An Interview with Dato’ Ts Dr Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia

Together with its convenience, cyberspace has also posed an increasing number of potential risks and challenges. With the internet and digital technology now entrenched in daily life, cyberthreats have become increasingly a cause for concern. From banking fraud to social media scams to malware attacks, cybercrimes can cause significant financial losses, disruption and threaten public safety. Just as in other domains, to maintain order in cyberspace is becoming a herculean task. Ts Dr Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia explains to Asian Defence Journal the strategies and solutions in managing the latest cyber security challenges.

ADJ: Can you enlighten our readers what is CyberSecurity Malaysia as one of the oldest government agencies created to manage cybersecurity in Malaysia?

CEO-CSM:  CyberSecurity Malaysia’s journey started in January 1997 as MyCERT (Malaysia Computer Emergency Response Team), as a unit under MIMOS Berhad. In 2001, National ICT Security and Emergency Response Centre (NISER) was established as a department in MIMOS Berhad and MyCERT was subsequently placed under NISER.

In 2005, NISER became a separate entity from MIMOS Berhad as a company limited by guarantee (CLBG) under the Ministry of Science, Technology, and Innovation (MOSTI). NISER was officially registered as CyberSecurity Malaysia on March 30, 2007 and officially launched by the Prime Minister of Malaysia on August 20, 2007.

CyberSecurity of Malaysia was placed under the Ministry of Communications and Multimedia Malaysia (now Ministry of Communications and Digital) on October 19, 2018 until at present. After 25 years, CyberSecurity Malaysia has grown into a premier national cybersecurity specialist and technical agency with numerous accolades and awards under its name.

CyberSecurity Malaysia has shown its commitment to provide a broad range of cybersecurity innovation-led services, programmes, and initiatives to reduce vulnerability of digital systems, and at the same time strengthen Malaysia’s self-reliance in cyberspace.

The following are among the services provided by CyberSecurity Malaysia.

• Cyber Security Responsive Services,
• Cyber Security Proactive Services,
• Outreach and Capacity Building,
• Strategic Study and Engagement, and
• Industry and Research Development.

CyberSecurity Malaysia collaborates with a wide range of stakeholders, including government agencies, industry players, and the general public, to increase cybersecurity awareness, set cybersecurity standards and guidelines, conduct research and development, and provide incident response services.

It works to defend Malaysia’s cyberspace and protect key information infrastructure with its significant knowledge and expertise, creating a secure digital environment for citizens, organisations, and the government.

ADJ: How would you describe the current cyber threats scenarios? Has there been an increase or decrease in terms of attacks detected / countered?

CEO-CSM:  In this digital age, people rely heavily on the Internet and digital technology to stay connected and carry out their daily activities and business operations. However, with the world being highly connected, Internet users also become more vulnerable and targeted by cybercriminals for their personal gain.

Nowadays, cybercriminals are no longer amateurs AKA script kiddies. They are opportunists, have become more bold, knowledgeable, skilled, and sophisticated in executing a cyber-attack.

Organisations must accept that their entities will be constantly targeted and attacked. They need to identify and understand all types of cyber threats and trends that might create risk to the organisation. In addition, they can come up with mitigating controls and strategies that can be put in place to minimise the damage that occurs from an attack.

Currently, cybercriminals have become more proactive and organised to conduct their operations of attacks. Not only they target individuals but whole organisations, as various industries started reporting cases of data breach, web defacement, ransomware, malware, and various critical forms of attack. Cyberthreats and attack does not take into consideration how the organisation is prepared but how valuable the data is.

ADJ: Malaysia is seeing a rise in data leaks, especially personal data, from various sources (financial institutions, telecommunication companies, etc.). What is CyberSecurity Malaysia’s role in countering this trend? Who prosecute personal data leakers?

CEO-CSM:  CyberSecurity Malaysia had developed a framework called “Cyber Security Capacity Building Framework” to cultivate cyber security expertise, knowledge and awareness. The programme has been designed in a manner where it covers and provides training to three groups of audiences.

Global ACE – CyberSecurity Malaysia has initiated the Global Accredited Cybersecurity Education Certification (Global ACE) in response to the pressing need to have certified cybersecurity professionals who are trained, qualified and dependable to protect and defend the nation’s critical national information infrastructures (CNII). It is a holistic framework designed to address the requirement to certify cybersecurity professionals

CyberGURU – CyberSecurity Malaysia integrates its training programmes into selected local and international training programs and works closely with industry partners to further enhance, deliver and market these services effectively and efficiently.

CyberSAFE – As for the public, there is CyberSAFE (Cyber Security Awareness for Everyone) that aims at instilling cybersecurity awareness among the public. Using a public Wi-fi, password toothbrush lesson, proper sharing news on social media, and the correct approach when any types of cybercrime occurred.

