EXCLUSIVE - Safeguarding Malaysian cyber space (Part I) - Protecting critical infrastructure and inculcating public awareness
Cybersecurity is a vital concern for countries moving towards a digital government and economy. Every step forward in technology adoption brings its own set of risks.
CSM is the national cyber security specialist agency under the Ministry of Science, Technology and Innovation (MOSTI). OpenGov conducted an interview with Dato’ Dr. Haji Amirudin Abdul Wahab, Chief Executive Officer, CyberSecurity Malaysia (CSM) to learn about areas of focus and key ongoing initiatives at CSM (OpenGov previously interviewed Dato’ Dr. Haji Amirudin in March 2016) .
We will be publishing the comprehensive interview in two parts, with the first part covering CSM’s Business Transformation Program which aims to achieve 20 per cent self-sustainability for CSM by 2020, protecting Critical National Information Infrastructure and improving general public awareness of cybersecurity and best practices. In the second part, Dato’ Dr. Haji Amirudin tells us about multilateral cooperation and the challenges of changing mindset and culture.
Could you tell us about your role as the CEO of CSM (CSM)? What are the short to medium term areas of focus and key ongoing initiatives at CSM? (SM)
Since taking over the role as Chief Executive Officer in 2013, I have been overseeing CSM’s initiatives that are implemented to realise its vision to become a globally recognised national cyber security reference and specialist centre by 2020.
CSM has successfully rolled out programs and projects under its Centre of Excellence (COE) initiative that was introduced in 2013 to provide leadership and specialised services delivery to the country’s Critical National Information infrastructure (CNII) sectors. COE is a comprehensive strategic long term plan, which lays out CSM’s vision for 2020 and provides a roadmap on how to achieve it.
There are eight selected expertise areas under COE as listed below:
- Digital Forensics and Investigation
- Cybersecurity Responsive Services
- Cybersecurity Strategic Studies
- Cyber Rapid Action & Intelligence
- Cybersecurity Acculturation & Capacity Building
- Information Security Certification
- Cybersecurity Governance, Risk Management & Compliance
- Cybersecurity Assessment and Assurance
Each of CSM division or department for the above eight focus areas has been tasked to identify potential cyber security services ready for commercialisation.
CSM’s key ongoing initiative is its Business Transformation Program (BTP), which kicked off in 2016.Currently, I am closely monitoring BTP, which requires revision of both the agency’s corporate and organisation structures.
Central to the BTP is the commercialisation of cyber security training, consultancy, certification and technical services. The BTP has been outlined with the aim of achieving 20 per cent self-sustainability through own revenue generation by 2020.
The overall objectives of BTP are to:
- Achieve technical excellence and national leadership in the eight selected focus areas;
- Drive commercialisation efforts to generate alternative revenue sources;
- Reorganise corporation to be more market or commercially oriented;
- Enhance service delivery effectiveness and visibility of impact;
- Develop strategic partnerships and collaborations with leading industry players;
- Engage stakeholders to safeguard and enhance relevance and positioning; and
- Transform people mindset and corporate culture
BTP integrates various strategic initiatives which encompass people, process and technology elements namely:
- Domain Expertise Areas under COE – in terms of technical/supply
- Product Development and Marketing – product packaging
- Industry Development – industry collaboration program
- Change Management – supply and demand of employees
- Account Management – internal supply, account and project management
These days a cyber attack on critical infrastructure or even an important private company, such as a major bank, can cause significant damage. What is CSM doing to provide cybersecurity support to industry and for protecting infrastructure assets?
To safeguard the nation cyber space from cyber threats, the Government through CSM has taken steps including to:
- Implement the National Cyber Security Policy (NCSP) under the supervision of the National Security Council. NCSP is a comprehensive initiative to tackle cyber threats, especially in the protection of CNII. NCSP focuses on the use of cyber security technology towards the development, usage and production of local technologies to reduce dependence on foreign technologies. This policy also emphasises capacity building in the field of cyber security, research and development, as well as initiatives in dealing with cyber threats.
- Assist in implementing the certification of Information Security Management System (ISMS) based on ISO 27001 International Standard for the CNII organizations.
- Enact the National Cryptography Policy under the supervision of the National Security Council in order to protect the nation's critical information assets in terms of confidentiality, integrity and authenticity through the implementation of a trusted cryptographic infrastructure. National Cryptography Policy has outlined the methods and strategic approach in the use of cryptography, the cryptography products and research and development for government agencies to protect information.
