Malaysia Cyber Security Policies

NACSA National Cyber Security Agency

The National Cyber Security Agency (NACSA) was officially established in February 2017 as the national lead agency for cyber security matters, with the objectives of securing and strengthening Malaysia's resilience in facing the threats of cyber attacks, by co-ordinating and consolidating the nation's best experts and resources in the field of cyber security.

Cyber Security Research

The Strategic Research Division of CyberSecurity Malaysia is responsible for developing, coordinating and stimulating a continuous research activity at CyberSecurity Malaysia within the cyber security domain.

Cybersecurity In Malaysia

Safeguarding Malaysia’s Cyberspace against Cyber Threats: Contributions by CyberSecurity Malaysia

Cybersecurity remains one of Malaysia’s top concerns, says Hamzah

NATIONAL CYBER CRISIS MANAGEMENT PLAN (NCCMP)

Malaysia’s National Cyber Security Policy The Country’s Cyber Defence Initiatives

The Malaysian Cyber Security Framework (MyCSF) is a set of guidelines and best practices developed by the Cyber Security Agency of Malaysia (CSA) to help organizations in Malaysia protect their IT systems and data from cyber threats. The MyCSF framework is based on international standards such as ISO 27001 and provides a systematic approach for managing and implementing cyber security in an organization. It covers areas such as risk management, incident management, and compliance. The framework is intended for use by organizations of all sizes and industries, and is designed to be flexible and adaptable to the specific needs of each organization.

The Cyber Security Agency of Malaysia (CSA) is a government agency established in 2016 to protect and defend the country's critical information infrastructure and national security from cyber threats. The CSA is responsible for developing and implementing national cyber security policies, strategies, and plans, as well as providing guidance and assistance to organizations on how to secure their IT systems and data.

The CSA also plays a key role in incident response and management, working closely with other government agencies and private sector organizations to detect, investigate, and respond to cyber incidents. The agency also works to raise awareness about cyber security and educate the public and organizations about the risks and best practices for protecting against cyber threats.

The CSA is headed by a Director General and is overseen by the Ministry of Communications and Multimedia. The agency is also responsible for the development of the Malaysian Cyber Security Framework, a set of guidelines and best practices for managing and implementing cyber security in organizations.

ASEAN members will invest US$171 billion collectively on Cybersecurity between 2017 and 2025.

Cybersecurity is a priority across the majority of economic sectors in Malaysia. The Government of Malaysia (GOM) launched the Malaysia Cyber Security Strategy (MCSS) 2020-2024, with an allocation of US$434 million to step up the national cybersecurity preparedness and upgrade the country’s cybersecurity measures.

The MCSS outlines five strategic pillars as guiding principles to improve the country’s cybersecurity management over the next five years. The first pillar is to boost national governance and cybersecurity management by improving Malaysia’s critical ICT infrastructure. The second pillar focuses on bolstering current cybersecurity laws by reviewing related legislation and formulating new laws on cybersecurity. The remaining pillars focus on empowering innovation, improving cybersecurity talents in Malaysia, and leveraging regional and international cooperation to protect its cyberspace.

In the current shifting landscape towards digitalization, Malaysian companies, especially SMEs, fail to obtain the required cybersecurity technologies and capabilities to mitigate the expected wave of sophisticated cyber threats. Malaysian SMEs are aware that traditional cybersecurity solutions may no longer be sufficient to stay relevant and secure in the current economic environment. Investments in new technologies that address cybersecurity vulnerabilities are now becoming an essential consideration in budget allocations.

In response to the rising tide of cyber security threats in Malaysia, the Parliament has, over the years, passed a slew of cyber legislation to deal with activities in cyberspace and to tackle cyber attacks.

There is as yet no stand-alone cyber security legislation, and there is no news that the Parliament is planning to enact one. In this article, we set out a brief description of the relevant cyber legislation and its relevance to cybersecurity, as well as the cybersecurity framework that is currently in place in Malaysia.

Existing Laws That Deal with Cyber Security

Communications and Multimedia Act 1998 (“CMA”)

As the main cyber law in Malaysia, the CMA provides for and regulates the converging areas of communications and multimedia.

In particular, the CMA regulates various activities carried out by licensees (i.e. network facilities providers, network service providers, applications service providers and content applications service providers) as well as those utilising the services provided by licensees. One of the objects of the CMA is to ensure information security and network reliability and integrity in Malaysia.

Computer Crimes Act 1997 (“CCA”)

The CCA criminalizes the act of hacking, spreading of computer viruses and wrongful communication of any means of access to a computer to an unauthorized person.

Depending on the type of offence committed, the penalties range from fines of RM25,000 to RM150,000, imprisonment of 3 to 10 years, or both.

Digital Signatures Act 1997 (“DSA”)

The DSA is an enabling law that allows for the development of, among others, electronic transactions, by providing an avenue for secure online transactions through the use of digital signatures.

The legal recognition of digital signatures allows electronic communications to be transmitted securely, especially on the Internet. It is an identity verification procedure using encryption techniques to prevent forgery and interception of communication.

Electronic Commerce Act 2006 (“ECA”)

The object of the ECA is to provide for legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfil legal requirements and to enable and facilitate commercial transactions via electronic means.

It confers legal recognition on the formation of a contract via electronic means; recognizes electronic messages and electronic signatures; deems certain electronic documents to be original; and provides that the retention of documents in electronic format fulfils the requirements of the law, provided certain qualifying criteria are met.

Personal Data Protection Act 2010 (“PDPA”)

The PDPA regulates the processing of personal data in commercial transactions and for matters connected therewith and incidental thereto.

