In response to the rising tide of cyber security threats in Malaysia, Parliament has, over the years, passed a slew of cyber legislation to regulate activities in cyberspace and to tackle cyber attacks.
There is as yet no stand-alone cyber security statute, and there is no indication that Parliament plans to enact one. In this article, we set out a brief description of the relevant cyber legislation and its relevance to cybersecurity, as well as the cybersecurity framework currently in place in Malaysia.
Existing Laws That Deal with Cyber Security
Communications and Multimedia Act 1998 (“CMA”)
As the main cyber law in Malaysia, the CMA provides for and regulates the converging areas of communications and multimedia.
In particular, the CMA regulates various activities carried out by licensees (i.e. network facilities providers, network service providers, applications service providers and content applications service providers) as well as those utilising the services provided by licensees. One of the objects of the CMA is to ensure information security and network reliability and integrity in Malaysia.
Computer Crimes Act 1997 (“CCA”)
The CCA criminalizes hacking, the spreading of computer viruses and the wrongful communication of any means of access to a computer to an unauthorized person.
Depending on the type of offence committed, the penalties range from a fine of RM25,000 to RM150,000, imprisonment of 3 to 10 years, or both.
Digital Signatures Act 1997 (“DSA”)
The DSA is an enabling law that allows for the development of, among others, electronic transactions, by providing an avenue for secure online transactions through the use of digital signatures.
The legal recognition of digital signatures allows electronic communications to be transmitted securely, especially over the Internet. A digital signature is an identity verification procedure that uses cryptographic techniques to prevent forgery and interception of communications.
Electronic Commerce Act 2006 (“ECA”)
The object of the ECA is to provide for legal recognition of electronic messages in commercial transactions, the use of the electronic messages to fulfil legal requirements and to enable and facilitate commercial transactions via electronic means.
It confers legal recognition on the formation of a contract via electronic means; recognizes electronic messages and electronic signatures; deems certain electronic documents to be originals; and provides that the retention of documents in electronic format fulfils the requirements of the law, provided certain qualifying criteria are met.
Personal Data Protection Act 2010 (“PDPA”)
The PDPA regulates the processing of personal data in commercial transactions and for matters connected therewith and incidental thereto.
The PDPA applies to anyone who processes, has control over or authorizes the processing of any personal data in respect of commercial transactions. The PDPA sets out seven personal data protection principles, of which the most relevant in the context of cybersecurity is the Security Principle: appropriate technical and organisational security measures shall be taken to prevent unauthorised or unlawful processing of personal data and accidental loss, misuse, modification or unauthorised disclosure of personal data.
National Cyber Security Policy (“NCSP”)
In addition to legislative measures, the Government has also rolled out the NCSP to strengthen Malaysia’s Critical National Information Infrastructure (“CNII”) and facilitate Malaysia’s drive towards attaining a developed nation status by the year 2020.
The NCSP addresses, among other things, risks to the CNII, which comprises the networked information systems of ten sectors, namely Defence and Security; Transportation; Banking and Finance; Health Services; Emergency Services; Energy; Information and Communications; Government; Food and Agriculture; and Water. These CNII sectors have been identified on the basis that their incapacitation would cause substantial damage to national interests and security and could potentially collapse the nation’s economy.
The NCSP sets out a number of “policy thrusts” to ensure the effectiveness of cybersecurity controls over vital assets. These “policy thrusts” would require the collaboration of different government agencies in ensuring effective governance and proper regulatory framework. The NCSP also requires the CNII sectors to ensure compliance with information security standards and technology-specific guidelines to a level commensurate with the risks.
On top of that, the NCSP also aims to increase the technological capability to resolve cyber crimes by improving digital forensic laboratory facilities. Malaysia has identified ISO/IEC 27001 as the baseline standard for information security and has proposed that all CNII sectors be certified under ISO/IEC 27001 Information Security Management Systems (“ISMS”).
Government Agencies/Units That Deal with Cyber Security
Cyber Security Malaysia
Cyber Security Malaysia (formerly known as the National ICT Security and Emergency Response Centre (“NISER”)) is a national cybersecurity specialist agency formed under the Ministry of Science, Technology & Innovation. Cyber Security Malaysia is tasked with monitoring national e-security, providing specialized cybersecurity services and identifying possible areas that may be detrimental to national security and public safety.
MyCERT and Cyber999
Malaysia Computer Emergency Response Team (“MyCERT”) addresses the computer security concerns of Malaysia’s Internet users and aims to reduce the probability of cybersecurity attacks.
The agency was formed under Cyber Security Malaysia to provide a point of contact for Internet users who are affected by cybersecurity incidents. MyCERT provides assistance to users affected by intrusions, identity theft, malware infection, cyber harassment and other computer security related incidents. MyCERT collaborates with law enforcement agencies and regulators such as the Royal Malaysian Police, the Securities Commission and the Central Bank of Malaysia, along with Internet Service Providers and various computer security response teams around the world.
Operated by MyCERT, Cyber999 is a computer security incident handling and response help centre covering the detection and interpretation of, and response to, computer security incidents. It also alerts Internet users in Malaysia in the event of a cybersecurity threat or malware outbreak.
CyberCSI
As Cyber Security Malaysia’s Outreach & Corporate Commitment Department, CyberCSI provides full-fledged digital forensics investigations and examinations in the areas of audio and video forensics.
The agency regularly works with law enforcement agencies, government-linked companies and private companies. The agency also has a team of analysts who have been gazetted under the Criminal Procedure Code, meaning that all reports and testimony provided by CyberCSI analysts are admissible in the Malaysian courts. The services provided by CyberCSI include digital forensics, data recovery, data sanitization and the provision of expert witnesses.
MyVAC, MySEF and MyCC
Initially created in line with the NCSP, the National Vulnerability Assessment Centre (“MyVAC”) is a unit of the Security Assurance Department under Cyber Security Malaysia that aims to improve the nation’s ability to defend against cyber crimes and the exploitation of vulnerabilities in information systems and technology. It aims to improve security in the CNII sectors through hands-on assessment and evaluation. Specifically, the key function of this unit is the development of critical technology laboratories, along with the cultivation of expertise in control systems, applications and networks. Examples of MyVAC’s services include vulnerability assessment research, cyber security audits and control systems security assessments.
Likewise, the Malaysian ICT Security Evaluation Facilities (“MySEF”) provides similar assessment and evaluation services, except that its focus is the security evaluation of ICT products and systems.
Another agency that carries out these functions is the Malaysian Common Criteria Evaluation and Certification (“MyCC”) scheme. MyCC evaluates and certifies the security functionality of ICT products against the Common Criteria, i.e. ISO/IEC 15408.
CyberSAFE
CyberSAFE stands for “Cyber Security Awareness for Everyone”.
The agency acts as the government’s outreach initiative to educate the general public and raise awareness of the technological and social issues plaguing Internet users. In line with this, the agency regularly provides updates and guidelines on the safe use of the Internet for children, parents, industry players and policymakers.
Proposed Regulatory Framework on Cyber Security Resilience
The Securities Commission Malaysia is currently developing a regulatory framework for the management of cyber security risk by capital market participants. The framework would include recommendations on the steps to be taken and the minimum requirements that should be addressed in cybersecurity frameworks, which include prevention, detection and recovery measures.
On the defence front, the Deputy Defence Minister has recently announced a three-pronged approach to enhance cyber security in Malaysia. We may expect legislative reforms to bolster existing legislation and/or introduce new legislation that deals with cyber security threats to Malaysia’s critical information infrastructure.