MalaysiaCyberSecurityStrategy2020-2024

2 Malaysia Cyber Security Strategy 2020-2024
CONTENTS
INTRODUCTION 4
CYBER SECURITY LANDSCAPE & ECOSYSTEM 14
ISSUES & CHALLENGES 20
STRATEGIC PILLARS 28
PILLAR 1 30 PILLAR 4 62
Effective Governance Enhancing
and Management Capacity &
Capability Building,
PILLAR 2 Awareness and
Strengthening 44 Education
Legislative Framework
and Enforcement PILLAR 5 74
Strengthening
PILLAR 3 Global
Catalysing World 54 Collaboration
Class Innovation,
Technology, R&D and
Industry
CONCLUSION 84
ABBREVIATIONS 88
INTRODUCTION
Malaysia has been rapidly ushered into the digital age,

together with the rest of the world, for the past few decades
due to the exponential and unprecedented advancement
in the use of Information and Communications Technology
(ICT). We have come a long way since the first adoption of
the Internet back in 1995. Today, broadband connectivity
has become a necessity for businesses, services and citizens
of Malaysia to succeed and be relevant in the Fourth
Industrial Revolution (Industry 4.0). Hardly any person or thing
is unconnected to cyberspace. Businesses are becoming
deeply reliant on democratised technologies such as mobile,
social, Big Data, Internet of Things (IoT), Artificial Intelligence
(AI), and hyper-scale cloud that are all dependant on this
connectivity.
Malaysia Cyber Security Strategy 2020-2024 5
Anything connected to the in place. Governments now have
internet is exposed to cyber risks. to deal with cyber threats not just
With this in mind, Malaysia needs to aimed at personal and financial
develop a cyber security strategy gains, but also threats from state-
that is pragmatic and aims for a sponsored actors aimed at critical
cyberspace that is secured, trusted targets of national importance. It is
and resilient while at the same worth noting that state-sponsored
time fostering economic prosperity attacks are not only sophisticated
and the well-being of its citizens. and potent, but once deployed,
We believe that our vision can these advanced technologies
be achieved by fortifying local can fall into the hands of cyber-
capabilities to predict, detect, criminals who can then amplify
deter and respond to cyber threats the use of these powerful cyber-
by strengthening our cyber security weapons at global scale.
governance, nurturing competent
people, supporting best practice The targets of malicious
processes and deploying effective cyber activity are often the
technologies. very foundation of a nation.
Consequently Malaysia recognises
Information sharing platforms, cyber security as a national
channels and avenues for priority. This has led to the
government agencies, businesses formulation of the National Cyber
and the general public on cyber Security Policy (NCSP) in 2006. The
security and cyber threats need NCSP was specifically developed
to be enhanced. Our situational to address the risks to the Critical
awareness, coordination, and National Information Infrastructure
threat mitigation capabilities (CNII), which are made up of 10
likewise must be improved. sectors namely: National Defence
and Security; Banking and Finance;
We are indeed fast becoming a Information and Communications;
digitalised nation. In 2018 there Energy; Transportation; Water;
are 28.7 million Internet users in Health Services; Government;
Malaysia which represent 87.4% of Emergency Services; and Food
the population. Such astounding and Agriculture. The NCSP
figures illustrates our growing recognises the critical and highly
dependency and connectedness interdependent nature of the CNII
to cyberspace. On the other side, and aims to develop and establish
cyber-attacks have progressed just a comprehensive programme and
as fast as, or even faster than the a series of frameworks that will
security measures that were put ensure the effectiveness of cyber
security controls over vital assets, of the laws of Malaysia with a view
as well as to ensure that the CNII to enhance the existing legislative
sectors are protected to a level and regulatory framework used
that commensurate with the risks to combat cybercrime. The
faced. amendments to certain laws are
now in progress, where the AGC
The establishment of the National collaborates with law enforcement
Cyber Security Agency (NACSA) agencies and other relevant
further reaffirmed the growing government bodies.
importance of cyber issues to
Malaysia’s national security. Furthermore, a national policy
NACSA is a dedicated agency that and procedure in managing
oversees all national cyber security cyber crises has been formulated
functions formed under the aegis to ensure that cyber attacks
of the National Security Council and cyber incidents are being
(NSC). NACSA was established managed proactively through
as a response to the dynamic a coordinated approach at the
nature, increasing sophistication, national level. This initiative is
global nature and heighten socio- closely guided by the National
economic impact of cyber security Security Council’s Directive
threats. It serves as the lead No 24: Policy and Mechanism
agency that integrates the existing of the National Cyber Crisis
cyber security capabilities. This Management, an executive
includes combating cybercrime directive that outlines the
in a strategic and coordinated nation’s strategy for ‘cyber crisis
manner in partnership with mitigation and response’ through
the private sector and other public and private collaboration
governments. and coordination. There are six
(6) main principles under this
The efforts are ongoing to directive namely national cyber
assess the current legislative crisis management structure;
framework for cybercrime issues national cyber-threat levels;
and cases. In order to adapt to Computer Emergency Response
the ever-changing landscape of Team (CERT); cyber security
cyberspace, existing laws need protection mechanisms; response,
to be enhanced to effectively communication and coordination
address the legal challenges procedures; and a readiness
in taking action against cyber programme.
criminals. The Attorney General’s
Chambers (AGC) led the review
The government has also established
the National Cyber Coordination and
Command Centre (NC4), a centre that
deals with cyber threats and crises at the
national level. The NC4 was developed
under the purview of the NACSA as a
central coordination and command facility
responsible for managing cyber security
at the national level, including mitigation,
preparedness and response functions at a
strategic and tactical level. It is connected
to the entire main cyber security-operating
centre (SOC) in Malaysia namely MCMC
Network Security Centre, Government
Integrated Telecommunications Network
(GITN) SOC, Cyber Defence Operation
Centre (CDOC) and Cybersecurity Malaysia
SOC. It has the ability to determine the
national cyber security threat level and
assess the impact of the threats to the
country.
Malaysia has also implemented the initiative

to ensure the adoption and certification of
the CNII agencies (public and private) to
the MS ISO/IEC 27001: Information Security
Management Systems standard and other
related certifications. This initiative is to
ensure the CNII agencies and organisations
have the necessary information security
protection in place and are in compliance
with the standard. Appropriate measures
will also be prepared to protect other non-
CNII sectors such as the manufacturing,
construction, education and retail since
cyber threats and attacks in these sectors
also pose risks to the overall economic
wellbeing and security of the nation.
Another important cyber security On another front, Malaysia has

