Cyberspace guardians
12 April 2009 (New Staits Times)

CyberSecurity Malaysia who? A vast majority of Internet users do not know that there is a public agency tothat look after Malaysian cyberspace. safe? Agency boss Lt-Col (R) Husin Jazri tells CHANDRA DEVI how they do go about doing their job

Q: What are your functions?

We advise Internet users on how to cope with cyber threats and deal with safety issues.

We also provide specialised services to support the growth of digital forensics, security management and best practices, and cyber security products evaluation based on international standards.

Third party validation on quality and reliability of security products is important as it will ensure that Malaysian products get accepted globally.

Another important function is education, training and creating awareness in the area of cyber security.

We intend to increase the number of cyber security professionals.

We develop educational content on cyber security that can be used by Internet users of all ages --- students, office workers and home users.

We also run a help centre, the Cyber 999 service.

Q: Is CyberSecurity Malaysia an enforcement agency?

We are not a law enforcement agency. We cannot knock down the doors of people suspected of committing cyber crimes and confiscate computers.

Enforcement only comes from law enforcement agencies like the police. We provide support to enforcement agencies and victims.

We can assist in cyber forensic and analysis investigation such as analysing evidence and providing expert witnesses.

Not everything should be in the form of enforcement.

We need tiers, role players, technical support and specialist centres which can probe deeper and solve technical problems to help the judicial process.

Q: What makes a crime a cyber crime?

There is no comprehensive definition of cyber crime. There were some attempts but no conclusive definition was agreeable.

Cyber crime comes under three categories. The first is when information and communications technology (ICT) systems and intellectual property become targets of exploitation, intrusion, identity and information theft.

The second is when ICT devices are used as means to commit crimes.

For example, computers at home are used to run malicious programs to intrude other computers to steal money, identity and passwords.

The third category is where the ICT devices are used as mediums of committing crimes. For example, sedition, disharmony or unrest, slandering and instigating at higher scale come under this category.

Some people say these cases must be prosecuted under cyber laws. But there are already laws that can be used to handle these cases. For example, for sedition and slander, one can be charged under the Penal Code.

Q: How successful is CyberSecurity Malaysia in combating cyber crimes?

There are no agreed indicators to measure this success.

It is hard to say how successful we are. But we have achieved some breakthroughs in many incidents.

Our role in combating cyber crime involves providing specialised and in-depth tech support on how to tackle threats.

For example, when there is a dedicated attack by botnet to propagate malware which is very dangerous, we quickly analyse it to look for an antidote.

If there is none, then we create one to release to our partners, so Malaysians can be protected from these vulnerabilities online.

Q: A recent CyberSecurity statement said cyber crimes had increased 100 per cent.

Last year, we handled a total of 2,123 incidents, more than 100 per cent increase compared with 2007. But that rate was an increase in incidents and it may not correlate with cyber crime rates.

We have not analysed cyber crime rates per se. But what we have is analysis on the complaints and referrals given to us.

In my years of service, I have not seen comprehensive statistics on the rate of cyber crime in Malaysia. The police, Bank Negara, Securities Commission and Malaysian Communications and Multimedia Commission (MCMC) have their own statistics. We have not been able to collate these statistics to see the bigger picture.

What we at CyberSecurity Malaysia have at the moment is the statistical data captured from our cyber complaint centre, the Cyber 999 and MyCert.

Many factors can contribute to the increase. One is that cyber crimes have gone up. Second is that the number of Internet users has gone up. There are 13.5 million Internet users in the country today and the number is increasing.

So the base has expanded and, correspondingly, complaints have also increased.

Q: Do you see cyber crime numbers escalating with the economic downturn?

Most cyber crimes are financially motivated. The impact of the economic downturn and financial crisis could potentially lead to the increase in cyber crime cases globally. With people becoming jobless and unemployed, it can lead to the boom in spam, especially those related to false job offers.

Q: The Energy, Water and Communications Minister Datuk Shaziman Abu Mansor has said that Malaysia may need a cyber court to deal with the increasing number of cyber crimes.

Yes, we need a cyber court. It could, hopefully, speed up the prosecution of cyber
criminals. And it would encourage more judges and lawyers to specialise in cyber laws. A very challenging issue in cyber crime investigation is the gathering of evidence. If there is a cyber court, there will be a need for a provision on how the court can facilitate and give empowerment for evidence collection in a much, much easier way.

This is a bottleneck due to the borderless nature of the Internet and multiple jurisdiction as evidence can come from two or more countries.

The setting up of the court must take into consideration the bottleneck and how it can help ease evidence gathering.

Q: Are we lacking or, perhaps, not doing it right in combating cyber crimes?

The government has acted wisely and is far-sighted as far as cyber security issues are concerned.

It has created institutions like CyberSecurity Malaysia to help us face the challenges. There is also the National Cyber Security Policy which aims to reduce the vulnerability of ICT systems and networks.

It tries to instil a culture of cyber security among Internet users and strengthen Malaysian self-reliance in terms of technology and human resources.

Not many countries have such a policy or enacted laws like the Computer Crime Act 1997 and the Communication and Multimedia Act 1998.

The fundamentals have been put in place. I believe the security and safety in Malaysian cyberspace is much better than in some developed countries.

For example, if a malicious virus arrives in Malaysian space, we can stop it within 24 hours.

We do this by working with banks, MCMC, ISPs and the police.

If you talk about a 100m sprint, we are the fastest. Our cyberspace is well governed.

Q: What about cyber laws?

To address the rapid increase in cyber-related crimes, the government understands that cyber laws need to be, if necessary, revamped to meet the challenges.

The Ministry of Science, Technology and Innovation has worked with CyberSecurity Malaysia since last year to look into cyber laws and all related laws, and recommend amendments, if needed.

Q: What areas are we lacking in?

It will be in the number of security professionals. We have just about 800 professionals now.

We need to increase the number to about 7,000 in three years' time. Universities have already responded and are offering courses. But still, the demand is huge.

We need to educate the public and create awareness on cyber security. There is no dedicated agency doing that right now.

We have done some bits like creating content and interacting with schools through pilot projects.

Q: CyberSecurity aims to "create a culture of info-security" among Malaysians. Can you explain?

Most people go into the information infrastructure and concentrate on the ease of use. Very few look at it from a safety and security perspective.

For example, if we subscribe to Internet banking, we should learn about the risk factors. In social networking sites like Friendster and Facebook, we must be aware of the risk in dealing with people on these sites.

We should never blindly trust people and we must be critical about what we read and see.

We aim to build a culture of security through awareness programmes and best practices among children, teenagers, parents and organisations.

We have organised and created many activities to improve the level of awareness in information security.