Since the term of 100 percent secure is unachievable, the public must be able to handle any cybercrime that occurs.

MyCERT – Then there is the Malaysia Computer Emergency Response Team (MyCERT) and Cyber999. When cybercrime occurs, the victim can report to Cyber999 through telephone, online form, email or using the Cyber999 help centre. MyCERT then will forward the matter to relevant authorities to track down the suspect or culprit.

• National Cryptography Policy – The enactment of the National Cryptography Policy under the supervision of the National Security Council (MKN) in order to protect the nation’s critical information assets in terms of confidentiality, integrity and authenticity through the implementation of a trusted cryptographic infrastructure. The policy has outlined methods and strategic approach in the use of cryptography, cryptography products and research and development for government agencies to protect information – addressing issues on the data breach.

Complying to international standards: CyberSecurity Malaysia complies and adheres to the MS ISO/IEC 27001:2013 Information Security Management System (ISMS)

• The Commissioner of Personal Data Protection Department (JPDP) is the authority that has been empowered to administer and enforce the PDPA. Pursuant to section 5 of the PDPA, a breach of any of the data protection principles is an offense under the PDPA and is punishable by a fine of up to MYR 300,000, and/or up to two years imprisonment.

• There are other relevant laws that can be used to take action against the offenders, and the Malaysian Communications and Multimedia Commission (MCMC) also can help those who feel that their privacy has been violated.

• These legislations include the Communications and Multimedia Act (CMA) 1998 and the Credit Rating Agency Act 2010. For example, a person who intentionally infiltrates and gets without permission the personal data of an individual can be jailed up to one year or fined up to RM50,000 or both, if found guilty under the CMA.

ADJ: There is also a rise in terms of online scams and fake news on the social media. What is the role of CyberSecurity Malaysia in tackling this issue?

CEO-CSM:  CyberSecurity Malaysia takes proactive steps to address these issues and protect the public from the negative impacts of cyber threats. CyberSecurity Malaysia launched SiberKASA on March 23, 2021. This initiative aims to develop, empower, sustain, and strengthen cybersecurity infrastructure and ecosystem in Malaysia to ensure network security preparedness inclusive of human, process, and technology. Thus far, CyberSecurity Malaysia has established more than 40 products and services across the cybersecurity domains covering assessment and rectification, information security management, monitoring, control and response, capability, and capacity development.

CyberSecurity Malaysia has a designated computer emergency response team (CERT), known as MyCERT (Malaysia Computer Emergency Respond Team) that responds to reported cyber problems such as internet scams and the spread of fake news. Therefore, it works to investigate such cases, acquire evidence, and work with competent authorities to take legal action against perpetrators. Following the reporting of the occurrence, we will conduct research to identify growing online fraud techniques and fake news dissemination strategies.

This research contributes to the development of effective countermeasures, as well as the providing of policy and regulatory suggestions to the Malaysian government on how to reduce the vulnerability of Malaysia’s ICT systems and networks and increase Malaysia’s cyber security capacity.

CyberSecurity Malaysia also runs major public awareness campaigns and educational programmes through CyberSAFE programme to educate the public about the dangers of online scams and fake news. These efforts aim to enhance digital literacy, empower individuals to identify and avoid scams, and encourage critical thinking when reading online content.

We also play the role to collaborates with government agencies, law enforcement bodies, industry partners, and international counterparts to tackle online scams and fake news collectively.

This year, CyberSecurity Malaysia organises “Jelajah Anti-Scam Kebangsaan 2023” as a concerted effort to continue fighting scam crimes in Malaysia. The programme is inspired by the Gabungan Bertindak Anti-Scam (GBAS) consisting of government agencies, including enforcement agencies, private organisations, non-governmental organisations (NGOs) and Associations and is supported by the Ministry of Communications and Digital (KKD). The programme targeted to few states / zones such as Selangor/Kuala Lumpur, Perlis, Sarawak, Kelantan, Sabah, Johor and Putrajaya.

ADJ: How are the Malaysian government responses towards the above issues coordinated so that the issues can be tackled in a more holistic manner? Who handles the coordination?

CEO-CSM:  For fake news, the main coordinating body is the Malaysian Communications and Multimedia Commission (MCMC) where MCMC is the regulatory authority for the communications and multimedia industry in Malaysia and has the mandate to oversee and enforce laws related to communication and multimedia activities. MCMC works closely with various government agencies, law enforcement agencies, and industry stakeholders to coordinate and implement initiatives to tackle these issues in a holistic manner. This includes collaboration with agencies like CyberSecurity Malaysia, Royal Malaysia Police (PDRM), the Ministry of Communications and Multimedia Malaysia, the Ministry of Home Affairs, and other relevant bodies.