initiative that has been conducted also been actively creating
for the past decade is the National awareness and capacity building
Cyber Crisis Exercise (also known programmes. Whilst the rapid of
as X-Maya). The exercise was ICT, bring benefits and advantages
designed to test the effectiveness to our citizen, it is also carries
of the procedures that have been risks to the nation’s economy,
developed under the National social harmony and security.
Cyber Crisis Management Plan To manage such risks, public
(NCCMP) and to assess the awareness is crucial. Agencies
readiness and preparedness of have been carrying out various
critical national infrastructure awareness programmes to
agencies against cyber-attacks. educate Malaysians. As a mean
To date, six (6) national cyber crisis to coordinate these programmes,
exercises have been organised NACSA is developing the National
with the participation from more Cyber Security Awareness Master
than 100 public and private Plan. This Master Plan aims to
agencies across the 10 CNIIs. increase the level of cyber security
awareness among Malaysian
cyber citizens through concerted coordinated mechanism and clear

and effective programmes and measurement. It will start from the
initiatives. Under this Master Plan, development of school curricula in
four (4) main target groups, cyber security; followed by focus-
(kids, youth, adults/parents and based skills at the institutions of
organisations), were identified for higher learning; and training and
specific cyber security awareness skills development schemes for
programmes and initiatives. expert and non-experts in both
This Master Plan outlines an public and private sectors. The
implementation strategy to ensure government will further enhance
it achieves its anticipated goals the current initiatives especially
and objectives. the Centre of Excellence, a
collaboration with the local
To address the critical shortage of universities to address the shortage
skilled cyber security professionals, of local talent in the cyber security
a comprehensive capacity workforce.
building plan on cyber security
will be established riding on the
existing initiatives with a more
NATIONAL CYBER
DRILL EXERCISE
X-Maya is a National Cyber Crisis Exercise, a large scale cyber-attack
simulation on Critical National Information Infrastructure
Objectives
• To exercise the workability, identify the gaps and further
improve the National Cyber Security Response, 2008 2009
10 28
Communication & Coordination Procedure
• To raise awareness of the national security impact

associated with a significant cyber incident amongst all Agencies Agencies
participants
2010 2011
• To familiarise the participants with cyber incident
handling experience 34 66
Agencies Agencies
• To test the capability of CNII agencies/organisations in
dealing with significant cyber incidents and workability 2013 2017
96 100
of internal incident handling procedure within CNII
agencies /organisations
• To familiarise communications between CNII agencies Agencies Agencies

/organisations with their respective Sector Leads when
cyber incidents occur
It is crucial to acknowledge that also to support the government
the security of cyberspace is agenda in the digital economy,
paramount, now more than ever. Industry 4.0 and the adoption
In the past, we have seen how of other disruptive technologies
the infrastructure of nations and for Malaysia’s advancement.
businesses were brought down with This Strategy will replace the
significant financial implications. existing NCSP as it is developed
to be more inclusive and
This is not a far-fetched scenario for comprehensive covering
Malaysia, especially if we refer to protection of CNII, businesses,
the results of a study conducted by industries and also citizen. This
Microsoft in collaboration with Frost document includes specific
& Sullivan on Understanding the Pillars to define key areas of our
Cybersecurity Threat Landscape concern as well as the necessary
in Asia Pacific : Securing the strategies for each of them. Each
Modern Enterprise in a Digital strategy will in turn comprise
World published in July 2018. The of a number of action plans
study revealed that the potential and measurement mechanisms
economic loss in Malaysia due that will be implemented within
to cyber security incidents could the effective period of this
hit up to RM51 billion, which is document. Regardless of those
more than 4% of the total Gross mechanisms we need to, we have
Domestic Product. to realistically remind ourselves
that none of these strategies
As the foundations of our economy will be effective in combating
become increasingly rooted in cyber security issues without the
digital technologies, Malaysia will cooperation from all stakeholders.
model and promote standards
that protect our economic security Cyber threats are persistent
and reinforce the vitality of the and there will always be the
nation as a viable marketplace risk of targeted cyberattacks of
and source of innovation. This massive scale and consequences.
will include, among others, the Such threats can never truly be
initiatives to promote local industry eradicated as long as everything
in emerging technologies and 5G. stays connected. Yet, they can
be mitigated. For this to happen,
The Malaysia Cyber Security everyone will have to play
Strategy (MCSS) has been their role and work together to
designed with tools to provide enhance Malaysia’s overall cyber
trust in our cyber environment security readiness, capacity and
not only for national security, but capabilities.
Malaysia cyberspace is
secured, trusted
and resilient, fostering
economic prosperity and
citizens’ well-being
Fortifying local capabilities to
predict, detect, deter and respond

to cyber threats through structured governance,
competence people, support best practices
processes and deploy effective technology
CYBER SECURITY LANDSCAPE

AND ECOSYSTEM
According to the Digital Crimes Unit of Microsoft Asia (January

2019), roughly 720 people become preys to cyber criminals all
over the world in every minute which translates to more than
1 million victims every day. In 2018, the Royal Malaysia Police
had to deal with 10,742 cybercrime cases with an estimated
loss amounting to almost RM400 million, while in 2019, the
number has increased to 11,875 cases with an estimated
loss to almost RM500 million. The numbers may be shocking
to some but not if we consider the fact that cyber criminals
these days are no longer conduct hacking merely out of
curiosity or to test their intrusion and penetration skills, but also
for economic gain.
Cybercrime Statistics (2018 & 2019)
No of cases
1400
1,242
1200
1,074 1,138
1,149 1,054 1,182 1,108
978 1,216 1,084
910
1000
1,017
1,051 741 1,058
800 620 939 867
849
794 678
600 684 632
597
400
200
0
January
February
March
April
May
June
July
August
September
October
November
December
2018 Total Case :
10,742 2019 Total Case :
11,875
Estimated Loss :
RM397,944,265 Estimated Loss :
RM497, 719, 498
SOURCE: Royal Malaysian Police
NC4 reporting reveals that cyber intrusions at 2,076 and 1,270 cases,
security incidents are increasing respectively. However, in 2019 the
since 2016 to 2018. In 2018, a total number of incidents reported
total of 5,627 cyber security to NC4 has shown a significant
incidents were reported to the decreased to 3,787 cases
NC4 compared to 2,981 in 2017 compared to 2018. This reflects
and 2,429 a year before that. the effectiveness of proactive
Malicious software infections top measures that has been put in
the rest with 2,244 cases, followed place to secure our cyberspace.
by intrusion attempts and actual
Cyber Security Incidents (2016 - 2019)

2016 2017 2018 2019
DOS / DDoS 49 37 19 14
Intrusion 1,754 1,910 1,270 1,297
Instrusion Attempt 228 225 2,076 256
Malware Infection 372 752 2,244 2,154
Malware Hosting 0 0 15 6
Potential Attacks 26 57 3 60
2,429 2,981 5,627 3,787

