Malaysia Vs Malware
Futures Magazine - Issue 5.1

Malaysia is one of Asia's most alluring countries for cyber criminals. Why? And what is being done by the government to shore up its defences? Robin Hicks investigates.

At a high-level government conference in Kuala Lumpur earlier this year, an overseas speaker stunned his audience of Malaysian civil servants when he showed a slide of a government website festooned with images of naked women.

His point, though crudely made, was fair enough. Hackers are capable of pretty much anything these days, particularly in Malaysia, which suffers more from malicious invasions than most countries in the region. According to a Symantec report released in February 2010, 87 per cent of all Malaysian web traffic is malware. And ironically, only 0.2 percent of malware sent globally originates from Malaysia.

A recent Microsoft Security Intelligence Report tells the same story. The infection rate on Windows machines in Malaysia increased from 3.5 systems per thousand in the second half of 2008 to 5.1 systems per thousand in 2009. Only South Korea and Thailand suffer higher computer infection rates than Malaysia. Why? Infection rates reflect the scale of vulnerability of a country's IT systems, and vulnerability is to a large extent determined by piracy, believes Freddy Tan, the Chief Security Advisor at Microsoft Southeast Asia. "Users of pirated computers often do not patch their machines. This is because there is a misconception that Microsoft does not provide patches to pirated machines. But that is simply not true."

So what about government online infrastructure, which presumably isn't pirated? The news is similarly alarming. The number of security incidents (excluding spam) on government infrastructure recorded by CyberSecurity Malaysia, the government's lead cyber security agency, has increased by 218 percent in two years, from 1,038 in 2007 to 3,305 in 2009 (see table).

Lt Col Husin Jazri, Chief Executive of CyberSecurity Malaysia, says a growing dependency on information systems has left the government exposed to an expanding array of threats from cyber space. Information, particularly that controlled by governments, has become more accessible to cyber criminals who trade with it on the black market. "Our dependency on information has increased its value as a resource," says Jazri.

Bar the occasional politically motivated spate of homepage graffiti, most threats to Malaysian cyber soil are money-driven, as is the case elsewhere. Which is why the government departments most at risk are those that generate and store the most profitable data. "As long as the financial reward is there, the threat will be there too," says Jazri.

Malaysia fights back

The Malaysian government's response has been to get organised, give real power to cyber security decision-makers, and alert its citizens and civil servants to the dangers of cyber crime.

This has not been straightforward. CyberSecurity Malaysia, which reports to the Ministry of Science, Technology & Innovation (MOSTI), has taken on the responsibility.

Not long ago, CyberSecurity Malaysia was a small department within the Malaysian Institute of Microelectric Systems (MIMOS), a research centre that supports the local IT industry, running Malaysia's Computer Emergency Response Team (MyCERT). As the internet grew and cyber crime grew with it, the agency was renamed the National ICT Security Emergency Response Centre (NISER) and at that time was given new capabilities in digital forensics, business continuity and, in what is probably still its biggest role, raising cyber security awareness.

When Malaysian Cabinet Ministers approved the National Cyber Security Policy (NCSP) in 2006, NISER was given the lead implementation role – and real power. The policy was designed to make Malaysian IT systems "secure, resilient and self-reliant", and the agency's added responsibility prompted another name change. NISER became CyberSecurity Malaysia.

One of the agency's first initiatives was the Cyber 999 Help Centre, an online emergency service set up in July 2009. "Malaysians are just an email away from expert help," explains Jazri. "The public can report hack attempts, malicious codes, denial-of-service attacks and intrusion via our website. Cyber 999 brings us closer to our public and feeds us with 'real' input to help us formulate action plans."

Next came CyberSAFE, an awareness campaign designed to teach Malaysian netizens good habits in cyber space. This was supported by the portal, which launched in August 2009. The latest innovation is the CyberSAFE Ambassador Programme, which recruits thought-leaders to spread the word.

Microsoft's Freddy Tan says Malaysia's efforts to make its citizens more cyber security savvy set it apart in the region. Even so, CyberSecurity Malaysia's CEO believes more could be done. "Our biggest challenge is resources," says Jazri. "The internet is growing rapidly in terms of user numbers, content volume and the threat landscape. We have to be able to adapt to these changes. We need to inculcate cyber safety awareness and best practice in every internet user. But we do not have the manpower or machines or funding to do all the things we need to do."

Making Malaysian citizens cyber security aware is one thing. But what about civil servants? Jazri says that taking the lead on the National Cyber Security Policy has given CyberSecurity Malaysia the power to get its way with other government departments. "The NCSP has specific deliverables assigned to specific ministries. Usually they cooperate and take us very seriously," he says. "In fact, we have received invitations for us to give talks and training from other departments."

Is the war being won?

CyberSecurity Malaysia's projects fall under the 9th Malaysian Development Plan, which is closely monitored by the Implementation Coordination Unit of the Prime Minister's Department. As the agency's mission - to "Secure Malaysian Cyberspace" - is supported from the very top, it has a fighting chance of being accomplished.

The biggest threats to Malaysian cyber space are, according to a variety of different sources, botnets - networks of remotely controlled corrupted computers. CyberSecurity Malaysia can't fight them on its own. Professor Ahmed Manasrah of the National Advanced IPv6 Centre of Excellence at the Universiti Sains Malaysia is part of a team that is developing a botnet mitigation plan which, if it works in Malaysia, will roll out globally.

"Raising awareness is important. But what should we do if we find a botnet?" he asks. "We can block it. But if a bot herder is found, what legal action can be taken? There's a lot of obstacles that prevent effective legal action being taken against cyber criminals. What if a botnet is discovered in a government department? We need to be able to cut through the red tape."

Professor Manasrah is working with the International Multilateral Partnership Against Cyber Threats (IMPACT), which also happens to be based in Malaysia, and the International Telecommunication Union to form a cyber security cluster. The cluster of public and private sector organisations will, if it gets sufficient funding, support cyber defence research, educational initiatives including the framework for a cyber security course in universities, and a cyber threat analysis database.

This is crucial for the next phase of the war on cyber crime to be fought, says Professor Manasrah. "It's going to be a long journey to get the industry and government where it needs to be, let alone win the war on cyber crime. No matter what techniques or laws we use to fight it, the black hats will always find a way in. There is no silver bullet."

Jazri is less pessimistic. Just like conventional crime, cyber crime will reach its own equilibrium, he says. "Cyber criminals are getting smarter, but so are crime fighters. And with intensified awareness campaigns, even users are becoming capable crime fighters."

Cyber criminals have been caught and convicted, and law enforcement personnel are learning more about underground operations, he adds. This is making it more difficult for cyber criminals. "This is just an ordinary war, good people against bad, with cyber technology used as a weapon. The good guys always have the most support and resources as well as backing from the law. The odds are stacked against the criminals. So, yes, this war is winnable."