By Azlan Mohamed Ghazali and Ho Siew Kei
IN the past year, we’ve seen supply chain attacks, the rapid shift to cloud, the adoption of remote work, and more. While it is clear that governments are already operating in these ecosystems, their approach to security has yet to catch up.
The move toward participating in cybersecurity ecosystems has been accelerating, driven largely by access to better tools or a greater variety of skills. However, recent events such as cyberattacks by hacktivist group Anonymous Malaysia on the Malaysian Government’s websites and online assets as well as the Malaysian Armed Forces (MAF) network, show the difficulties of living in a networked ecosystem.
In addition to that, high numbers of cyber incidents reported by Cyber Security Malaysia such as denial-of-service (DoS), fraud (scammers), and intrusions is another avenue that cyber threats will impact organisations. This can indirectly threaten its partners, clients, and even an entire industry.
Unfortunately, criminals are always on the look out to capitalise on the COVID-19 pandemic – such as phishing, scam domains, malware, and android malware.
With a strong Internet penetration of 83% in Malaysia and the rapid increase of Internet-enabled devices, cyber culture is growing faster than cyber security. Understanding that an attack can become more sophisticated, organisations should consider multi-layered solutions and protection from the technology and infrastructure perspective, while increasing awareness and revaluating risk management to help strengthen its security postures.
Everything that depends on cyberspace is potentially at risk. The key is to be resilient, by reimagining risk to drive core organisation objectives, from cyber, technology, and strategic risk, to sustainability and building a solid reputation.
Attacks can scale dramatically, moving quickly between public and private networks. For example, the WannaCry ransomware attack of 2017 compromised more than 300,000 machines across 150 countries – affecting more than a dozen companies in Malaysia, including a large government-linked corporation, a government-linked investment firm, and an insurance company.
So, what can governments do to keep all the advantages of participating in ecosystems while mitigating the risks? A shift in government’s role in cybersecurity is the answer. No longer are governments content just to protect their own networks; many are beginning to take larger roles in coordinating security across public-private ecosystems.
No government can function in isolation. There is thus a growing realisation within governments that in order to mount a proper national cyber defence, their role should expand from only securing public networks to encompass both public and private networks. Many governments across the world are already moving in this direction.
Similarly, the Malaysia Cyber Security Strategy was launched in 2020 with the aim to upgrade the country’s cybersecurity measures. The four-year strategy comprises five strategic pillars and 35 action plans, all of which will see strategic partnerships between the public and private sector to combat cybercrime and strengthen the nation’s cyber security posture.
To become effective in these new roles, governments must shift how they manage relationships, talent, and even internal operations. The following considerations should be taken into account:
Increase access to cutting-edge tools and technologies. Connecting with a wide array of partners—service providers, government agencies, academia, private industry—can help keep the government at the cutting edge of cyber tools, technologies, and best practices.
Scale the sharing of threat information. Coordinating with ecosystems across levels of government and with other countries can ensure government access to the newest threat indicators, and that leading practices are in place.
To secure an ecosystem, it requires relationships to share information and set norms of behavior – a significant change from government agencies norm of restricting sensitive data from a “need to know” basis. This shift towards greater sharing and collaborative decision-making applies for every level. Some ecosystems are formed at the international level, while others are limited to a specific country or a region.
Grow your pool of leading talent. Tapping into a wider cyber talent ecosystem can expand access to the right skills.
The requirement to secure today’s network services is no longer focused on securing the perimeter alone. ‘Defence in depth’ is the challenge the world is facing. In order to keep up with the risk of attacks, governments need to encourage independent technological talents to volunteer their time to help spot potential issues. Governments should allow pre-vetted hackers to run vulnerability assessment, infrastructure penetration testing, application penetration testing, and configuration review, to determine its weakness in order to build a stronger defense.
Inculcate a zero-trust mindset. Cybersecurity needs a seat at the table, whether it is in executive decisions on new investments or operations in the form of DevSecOps.
The sheer number of interconnections in an ecosystem means that old models of security built on keeping threats at bay outside of networks simply do not work. Rather, security is beginning to shift toward models such as zero trust that assume breaches exist and look to verify that activity is authentic. A Deloitte survey of nearly 600 IT professionals found that 37% saw an acceleration in the adoption of zero trust due to COVID-19.
As the cyberspace is an environment with its own rules and dangers, the challenge for governments lies in how government officials anticipate and counter moves by an ever-shifting cast of criminal adversaries. Governments in their new roles will need to work with speed, dexterity, and adaptability to succeed on this new ecosystem. – June 3, 2021
Azlan Mohamed Ghazali is the cyber risk director of Deloitte Malaysia and Ho Siew Kei is Deloitte Malaysia’s cyber risk leader.
The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