Malaysia is also a target of government, while respecting the

Advanced Persistent Threat (APT) right to freedom of speech.
attacks, with the most recent
incident manifested by way of As Malaysia continues to embrace
email spear phishing. These threats digital technologies, there is an
can escalate further given that increasing need to streamline
many Malaysian organisations the management of cybercrimes
continue to operate a number of and incidents to assure the public
legacy and unsupported systems, that all cybercrimes and incidents
which can no longer be updated will be handled appropriately
with the latest security patches. and effectively by the respective
These legacy systems may have law enforcement agencies.
multiple vulnerabilities, which are There is a need to eliminate
susceptible to attack payloads duplicative efforts and maximise
and tools available to cyber resource utilisation among the law
criminals. enforcement agencies.
There are also concerns about One of the main reasons for the
the increasing number of content- establishment of NACSA was to
related issues in Malaysian coordinate and complement all
cyberspace. While these incidents efforts on cyber security to make
are relatively still small in number, sure that all aspects are given
the impact on the nation is not. due attention. While focusing on
Given the speedy and widespread cyber security policy, governance
nature of the Internet as a medium and coordination matters, NACSA
of delivery, the effects of content- will also be administering other
related issues are potentially areas of concern, which will be
more detrimental and damaging. mandated to specialised agencies.
For this reason, Internet-based
contents, in the form of fake news, Efforts concerning other
misinformation, contents that are target areas, namely the CNII,
seditious and slanderous in nature, cybercrime, awareness, capacity
or with racial or religious overtones, building and international
are taken very seriously by the cooperation will be delegated to
selected groups of lead agencies, implementation of the strategy,

law enforcement arms and an effective ecosystem and
institutions that have the relevant governance, this Strategy will
expertise and direct responsibility, outline the roles and responsibilities
as well as the required capacity of agencies involved in managing
and capability to deal with the national cyber security. This
related issues and initiatives. will be realised by legislating a
new National Security Council’s
In Cyber Security Ecosystem, Directive, which will elucidate our
NACSA will serve as the focal point enhanced national cyber security
on all matters related to cyber governance arrangements and
security that also spans vertically the restructuring of committees
to include other existing and directly responsible for national
aligned national initiatives such cyber security, and delineating the
as the Digital Infrastructure, Digital exact roles and responsibilities of
Trade, National Security, Digital all relevant agencies.
Malaysia and Digital Government.
NACSA serves as an entity that
is responsible for streamlining
all cyber security planning,
development and implementation.
To ensure the successful
ISSUES AND CHALLENGES

Due to the borderless nature of (also known as Nigerian Scam) and
cyber threats, it can be safely e-financial fraud are among the
assumed that any or all of them most prominent threats. Such cases
can befall upon any nation. To have been known to cause huge
date, Internet-related fraud has monetary losses to the victims. If
been the most prevalent cyber this trend is sustained, Malaysians
threat in Malaysia. This is supported will project a greater concern in
by the cybercrime reports doing business through an online
received by Royal Malaysian platform, which indirectly erodes
Police in 2018 and 2019 which the consumers’ confidence in our
shows that telecommunication cyber security measures.
fraud, e-commerce, 419 scam
Cybercrime Statistics By Offences (2018 & 2019)
No of cases
6000 5,956
5000 2019
4000 5,732 2018

3,520
3000
3,325
2000
1,708
1000 1,536 869
500 45 103
63 26 146
2 119
57 377 3
30
0
419 Scam
Personal Data
E-Commerce Fraud
Intellectual Property
Infringement
Breaches
Obscene, indecent,
offensive content
Fraud
(Nigerian Scam)
Materials
(Online Purchase)
E-Financial Fraud
Online Fake News

Pornographic
false, menacing or
Telecommunication
SOURCE: Royal Malaysian Police

However, it is important to note and networks which expose

that lack of awareness is the main them to cyber threats. As the
factor in most of these fraud cases. patient records are digitised, the
In phishing incidents, for example, risks of breach and disclosure of
people can be easily duped by confidential information are also
bogus sites and services due to rampant.
their negligence. The same goes
for scams whereby unsuspecting Clearly, much has to be done
victims would transfer huge in terms of creating awareness
amount of money to recipients among the general public.
whom they have never met and This would explain why cyber
whose identity cannot be verified security education will soon be
– all done for the expectation of introduced even as early as
an honest purchase, attractive in primary education. Cyber
investments and even promises of security awareness and education
love. aims to educate citizens from
making errors of judgement while
On another alarming note, the transacting on the Internet.
healthcare sector now has other
cyber threat concerns that are Aside from that, Malaysia is
even more worrying than the also facing a shortage in its
attacks and intrusions on electronic cyber security workforce and
medical records. Medical robotic talent gaps in many sectors. In
technology and robot-assisted today’s constantly connected
surgical procedures are now and borderless world, such
connected to computer systems inadequacy can be disastrous
to organisations. The shortage of

cyber security professionals will
leave organisations vulnerable and
exposed to untold dangers from
cyberspace.
Insider threats also remain a

significant cyber security risk to
organisations. Insiders with access
to critical information systems and
data pose a significant threats to
any organisations. There have been
numerous cases of intellectual
property theft and the leaking of
sensitive information that have
caused substantial financial and
reputational damage.
There were also incidents where

these insiders, either employees
or vendors, unknowingly became
victims of elaborate cybercrime
schemes such as through watering
hole attacks, social engineering
ploys, malware and ransomware
infections, propagation mechanism
by inserting infected USB devices
into the internal networks or
arbitrarily clicking on links found
in emails or while browsing the
Internet.
The government via its relevant

agencies and initiatives will
have to approach organisations
and institutions on best cyber
security practices. More efforts
have to be made to encourage
necessary controls over system

and data access by employees
and vendors. The implementation
of a proper Bring Your Own
Device (BYOD) policy should be
deployed by organisations and
institutions. Again, awareness also
plays an important role here in
mitigating incidents due to insider
threats, especially for those at the
management tier.
Additionally, the correct posture

and approach are needed in
dealing with the selection of
third parties/vendors, planning,
development and implementation
of ICT projects, especially those
that involve or intended for critical
establishments such as an Industrial
Control System (ICS) for CNII
agency. Security-by-Design should
be the flagship approach in ICT
project development in order to
ensure that the end products and
systems are free of vulnerabilities
and not susceptible to cyber
threats. This can only be achieved
through continuous testing,
authentication safeguards and
adherence to best practices.
Malaysia has also been facing

threats of terrorism and violent
extremism. Terrorists and violent
extremists have been using various
web services and social media as
a breeding ground to entice new
recruits, followers and supporters concerning pornography and

