|IS CYBERSECURITY MALAYSIA AN ENFORCEMENT AGENCY?|
We are not a law enforcement agency. We do not knock down the doors of cyber criminals to seize computers. Enforcement can only be carried out by law enforcement agencies, such as the police. However, we provide support to enforcement agencies and victims, in ensuring that justice will prevail regardless of the "space" where a particular crime is conducted.
We assist in cyber forensics and analysis - such as analysing evidence and providing expert witnesses for relevant cases. In order for enforcement agencies to fulfill their roles, they require processes, role players, technical support and specialist centres to aid in analysing and solving technical problems to help the judicial process.
|WHAT WE MEAN BY CREATING A CULTURE OF CYBER SECURITY|
CyberSecurity Malaysia aims to "create a culture of info-security" among Malaysians. Please explain?
Most people go into the information infrastructure and concentrate on the ease of use.
Very few look at it from a safety and security perspective. For example, if we subscribe to Internet banking, we should learn about the risk factors. In social networking sites like Friendster and Facebook, we must be aware of the risk in dealing with people on these sites. We should never blindly trust people and we must be critical about what we read and see.
We aim to build a culture of security through awareness programmes and best practices among children, teenagers, parents and organisations. We have organised and created many activities to improve the level of awareness in information security. Please visit our website www.cybersecurity.my
for more information on this, or visit the independent awareness website that we run www.cybersafe.my
to download contents/resources that we have developed and to obtain safety tips for a secure venture into the cyber space.
|WHAT ABOUT CYBER LAWS|
To address the rapid increase in cyber-related crimes, the government understands that cyber laws need to be, if necessary, revamped to meet the challenges. The Ministry of Science, Technology and Innovation has worked with CyberSecurity Malaysia since last year to look into cyber laws and all related laws, and recommend amendments, if needed.
What areas are we lacking in?
It will be in the number of security professionals. We have just about 800 professionals now. We need to increase the number to about 7,000 in three years' time. Universities have already responded and are offering courses. But still, the demand is huge. We need to educate the public and create awareness on cyber security. There is no dedicated agency doing that right now. We have done some bits like creating content and interacting with schools through pilot projects.
|WHAT ABOUT CYBER CRIME|
What makes a crime a cyber crime?
There is no comprehensive definition of cyber crime. There were some attempts but no conclusive definition was agreeable. Cyber crime comes under three categories.
The first is when information and communications technology (ICT) systems and intellectual property become targets of exploitation, intrusion, identity and information theft.
The second is when ICT devices are used as means to commit crimes. For example, computers at home are used to run malicious programs to intrude other computers to steal money, identity and passwords.
The third category is where the ICT devices are used as mediums of committing crimes. For example, sedition, disharmony or unrest, slandering and instigating at higher scale come under this category. Some people say these cases must be prosecuted under cyber laws. But there are already laws that can be used to handle these cases. For example, for sedition and slander, one can be charged under the Penal Code.
How successful is CyberSecurity Malaysia in combating cyber crimes?
There are no agreed indicators to measure this success. It is hard to say how successful we are. But we have achieved some breakthroughs in many incidents. Our role in combating cyber crime involves providing specialised and in-depth tech support on how to tackle threats. For example, when there is a dedicated attack by botnet to propagate malware which is very dangerous, we quickly analyse it to look for an antidote. If there is none, then we create one to release to our partners, so Malaysians can be protected from these vulnerabilities online.
A recent CyberSecurity statement said cyber crimes had increased 100 per cent.
Last year, we handled a total of 2,123 incidents, more than 100 per cent increase compared with 2007. But that rate was an increase in incidents and it may not correlate with cyber crime rates. We have not analysed cyber crime rates per se. But what we have is analysis on the complaints and referrals given to us.
We have not seen comprehensive statistics on the rate of cyber crime in Malaysia. The police, Bank Negara, Securities Commission and Malaysian Communications and Multimedia Commission (MCMC) have their own statistics. We have not been able to collate these statistics to see the bigger picture.
What we at CyberSecurity Malaysia have at the moment is the statistical data captured from our cyber help centre, the Cyber999™ service. Many factors can contribute to the increase.
One is that cyber crimes have gone up.
Second is that the number of Internet users has gone up. There are 13.5 million Internet users in the country today and the number is increasing.
So the base has expanded and, correspondingly, complaints have also increased.
Are the cyber crime numbers escalating with the economic downturn?
Most cyber crimes are financially motivated. The impact of the economic downturn and financial crisis could potentially lead to the increase in cyber crime cases globally. With people becoming jobless and unemployed, it can lead to the boom in spam, especially those related to false job offers.
The former Energy, Water and Communications Minister Datuk Shaziman Abu Mansor has said that Malaysia may need a cyber court to deal with the increasing number of cyber crimes.
Yes, we need a cyber court. It could, hopefully, speed up the prosecution of cyber criminals. And it would encourage more judges and lawyers to specialise in cyber laws.
A very challenging issue in cyber crime investigation is the gathering of evidence. If there is a cyber court, there will be a need for a provision on how the court can facilitate and give empowerment for evidence collection in a much, much easier way. This is a bottleneck due to the borderless nature of the Internet and multiple jurisdiction as evidence can come from two or more countries. The setting up of the court must take into consideration the bottleneck and how it can help ease evidence gathering.
Are we lacking or, perhaps, not doing it right in combating cyber crimes?
The government has acted wisely and is far-sighted as far as cyber security issues are concerned. It has created institutions like CyberSecurity Malaysia to help us face the challenges.
There is also the National Cyber Security Policy which aims to reduce the vulnerability of ICT systems and networks. It tries to instill a culture of cyber security among Internet users and strengthen Malaysian self-reliance in terms of technology and human resources. Not many countries have such a policy or enacted laws like the Computer Crime Act 1997 and the Communication and Multimedia Act 1998.
The fundamentals have been put in place. I believe the security and safety in Malaysian cyberspace is much better than in some developed countries. For example, if a malicious virus arrives in Malaysian space, we can stop it within 24 hours. We do this by working with banks, MCMC, ISPs and the police. If you talk about a 100m sprint, we are the fastest. Our cyberspace is well governed.
|WHAT IS CYBER WAR OR CYBER TERRORISM|
There is nothing new about this term except for the "cyber" prefix. War and terrorism are "traditional" concepts that occur in the physical domain. The new domain is the "cyber" prefix.
Cyber war is warfare in cyberspace. This includes warfare attacks against a nation's state and forcing critical communications channels and information systems infrastructure and assets to fail or destroy. This may also include warfare against foreign websites which cause the websites down and not accessible.
On the other hand, cyber terrorism is the use of cyberspace to commit terrorist acts. The simple definition of cyber terrorism is the use of information technology and its means by terrorist groups and agents to cause fear and/or physical harm to the people. The perpetrator use information systems or other electronic means to launch the cyber attack against critical information infrastructures such as financial, energy, transportation and government operations. An example might be hacking into a computer system with the objective to cripple the electrical distribution grid by shutting down the control systems; to disrupt the national telecommunications network services; to sabotage the airport traffic control systems; to destroy bank information on a massive scale, therefore crippling the financial sector; and to gain access to the dam control systems, and cause massive floods.