There is as yet no stand-alone cybersecurity legislation in Malaysia, and there is no indication that Parliament plans to enact one. In this article, we set out a brief description of the relevant legislation and its relevance to cybersecurity, as well as the cybersecurity framework currently in place in Malaysia.
In particular, the Communications and Multimedia Act 1998 (“CMA”) regulates various activities carried out by licensees (i.e. network facilities providers, network service providers, applications service providers and content applications service providers), as well as those using the services provided by licensees. One of the objects of the CMA is to ensure information security and network reliability and integrity in Malaysia.
Depending on the type of offence committed, the penalties range from fines of RM25,000 to RM150,000 to imprisonment of 3 to 10 years, or both.
The legal recognition of digital signatures allows electronic communications to be transmitted securely, especially on the Internet. It is an identity verification procedure using encryption techniques to prevent forgery and interception of communication.
It confers legal recognition on the formation of contracts by electronic means; recognises electronic messages and electronic signatures; deems certain electronic documents to be originals; and provides that the retention of documents in electronic form satisfies the requirements of the law, provided certain qualifying criteria are met.
The Personal Data Protection Act 2010 (“PDPA”) applies to anyone who processes, has control over, or authorises the processing of personal data in respect of commercial transactions. The PDPA sets out seven personal data protection principles, of which the most relevant in the context of cybersecurity is the Security Principle: appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing of personal data and accidental loss, misuse, modification or unauthorised disclosure of personal data.
The National Cyber Security Policy (“NCSP”) addresses, among other things, risks to the Critical National Information Infrastructure (“CNII”), which comprises the networked information systems of ten sectors, namely Defence and Security; Transportation; Banking and Finance; Health Services; Emergency Services; Energy; Information and Communications; Government; Food and Agriculture; and Water. These CNII sectors have been identified on the basis that their incapacitation would cause substantial damage to national interests and security and could potentially collapse the nation’s economy.
The NCSP sets out a number of “policy thrusts” to ensure the effectiveness of cybersecurity controls over vital assets. These “policy thrusts” would require the collaboration of different government agencies in ensuring effective governance and proper regulatory framework. The NCSP also requires the CNII sectors to ensure compliance with information security standards and technology-specific guidelines to a level commensurate with the risks.
In addition, the NCSP aims to increase the technological capability to resolve cybercrimes by improving digital forensic laboratory facilities. Malaysia has identified ISO/IEC 27001 as the baseline standard for information security and has proposed that all CNII sectors be certified under ISO/IEC 27001 Information Security Management Systems (“ISMS”).
Cyber Security Malaysia (formerly known as the National ICT Security and Emergency Response Centre (“NISER”)) is a national cybersecurity specialist agency formed under the Ministry of Science, Technology and Innovation. Cyber Security Malaysia is tasked with monitoring the national e-security landscape, providing specialised cybersecurity services and identifying possible areas that may be detrimental to national security and public safety.
The Malaysia Computer Emergency Response Team (“MyCERT”) was formed under Cyber Security Malaysia to provide a point of contact for Internet users affected by cybersecurity incidents. MyCERT assists users affected by intrusions, identity theft, malware infection, cyber harassment and other computer security related incidents. MyCERT collaborates with law enforcement agencies and regulators such as the Royal Malaysian Police, the Securities Commission and the Central Bank of Malaysia, as well as with Internet service providers and computer security response teams around the world.
Operated by MyCERT, Cyber999 is a computer security incident handling and response help centre relating to detection, interpretation and response to computer security incidents. Aside from that, it also alerts Internet users in Malaysia in the event of a cybersecurity threat or malware outbreak.
The agency regularly works with law enforcement agencies, government-linked companies and private companies. It also has a team of analysts who have been gazetted under the Criminal Procedure Code, meaning that the reports and testimony provided by CyberCSI analysts are admissible in the Malaysian courts. The services provided by CyberCSI include digital forensics, data recovery, data sanitisation and the provision of expert witnesses.
Initially created in line with the NCSP, the National Vulnerability Assessment Centre (“MyVAC”) is a unit of the Security Assurance Department under Cyber Security Malaysia that aims to improve the nation’s ability to defend against cybercrime and the exploitation of information systems and technological vulnerabilities. It seeks to improve security in the CNII sectors through hands-on assessment and evaluation. Specifically, the key function of this unit is the development of critical technology laboratories, together with the cultivation of expertise in control systems, applications and networks. Examples of MyVAC’s services include vulnerability assessment research, cybersecurity audits and control systems security assessments.
Similarly, the Malaysian ICT Security Evaluation Facility (“MySEF”) provides assessment and evaluation services, but from the perspective of ICT security evaluation of products and systems.
Another agency that carries out these functions is the Malaysian Common Criteria Evaluation and Certification (“MyCC”). MyCC evaluates and certifies the security functionality within ICT products against the Common Criteria, i.e. ISO/IEC 15408.
The agency acts as the government’s outreach initiative to educate the general public and raise awareness of the technological and social issues affecting Internet users. In line with this, the agency regularly provides updates and guidelines on the safe use of the Internet for children, parents, industry players and policymakers.
The Securities Commission Malaysia is in the process of developing a regulatory framework for the management of cybersecurity risk by capital market participants. The framework would include recommendations on the steps to be taken and the minimum requirements to be addressed in cybersecurity frameworks, including prevention, detection and recovery measures.
On the defence front, the Deputy Defence Minister has recently announced a three-pronged approach to enhancing cybersecurity in Malaysia. We may expect legislative reforms to bolster existing laws and/or to introduce new legislation dealing with cybersecurity threats to Malaysia’s critical information infrastructure.