Ir Dr Megat Zuhairy Megat Tajuddin, National Cyber Security Agency (NACSA) Chief Executive
In conjunction with Cyber Digital Services, Defence and Security Asia (CyberDSA) 2024 and the Asia International Security Summit & Expo 2024 (AISSE’24), the National Cyber Security Agency (NACSA) chief executive Ir Dr Megat Zuhairy Megat Tajuddin speaks to the Asian Defence Journal on the agency’s initiatives, including the Cyber Security Act, and provides a comprehensive overview of NACSA’s efforts to enhance Malaysia’s cybersecurity framework.
ADJ: Can you provide an overview of NACSA’s mission and its role in enhancing Malaysia’s cybersecurity landscape? What are some of the key achievements of NACSA in recent years?
CE: Malaysia, recognising the critical nature of cyber threats, has placed trust in NACSA to lead the national initiatives to safeguard our cyber ecosystem. NACSA, established under the purview of the National Security Council, Prime Minister’s Department in 2017, is the lead agency in the field of national cyber security. NACSA is responsible for all aspects of cyber security based on the policies and strategic measures formulated by the National Security Council, including measures aimed at tackling cyber threats. Since its inception, NACSA has made significant strides in bolstering Malaysia’s cyber security ecosystem.
Some of the key achievements of NACSA are:
i. Malaysia Cyber Security Strategy 2020-2024 (MCSS 2020-2024): This is a strategic document that outlines the key objectives, categorised into five strategic pillars, that will govern all aspects of cyber security planning and implementation in Malaysia until 2024. The vision of this Strategy is to have a secure, trusted and resilient cyberspace while at the same time fostering economic prosperity and citizens’ well-being, and its mission is to fortify local capabilities to predict, detect, deter and respond to cyber threats through structured governance, competent people, best-practice processes and effective technology. MCSS introduces the “Whole Nation Approach” concept, where everyone is included in the national cybersecurity agenda. The strategy outlines five Pillars, 12 implementation strategies, 35 action plans and 113 programmes that holistically touch all aspects of Malaysia’s cyber security concerns, including governance and management; legislation and enforcement; local industry development; innovation and technology; research and development (R&D); capacity and capability building, awareness and education; as well as international engagement and cooperation. The five Pillars and 12 implementation strategies are:
Pillar 1: Effective governance and management
Strategy 1: Enhancing national cyber security governance.
Strategy 2: Improving organisation management and business operation among the government, critical national information infrastructure (CNII) and business entities.
Strategy 3: Strengthening cyber security incident management and active cyber defence.
Pillar 2: Strengthening legislative framework and enforcement
Strategy 4: Enhancing Malaysia’s cyber laws in addressing current and emerging threats.
Strategy 5: Enhancing the capacity and capability of cybercrime enforcement.
Pillar 3: Catalysing world-class innovation, technology, R&D and industry
Strategy 6: Spurring the National Cyber Security R&D Programme.
Strategy 7: Promoting the creation of local technologies and a competitive local industry.
Pillar 4: Developing capacity & capability-building, awareness and education
Strategy 8: Enhancing national cyber security capacity and capability.
Strategy 9: Enhancing cyber security awareness.
Strategy 10: Nourishing cyber security knowledge through education.
Pillar 5: Strengthening global collaboration
Strategy 11: Strengthening international collaboration and cooperation in cyber security affairs.
Strategy 12: Demonstrating Malaysia’s commitment to promoting a secure, stable and peaceful cyberspace to uphold international security.
MCSS 2020-2024 has been designed with tools to provide trust in our cyber environment, not only for national security but also to support the government agenda in the digital economy, Industry 4.0 and the adoption of other disruptive technologies for Malaysia’s advancement.
MCSS 2020-2024 replaces the existing National Cyber Security Policy (NCSP), as it was developed to be more inclusive and comprehensive, covering protection of CNII, businesses, industries and citizens.
ii. The National Security Council Directive No. 26: Management of National Cyber Security. The National Security Council, Prime Minister’s Department (NSC, PMD) has issued the new NSC Directive No. 26: National Cyber Security Management. The Directive was signed by the Prime Minister on Dec 21, 2021. The objectives of NSC Directive No. 26 are as follows:
a) to establish a comprehensive national cyber security management structure and outline the roles and responsibilities of agencies in the national cyber security ecosystem;
b) to achieve a uniform and proactive approach so that national cyber security management can be implemented effectively; and,
c) to outline the duties and responsibilities of the NSC, PMD through its agency, NACSA, as the lead agency in the field of national cyber security.
