Can Kaspersky help CSM and NASCA improve cybersecurity in Malaysia?

Over the last few years, organizations and government agencies in Malaysia have fallen victim to numerous cybersecurity incidents. Some of these incidents have led to the personal information of millions of Malaysians being exposed to the dark web.

In fact, some of the biggest data breaches in Malaysia included financial institutions like banks and payment service providers, telco companies and universities. For example, in December 2022, about 13 million Malaysians had data compromised from Maybank, Astro and the Election Commission. Prior to that, Malaysian payment gateway iPay88 also had customers’ credit card data compromised by a cybersecurity incident.

Another cybersecurity incident in Malaysia involved the sale of a database containing the personal information of 22.5 million Malaysians which was hacked from the country’s national registration department.  According to the 160 gigabytes database, data from Malaysian adults born between 1940 and 2004 are included. The transaction was advertised on a website serving as a data leak market.

Apart from data breaches, other cybersecurity incidents involve scams. In Malaysia, online scams continue to be a huge problem as thousands continue to lose funds online through various phishing campaigns. The government established the National Scam Response Center to deal with the growing number of incidents and has already blocked more than 1.6 billion calls and 1,500 suspicious websites.

According to a report by The Star, Datuk Seri Anwar Ibrahim, the Prime Minister of Malaysia has also called for a law on cybersecurity to be drawn up quickly to ensure all aspects of the issue are complete and in place. The Prime Minister said having a specific law would allow the National Cybersecurity Agency (NASCA) of the National Security Council to have clear powers to monitor and enforce laws pertaining to cybersecurity.

“I want to stress that there will be no compromise on national security. This includes the digital domain and the cyber ecosystem,” he said in a statement.

Anwar said the national cybersecurity agency had been tasked as the lead agency for mobilizing relevant efforts across various government entities and industries. Entities in the cyber ecosystem would continue with their existing powers that allowed them to carry out their functions and roles, he added.

The Prime Minister said with the digital era throwing different challenges, the entire government machinery must be better prepared to handle cyber threats.

Who’s really in charge of cybersecurity in Malaysia?

There are two main agencies that currently oversee cybersecurity in Malaysia. The first one is NASCA. NASCA was formed in 2017 as the national lead agency for cybersecurity measures. The agency is supposed to secure and strengthen Malaysia’s resilience in facing the threats of cyber attacks, by coordinating and consolidating the nation’s best experts and resources in the field of cybersecurity.

According to NASCA’s website, the agency is also committed to developing and implementing national-level cyber security policies and strategies, protecting Critical National Information Infrastructures (CNII), undertaking strategic measures in countering cyber threats, spearheading cyber security awareness, acculturation and capacity-building programs, formulating strategic approach towards combatting cyber crimes, advising on organizational cyber risk management, developing and optimizing shared resources among agencies, and fostering constructive regional and global networks among entities with shared interests in cyber security.

The other agency that oversees cybersecurity in Malaysia is CyberSecurity Malaysia (CSM). What started as a small cybersecurity unit in 1997 eventually became a full government agency in 2007. The agency was tasked with leading the development of a safer and more resilient cyber ecosystem to enhance national security, economic prosperity and social harmony through the provision of quality and impactful services, frontier-expanding cyber knowledge and technical supremacy as well as continuous nurturing of talent and expertise.

Between the two agencies, CSM is often the go-to agency whenever there are data breaches or any cyber incidents in the region. For example, on the recent MOVEit file transfer security flaw, CSM released an advisory reminding companies to be vigilant about the program.

In an article by The Star, Dato’ Ts Dr Haji Amirudin Abdul Wahab, Chief Executive Officer of CSM stated that he hopes the cybersecurity bill will help to drive more enforcement measures as the lack of a cybersecurity act means some companies are still not taking critical measures to beef up online safety.

“To me what’s important is the preventive part. For example, I can’t force companies or critical sectors to do full security audits. We shouldn’t wait to act only when an incident has happened,” he said.

While both agencies admit that there are weaknesses in Malaysia’s law enforcement for data breaches and such, the reality is that a lot more can be achieved if the proper laws are in place.

One of the biggest weaknesses in the jurisdiction for cybersecurity incidents in Malaysia is that organizations are not legally required to report any data breaches or cyber incidents they face. The issue has been highlighted numerous times in many conferences in the country with both cybersecurity vendors and organizations highlighting this as a key concern when it comes to cybersecurity.

Enter Kaspersky

One cybersecurity vendor that continues to show concern for Malaysia’s cybersecurity is Kaspersky. While other security vendors have also invested in improving cybersecurity in Malaysia, Kasperksy has taken a step further by providing both cybersecurity agencies a hands-on experience of how the country can boost its cyber defense capabilities.

With the objective of securing and further strengthening Malaysia’s resilience in facing cyberattacks through mutual collaboration, NASCA visited Kaspersky’s Transparency Center in Zurich, Switzerland last year. It was the first time a high-ranking officer from Malaysia has visited the company’s first-ever Transparency Center.

