More budget needed for protection
The Star (18 Dec 2011)

WHILE the 2011 Symantec CIP survey indicated that critical infrastructure providers in Malaysia are less engaged with their government's Critical Infrastructure Protection (CIP) programmes, CyberSecurity Malaysia, which is responsible for them, is confident that many are concerned about the threats and are getting equipped to face them.

"When we conducted the 4th National Cyber Crisis Exercise with the National Security Council last month, 67 CNII (Critical National Information Infrastructure) organisations took part, compared with only 34 last year.

"So, there was a 97% increase in willingness to participate among the real CNII sectors in Malaysia," says CyberSecurity Malaysia chief executive officer (CEO) Lt Col Prof Datuk Husin Jazri.

He says the CIP programme in Malaysia is under the National Cyber Security Policy (NCSP), which has been in place since 2006.

CNII comprises the networked information systems of 10 critical sectors including national defence and security; banking and finance; water; emergency services; and food and agriculture.

Three areas, namely manufacturing, chemical products and pharmaceuticals, are not included. However, they are included in the Symantec survey, which may have caused a discrepancy in the survey results, says Husin.

He concedes that the government needs to expand the categories of CNII to include the three sectors.

He adds that there are valuable lessons that Malaysia can take from the survey. One is the call for a more intensified outreach programme to improve the awareness and engagement levels of CNII with regard to the Malaysian CIP Programme.

"On a positive note, however, I believe we have the opportunity to convert the 33% from neutral to willing, and increase the willingness level to 87%," adds Husin, who agrees that the readiness level among CNII in Malaysia is accurately reflected by the survey, which is said to hover around 52-61%.

"We believe the number is quite accurate, judging from the recent incident of hack threat on Malaysian websites, particularly the .gov.my websites," he says, urging the government to update the CIP programme and the NCSP, which was developed in 2005-2006 and implemented in 2007-2010.

"They need to be updated to capture the various changes that have modified the cyber security environment since then," stresses Husin.

In the last two years, he highlights, CyberSecurity Malaysia has held many roadshows, exhibitions and dialogues with stakeholders to promote CIP programmes in Malaysia, as well as the implementation of NCSP.

However, they were not able to do the same this year due to the lack of funding. The government should provide sufficient budget for cyber security initiatives, says Husin.

"What we can do at CyberSecurity Malaysia is to continue to provide more training and capability building in cyber security.

"It will be more effective if we are given legislative power and budget to implement cyber security initiatives for the CNII and the public, and also to monitor the country's cyber security environment," notes Husin.