Cyberattacks – Plugging the Gap


The ease with which ransomware like WannaCry and Petya crippled entire organisations calls for an immediate response to confronting similar cyberattacks.  In terms of law enforcement, this has led to the Deputy Prime Minister’s proposal to introduce a new cybersecurity law. While this bill has not been tabled in Parliament and has yet to be made public, it is timely to consider the existing gap in the current Malaysian legislation and to note the cybersecurity bill recently introduced in Singapore.

There and Back Again – Malaysia’s Journey with Cyber Security Laws

The current Malaysian legislation deals with cyber security (in particular, unauthorized access of computers and the improper use of network facilities or network service) in the following ways:

  • sections 3 to 5 of the Computer Crimes Act 1997 (“CCA”) prohibits unauthorized access to computers and unauthorized modification of computer content;
  • section 233 of the Communication and Multimedia Act 1998 (“CMA”) prohibits improper use of network facilities; and
  • sections 265 to 267 of the CMA provides for network interception capabilities and emergency powers in relation to communication networks.

While the above sections are widely drafted to include the perpetrator of a cyberattack (i.e. a person who knowingly sends an email containing malware), these provisions are ill suited in addressing large scale malware attacks immediately. This is because the focus of the legislation above is on cybercrime such as hacking, instead of the recent large scale malware attacks. It is also worth noting that the legislation above was drafted in the late 1990’s and since then, technology has not only become essential to everything we do, it has also given mischief-makers new avenues to cause havoc. The Ministry of Science, Technology and Innovation has drafted the National Cyber Security Policy (“NCSP”), to facilitate Malaysia’s move towards a knowledge based economy. The NCSP aims to achieve this by developing and establishing a framework of cyber security controls. However, this Policy is not enacted as legislation, and, therefore, does not have the force of the law.

The National Cyber Security Agency (“NCSA”) provides support services to enforcement agencies and victims. However there is no obligation under Malaysian law for anyone to report a cyberattack to the NCSA. While the NCSA has been helpful to those who have contacted it, others prefer not to report an attack so as not to draw attention to weaknesses in their security, which could possibly lead to legal ramifications such as regulatory breaches or civil actions. Furthermore, the NCSA is not a law enforcement agency and will not be able to obtain injunctions or legal redress.

What Comes Next?

The Malaysian cybersecurity bill (“Malaysian Bill”) announced by the Deputy Prime Minister is intended to combat cybercrime, including the recruitment and financial sourcing by terrorist groups, money-laundering and online gambling.

Given the rapid nature of cyberattacks today, the new Malaysian Bill should target enforcement on the effects of a cybercrime and threats to critical infrastructure, and not just the means of perpetuating the cybercrime, as technology evolves so quickly that the law is always playing catch up. Therefore, our view is that the new framework should cover the following:

  • Introduce a supervisory unit to monitor possible cyberattacks and co-ordinate between the various regulators;
  • Encourage rapid mobilization of a special unit to attend to cyberattacks as soon as such attacks are detected;
  • Co-operate with regulators in other countries as threats are often global;
  • Criminalise activities which cause or knowingly facilitate disruptions to critical infrastructure and specified malicious attacks on communications networks and computer systems;
  • Enforce a system which will oblige victims of cyberattacks to notify the NCSA of any cyberattacks which have affected their computer systems, with appropriate safeguards;
  • Raise public awareness of cyberattacks and educate them on how to deploy suitable security.

Singapore’s draft cybersecurity bill has proposed to designate certain infrastructure as “critical” and prescribe duties to owners of critical infrastructure. This resonates with the NCSP, which has designated sectors like banking and finance to be Critical National Information Infrastructure (“CNII”), although it remains to be seen if the Malaysian Bill will incorporate the CNII into law.

We anticipate further developments once the draft Malaysian Bill is published and will provide further updates when possible.

If you have any questions or require any additional information, please contact Sharon Suyin Tan, Cheong Yuen Wei or the ZICO Law Partner you usually deal with.

This alert is for general information only and is not a substitute for legal advice.