to their causes. Continuous efforts harmful content such as online
have been made to curb such gambling, information on illegal
threats and there have been substances, instructions to make
successful convictions in recent firearms, and misleading and false
years. Yet the ease of developing information, require a coordinated
a new website or forum for any and swift effort and commitment
agenda presents a growing by all parties, which in this case
challenge to law enforcement would be agencies and institutions
agencies. that are directly responsible for
network accessibilities. Removal
These issues are complex due to or restriction of access to content
the varying interpretation of what that is deemed as harmful by
would and should be considered Malaysian law must be pursued.
as amounting to terrorism or
violent extremism. There has been There is also the issue of differing
a dire need of manpower and perspectives on content that
expertise to monitor and correctly may be perceived as either
identify web contents that would hate speech or seditious, or an
fall under this category. There are appropriate expression of free
also other obstacles including speech. This is often the case for
this content which is usually politically-motivated postings on
hosted by providers that are blogs and social media. While
beyond our jurisdiction. The lack there have been successful
of awareness among the general convictions from time to time, the
public concerning these types of creation and spreading of content
resources reduces the incidents of of this nature does not seem to
timely reporting of this content. be lessening, and if anything, they
seem to flourish correspondingly
Content-related issues, on the to the actual situation of the
other hand, bring a new level counterpart issues in the real world.
of complexity to the challenges
of cyberspace. Some issues
Concerns over the misuse of user All things considered, we believe

personal data are increasing at all that it is rather fair to assume
levels of society. Citizens are now that the prevailing issues and
more vigilant on how and what challenges in Malaysia’s cyber
personal information is shared. security landscape can be
The Personal Data Protection Act attributed to, first and foremost,
2010 has also helped to clarify awareness and education.
what would be considered as Technological solutions and
encroaching user privacy by controls can only do so much – it is
entities collecting user information. the netizens themselves that need
Greater effort is needed to take to have a basic grasp of cyber
strong action against those that do security essentials and related
not act appropriately to protect legislation and regulations so that
personal data. they can at least avoid the most
common pitfalls, particularly while
On the technological side, threats navigating cyberspace.
due to vulnerabilities and cyber-
attacks are consistently increasing.
This is very much due to lack of
awareness among users, both
in government institutions and
business entities; and among
individuals. Good cyber hygiene
habits - such as creating complex
passwords, consistently backing
up data, regularly updating and
upgrading software and hardware,
and limiting privileged access to
critical systems - are still lacking
among public and private sector
users.
STRATEGIC
PILLARS
STRATEGIC
PILLARS
Malaysia Cyber Security Strategy outlines our key objectives,
categorised into five strategic Pillars that will govern all
aspects of cyber security planning and implementation in
Malaysia until 2024. The Strategy is focused on the three
overriding success factors for interrelated and interdependent
organisational change, namely People, Process and
Technology.
For this purpose, People represents The Strategy also describes a

the need for knowledge, skill and number of action plans aimed
expertise enhancements as well as at increasing cyber security in
capacity and capability building various sectors of the government,
among the human capital of the businesses and society. These
digital era. Process covers the action plans will be measured
development and strengthening, accordingly to assess their
and implementation and effectiveness.
maintenance of laws, regulations,
procedures and guidelines to The five Pillars outlined in this
effectively govern our cyberspace. Strategy have been identified as
Technology covers the technology crucial for achieving Malaysia’s
required for effective cyber goals of protecting government
security implementation. and CNII networks, system and
data, as well as businesses and
citizens, while at the same time
combatting cybercrime.
1
EFFECTIVE
GOVERNANCE
AND MANAGEMENT
Effective
Governance
and Management
Experience has taught Malaysia that the most important

measure to safeguard cyberspace is effective governance
and management. The management of cyber security risks
should evolve simultaneously with the evolution of threats,
alongside the adoption of digital in doing business. Ideally, we
need a national standard on governance and management,
which allows for shared responsibility and cross-sectional
integration to optimise the efforts in dealing with any issues,
threats or breaches.
To improve national resilience for the challenges of the digital

against cyber threats, an active era (and beyond). It has to have
cyber defence approach which the necessary framework and
ranges from Advanced Persistent action plans in place, creating a
Threat to cybercrimes and partnership within the ecosystem
content-related threats is needed. that will foster close collaborations
This approach will include both among stakeholders, including
the defensive and offensive relevant government entities,
capabilities to effectively mitigate law enforcement agencies,
cyber threats, focusing on the businesses and industry leaders.
capability to detect, analyse, and Such partnerships will be made
act upon any cyber threats within possible through the establishment
our cyber defence ecosystem. of appropriate platforms for
information sharing, strategy-
In the quest to achieve greater building and resource sharing
resilience, Malaysia needs a to form a strong national cyber
functional governance and workforce to manage the ever
management system that is agile, evolving and ever increasing
adoptable and ready to cater cyber-related issues and incidents.
This Pillar aims to create effective governance and management through

three strategic initiatives, specifically by:
Enhancing Improving Strengthening

national organisation cyber security
cyber management incident
security and business management
governance operations and active
and among the cyber defence
ecosystem government,
CNII and
business
entities
This Pillar aims to achieve the clearly defining the roles and
ability to defend our networks, responsibilities of all parties within
data and systems from cyber the ecosystem. This can be
threats and subsequently respond accomplished by reviewing the
to threats effectively in a well- current roles and responsibilities
coordinated and concerted held by the existing cyber security
manner. Equally imperative is stakeholders in Malaysia.
the ability to predict and detect,
investigate and disrupt hostile Recognising the critical and
actions against the government, highly interdependent nature of
businesses and citizens of Malaysia. CNII organisations from both the
To achieve this, the government government and private sectors
shall play the crucial role of in managing cyber security risks
ensuring that all action plans are and incident responses, the
properly implemented by the government will continue to clarify
intended entities. the roles and responsibilities of
the respective organisations as
In order to enhance the national technologies evolve to ensure
cyber security governance the CNII are protected to a level
framework, we will strengthen that commensurates with the risks
governance structures by faced.
We will also identify and bridge To achieve this agenda, the