- Strengthen cyber security cooperation at the international level such as the ASEAN Regional Forum, the Asia Pacific Computer Emergency Response Team (APCERT) and the Organisation of The Islamic Cooperation - Computer Emergency Response Team (OIC-CERT). Malaysia, through CSM, was appointed as the Permanent Secretariat of the OIC-CERT in 2013. CSM has also been appointed to be the Deputy Chairman APCERT for years 2016-2017.
- Identify the level of preparedness of the CNII agencies in facing the various threats and cyber-attacks, the National Security Council in collaboration with CSM has organized National Cyber Drill (X-MAYA) periodically since 2008. The cyber drill is specifically aimed at testing the effectiveness, identifying gaps and improving communication procedures, response and coordination of National Cyber Crisis Management. In addition, the exercise also plays an important role in increasing awareness among organizations and CNII agencies on the impact of cyber incidents on national security. To date, X-MAYA has been held 6 times from 2008 until 2017.
Regarding cyber threats to the financial sector especially in the banking sector, Bank Negara Malaysia (BNM) has set up Internet Banking Task Force (IBTF) in 2004 to develop best practices for the banking industry and cooperate with respective agencies to address cyber security incidents. It is also a platform to discuss the latest trends or issues to deal with Internet banking and online financial criminal activity. CSM is a key member in providing technical advice and support to IBTF members.
Chaired by Bank Negara Malaysia, IBTF consists of: 1) All commercial banks in Malaysia (banks provide Internet banking services in Malaysia) that carry out the transaction in either a local bank or a foreign bank; 2) The Law Enforcement such as the Royal Malaysian Police (PDRM), Malaysian Communications and Multimedia Commission (MCMC) and other relevant agencies with cyber security such as Telco and technical agencies like CSM.
The IBTF’s main role is to develop best practices for the entire banking industry and to cooperate with relevant agencies in dealing with cyber security incidents and intrusions.
What is CSM doing to improve public awareness of cybersecurity and best practices?
As part of its initiatives to strengthen the field of cyber security, CSM is continuously carrying out various programs to inculcate awareness amongst internet users on technological and social issues, particularly online danger.
CSM has introduced a dedicated program known as Cyber Security Awareness for Everyone (CyberSAFE) aimed at increasing awareness and nurturing best practices on safe and positive ICT usage amongst internet users.
Activities that have been carried out by CyberSAFE include:
- Awareness Talks & Open Seminars
- Training of Teachers/Ambassadors
- Onsite Awareness Days/Week
- Awareness Activity Kits
- Awareness Roadshows and Competitions
- Consultation with the Community and various interest groups
- National ICT Security Discourse (NICTSeD)
- Safer Internet Day (SID)
- Cyber Discovery Camp
- CyberSAFE Mentor program for Institute of Higher Learning Centres
- CyberSAFE Treasure Hunt / Explore Race
- CyberSAFE Performing Arts
Amongst the issues highlighted are:
- Good Online Chatting and Social Networking Habits
- Safe Internet Banking & Online Shopping
- Online Investment Scams, Identity Thefts, Online Fraud and Phishing Scams
- Protecting Your Computer against viruses, worms and other Malware Infections
- Cyber Stalking, Cyberbullying and Online Harassment
- Good Email Account Management and Dealing with Spam
- Protecting privacy and personal information online
The initiatives under CyberSAFE place emphasis on the importance of safeguarding internet users’ safety and assets including personal information when surfing the internet especially social media sites.
How is CSM working with other Malaysian government agencies to create a safer and more secure cyberspace?
As I mentioned earlier, NCSP is one of the most important measures taken to secure the cyberspace and forms the foundation of Malaysia e-Sovereignty. Formulated by the Ministry of Science Technology and Innovation in 2005 and it was endorsed by the Cabinet in May 2006, objectives of the NCSP is aimed at addressing the risk to the CNII sectors, ensure that the critical infrastructure is protected as well as develop and establish a comprehensive program and a series of framework. Collectively, such cyber security posture will promote productivity, national sustainability, social harmony and well-being, as well as wealth creation.
In support of NCSP and through the National Security Council (NSC) of Malaysia CSM is working together with other government agencies and lead sectors from the 10 Critical National Information Infrastructure (CNII) sectors in Malaysia to safeguard the country’s cyberspace. The 10 critical sectors are: Defence and Security, Transportation, Banking and Finance, Health Services, Emergency Services, Energy, Information and Communication, Government, Food and Agriculture and Water.
Malaysia also implements X-Maya, a National Cyber Crisis Exercise or Cyber Drill conducted by CSM in collaboration with the National Security Council to assess and improve the National Cyber Crisis Management Plan together with CNII's readiness against the threat of cyber-attacks on a yearly basis.
The second part of this interview will be published on April 26, 2017.