The ease with which ransomware like WannaCry and Petya crippled entire organisations calls for an immediate response to similar cyberattacks. In terms of law enforcement, this has led to the Deputy Prime Minister’s proposal to introduce a new cybersecurity law. While this bill has not been tabled in Parliament and has yet to be made public, it is timely to consider the existing gap in the current Malaysian legislation and to note the cybersecurity bill recently introduced in Singapore.
There and Back Again – Malaysia’s Journey with Cyber Security Laws
The current Malaysian legislation deals with cyber security (in particular, unauthorized access of computers and the improper use of network facilities or network service) in the following ways:
While the above sections are widely drafted to include the perpetrator of a cyberattack (i.e. a person who knowingly sends an email containing malware), these provisions are ill-suited to addressing large-scale malware attacks immediately. This is because the focus of the legislation above is on cybercrime such as hacking, instead of the recent large-scale malware attacks. It is also worth noting that the legislation above was drafted in the late 1990s and since then, technology has not only become essential to everything we do, it has also given mischief-makers new avenues to cause havoc. The Ministry of Science, Technology and Innovation has drafted the National Cyber Security Policy (“NCSP”) to facilitate Malaysia’s move towards a knowledge-based economy. The NCSP aims to achieve this by developing and establishing a framework of cyber security controls. However, this Policy is not enacted as legislation and, therefore, does not have the force of law.
The National Cyber Security Agency (“NCSA”) provides support services to enforcement agencies and victims. However, there is no obligation under Malaysian law for anyone to report a cyberattack to the NCSA. While the NCSA has been helpful to those who have contacted it, others prefer not to report an attack so as not to draw attention to weaknesses in their security, which could possibly lead to legal ramifications such as regulatory breaches or civil actions. Furthermore, the NCSA is not a law enforcement agency and will not be able to obtain injunctions or legal redress.
What Comes Next?
The Malaysian cybersecurity bill (“Malaysian Bill”) announced by the Deputy Prime Minister is intended to combat cybercrime, including the recruitment and financial sourcing by terrorist groups, money-laundering and online gambling.
Given the rapid nature of cyberattacks today, the new Malaysian Bill should target enforcement on the effects of a cybercrime and threats to critical infrastructure, and not just the means of perpetrating the cybercrime, as technology evolves so quickly that the law is always playing catch-up. Therefore, our view is that the new framework should cover the following:
Singapore’s draft cybersecurity bill has proposed to designate certain infrastructure as “critical” and prescribe duties to owners of critical infrastructure. This resonates with the NCSP, which has designated sectors like banking and finance to be Critical National Information Infrastructure (“CNII”), although it remains to be seen if the Malaysian Bill will incorporate the CNII into law.
We anticipate further developments once the draft Malaysian Bill is published and will provide further updates when possible.
This alert is for general information only and is not a substitute for legal advice.