THE data of millions of Malaysians could fall into the wrong hands if the country becomes a target of cyberwarfare, experts said.

They said recent cybersecurity breaches in government agencies showed Malaysia was neither prepared nor equipped for a cyber attack.

Cybersecurity expert Professor Dr Selvakumar Manickam of University Sains Malaysia said even China, which is known for its cyber capabilities, was hacked.

“Malaysia is not ready to face any cyber attack. We are not even ready even at the lowest, fundamental level,” the senior lecturer and researcher at National Advanced IPv6 Centre, told The Malaysian Insight.

“I would say we are a bit complacent because we have not seen any major threats. At the moment, Malaysia is not a target because we are not at war.

“But should there be conflict between us and another country, how will we fare when they start attacking our online services? I don’t think we will be able to handle or mitigate what happens then.

“We know that China is very strict when it comes to privacy, security and others but even their data has been breached. So where do we stand?”

Early this year, it was alleged that the personal data of 22.5 million people, ranging from their full names to identification number, home address, contact and ID numbers were stolen from government servers and was sold on the dark web for US$10,000 (RM44,000).

In 2017, the data of more than 46 million mobile subscribers in Malaysia were leaked in a record data breach.

As recently as last week, the Education Ministry’s e-operating system was hacked, with the hacker giving a friendly warning to the ministry to rectify the flaws in the system before others from “outside” broke in.

Cybersecurity consultant Fong Chong Fook said the recent hacking of the Education Ministry’s website was “unforgivable”.

Fong called the security system a “bad example”, saying the country could suffer great losses of data and information if it did not buck up.

“Websites today aren’t supposed to be hacked because there are just so many ways to protect it .

“We have so many government agencies. If major government agencies, for example, the MOE, can’t even manage cybersecurity, I cannot imagine the security of the smaller agencies.

“If the MOE website can be hacked just like that, that tells us many things,” he said.

Fong said that is a large gap between the private and the public sectors when it comes to protection for systems and servers.

Ineffective legislation

Experts said the Personal Data Protection Act (2010) is outdated and does not hold the government accountable for data breaches.

They said the law must be revised and updated.

Selvakumar said policymakers have to look at how to make those responsible for data breaches accountable.

“They also have to ensure that independent experts are hired to audit and evaluate their system,” he said.

As the Malaysian economy is highly dependent on digital technology, Selvakumar said the law should carry a hefty punishment for those who fail to protect the data of people.

“Now we have moved to digital assets like NFT, cryptocurrencies… when my datagets stolen, I must be able to sue the culprits.”

Fong said legislation in this area is very weak.

He said the law is not enforced and violators, especially the government, are not punished.

“We have a very simple PDPA where basically the government is exempt from the law, meaning, if any government agencies or employees, because of their negligence, ignorance, cause massive data leaks, there will be nobody to take the responsibility for it.”

In a 2019 study, Malaysia was ranked the fifth-worst nation for protecting the personal data of its citizens.

“How many organisations were prosecuted under  the PDPA? This because we have a very poor legal framework to penalise illegal data use.”

Invest and execute

Selvakumar said that the government should invest in the right technologies and the right people to protect data.

“Cybersecurity, cyberprivacy is a very complicated, wide-spanning area that needs all kinds of expertise.

“We have researchers, agencies, and experts throughout the country. Bring them all together, build a consortium of expertise to look into various aspects of government services.

“Bring in Cybersecurity Malaysia, National Cyber Security Agency, National Security Council and all the other agencies, researchers from universities and expertise from private sectors.

“The government has to formalise such a consortium or organisation and it has to start now,” he said.

Selvakumar said education is also vital for personal data protection.

Referring to the Cyber Security Strategy 2020-2024, Fong said Malaysia’‘s biggest problem has been in the execution of the plan.

Cybersecurity evolves quickly, and Malaysia is always a step behind the others, he said.

“Execution has always been the biggest problem for Malaysia. We can have a very nice plan, idea or concept but execution is poor.

“And cybersecurity is not something that can wait. We cannot say we have to study first and then implement it many years later.

“Cybersecurity is evolving by the second. Hackers work 24 hours a day and seven days a week. Every day new techniques are being discovered by the hackers. We secure something today, the next day, hackers have found a way to (break in).

“The (world of) cybersecurity is very unforgiving. 

“So we have to be very fast. Looking at the pace of our government, even for simple policies like the PDPA, protection of data… we are still very far behind,” Fong said. – July 18, 2022.