For scams, government has established National Scam Response Centre’s (NSRC) 997 led by Bank Negara Malaysia (Central Bank of Malaysia) dan Royal Malaysia Police which handles online scams in the country. This approach involves leveraging the expertise and resources of multiple agencies to develop strategies, policies, and actions that safeguard the public from these challenges while preserving the freedom of expression and promoting responsible online behaviour.

ADJ: What is the significance of the CyberDSA event for Cybersecurity Malaysia? How does the event contribute the whole-of-society / whole-of-government approach to cyber threats?

CEO-CSM:  A platform like Cyber Digital Services, Defence & Security Asia (CyberDSA) is essential because it connects individuals with the most recent cybersecurity knowledge, insights, applications, systems, and best practises from around the world.

This event seeks to disseminate cutting-edge cybersecurity information and insights while demonstrating cutting-edge solutions that will protect digital economies and encourage global competitiveness.

CyberDSA event holds immense significance for CyberSecurity Malaysia on multiple fronts. Firstly, it serves as a platform for knowledge sharing, collaboration, and networking among cybersecurity professionals, practitioners, policymakers, and stakeholders from various sectors. The event brings together experts and industry leaders to exchange insights, experiences, and best practices, fostering a robust cybersecurity ecosystem in Malaysia.

In terms of significance, the CyberDSA event reinforces CyberSecurity Malaysia’s role as the national cybersecurity agency entrusted with safeguarding Malaysia’s cyberspace. By organising such an event, CyberSecurity Malaysia demonstrates its commitment to promoting cyber resilience, fostering cybersecurity awareness, and enhancing the nation’s capabilities to effectively address cyber threats.

Regarding the whole-of-society / whole-of-government approach to cyber threats, the CyberDSA event plays a pivotal role. It provides a platform that encourages active participation and collaboration from all stakeholders involved in the cybersecurity landscape. This includes government agencies, regulatory bodies, private sector organisations, academia, civil society, and even individual citizens.

Through the CyberDSA event, CyberSecurity Malaysia promotes the integration and coordination of efforts across various sectors, ensuring a holistic approach to cybersecurity. By bringing together representatives from different backgrounds and expertise, the event facilitates a fruitful exchange of ideas, encourages interdisciplinary collaboration, and fosters partnerships to tackle cyber threats collectively.

Furthermore, the event enables stakeholders to gain insights into the latest cyber threats, emerging trends, and technological advancements. Participants can attend keynote speeches, panel discussions, workshops, and training sessions conducted by renowned experts, which equips them with the necessary knowledge and skills to effectively address evolving cyber risks.

ADJ: Any last words for our readers?

CEO-CSM:  Due to the escalation of digitalisation in today’s world, cyber threats and risk have become more common and dangerous. Cybersecurity is no longer one person’s job or only the IT department’s task, everyone is responsible in handling their own information, data, safety, and other individuals as well.

The trend of working from home has become the new normal blending both life at home and professional work style, more individuals needed to practice new approach of cyber hygiene to improve data protection and cybersecurity.

In conclusion, cybersecurity is everyone’s responsibilities. Digital devices are slowly being integrated into our daily life as such even our smart television and smart refrigerator has its own functions such as calendar, voice recording and others that can be personalised to suit our needs. As they are convenient, these smart devices do not have a built-in security (security by design). Which means they have vulnerabilities and loopholes that can be manipulated and hacked by cybercriminals who are actively searching and attacking targets in order to achieve their objectives (for fun, for personal gain, financial gain, taking revenge as perceived injustice (disgruntled employees), making a statement, doing competitors bidding (corporate espionage) or even seeing themselves as future competition.

Therefore, we need to adapt more innovative, aggressive, and proactive approaches in order to stay ahead of cyber threats. We also must effectively face the challenges with dynamic approaches. In addition, the need for cybersecurity encompassing people, process and technology is rather critical and such needs will continue to grow in many more years to come.

On the other hand, CyberSecurity Malaysia is actively engaged in efforts to break the chain of cyber incidents, including tackling the spread of fake news and online scams. Through various initiatives, including CyberDSA event shows a dedication to enhancing the cybersecurity ecosystem.

We recognise the importance of providing individuals with the necessary knowledge and skills, which is why we emphasises collaboration with wide range stakeholders including government agencies, industry players, and international partners to share information, exchange best practises, and develop strategies to mitigate the impact of cyber incidents.

The goals are to raise public awareness and promote cybersecurity through numerous activities, as well as empowering individuals to properly identify and combat cyber threats.

Let us join hands, take responsibility, and actively contribute to national cybersecurity efforts. By undertaking these initiatives, CyberSecurity Malaysia hopes to establish a safer digital environment where individuals are empowered to navigate the online landscape securely. –adj/mgm/mhi (Pix: CyberSecurity Malaysia)