gaps in responsibilities and government has established
coordination among agencies and NACSA to serve as the central
sector leads in managing incident agency for cyber security in
response by enhancing threat Malaysia. At the moment,
information sharing platforms. At development and enhancement
present, there are various cyber efforts are now in place to
security stakeholders in Malaysia equip NACSA with the necessary
in the form of law enforcement capabilities to provide leadership
agencies and other government and guidance to all cyber security
bodies with varying degrees of organisations that will fall under
roles, jurisdiction, competence its coordination. In this respect,
and functions in the cyber security NACSA will be directly responsible
governance value chain. Agencies in overseeing the establishment
such as the MCMC, MDEC and and operations of various
CyberSecurity Malaysia focus on information sharing platforms
regulating the communications among the various stakeholders. It
and multimedia industry, driving will also be at the forefront in the
the digital economy and providing identification and management of
ICT security specialist services, risks and vulnerabilities that are of
respectively. Others like the significance and concern to the
Royal Malaysia Police and the national cyber security ecosystem.
Central Bank of Malaysia lean Subsequently, NACSA will be the
more towards law enforcement. focal point for the implementation
Whereas parent institutions such of proactive measures to protect
as the Ministry of Communications the government and CNII
and Multimedia Malaysia and the agencies’ networks, systems
Ministry of International Trade and and data and to improve inter-
Industry oversee the bigger picture agency coordination to combat
and implementation of policies. cybercrime.
For the purpose of improving the
national cyber security ecosystem, The NC4 will be the main hub of
all these resources must be pulled all other Cyber Operation Centres
together and work side by side in Malaysia. NC4’s capability
via a multi-agency coordination to predict, detect, deter and
protocol with streamlined respond will be further intensified,
processes and procedures, and strengthened and enhanced to
a well-defined scope of authority address cyber-security related
and accountability. issues.
Even though the government has including Chief Executive Officers,

led many initiatives to improve the Chief Financial Officers, Chief
current cyber security landscape, Information Officers, Chief Security
it requires the cooperation and Officers and Chief Information
collaboration of all stakeholders to Security Officers could share
achieve the mission to secure our their knowledge, thoughts,
cyberspace and provide a safer experiences and proposals. Such
environment for all Malaysians. collaboration would pave the way
An embedded and sustainable for an appropriate and systematic
approach is needed whereby sharing mechanism and platform
citizens, industry and other partners on actionable cyber threat
in the society and government, information, enhancements of
play their full part in securing cyber security coordination and
the networks, services and data. the promotion of analytical and
Therefore, efforts will also be taken technical exchanges between
to enhance collaboration and subject matter experts.
build trust among government
and CNII agencies, businesses A change management plan
and partners through information will also be prepared and
sharing and Public-Private subsequently introduced to
Partnerships. organisations that are involved
to streamline changes and
To facilitate this, we will provide improvements that are required
the engagement programmes to be in place to support
and information sharing platforms, the envisioned governance
such as conducting conferences, structure. Also, in order to provide
seminars, workshops and dialogues the necessary mechanism
where all the stakeholders, and structure for effective
Clear roles and responsibilities
Well coordinated and conserted approach
Close cooperation and collaboration

coordination, information and one of the CNII sectors. Focus will
media management, we will be be made on the development
working towards establishing the of sector specific guidelines and
National Communication Plan. This frameworks, such as maritime and
Plan is necessary to describe the aviation to accommodate current
requirements of an information cyber security needs and address
channel that is both capable the emerging threats, with a key
and quick to accommodate for attention on the convergence of
information sharing during a cyber Information Technology (IT) and
crisis or incident and will also serve Operational Technology (OT)
as the main reference to explain systems.
the roles and responsibilities of all
related agencies with regards to Hence, a government-led
media management. Technical Working Group will be
established to spearhead an in-
These are especially crucial given the depth study on laws, rules and
rapid advancements of the digital regulations as well as standards
age that foresee the expansions of and best practices in cyber
e-government initiatives, e-commerce security that have to be adhered
transactions and digital economy to by the CNII agencies. The
in our daily lives. This is with the government will also create
inclusion of Artificial Intelligence a training platform to assist
and machine learning in modern participating organisations in
systems, the increasing application complying with cyber security
of IoT in devices and peripherals, standards.
and the extensive use of complex
Industrial Control Systems. All The government will work together
of which inadvertently would with private sector entities to
open up even more avenue for promote understanding of cyber
potentials risks and threats to security risks, encourage a more
security, safety and privacy. informed risk management
decisions, and advocate
In essence, Pillar 1 initiatives investments in appropriate security
will cover the protection of measures. This will serve as an
the CNII sectors, with support effective platform of cooperation
and guidance for businesses between various public and
and individuals to mitigate private sectors thus ensuring that
cyber threats. Recognising the business entities and organisations,
importance of digital economy, as well as citizens, adopt the
the government will include security-centric norms, behaviour
Trade, Industry and Economy as and practices that are required to
stay safe in cyberspace.
We will establish a data leakage

protection mechanism through the
CNII: 11 SECTORS adoption and implementation of
policies, procedures and guidelines
National Defence related to data protection, public
and Security
key infrastructure and electronic
information management. This will be
Banking and realised through the development of
Finance data leakage protection policy and
guidelines as well as the execution
Information and of the National Cryptography Policy,
Communication which outlines the methods and
strategic approach in the use and
creation of cryptographic algorithms
Energy and cryptography products to protect
information that are of national interest.
Transportation Management of vendors that deal

with government and CNII agencies
will also be improved to minimise data
Water privacy and security risks. Awareness
initiatives will be conducted on supply
chain threats. Supply chain security
management will be integrated
Health Services
into agency procurement and risk
management process. Vendors,
products and services shall be assessed
Government
to identify those with high risk and
mitigated accordingly. Third parties that
are awarded with government projects,
Emergency
Services especially on ICT, will be required to
adhere to information security standards
and practices such as the International
Agriculture Organization for Standardization and
and Plantation
the International Electrotechnical
Commission’s ISO/IEC 27001:2013 and
ISO/IEC 27002:2013 as well as having
Trade, Industry
and Economy the necessary cyber security and
information security experts in place.
Management of the Computer measure the National Readiness
Emergency Response Teams Level through periodically-
(CERTs) will also be improved conducted studies.
and strengthened through the
enhancement and restructuring of The government will draw on its
National Cyber Security Incident capabilities to develop and apply
Response Team (CSIRT), Sector active cyber defence measures
CSIRT and Organisation CSIRT. to enhance the levels of cyber
These CSIRTs will be provided with security readiness across national
the necessary capabilities and and government networks. Cyber
capacity to handle, mitigate and security courses, content and
recover from cyber crisis and syllabuses will be developed for
incidents. Furthermore, cyber government training programmes
incident reporting will be made and for specific target groups that
mandatory for all government and will be identified based on their
CNII agencies, while businesses will roles and responsibilities. All existing
be encouraged to report them. training platforms will be utilised to
We will also develop a Vulnerability establish main training centres that
Assessment Implementation can cater for these target groups
Plan and conduct periodic risk and properly meet their needs
and vulnerability assessment on and requirements in capacity and
all critical ICT services. We will capability building efforts.
Best practices
Standards compliance
Laws, rules and regulations
Sector specific guideline

