No such thing as 100 per cent security: Cyber-Security CEO
Published on: Sunday, August 07, 2022
By: Sherell Jeffrey



Encouraging response to a Cybersecurity programme.
CYBERSECURITY Malaysia Chief Executive Officer Dato’ Ts. Dr. Haji Amirudin Abdul Wahab was recently contacted by Daily Express regarding three pertinent topics pertaining to cyber security in the nation.

Topics include initiatives to protect the Malaysian cyberspace, educating youngsters about online safety, and publishing the E-Security Journal in 2022.

The following are his responses to initiatives to protect the Malaysian cyberspace. 

Q: How ready is Malaysia to face incoming cyber threats? What kind of threats could be seen coming ahead? Which/what sectors could be prone to the attacks? 

A:
In this highly connected world and due to Malaysians being highly dependent on the Internet and digital technology, we can’t afford to be complacent and just sit on our laurels in terms of cybersecurity matters. 

Some might think we are well equipped and ready to face incoming threats. Hence, they take things for granted and do not place cybersecurity as a priority for national security and the people’s wellbeing.

However, the times have changed. The environment of the Internet and digital technology is ever changing, so are cyber threats. 

Cyber criminals have become more bold, knowledgeable, skilled, innovative, advanced, sophisticated and are able to cause considerable damage. Cyber defenders need to be at par or be one step ahead of these cyber criminals. We cannot afford to be left behind.

There is no such thing as 100 per cent security. No matter how strong a country or organisation is in terms of cybersecurity, it is just a matter of time before it is attacked. It is better to assume that the criminals will eventually break through the organisation’s cyber defences. 

The most important action for an organisation is to strategize and implement cybersecurity in order to lessen the impact due to cyber-attacks. What is most important is to prepare for any attacks. It is crucial to know how to act and recover or bounce back once attacked. There is still much (room for) improvement to be made by many organisations in Malaysia.

Encouraging response to the Sambutan Hari Keselamatan Internet 2022 organised by CyberSecurity Malaysia. 

 

The cyber threats that can be seen in the near future are state-sponsored attacks, information warfare, supply-chain attacks, ransomware-as-a-service, zero-day exploits, attacks on the 5G networks and also IoT devices, etc. 

According to Trend Micro Incorporated, most organisations in Malaysia believe that they will be attacked in the next 12 months. The sectors that may be more prone to cyber-attacks are the small and medium enterprises (SMEs) and critical national information infrastructures.

Malaysia has 11 CNII sectors and they are the National Defence and Security, Health Services, Banking and Finance, Information and Communication, Energy, Transportation, Water, Government, Emergency Services, Agriculture and Plantation, and Trade, Industry and Economy. Each has the potential to be attacked and pose risks that need to be evaluated. 

Q: What are the steps/efforts taken by CyberSecurity Malaysia to prepare for the attacks? Any funding allocation or other kind of related assistance received from the government? 

A:
CyberSecurity Malaysia is the national cybersecurity technical agency under the purview of the Ministry of Communications and Multimedia Malaysia (K-KOMM) and is responsible for advising on and implementing cybersecurity-related matters.

CyberSecurity Malaysia also supports Malaysia’s National cybersecurity related strategic policies and plans such as the Malaysia Cyber Security Strategy (MCSS), Malaysia Digital Economy Blueprint, National 4th Industrial Revolution Policy, Twelfth Malaysia Plan (RMK-12), K-KOMM Strategic Framework and more. 

CyberSecurity Malaysia has always taken a holistic, adaptive, dynamic and innovative approach to cybersecurity that covers people, processes and technologies. We also need to ensure that we have a strong Public-Private-Partnership as well as national, bilateral, regional and international collaborations.

Furthermore, CyberSecurity Malaysia has launched SiberKASA, an initiative aimed at developing, empowering, sustaining and strengthening cyber security infrastructure and ecosystem in Malaysia to ensure network security preparedness. We provide services that cover people, process and technology and also predictive, preventive, responsive and also detective services.


Q: What about the recent personal data breaches Malaysia faced? Could you share some updates on them? Any plans by CyberSecurity to introduce/update/strengthen policies and regulations (cyber law) related to cybersecurity? 

A:
Malaysia has seen a rise in data breaches in recent years, and even more since the emergence of the Covid-19 pandemic. Information such as their full names to identification numbers, home addresses, phone numbers and ID photos, were stolen from government servers and sold on the dark web for a reported price of just US$10,000. Barely two months later, Malaysian computer security experts, or “white hat hackers”, discovered a website on the conventional Internet that offered access to a wide range of Malaysians’ personal information.

The country has launched and conducted various initiatives and strategic national plans, collaborating with other nations, reviewing policies and holding vigorous discussions to determine the best approach to deal with these issues, such as CSM guidelines:
  • Cyber Security Guideline for Industrial Control System (ICS)
  • Cyber Security Guidelines for Secure Software Development Life Cycle (SSDLC)
  • Cyber Security Guideline for Internet of Things (IOT)
  • Cyber Security Guideline for Industry 4.0 (I4.0)
  • Cloud Security Implementation for Cloud Service Subscriber (CSS) Guideline
  • Guideline for Securing MyKAD EBA Ecosystem
  • Guideline on the Usage of Recommended AKSA MySEAL Cryptographic Algorithms

Q: Does Malaysia have a big enough cybersecurity team to handle the threats? What kind of challenges/issues are faced by them?  Is there/do you see local brain drain in this area? 