Built to enable trusted partners and government stakeholders to review the company’s code, software updates and threat detection rules, the facility in Zurich is part of Kaspersky’s global network of Transparency Centers. Do note that Kaspersky also has Transparency Centers in Kuala Lumpur (Malaysia), Madrid (Spain), Rome (Italy), São Paulo (Brazil), Singapore, Tokyo (Japan), Utrecht (the Netherlands), and Woburn (the United States).

According to a press release by Kaspersky, the company remains to be the only cybersecurity provider which offers governments and companies a rare and technical insight into its cybersecurity practices and source codes of its flagship consumer and enterprise solutions.

Representing NASCA was Rahamzan Bin Hashim, the Chief Executive Officer. Rahamzan stated that the visit to Kaspersky Transparency Center could further enhance the guidelines for all quarters on methods that can be standardized to improve cybersecurity in Malaysia. In January 2023, he said NACSA and the National Security Council (MKN) are working on the country’s Cyber Security Awareness Master Plan.

The Kaspersky team also subsequently hosted national cybersecurity bodies from Thailand and Indonesia.

Fast forward to June 2023, a CSM team led by Dato’ Dr Amirudin visited Kaspersky’s Transparency Center in Utrecht, the Netherlands. During the visit, the delegation reviewed Kaspersky’s secure software development documentation, threat analysis capabilities, and data management practices.

“It is worth noting that Kaspersky is one of the few cybersecurity companies in the world with such transparent data practices. As we play our crucial part in building a safer cyberspace for Malaysia, we are here to visit Kaspersky’s Transparency Center to engage in knowledge sharing, to exchange views, to assess the practices of a cybersecurity provider operating in our country to be of good quality and integrity,” said Dato’ Dr Amirudin.

In a press release, Kaspersky stated that it is the first cybersecurity provider to offer governments and companies a rare insight into its cybersecurity practices and source codes of its flagship consumer and enterprise solutions.

Kaspersky’s Transparency Center in Utrecht is part of the company’s global network of nine such facilities. Notably, no visitor has ever raised any red flag about Kaspersky’s source code, software updates, and threat detection rules since this program started.

An eye-opening trip

Tech Wire Asia reached out to Kaspersky to get more information on the recent trips made by both agencies. In an email reply attributed to Genie Sugene Gan, Head of Government Affairs and Public Policy, Asia-Pacific, Japan, Middle East, Turkey and Africa regions at Kaspersky, here’s what they had to say.

TWA: Two (Malaysian) cybersecurity agencies went on a trip to Transparency centers by Kaspersky. Was there any outcome from the trip?

Having both agencies visit the centers allowed them to review the company’s source code, software updates, and threat detection rules.

These activities are aimed to increase transparency and build trust between the stakeholders within the cybersecurity ecosystem, in Malaysia and around the world. Because we believe that to build a safer world, we need collaboration and cooperation between private and public organizations founded in mutual trust and transparency.

In general, one of the Global Transparency Initiative’s cornerstones includes Transparency Centers, which are trusted facilities where government agencies, customers and partners can review the company’s source code, software updates, and threat detection rules.

Through them, we provide governments and partners with information on our products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

TWA: Why did Kaspersky take both agencies to two different locations?

NACSA visited our first Transparency Center in Zurich last year, which also provided an opportunity to visit our two data centers on those premises, which store and process our users’ threat-related data, including those from Southeast Asia.

This latest visit by CSM was hosted at our Utrecht Transparency Center, which is also among our newest facilities launched most recently as we expand our Global Transparency Initiative (GTI) footprint globally.

Hence, we are delighted to have had the privilege to host both agencies in these different Transparency Centers.

TWA: How is Kaspersky helping these agencies improve cybersecurity in Malaysia?

Having both agencies visit the centers allowed them to review the company’s source code, software updates, and threat detection rules. Doing so ensures that our collaboration is founded on mutual trust and transparency.

Aside from Transparency Center visits, we have also offered to our agency partners our Kaspersky Cyber Capacity Building Program which is aimed at equipping them with skills in security assessments of ICT products.

TWA: Are there plans to take other government agencies to the Transparency centers as well? 

Yes, certainly. We regularly receive requests to visit our Transparency Centers. We remain open to hosting public agencies and enterprise customers in our Transparency Centers to review our source codes, software updates and threat detection rules, amongst other things. We have several of such visits in the pipeline for the rest of this year globally.

Renewed hope for cybersecurity in Malaysia?

Following the visit to Kaspersky Transparency centers, both NASCA and CSM should now be more prepared and confident in coming up with a bill that can properly address the growing cybersecurity challenges in the country. Enough time has already been wasted in planning. It’s time both agencies work with the relevant industries to draft the changes needed.

As the prime minister has clearly stated,  “This challenge is not just exclusive to Malaysia but is a global issue. This is because the cyberworld and digital communications are part of our lives. Therefore, the national cybersecurity committee meeting is unanimous in wanting (such) a Bill.”

 

---

---

---

---