Cyber security incident Terrorism (SEARCCT) and the Royal

management will also be Malaysia Police will continue to
enhanced through the revision play their role in monitoring violent
of the National Cyber Crisis extremist activities in cyberspace.
Management Plan (NCCMP) and An integrated information sharing
its reporting mechanism by the first platform shall be developed
quarter of 2021. Cyber exercises to facilitate flow of information
at the organisational, sectoral and between agencies and towards
national levels will be implemented the general public.
according to the Cyber Exercise
Implementation Plan, of which Ultimately, under this Pillar, it is
the findings will greatly contribute expected that a new national
to the preparation of the Cyber cyber security governance
Readiness Report, planned to be structure with a clear division of
delivered by end of 2021. power and responsibilities is built
based on the foundations and
Combatting terrorists and violent principles set forth by the National
extremists’ use of the Internet will Security Council’s Directive. The
continue to be a priority area, implementation of the Malaysia
with the main objectives of: raising Cyber Security Strategy will be
awareness among the public; supervised through an annual
and preventing radicalisation and evaluation process, after which a
terrorist recruitment and fund- Malaysia Cyber Security Strategy
raising activities through digital landscape report will be prepared
platforms such as social media and presented to the stakeholders
and web portals. The Southeast for milestone reviews and further
Asia Regional Centre for Counter- deliberations.
SUMMARY
s to Address Current and Emerging
PILLAR 1: Effective Governance and Management
STRATEGY
1 Enhancing National Cyber Security Governance
and Ecosystem
• To strengthen governance and ecosystem in cyber security
• To enhance collaboration and building trust among government agencies,

CNII agencies, businesses and partners through information sharing and
effective Public-Private Partnership
• To establish and implement National Communication Mechanism for effective

coordination, information sharing and media management
STRATEGY
2 Improving Organisation Management and Business
Operation (Government, CNII and Business)
• To embed cyber security in business operation
• To enhance holistic cyber security controls in supply chain environment
• To comply to International Standard (ISMS, BCMS or equivalent) and Best Practices
• To promote the use of certified ICT security products
• To implement S-SDLC for critical Information System Development
• To establish Data Leakage Protection Mechanism

• To improve CERT Management
• To develop Vulnerability Assessment (VA) Implementation Plan and conduct

periodic risk and VA on all critical ICT services
• To measure National Readiness Level through periodical study
• To enhance Industrial Control System (ICS) Protection
STRATEGY
3 Strengthening Cyber Security Incident Management and
Active Cyber Defence
• To strengthen capacity and capability in Incident Management
• To develop capacity in combating terrorist/extremist use of Internet
• To enhance national readiness towards bigger scale and targeted cyber

attacks
CYBER SECURITY ECOSYSTEM
Policy
Governance
Coordination
Clear Roles & Responsibilities Critical National Expert Groups

Information
Infrastructure Protection
Effective Public-Private Protection of SMEs Industries

Partnership
Cybercrime
Information Exchange &
Collaboration Platform Academia &
Researchers
Awareness & Education
International
Utilisation of Capacity Building Partners
Experts
& Resources
International Cooperation
National Security & Sovereignty

NATIONAL CYBER
WORKFORCE
2
STRENGTHENING
LEGISLATIVE FRAMEWORK
AND ENFORCEMENT
Strengthening
Legislative
Framework
and Enforcement
Malaysia has a comprehensive set of cyber related laws

in South East Asia. Since the 1990s, Malaysia has introduced
numerous laws to cater for the advent of digital age and the
full spectrum of cyber issues.
EXISTING LAWS FOR CYBERCRIME AND

CYBER SECURITY ISSUES IN MALAYSIA
Criminal Procedure Code Penal Code
Sedition Act 1948 Evidence Act 1950
Defamation Act 1957 Prevention of Crime Act 1959
Official Secrets Act 1972 Trade Marks Act 1976
Patents Act 1983 Copyright Act 1987
Direct Sales and Anti-Pyramid

Computer Crimes Act 1997
Scheme Act 1993
Digital Signature Act 1997 Telemedicine Act 1997
Communications and
Consumer Protection Act 1999
Multimedia Act 1998
Optical Discs Act 2000 Child Act 2001
Anti-Money Laundering,
Anti-Terrorism Financing and Proceeds Film Censorship Act 2002
of Unlawful Activities Act 2001
Mutual Assistance in Electronic Commerce

Criminal Matters Act 2002 Act 2006
Capital Market and Electronic Government

Services Act 2007 Activities Act 2007
Personal Data Protection Security Offences

Act 2010 (Special Measures) Act 2012
Islamic Financial Services

Financial Services Act 2013
Act 2013
National Security Council

Prevention of Terrorism Act 2015
Act 2016
D
Sexual Offences Against Children Act 2017

The Computer Crimes Act 1997 was accommodate new technologies

enacted in 1997 to address crimes and to reflect new realities,
directed at computers and ICTs. especially in the cyber security
This act covers offences such as domain. The emergence of
unauthorised access to computer new cyber threats pose new
material and unauthorised challenges. Consequently,
modification of computer contents. Malaysia may need to consider
mechanisms to enable existing
As technology evolves at a laws to be applied in cyberspace,
rapid pace, Malaysia recognises and, only if required, enact new
that there are areas in the laws laws.
which need to be reviewed to
This Pillar aims to strengthen cyber security legislation and enforcement

through two strategic initiatives, specifically by:
Enhancing Malaysia’s Enhancing the capacity

cyber laws in addressing and capability of
current and emerging cybercrime enforcement
threats
The first order of this Pillar is to Malaysia is fully aware that

study and review all the existing cybercrime requires a coordinated
laws and regulations that have and cooperative international
been used to deal with cybercrime response. The cross-border nature
and cyber security cases. Findings of cybercrime creates challenges
of said efforts will not only pave in bringing cyber criminals justice.
the way for us to appropriately Recognising that effective regional
update the existing legislation and international cooperation is
and regulation but will also help crucial in combating cybercrime,
us introduce a new law in cyber Malaysia will continue enhancing
security, if deemed necessary. regional and international co-
operation through existing bilateral
and multilateral cooperation National Cybercrime Enforcement

platforms. Malaysia is also striving Plan (NCCEP). Under this Plan,
to strengthen and harmonise efforts will be taken to increase
domestic legislation with the knowledge and skill of judiciary
international conventions and members, prosecutors, law
treaties. enforcement officers and legal
practitioners so as to prepare them
Malaysia recognises that for the intricacies of cybercrimes in
the challenge presented by the digital era.
cybercrime also requires a
coordinated and an integrated An expert group will also be
national approach. Law established to identify gaps
enforcement agencies need to and required improvements
work together to address the in cybercrime enforcement.
threats. Malaysia will be taking Furthermore, we also need
steps to enhance the capacity to foster better collaboration
and capability of law enforcement between government agencies
agencies to tackle cybercrime by and key stakeholders including
developing and implementing the telecommunication companies,
industries, Internet service providers and coordinated approach in