A:
Cybercriminals have been evolving alongside technological advancement in the past years. Big data, Internet of Things (IoTs), Artificial Intelligence, Blockchain, Cloud Computing, and many more are being exploited by cybercriminals for their nefarious operations.

The current cybersecurity talent available is not enough to support the needs of the industry. This also includes the gap between the qualities of students and the industries’ expectations. This might be because most of the students are educated through theory instead of practical or hands-on experiences.

It takes time to build a workforce of knowledgeable cybersecurity experts. Recruiting the ideal people for this profession will take some time. Strategic public-private partnership and rewards from diverse sources, such as scholarships, mentorships, and internships with job guarantees, are needed to close the human capital gap.

Dedicated cybersecurity teams are mostly available in multi-national organisations, whereas in medium scale organisations, cybersecurity capabilities are embedded within their IT team. Small and micro organisations rarely have any presence in the area.

Malaysia does not have a big enough cybersecurity team to handle the current cyber threats. Lack of expertise and professionals may be Malaysia’s downfall if no immediate action is taken. 

As of July 1, 2022, there are 13,851 cybersecurity knowledge workers in the country. Based on this ratio, our country is yet to have sufficient cybersecurity personnel to handle cyber threats.

Q: What can CyberSecurity Malaysia do to address this? How many cybersecurity professionals are needed? 

A:
With reference to the Malaysia Digital Economy Blueprint (MyDigital), under Thrust 4, Strategy 3 and Initiative 11, Malaysia requires not less than 20,000 cybersecurity knowledge personnel by the end of 2025. 

K-KOMM and CyberSecurity Malaysia are conducting various initiatives to address the issue: 

CyberSecurity Malaysia has been developing affordable training and certification programs that are customised to our local needs and aligned to international standards.

Our value proposition for training and certification is to make it affordable so that more people can get a chance to be trained and certified. All this is done without compromising quality.  

With the support from government, academia and industry, we have established The Global Accredited Cybersecurity Education (Global ACE) Certification scheme that is aligned with international standards of ISO17024, ISO27001 & ISO9001. The Global ACE Certification is established to identify, nurture, and enhance cyber security knowledge workers continuously. It is designated to elevate cyber security knowledge workers to be competent personnel and towards a professional. It is also with the strategic intent to reduce our country’s dependencies on international certification programmes.

CyberSecurity Malaysia has established synergistic collaboration with public and private organizations such as universities and colleges by embedding cyber security professional certifications into their education syllabuses to value-add graduates. 

Implemented Pemulih Siberkasa Upskilling Program that integrates Global ACE Certification training exercises, certification exams and lifelong learning plans through the professional membership. Apart from capacity building, it is also a means for talent retention and provides continuous enhancement on their cybersecurity capabilities through the lifelong learning requirements. Participants of Pemulih Siberkasa will be recognised under the Global ACE Certification scheme in line with international standards if they pass the certification examination. In addition, participants who pass the certification examination are also eligible to apply as a Professional Technologist or Certified Technician from the Malaysian Board of Technology or MBOT under the Technologists and Technicians Act 2015 (or Act 768), subject to the terms and conditions of MBOT.

Amirudin speaking to the media. 

 



CyberSecurity Malaysia can train and certify people through CyberGuru and the Global ACE Scheme. CyberGuru has been designed in-house, by technical experts within the industry. Apart from our content development, we also partnered with other security platform providers like SANS, (ISC)2 and others to provide comprehensive training. 

Global ACE Scheme was established to validate and certify cybersecurity personnel as a world-class competent workforce in cybersecurity and promote the development of cybersecurity professional programs within the region. The scheme uses a holistic framework of cybersecurity profession education that outlines the overall approach, identification and classification of cybersecurity domains, the impartiality of examinations, competencies of trainers and the need for membership for lifelong learning. The collective benefit accruing out of such educational and consulting exercises is proof of their enhanced cybersecurity posturing within the country and to the external players. Some of the professional certifications provided are as follows:

  • Certified Penetration Tester
  • Certified MyCC Evaluator
  • Certified Secure Application Practitioner
  • Certified Digital Forensic for First Responder
  • Certified Information Security Awareness Manager
  • Certified Information Security Management System Auditor


Q: How many reports of cyber incidents this year and how much has been resolved compared to previous years? What kind of cyber threats do the country and public face? 

A:
Total reports of the following incidents as of June 2022: 3,755; number of incidents resolved: 3,155
  • Denial of Service: 10
  • Malicious codes: 552
  • Fraud: 2,633
  • Intrusion attempt: 66
  • Spam: 68
  • Intrusion: 394
  • Content related: 13
  • Vulnerabilities report: 26


You may refer to https://www.mycert.org.my/ for statistics of cyber security incidents reported to our Cyber Incident Reference Centre Cyber999.

Recently, there has been an increasing pattern of fraud cases using “mobile apps”/APK files for credential/banking information stealing. Fraud cases have evolved from just merely spoofing/impersonating organisation/companies to now having their own designed fake mobile applications targeting citizens. Other than that, citizens and organisations are still receiving constant threats such as ransomware, which demands money by ransom.

 