The government has established a governance structure under NSC Directive No. 26 to focus on all aspects of cyber security and ensure more effective management of the country’s cyber security. The National Cyber Security Committee is the highest committee in this governance structure and is supported by three committees, i.e. the National Cyber Crime Coordination Committee, the National Cyber Crisis Management Committee and the National Cybersecurity Awareness Committee, which focus on aspects of policy implementation, coordination, crisis management, acculturation and capacity development, as well as compliance and enforcement. The National Cyber Security Committee is chaired by the Prime Minister. In addition, the Prime Minister is also the minister in charge of cybersecurity.
iii. Cyber Security Act 2024 (Act 854) – (explained in the following two questions and answers).
iv. The enhancement of the National Cyber Coordination and Command Centre (NC4). The NC4, established and operated since 2016, is currently undergoing an enhancement in terms of its services and capabilities. Its enhancement as the National Computer Emergency Response Team (National CERT) is with a view to levelling up and raising the bar in national cyber security situational awareness and visibility, to identify, protect, detect, respond to and recover from large-scale and complex cyber incidents in a timely manner. Section 11 of the Cyber Security Act specifically provides for the NC4 System.
v. Capacity building
NACSA has undertaken significant collaborative efforts with various stakeholders to bolster the nation’s cybersecurity awareness and capacity. Among the key initiatives is a notable cybersecurity scholarship and training programme in partnership with the EC-Council (International Council of E-Commerce Consultants). This programme aims to equip individuals with the essential skills and knowledge to effectively counter cyber threats, thereby enhancing the overall cybersecurity posture of the nation. The goal is to increase the number of qualified cybersecurity professionals in the country. These programmes focus on various areas of cyber security certification, including ethical hacking, incident response, risk management and security auditing.
ADJ: The Cyber Security Act has been a significant development in Malaysia’s cybersecurity framework. Can you elaborate on the main provisions of the Act? What specific areas of cybersecurity does the Act aim to address?
CE: The Cyber Security Act 2024 (Act 854) seeks to enhance national cyber security by requiring compliance with certain measures, standards and processes in the management of cyber security threats and cyber security incidents affecting national critical information infrastructure. This is due to the extensive use of information and communications technology systems and devices in executing the various functions and businesses of the public and private sectors.
For these purposes, the Act provides, among others, for the establishment of the National Cyber Security Committee, the duties and powers of the Chief Executive of NACSA, the appointment of the national critical information infrastructure sector leads and the designation of national critical information infrastructure entities as well as licensing of cyber security service providers.
ADJ: How does the Cyber Security Act enhance the capabilities of NACSA in protecting national digital infrastructure? What new powers or tools do the Act provide to NACSA once it is in force? Why is it not in force yet?
CE: The term used in the Cyber Security Act 2024 (Act 854) is national critical information infrastructure (NCII). The Act, once enforced, will empower NACSA with, among others, investigative powers to conduct investigations into cyber security incidents involving NCII entities. NACSA will be able to issue directives to NCII entities, which NCII entities must follow. NACSA will also have the power to instruct NCII entities to conduct audits and risk assessments, which are important elements in identifying the vulnerabilities of the assets of the NCII entities.
The Cyber Security Act 2024 was passed by Parliament on April 3, 2024; the Royal Assent for the Act was received on June 18, 2024; and the Act was gazetted on June 26, 2024. Be that as it may, Act 854 is not yet in force.
To implement the Cyber Security Act 2024, we have identified three critical elements which we like to refer to as 3R: Regulations, Resources (Manpower) and Resources (Budget). With regard to the regulations, NACSA has drafted four regulations, and they are as follows:
(i) Cyber Security (Licensing of Cyber Security Service Provider) Regulations 2024;
(ii) Cyber Security (Compounding of Offences) Regulations 2024;
(iii) Cyber Security (Risk Assessment and Audit) Regulations 2024; and,
(iv) Cyber Security (Notification of Cyber Security Incident) Regulations 2024.
The next step is to gazette the entry into force of the Cyber Security Act which will be done after the four cybersecurity regulations have been vetted and approved by the Drafting Division of the Attorney General’s Chambers. This is because these four regulations are meant to be implemented together with the Cyber Security Act 2024. It is also important to note that we need to obtain the approval of the Right Honourable Prime Minister of Malaysia as he is the Minister charged with the responsibility of cyber security.
ADJ: What are the key challenges in implementing the Cyber Security Act, and how is NACSA addressing these challenges?
