Is Malaysia doing enough to tackle the growing threat of cyberattacks? The answer is no
- Cyberattacks are running rampant in Malaysia, and a recent report indicated that the country stands as the eleventh most breached country in the second quarter of 2022.
- In an interview with Cybersecurity Malaysia, Tech Wire Asia was told that fraud is the most common cybercrime: up to June this year alone, 3,762 incidents were reported, of which 2,633 were complaints about fraud.
Cyberthreats around the world are not slowing down, let alone getting any easier to tackle. Cyber crimes are in fact evolving with time and regardless of the measures adopted to prevent breaches, criminals are finding increasingly innovative ways to bypass them. In Malaysia, the situation is no different — network threats and ransomware are the prime culprits of the loss of millions of dollars each year in the country. Unfortunately though, little is being done to tackle the issue so far, and actions have been more reactive than proactive.
Let’s dive into the cybersecurity complaints made to the Royal Malaysia Police’s Commercial Crime Investigation Department (CCID) from 2020 up to May this year. Inspector-General of Police Acryl Sani Abdullah Sani emphasized that complaints have increased significantly to 71,833, involving losses amounting to RM5.2 billion. And that is just the tip of the iceberg.
The period largely covers the early and peak pandemic days, when lockdown measures were in place. Of the total, 48,850 cases, or a staggering 68%, involved online fraud. Even e-commerce purchase fraud cases increased from 8,851 cases in 2020 to 9,569 cases last year, while as of May this year alone, a total of 3,833 cases have been recorded.
The underlying factor? A significant increase in the use of the internet whilst most of us were home — combined of course, with poor cyber hygiene. On a global front, a recent study conducted by cybersecurity company Surfshark placed Malaysia as the eleventh most breached country as of the second quarter of this year.
The study analyzed millions of breached accounts from April through June 2022 and showed that more than 665,200 Malaysians were breached during this period, recording a growth of 733% in the last quarter. For context, in South-Eastern Asia, every second person, or 64 out of every 100, has been affected by data breaches, but for Malaysia, according to Surfshark data researcher Agneska Sablovskaja, the number goes up to 138 per 100 people.
Statistically speaking, an average Malaysian has been affected by data breaches at least once. The statement said that breaches are rising worldwide, Malaysia included, and that since 2004 there have already been a total of 44.2 million breached accounts in Malaysia. On that note, Tech Wire Asia had the opportunity to conduct a joint interview with Cybersecurity Malaysia (CSM) CEO Dr Amiruddin Abdul Wahab, alongside Menlo Security’s regional director for Southeast Asia CK Mah, on the state of the cybersecurity threat landscape and trends specifically in Malaysia.
The following is a transcript of the first part of the interview (a second part to follow). Some of the questions have been edited for brevity and clarity.
What is the state of the cybersecurity threat landscape and trends specifically in Malaysia?
Amiruddin: We have our Cyber999, which is our cyber incident reference center, where we receive various incidents by the netizens whether for public or private, organization, or individuals. For this year, according to the latest statistics, up to June, we received 3,762 incidents, mainly dominated by fraud, which made up to 2,633, followed by malicious code (552) and intrusion (394). Fraud is actually a big category, under which there are a few subcategories, including phishing, scam, etc., while malicious code includes ransomware and intrusion is hacking.
Basically, these incidents have consistently been in the top three for the last several years, while fraud has always led, encompassing about 70% of the total incidents reported to us. This can be confirmed by the Royal Malaysian Police’s data from 2022 up to May 2022. There were about 71,833 commercial crime cases reported with an estimated loss of about 5.2 billion and out of that, 48,850 cases, or generally 60%, are fraud in general.
What is Cybersecurity Malaysia’s role actually?
Amiruddin: When it comes to CSM, we are actually the national technical reference and specialty center, under the purview of the Ministry of Communications and Multimedia Malaysia. So as a technical agency, we are not a regulatory body, so we provide a broad range of innovation services related to cybersecurity. At the national level, we have a policy or strategy called Malaysia Cybersecurity Strategy 2020-2024 to ensure the cyberspace is secure, trusted and resilient.
Malaysians can actually report to us at Cyber999 when faced with cyber threats. We also have services including training services, outreach services and also technical services like security assurance, assessments and others. In essence, we are around to help the country’s cyberspace to be more secure, and better.
The Malaysian government has been pretty silent when it comes to cyber-related issues. Would you both reckon a better approach in dealing with cyber threats?
CK: From Menlo’s perspective, as a leader in cybersecurity, we feel that we play a key role in shaping the nation’s cyberspace, ensuring that we support any digital national agenda. We also recognise the role that we play is highly interdependent between both the government and also the private sectors. That is the reason why we are committed to work in collaboration with all government sectors to safeguard our country’s digital agenda. We also specialize in providing military grade 100% air gap or internet separation security platform for all web traffic. Since there are many spectrums in security, we specialize in the web traffic area in terms of the potential cyber attack.
Amiruddin: In the context of the Malaysia ecosystem, there are several ways players such as the Personal Data Protection Department, the custodian that is in charge of what we call PDPA — Personal Data Protection Act 2010. They are basically the regulatory body or the entity that looks into protection of personal data, especially that involve commercial transactions. The law however, was established in 2010 and that was a long time ago. Since then, countries around us have evolved and even GDPR came about in Europe.
After all, 10 years is a long time in the technology sector and it is about time for us to strengthen these aspects of personal data protection — by modifying the law. The government no doubt is making the necessary arrangements to amend the law and strengthen the legislative framework when it comes to data protection, but it has to be done sooner rather than later. At the same time, in the government sector, there’s another body that looks into it — the National Cyber Security Agency (NACSA) in charge of the government sector with regard to the issue of cybersecurity and protection of data. I believe these parties are making the necessary adjustments and even trying to push a legislative framework with regard to strengthening cybersecurity.
However, when it comes to legislative framework, it takes time because it is not an easy task and if I could recall well, the government did mention in the Parliament that they are trying to present something probably at the end of next year or sometime mid next year with regards to strengthening the cybersecurity aspects of the nations. So these are the two actually key entities that really look into the aspects of data protection and the country.
I understand the framework takes time. But at this point, don’t you think taking another year or another year and a half to amend legislation is actually a long time in terms of the cybersecurity window?
Amiruddin: I agree that while we work towards the long term or midterm solution, there is a need to immediately address the current issues. As I mentioned, these are the purview under NACSA, who is in charge of the overall matter so they are in a better position to respond to this. CSM on the other hand, we can only go as far as focusing on the provision of technical services. We will always be there to assist because our solutions and services are already available.