The PDPA applies to anyone who processes and has control over or authorizes the processing of any personal data in respect of commercial transactions. The PDPA sets out 7 personal data protection principles, of which the most relevant one in the context of cybersecurity would be the Security Principle, i.e. appropriate technical and organisational security measures shall be taken to prevent unauthorised or unlawful processing of personal data and accidental loss, misuse, modification or unauthorised disclosure of personal data.

National Cyber Security Policy (“NCSP”)

In addition to legislative measures, the Government has also rolled out the NCSP to strengthen Malaysia’s Critical National Information Infrastructure (“CNII”) and facilitate Malaysia’s drive towards attaining a developed nation status by the year 2020.

The NCSP addresses, among other things, risks to the CNII, which concern the networked information systems of ten sectors, namely, Defence and Security; Transportation; Banking and Finance; Health Services; Emergency Services; Energy; Information and Communications; Government; Food and Agricultural; and Water. These CNII sectors have been identified based on the fact that their incapacitation would cause substantial damage to national interests and security and potentially collapse the nation’s economy.

The NCSP sets out a number of “policy thrusts” to ensure the effectiveness of cybersecurity controls over vital assets. These “policy thrusts” would require the collaboration of different government agencies in ensuring effective governance and proper regulatory framework. The NCSP also requires the CNII sectors to ensure compliance with information security standards and technology-specific guidelines to a level commensurate with the risks.

On top of that, the NCSP also aims to increase the technological capabilities to resolve cyber crimes through improving digital forensic lab facilities. Malaysia has identified the ISO/IEC 27001 as the baseline standard for information security and has proposed for all CNII sectors to be ISO/IEC 27001 Information Security Management Systems (“ISMS”) certified.

Government Agencies/Units That Deal with Cyber Security

Cyber Security Malaysia

Cyber Security Malaysia (formerly known as the National ICT Security and Emergency Response Centre (“NISER”)), is a national cybersecurity specialist agency formed under the Ministry of Science, Technology & Innovation. Cyber Security Malaysia is tasked with the roles of monitoring the National e-Security aspect, providing specialized cybersecurity services and identifying possible areas that may be detrimental to national security and public safety.

MyCERT and Cyber999

Malaysia Computer Emergency Response Team (“MyCERT”) addresses the computer security concerns of Malaysia’s Internet users and aims to reduce the probability of cybersecurity attacks.

The agency was formed under Cyber Security Malaysia to provide a point of contact for Internet users who are affected by cybersecurity incidents. MyCERT provides assistance for users who are affected by intrusion, identity theft, malware infection, cyber harassment and other computer security related incidents. MyCERT collaborates with other law enforcement agencies and regulators such as the Royal Malaysian Police, Securities Commission, Central Bank of Malaysia, along with Internet Service Providers and various computer security response teams around the world.

Operated by MyCERT, Cyber999 is a computer security incident handling and response help centre relating to detection, interpretation and response to computer security incidents. Aside from that, it also alerts Internet users in Malaysia in the event of a cybersecurity threat or malware outbreak.

CyberCSI

As Cyber Security Malaysia’s Outreach & Corporate Commitment Department, CyberCSI provides full-fledged digital forensics investigations and examinations in the areas of audio and video forensics.

The agency regularly works with law enforcement agencies, government-linked companies and private companies. The agency also has a team of analysts who have been gazetted under the Criminal Procedure Code, i.e. all reports and testimonials provided by the CyberCSI analysts are admissible in the Malaysian courts. The services provided by CyberCSI include digital forensics, data recovery, data sanitization and provision of expert witnesses.

MyVAC, MySEF and MyCC

Initially created in line with the NCSP, the National Vulnerability Assessment Centre (“MyVAC”) is a unit of the Security Assurance Department under Cyber Security Malaysia that aims to improve the nation’s ability to defend against cyber crimes and the exploitation of information systems and technological vulnerabilities. It aims to improve security in the CNII sectors through actual assessment or evaluation. Specifically, the key function of this unit is the development of critical technology laboratories along with the cultivation of expertise in the area of control systems, applications and networks. A few examples of MyVAC’s services include vulnerability assessment research, cyber security audit and control systems security assessments.

Likewise, the Malaysian ICT Security Evaluation Facilities (“MySEF”) provides similar assessment and evaluation services, except that it provides its services from the perspective of ICT Security Evaluation of its products and systems.

Another agency that carries out these functions is the Malaysian Common Criteria Evaluation and Certification (“MyCC”). MyCC evaluates and certifies the security functionality within ICT products against the Common Criteria, i.e. ISO/IEC 15408.

CyberSAFE

CyberSAFE stands for “Cyber Security Awareness for Everyone”.

The agency acts as the government’s outreach initiative to educate and improve awareness of the general public on the technological and social issues plaguing Internet users. In line with this, the agency regularly provides updates and guidelines on the safe usage of the Internet for children, parents, industry players and policymakers.

Proposed Regulatory Framework on Cyber Security Resilience

The Securities Commission Malaysia is in the midst of coming up with a regulatory framework relating to the management of cyber security risk by capital market participants. The framework would include recommendations on the steps to be taken and the minimum requirements that should be addressed in cybersecurity frameworks, including prevention, detection and recovery measures.

On the defence front, the Deputy Defence Minister has recently announced a three-pronged approach to enhance cyber security in Malaysia. We may expect some legislative reforms to bolster and/or to introduce new legislation that deals with cyber security threats to Malaysia’s critical information infrastructure.

countries/malaysia/cyber_security.txt · Last modified: 2023/01/20 18:13 by wikiadmin