LETTER | Looking at the responsiveness of the relevant government agencies tasked to handle Covid-19 and the floods, it appears that if any of the identified potential calamities, a cyberattack against the country being one of them, were to hit the country in the future, the people will again bear the brunt of the incompetence of the government and the agencies tasked to identify, monitor and manage these problems.
For hackers, Malaysia and other Asean countries are low-hanging fruit and a testing ground for different kinds of environments, unlike developed countries, which generally have more advanced defences that hackers would take a longer time to hack and penetrate.
The government should not deny the poor state of the country’s cyberspace. The agencies tasked to monitor, investigate and maintain the country’s cyber preparedness will no doubt argue that the cyber security level in the country is above the average and in many instances better compared to other developed countries.
These agencies will cite the response mechanisms in place and that cyber specialist centres are always available for users to report their complaints or any cybercrimes.
So did the agencies under the Health Ministry and the Environment and Water Ministry tasked to monitor and manage the health of the rakyat and flooding in the country: both had, on several occasions, cited their preparedness, only for their respective assertions to be cruelly exposed as mere words in both instances.
There is a pattern emerging among hackers. They test something, make improvements, and then weeks or months later test again before launching it at their true targets.
As the country rushed to go online, it provided a fertile testing ground for hackers trying out their skills in an environment where they can evade detection before deploying them against a company or state that has more advanced defences.
Publicly, the government announced many initiatives to plan and develop security measures that will be used to protect the country, the most notable being the Malaysia Cyber Security Strategy 2020-2024 (MCSS) that was announced in 2021.
Still, despite the assurances and the plans, the number of reported cyber incidents and cybercrimes is ever-increasing.
In May 2021, the then communications and multimedia minister stated that a total of 4,615 cybersecurity incidents were reported from January 2021 to May 2021, with the three highest categories of incidents reported during the period being fraud (3,299 cases), intrusion (765) and malicious code (256).
The number doubled by November 2021 based on the figures reported by the deputy communications and multimedia minister in a speech in December 2021.
While so-called spear-phishing attacks, which largely depend on the attackers’ ability to hone a message that can fool a victim into opening a link or attachment, remain a popular form of cyberattack, with advances in artificial intelligence hackers now deploy malware that can figure out its surroundings, mimic the behaviour of the system’s users, and spread and alter its methods to stay in the system for as long as possible.
The push for increased digitisation means increased attack surfaces for hackers. Is the push matched by equal urgency in addressing the challenges in filling in the gaps in talent and visibility?
Imagine being in a large, dark house where even with CCTVs installed everywhere, you can see in all the corners but not the tiny cracks and nooks which are not visible to a CCTV mounted high up.
In fact, it is not surprising to note that the majority of government departments and Critical National Information Infrastructure (CNII) assets – the facilities, systems, sites, information, people, networks and processes necessary for a country to function and upon which daily life depends – still use traditional antivirus technologies that protect against the risks of old.
The 2020 hack of SolarWinds – a company that provides information technology management software and whose clients include US government agencies and large companies – in which hackers gained access to US government and corporate networks by compromising SolarWinds’ systems, serves as a grim reminder to those tasked with overseeing and monitoring cyber intrusions against the country that service providers, such as those who provide hosting or outsourcing services, should not be overlooked and should be accorded the same level of intense scrutiny as the CNII assets themselves.
The country must rethink its cybersecurity protocols or we will suffer a security failure of enormous proportions.
We need better regulations and implementation so those who are responsible for our data leaks can be punished.
Our neighbour Singapore is much more advanced in its cybersecurity preparedness than us. With its smaller size, theoretically, it is easier for it to identify, monitor and manage any cyberattack against the city-state.
Yet, pursuant to a spate of attacks and data breaches, the government has to resort to cutting off web access for public servants as a defence against potential cyberattacks – a big step backwards for a technologically advanced city-state that has trademarked the term “smart nation”.
The country is at an extremely vulnerable stage right now in the midst of the pandemic which is still causing untold damages to our lives and economy.
Businesses, specifically the SMEs who are the main artery to the country’s economic wellbeing, were severely affected by the few rounds of lockdowns imposed by the government during the last two years.
Shoring up their cyber defences will be pushed down to the bottom of their priority list for the next 12 months, making them extremely vulnerable to all forms of cyber-attacks, specifically ransomware.
And hackers and cybercriminals have no mercy or compassion. They attack when organizations, be it public or private entities, are at their most vulnerable.
If Malaysia does not react now, it will be too late and the consequences will be unbearable. It is now or never.
After the responses shown by the government in both the pandemic and the flood, the rakyat no longer buys into any assurances given by those ministries and agencies tasked to identify, monitor and manage threats and disasters against the country.
As they say, the proof is in the pudding.
The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.