Malaysia Passes Cybersecurity Law as Privacy Concerns Grow
Government's Citizen Database Draws Flak Over Data Privacy and Security Risks
Malaysia has passed a landmark cybersecurity law in response to heightened cybersecurity threats to critical national infrastructure, but privacy hawks believe the greatest risk to citizens' privacy is PADU, a centralized government database that will store the data of 29 million citizens.
The Cyber Security Act 2024, in the works for more than three years, replaces legacy laws, such as the Personal Data Protection Act 2010, the Police Act 1967 and the Malaysian Communication and Multimedia Commission 1988 as overarching legislation dedicated to cybersecurity.
The law makes the National Cyber Security Agency, or NACSA, the sole legal authority to regulate and enforce cybersecurity laws and regulations, centralizing a previously fragmented approach toward cybersecurity governance.
The law also enables the formation of a National Cyber Security Committee, chaired by the prime minister and populated by cabinet members, that will provide advice and recommendations to the federal government on national cybersecurity matters.
The Cyber Security Act 2024 also seeks to plug critical loopholes in existing cybersecurity-related laws, such as the lack of requirements for organizations to report cybersecurity incidents to authorities.
The law's passage coincides with urgent government action to boost cybersecurity skills in the country, devote additional resources to agencies and set up government bodies to lead joint efforts with the private sector against cybercrime.
One of the government's biggest challenges will be securing a central database that will store the personal and financial information of about 29 million citizens. The government says the database will help distribute targeted subsidies to those who need them, but it faces questions over how it plans to secure the database from cyberattacks or malicious use.
Tackling Worker Shortage
On Monday, Prime Minister Anwar Ibrahim launched a Cybersecurity Center of Excellence in Cyberjaya, a growing technology hub also known as Malaysia's Silicon Valley. He said the center will serve as a key training facility to help fill a shortfall of 12,000 cybersecurity workers countrywide.
"In my speech, I expressed my confidence that the CCoE is able to help in Malaysia's efforts to have 25,000 human resources in the field of cybersecurity by 2025," Anwar said on X. He said the center also will help enhance "information sharing and establishing regional cooperation in efforts to address security threats and cybercrime."
Cybersecurity company BlackBerry, which co-launched the CCoE in partnership with the governments of Malaysia and Canada, said it also partnered with the SANS Institute and Toronto Metropolitan University's national center for cybersecurity training, research and innovation - also known as Rogers Cybersecure Catalyst - to offer cybersecurity training to Malaysians beginning in May.
Last year, NACSA obtained $1 million in funding from global cybersecurity certifications leader EC-Council to provide free cybersecurity training for skills such as digital forensics, pen testing, risk identification and mitigation, threat intelligence, network security and ethical hacking.
Anwar said the EC-Council funds could give about 2,000 Malaysians access to international cybersecurity courses and the chance to tap into placement opportunities and jobs at NACSA.
"The government views seriously the need to increase the ability, capacity and number of professionals, as well as skilled workforce in the field of cybersecurity to complement the national cybersecurity ecosystem. To deal with the lack of 12,000 required workers, cooperation between the government, educational institutions and industry players is critical," he said.
Enhancing the cybersecurity workforce is just one of several challenges the government outlined in its national Cyber Security Strategy 2020-2024. It promised to invest $434 million in the new strategy, which calls for a modernized cybersecurity law, improving the governance of critical national infrastructure and shoring up the cybersecurity workforce.
The government in its national budget for 2024 allocated over $500 million to the Ministry of Communications and Digital that oversees investments in cybersecurity and digital transformation.
Cybersecurity Malaysia, the government's cybersecurity advisory body, said that in the first half of 2023, the government sector accounted for 22% of all breaches, and two-thirds of hacking attacks resulted in data leaks or data sharing among threat actors.
The agency said threat actors stole 292 gigabytes of data from government agencies, including records of 22 million Malaysians from the National Registration Department, detailed records of 22.5 million Malaysians from various government agencies, and 13 million data records from Maybank, satellite broadcaster Astro and the Election Commission.
Centralized Public Database Raises Privacy Concerns
The increased budgetary allocation coincided with the government launching a centralized online government database, named the Publicly Accessible Data Universe - or PADU - that integrates data from all government resources to enable effective service delivery and policymaking.
The government database is expected to store about 29 million citizens' names, demographic details, addresses, income details, banking records, debts, properties and investments - information that can help the government provide aid and subsidies based on socioeconomic profiles of citizens.
The program is generating concerns about the security of the database and citizens' data privacy, and privacy activists point out that the Personal Data Protection Act does not apply to the government. By March 18, only 5.43 million Malaysians had registered with the database despite the government's registration deadline of March 31.
"The government unfortunately has a bad track record of data protection," said rights group Lawyers for Liberty. "There are numerous reports of data being stolen from multiple government agencies, exposing users to scams and data fraud with no legal recourse as the government is exempt from liability under the PDPA. This puts the public in a terrible disadvantage and danger of loss and damage."
Minister of Economy Rafizi Ramli, who spearheaded the PADU initiative, went public last week to address citizens' concerns, saying the government will strictly control who has access to the database and will apply the Official Secrets Act and the Computer Crimes Act to stored information and associated hardware.
"Therefore, any act involving accessing data in PADU, uploading, downloading, modifying, adding or distributing data without permission is a criminal offense punishable on conviction by imprisonment, fine or both," he said.
On Tuesday, Rafizi told Parliament that the PADU database has remained resilient despite suffering over 2 million intrusion attempts every day. "Despite records showing attempts exceeding 2 million accesses daily, especially in the first month, all of them have been thwarted, and the PADU system remains unpenetrated," he said in a speech accessed by Malaysian national news agency Bernama.
"Of course, there are things we need to balance, and we do not allow access from outside the country because so far, the records of most access attempts are from outside the country or from locations we consider risky."
Rafizi said that data records stored in the PADU database are encrypted. "This means that even if someone manages to break in and download files, those files need to be decrypted," he said.
Political opponents and privacy activists aren't convinced. Though politicians have voiced concerns over the government collecting too much information about citizens and the potential for data misuse for political purposes, public policy research group Penang Institute said the government needs to be transparent about potential data security risks and the associated effect on citizens.
"Establishing a clear data governance framework outlining procedures for data access, management, and disposal is urgently needed to create a trustworthy database system. PADU has to be transparent about data security practices and communicate potential risks and breaches to stakeholders. Furthermore, this is an ongoing exercise where continuous monitoring, assessment and adaptation are crucial to keeping pace with evolving threats and vulnerabilities," it said.
Cybersecurity Malaysia CEO Amirudin Abdul Wahab said the centralized database could feature vulnerabilities at any time, and the government must test its resilience through regular security audits. "The more we are connected, the more we are exposed. The security of a system at present does not automatically ensure its safety in the forthcoming five or six months. As such, we must conduct security audits periodically to ensure the safety of the database," he said.
An analysis by cybersecurity company Cymetrics in January revealed that the centralized database did not support HTTPS, meaning that threat actors could intercept sensitive information, such as identity cookies and PII, in plain text.
Researchers also found that the system's public code repository was exposed, revealing source code and its modification history, and that the system forwarded spam emails to users' inboxes even when they had been flagged as suspicious.
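The Cymetrics finding above rests on a simple mechanism: a session cookie issued over plain HTTP, or without the Secure flag, travels in clear text. The following audit script is an added example written for this article, not code from Cymetrics, PADU or the Malaysian government; it parses constructed HTTP responses (labelled as such in the code) and reports the weaknesses a defender would check for before exposing a citizen-facing portal: plain HTTP served without a redirect to HTTPS, a missing HSTS header, and cookies lacking the Secure and HttpOnly attributes.

```python
"""Audit captured HTTP responses for transport and cookie weaknesses.

Added example; the sample responses below are constructed for illustration
and are not real PADU traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Response:
    scheme: str                     # scheme of the URL that was requested: "http" or "https"
    status: int                     # HTTP status code
    headers: List[Tuple[str, str]]  # (lower-cased name, value) pairs, in order


def parse_raw_response(scheme: str, raw: str) -> Response:
    """Parse the status line and headers of a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return Response(scheme, status, headers)


def header_values(resp: Response, name: str) -> List[str]:
    """All values for a header (Set-Cookie may legitimately repeat)."""
    return [v for n, v in resp.headers if n == name.lower()]


def audit_transport(resp: Response) -> List[str]:
    """Return a list of findings; an empty list means no weakness detected."""
    findings = []
    if resp.scheme == "http":
        location = header_values(resp, "location")
        redirected = (resp.status in (301, 302, 307, 308) and location
                      and location[0].lower().startswith("https://"))
        if not redirected:
            # Content (and any cookies) served in clear text to a plain-HTTP client
            findings.append("plain HTTP served without redirect to HTTPS")
    if resp.scheme == "https" and not header_values(resp, "strict-transport-security"):
        # Without HSTS a browser will still try plain HTTP on a typed hostname
        findings.append("HSTS header missing")
    for cookie in header_values(resp, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")      # sent over plain HTTP too
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")    # readable by page scripts
    return findings


# Constructed sample responses (not real traffic).
WEAK_RAW = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/",
    "", "<html>...</html>",
])
REDIRECT_RAW = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://portal.example/",
    "", "",
])
HARDENED_RAW = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "", "<html>...</html>",
])


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over the three constructed responses."""
    return {
        "weak_http": audit_transport(parse_raw_response("http", WEAK_RAW)),
        "http_redirect": audit_transport(parse_raw_response("http", REDIRECT_RAW)),
        "hardened_https": audit_transport(parse_raw_response("https", HARDENED_RAW)),
    }


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, "->", findings or ["OK"])
```

The `weak_http` sample reproduces the class of problem described in the article (a session cookie issued over plain HTTP with no Secure flag), while the other two show what a plain-HTTP endpoint should do (redirect to HTTPS) and what the HTTPS response should carry (HSTS plus Secure and HttpOnly cookies). Parsing HSTS `max-age` and `SameSite` values is left out to keep the example focused.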
Lawyers for Liberty said it is essential for the government to amend the Personal Data Protection Act 2010 to ensure there is a legal framework to govern how data collected by PADU is used. Though Rafizi promised that the cybersecurity bill will address data security concerns, the group urged the government to be more clear and transparent about its actions.
"There is a need for an immediate amendment to the PDPA to place responsibility and liability on the government as well as the agencies responsible for the protection and security of the data collected. Whether there is an Omnibus Bill or not, the amendments to the PDPA must be done.
"Without the amendments being made before the launch of PADU, the public cannot be assured that their data will be protected from misuse by the government or scammers and unscrupulous individuals who will undoubtedly target the massive database.
"This type of criminality is notoriously widespread now and has become regional. It is strange that the government has proceeded without fixing the law as this is tantamount to putting the horse before the cart," the group said.