as well as content providers both addressing cybercrime.
at national and international levels.
Law enforcement agencies will be This approach is timely since
equipped with the latest tools and fighting cybercrime requires
capability for the identification concerted efforts. In order to
of criminals / malicious parties; achieve effective investigation
and the identification, collection, and successful prosecution of
acquisition and preservation of cybercrime, a team of experts,
digital evidence. Digital forensic consisting of investigating officers
labs will be enhanced to address and forensic experts, should be
the growing complexity of established at the initial stage
cybercrime investigation. of the investigation to address
and advise on specific issues
We will also ensure that the arising during the investigation
tools and technology, as well process. The Centre will also
as capability enhancements serve as a central information
for each law enforcement sharing mechanism between law
agency are accredited, directly enforcement agencies to increase
related and the best available efficiency and to minimise delay in
to accommodate the type of investigation.
cybercrime cases that they
handle. A national working group Such endeavours follows the
on capacity building and joint study on the requirements for
collaboration with various training the establishment of more cyber
institutions will be established in courts. The first cyber court was
order to develop specific modules established in September 2016,
of training and the mechanisms and was aimed at addressing
to assess the effectiveness of such the increasing number of civil
training. and criminal cyber cases. The
dedicated cyber court will ensure
The Plan also calls for a clear and that cyber cases receive priority
streamlined coordination process with adequate levels of expertise,
among central and enforcement which will translate into efficiency
agencies. For this purpose, a in disposal of cyber cases. The
Cybercrime Coordination Centre government will also examine
will be established. The Centre will the feasibility and viability of
focus on ensuring an integrated establishing a specific unit that
combines elements from all of the Other than fostering collaborations

various government agencies that between local law enforcement
have been dealing with cyber security agencies, the Plan will also explore the
cases and incidents under one roof possibility of furthering cooperation
in order to streamline our actions and with foreign counterparts. This could
reactions. include cross-border secondments
or visiting experts’ programmes. It
A comprehensive Standard Operating is hoped that through these efforts,
Procedure (SOP) also needs to be more can be shared between like-
developed and endorsed to serve minded national agencies and experts
as a guide for law enforcement in dealing with cyber security issues
agencies in investigating cybercrime. and challenges that are common to
This is particularly important as all and borderless in nature.
cybercrime have expanded well
beyond the virtual domains and now
even interconnected with other type
of criminal activities such as human
trafficking, drug smuggling and illicit
recruitment whereby ICT tools are used
as an information, communication and
coordination platform.
SUMMARY
PILLAR 2: Strengthening Legislative Framework and

Enforcement
STRATEGY
4 Enhancing Malaysia’s Cyber Laws to
Address Current and Emerging Threats
• To enhance and review current legal frameworks to address

cybercrime
• To study the need to introduce a new law on cyber security
STRATEGY
5 Enhancing the Capacity and Capability
of Cybercrime Enforcement
• To strengthen cybercrime enforcement capacity and

capability in managing cybercrime, advanced threats and
organised syndicates
Comprehensive
SOP
Knowledge and Coordinated and

Skill an Integrated National
Approach
Adequate
Tools
Enhancing regional and international cooperation

through existing bilateral and multilateral cooperation
Strengthen cybercrime enforcement capacity &

capability in managing cybercrime, advanced threats
and organised syndicates
Review existing laws
Cyber Security Act
Enforcement Agencies Industries
National Cybercrime Telcos

Enforcement Plan
CYBERCRIME
COORDINATION Expert Groups
CENTRE
3
CATALYSING
WORLD CLASS INNOVATION,
TECHNOLOGY, R&D
AND INDUSTRY
Catalysing
World Class
Innovation,
Technology,
R&D and Industry
To ensure self-reliance and encourage economic growth,
the government plans to spur innovative cyber security
technology research and development (R&D) by local industry
players through the development of the National Cyber
Security Research and Development Roadmap and creating
a conducive domestic environment for innovation and R&D.
The key objective of the Roadmap is to spearhead innovation
in the areas of cyber security, safety and privacy protection.
Towards this end, we will establish two decades. Key areas of R&D
a R&D collaboration platform include:
between the government,
academia and industry with the • Privacy enhancing technology;
objective of generating local • Digital signature;
innovations and scaling-up • Digital identity;
existing cyber security technology • Entity authentication;
solutions. This will not only address • Encryption algorithm; and
current cyber security challenges, • Cyber physical security
but also drive local industry to
compete and thrive at the global Technologies developed have
level. been incorporated into various
systems to provide higher security
MIMOS Berhad is well positioned posture, for example Malaysian
to spearhead this initiative since Health Data Warehouse,
it has been very active and Government Online Services
productive in driving R&D in Cyber Gateway, National Cyber
security, together with partners Coordination and Command
from the academia, industry Centre, and the National Digital ID
and government, for more than Proof-of-Concept.
Appropriately, this Pillar aims to catalyse world class innovation,

technology, R&D and industry in building and strengthening the cyber
security innovation ecosystem in Malaysia through two strategic initiatives,
specifically by:
Spurring the National Cyber Security R&D

Programme
Promoting a competitive local industry and technology

The National Cyber Security

Research and Development
Roadmap, which will take into
consideration of the maturity of
R&D initiatives, will be formulated
after identifying the priority
areas and the prevailing gaps.
The Roadmap will outline short-
term, medium-term and long-
term planning to address security
challenges and opportunities
brought forward by current and
emerging technologies.
The Roadmap will be further

supported by the establishment
of a shared Centre of Excellence.
Specialised programmes will be
established to produce more local
talent and contribute towards
a sustainable and vibrant R&D
community. Collaborations will also
be fostered between universities,
educational institutions, industries
and key government stakeholder to
help design, create and introduce
more industry-oriented courses
and specialisations and thereby
increase the number of marketable
university graduate students in
cyber security-related fields of
study.
To promote the creation of local

technologies and a competitive
local industry, we plan to nurture
existing companies and create new
ventures, supported by the Public-
Private Partnership establishment
of a Cyber Security Start-Up Hub.
The Hub will help to understand
and address local cyber security
challenges so that companies or
start-ups could in turn develop
solutions and services that are
relevant and ready to serve local
needs and subsequently scale up
to meet global requirements. The
Hub will also provide incentives
and appropriate platforms for
companies to share information.
The Hub will assist companies
with marketing their products
locally and globally. A national
programme will facilitate adoption
of locally developed cyber security
products, solutions and services
within critical national infrastructure.
There will also be a notable

expansion of funding, through
additional government grants
and incentives, to help promote
the acceptance and adoption of
locally developed cyber security
products, solutions and services
by CNII organisations, including
government agencies and private
sector organisations.
SUMMARY
PILLAR 3: Catalysing World Class Innovation,