CE: NACSA has identified three key challenges in implementing the Cyber Security Act 2024 [Act 854] and they are, for ease of reference, identified as the 3R challenges. These challenges are Regulations, Resources (Manpower) and Resources (Budget). With regard to the challenges pertaining to the regulations, NACSA has drafted four regulations as mentioned above. With regard to human resources, NACSA is working closely with the National Security Council, Prime Minister’s Department and the Public Service Department to re-organise and expand NACSA to cater for officers/personnel. With regard to budgetary requirements, NACSA is working with the Ministry of Finance to secure the necessary financial resources to implement the Cyber Security Act 2024 (Act 854).
ADJ: How do you foresee the Cyber Security Act impacting businesses and private sector entities in Malaysia? Can you talk about the licensing of cyber security service providers as stated in the Act?
CE: The Cyber Security Act 2024 (Act 854) will have an impact on businesses and private sector entities in several ways. Some businesses and private sector entities, such as banks and telcos, may be designated as national critical information infrastructure entities (NCII entities), provided they fulfil the criteria of NCII as defined under the Cyber Security Act 2024 (Act 854). If they are designated as NCII entities by their respective NCII sector leads, they are bound by the obligations of NCII entities as provided in the Cyber Security Act 2024 (Act 854). An example of an obligation of NCII entities would be to notify the Chief Executive of NACSA and their respective sector lead of any cyber security incident which has or might have occurred in respect of the NCII owned by or under the control of the NCII entity.
Businesses and individuals providing licensable cyber security services will also be required to obtain a licence under the Cyber Security Act 2024 (Act 854). Currently, NACSA is planning to license only two types of cyber security services and they are managed security operations centre monitoring service and penetration testing service.
ADJ: Can you discuss the role of public-private partnerships in the context of the Cyber Security Act?
CE: The role of public-private partnerships (PPP) can best be illustrated by section 12 of the Cyber Security Act 2024 (Act 854). Section 12 deals with the appointment of cyber security experts by the Chief Executive of NACSA, and this section was drafted to enable cyber security experts from the private sector to be appointed in the course of, in connection with, or incidental to the performance of the Chief Executive’s duties under the Act. NACSA foresees that, in the event of a cyber incident, PPPs will enable a coordinated response, ensuring that both public and private entities can work together to mitigate the impact and recover more quickly. This collaboration is essential for dealing with large-scale cyber attacks that can affect multiple sectors. This collaboration is now given legal effect through section 12 of the Cyber Security Act 2024 (Act 854).
ADJ: How does the Cyber Security Act align with international cybersecurity standards and frameworks? Which countries have you worked with when setting a benchmark for the Act?
CE: The best example of where international cyber security standards have been recognised by the Cyber Security Act 2024 (Act 854) is in subsection 21(3) pertaining to the duty of the NCII entity to implement the Code of Practice. Subsection 21(3) states as follows:
“A national critical information infrastructure entity may, in addition to the measures, standards and processes referred to in subsection (1) or (2), establish and implement the measures, standards and processes on cyber security based on internationally recognised standards or framework.”
When NACSA was drafting the Cyber Security Act, we took note of international instruments and standards pertaining to cyber security such as ISO/IEC 27001 Information Security Management System (ISMS). Rather than mentioning a specific instrument in the Act, we took the approach of using the phrase “internationally recognised standards or framework” to enable the Act to cater for new or amended international instruments in the future.
With regard to countries that we have worked with during the drafting of the Cyber Security Act 2024 (Act 854), NACSA worked closely with Singapore (Cyber Security Agency, CSA), the US (Department of State, MITRE and the Cybersecurity and Infrastructure Security Agency, CISA), the European Union (ESIWA – Enhancing Security Cooperation In and With Asia), Australia, the United Kingdom and Russia.
ADJ: Beyond the Cyber Security Act, what other major initiatives is NACSA currently working on to strengthen Malaysia’s cybersecurity posture? Are there any new projects or programmes that you are particularly excited about (such as educating the public and businesses, for example)?
CE: The Cyber Security Act 2024 is a pivotal step in fortifying Malaysia’s cyber security framework, but it is merely the foundation upon which we are building a more robust and resilient cyber security ecosystem. The enforcement of the Act will empower NACSA with the legislative power to perform its function as the national cyber security lead agency. Currently and beyond, NACSA is actively engaged in a multitude of strategic initiatives. These include the enhancement of the NC4 to detect and respond to cyber threats with greater efficiency and effectiveness. We are also focusing on developing the cyber security talent pool through comprehensive training and education programmes.
Through partnerships with academic institutions and industry leaders, we aim to create a sustainable pipeline of cybersecurity experts who will contribute to our national resilience. Recognising the critical role of the private sector in national cybersecurity, NACSA is fostering deeper collaborations with industry stakeholders. We are working on several public-private partnership programmes to enhance information sharing, promote best practices, and develop innovative cybersecurity solutions. These collaborations are vital in creating a unified front against cyber adversaries.