlier, cybersecurity concerns are one of the main reasons why Malaysians are still not signing up to the central database hub. To understand more about PADU’s security features and how users can be assured of the system, Tech Wire Asia spoke to David Rajoo, senior systems engineer specialist at Palo Alto Networks.

How different is PADU compared to other central database hubs in the region?

PADU is specifically designed for data integration and sharing among Malaysian government agencies, focusing solely on improving data accessibility and government decision-making efficiency. Its most noteworthy characteristic is its explicit focus on targeted aid and subsidies. Unlike other data hubs that may have broader or more varied objectives, PADU is uniquely dedicated to ensuring the fair distribution of subsidies and services to those who need them most.

Moreover, PADU is managed by the Department of Statistics Malaysia (DoSM), which demonstrates its strong commitment to maintaining data accuracy, reliable statistics, and thorough analysis.

What is the biggest flaw the PADU system has currently and how can this be addressed?

Before PADU, Malaysia encountered significant hurdles in integrating information, leading to substantial gaps in the database, crucial for extending government assistance to those in need. The establishment of PADU signifies a concerted effort to rectify these discrepancies and align our operations with the national digital transformation agenda.

A major risk facing PADU that we see is the threat of a breach. Like many other industries and organizations that are entrusted with safeguarding vast volumes of personal data, PADU is not bulletproof to cyber attacks. Bad actors are not biased toward one country, industry, or system, and they constantly look for vulnerabilities and continue to evolve in their tactics.

Among the measures that can be taken by PADU to strengthen its system are:

• Implement strong encryption protocols – ensure that data, both at rest and in transit, is safeguarded through state-of-the-art encryption methods. This serves as the first line of defence against unauthorized data use.
• Enforce strong multi-factor authentication systems – ensuring strong validation and authentication processes and systems provides assurance of proper system security.
• Develop a zero trust strategy and architecture – assuming a breach condition and systems are compromised, provides a mindset and strategy to secure PADU against actual breeches.
• Deploy advanced threat detection systems – utilize AI and machine learning-powered systems to continuously monitor and analyze data patterns, enabling early detection of anomalies that may signify potential security issues.
• Foster a culture of security awareness – conduct regular training and drills for all stakeholders involved with the PADU This ensures that individuals are prepared to identify and respond to security threats promptly.
• Engage in international collaboration – partner with global cybersecurity experts and partake in knowledge exchange to stay ahead of emerging threats and incorporate global best practices into the PADU system’s security.
• Be prepared and ready for a cyber-event – have a robust cyber-resilience program in place to quickly respond, investigate and recover from a cyber
• Maintain continuous vigilance and update security measures – regularly assess and update the security measures to counter evolving cyberthreats. This proactive approach is crucial in maintaining the integrity of the PADU system and safeguarding the privacy of individuals.

What are the common mistakes governments and businesses make when it comes to data centralization?

Centralization initiatives in data management present a multitude of advantages in terms of operational efficiency, accessibility, and enhanced service delivery. But when starting such large projects, both governments and businesses often face similar challenges. Identifying and mitigating these shared pitfalls is paramount to ensuring the efficacy and security of these initiatives.

• Data transparency assurance: ensuring data is used with integrity, lawfully, fairly, traceably and with valid purpose, increases the confidence of PADU users.
• Data privacy measures: overlooking the need for strong data privacy protocols can result in unauthorized access.
• Comprehensive security  strategy: a  minimal layered security approach leaves centralized data vulnerable to cyberattack.
• Scalability and flexibility: design systems that are not equipped for future growth can lead to the ever-changing need for efficiency improvements.
• Overlooking data quality and integrity: less emphasis on data accuracy can lead to poor decision-making and unreliable outputs.
• Underestimating stakeholder  engagement:  lack of involvement from key stakeholders during planning and implementation can hinder system acceptance and usefulness.
• Inadequate training and support: not providing enough training and support to users can limit the system’s effectiveness and increase security risks.

While systems like PADU that centralize data can greatly improve services and governance, it’s important to actively prevent these common problems. By doing this, governments and businesses can make sure their data systems are strong, efficient, safe, and able to withstand changing cyberthreats.

Can the PADU system establish standardized security protocols across various government agencies to ensure a uniform and high level of security practices in Malaysia? How can they implement it?

The PADU system, as a centralized data hub, is intrinsically capable of fostering standardized security protocols across various government agencies in Malaysia. This capacity is further amplified when harmonized with legislative initiatives like the Malaysia Omnibus Act, which facilitates data sharing and cloud storage among government agencies. Here’s how this synergistic approach can effectively implement uniform and high-level security practices:

• The Omnibus Act‘s framework for data sharing and cloud storage guides PADU in standardizing security protocols. By aligning PADU’s data management with this Act, a central security framework can be established. This framework will set unified standards, policies, and protocols for data handling, access control, and incident response, tailored to various government sectors, enhancing overall data security and management efficiency.
• Leverage advanced security technologies: utilize state-of-the-art security technologies and services, including advanced encryption, intrusion detection systems, and AI-powered threat analysis tools. Ensure these technologies are integrated seamlessly into the PADU system.
• Managed by the Economy Ministry: with the Economy Ministry overseeing the Omnibus Act‘s implementation, align PADU’s data management strategies with economic strategies and cybersecurity policies. This ensures that the standardization of security protocols not only protects data but also supports the government’s broader economic goals.

By integrating the operational capabilities of the PADU system with the legislative support of the Malaysia Omnibus Act, we can establish and implement standardized security protocols across various government agencies. This not only ensures a uniform and high level of security practices but also aligns with Malaysia’s broader goals of digital transformation, efficient governance, and economic growth, creating a secure, efficient, and future-ready data ecosystem.

Malaysian cybersecurity regulations do not apply to government data. Should this be addressed? Who should be accountable if there are any cybersecurity incidents?

We are certainly looking forward to the new Cybersecurity Bill to be passed in Malaysia, as a measure to strengthen the nation’s cybersecurity posture and maturity. Having said that, cybersecurity is a shared responsibility. Safeguarding digital assets requires collective vigilance and cooperation from individuals, organizations, and governments alike. There should be a well-defined accountability framework in place. This involves:

• Designation of responsibility:  assigning clear responsibility to specific roles or departments within each government agency for maintaining cybersecurity.
• Regular audits and compliance checks: implementing regular audits and compliance checks to ensure that the cybersecurity measures are up to the mark and that the agencies are adhering to the established protocols.
• Incident response and  reporting:  developing a standardized incident response protocol, including immediate measures to mitigate damage, in-depth investigations to identify the source of the breach, and transparent reporting mechanisms to inform stakeholders and the public.
• Public-private partnerships: using expertise from the private sector to help secure government data. Such partnerships can bring in fresh perspectives, advanced technologies, and global best practices.

Lastly, what advice would Palo Alto Networks give to PADU on ensuring it is not compromised?

We have always maintained that cybersecurity is a data issue and we’ve been at this a long time. With this commitment in mind, the team responsible for PADU should implement a zero trust approach. This approach assumes that threats can exist both outside and inside the network. This model requires verifying every user and device, securing every access point, and enforcing least-privilege access to minimize the risk of breaches.

---

---

---