Technology, R&D and Industry
STRATEGY
6 Spurring National Cyber Security R&D
Programme
• To stimulate and encourage cross discipline research and

collaboration
STRATEGY
7 Promoting a Competitive Local Industry and
Technology
• To stimulate the creation of new local cyber security ventures

through the establishment of cyber security start-up / ideation hub
• Promote the use of local ICT security products and services and
support the growth and expansion of the local cyber security
industry
• To strengthen academic centres of excellence in universities through

collaboration with academia, educational institutes and industry
R E S E A R C H & D E V E LO P M E N T
ROADMAP
Stimulate and Encourage Spearheading Innovation

Cross Discipline Research in the Areas of
and Collaboration Cyber Security
SHARED CENTRE OF EXCELLENCE
Collaboration Platform Creating

Government-Academia- a Conducive Environment
Industry for Innovation and R&D
LO C A L I N D U S T R Y D E V E LO P M E N T
Promote the use of

local ICT security
products and services Stimulate the
and support the creation of new
growth and expansion local cyber
of the local cyber security ventures
security industry through the
establishment
of cyber security
start-up/ideation
hub
Generate local innovations

• Scaling-up existing cyber security
technology solutions
• Drive local industry
4
ENHANCING
CAPACITY AND CAPABILITY
BUILDING, AWARENESS
AND EDUCATION
Enhancing
Capacity and
Capability
Building,
Awareness and
Education
To meet the challenges of the rapidly changing nature of
cyber threats, the government will develop and implement
a comprehensive National Cyber Security Capacity and
Capability Plan that will determine the areas of expertise
and skill sets that will need to be continuously improved and
enhanced at national, sectoral and organisational levels.
Correspondingly, this Pillar aims to enhance capacity and capability
building, awareness and education through three strategic initiatives,
specifically by:
Enhancing national cyber security

capacity and capability
Enhancing cyber security awareness
Nourishing cyber security knowledge

through education
The Plan will be implemented for skilled workforce in both

by building coherent cross- the public and private sectors.
sector collaboration in strategic Specialist skill development, on the
information sharing and security other hand, requires pursuing good
awareness initiatives, deepening quality and established security
the understanding of advanced professional certifications primarily
threats, developing a culture in specific areas of cyber security
that understands security risks in domain, that are lacking in the
the context of business resiliency country.
and expanding the capability to
develop a safer and more resilient Meanwhile, awareness and
technology, as well as the ability to education would require, among
respond to advanced threats. other things, the identification of
necessary target audiences and
Malaysia has been developing content development approaches
and implementing cyber security that can enable resource
capacity and capability through sharing and collaboration. The
various ministries, agencies and government, through its various
CNII organisations. Enhancements agencies, will take up the
of national cyber security crucial role of empowering all
capacity and capability will be levels of society to understand
focused on increasing the number cyber security-related risks
of local skilled professionals and challenges, as well as the
through training and certification necessary defensive measures
programmes to meet the demands needed for safer Internet use.
The Malaysia Digital Economy

Corporation, the lead agency
for driving the digital economy in
Malaysia, will spearhead efforts to
increase the number of local skilled
professionals, which will include
talent development initiatives
through new talent, up-skilling and
re-skilling. The government will also
provide additional funding and
scholarships in order to encourage
knowledge acquisition and
enrichment among existing cyber
security professionals. This will help
develop a new generation of a
cyber security professionals, with Ehance capacity at national
the necessary education and skills. sectoral organisation
Currently, CyberSecurity Malaysia

has started its efforts to increase
the number of local cyber
security professionals through
the implementation of Global New talent up-skilling and
Accredited Cybersecurity re-skilling
Education (ACE) Scheme. It is a
holistic professional certification
scheme established indigenously to
certify and recognise cyber security
personnel in tandem with ISO/IEC
17024 on people certifications, ISO/
IEC 9000 on processes and ISO/IEC
27001 on security management.
Realising that cyber security is To name a few;

about human interaction and
attitude towards technology, • NACSA has published the 10
we will need to inculcate the Easy Steps for Cyber Security
importance of adhering to Awareness that outlines all of
cyber hygiene practices among the most sensible practices in
government and CNII entities, cyberspace;
businesses and the general public.
Currently, there are various cyber • Malaysian Modernisation and
security awareness initiatives Management Planning Unit
undertaken by relevant agencies (MAMPU) has been organising
or organisations through various cyber security awareness
approaches and target groups. programmes for public sector
such as the Cyber Security
Awareness Month and Public
Sector ICT Security Conference;
• Royal Malaysia Police through

the Be Smart campaign ensures
the community are more aware
and cautious about cybercrime;
Increase the number of local • Malaysian Communications

skilled professionals through and Multimedia Commission has
training and certification organised various programmes
programmes under the Klik Dengan Bijak®
initiative, a media and digital
literacy initiative to nurture
positive and responsible Internet
use among ICT users based on
Adhering to cyber hygiene
the Rukun Negara together with
practices
its strategic partners including
the Ministry of Communications
and Multimedia Malaysia,
Ministry of Health (MOH),
Ministry of Education (MOE),
Ministry of Women, Family and
Community Development
(MWFCD), Royal Malaysia Police,
Communications and Multimedia
Forum of Malaysia (CMCF) as well

as civil society partners such as
United Nations Children’s Fund
(UNICEF), Scouts Association
of Malaysia, Malaysian Youth
Council and others;
• Ministry of Health also has come

out with Semak Sebelum Klik
campaign;
• Chief Government Security Office

(CGSO) through the Protective
Security Training Centre provides
ICT security awareness courses to
government officer as part of its
annual cyber security awareness
programme;
• CyberSecurity Malaysia in
collaboration with MOE and DiGi
Telecommunications Sdn. Bhd.
runs the CyberSAFE campaign to
nurture positive and responsible
Internet use among ICT users; and
• Central Bank of Malaysia has

been raising awareness to all
banking users on online fraud and
safety tips for Internet banking
services.
These commendable initiatives at

the same time are experiencing
challenges in terms of resources,
coverage, approaches and
target groups that have
hindered the effectiveness of the
implementation.
To enhance Malaysia’s approach

on cyber security awareness, the
government will develop and
implement the National Cyber
Security Awareness Master Plan.
Under the Plan, the National Cyber
Security Awareness Governance
structure will be established, which
aims to develop an integrated
and concerted cyber security
awareness programme. The primary
aim of the integrated programme
is to reduce the number of cyber
incidents by running cyber security
awareness programmes and call
for actions that are more organised,
coordinated and able to reach
a wider target audience among
Malaysians.
The Plan will outline integrated

initiatives on public-private driven
collaboration and coordination,
and the mobilisation of resources
to enable a wider outreach measurement mechanism will

of programmes to kids, youth, also be appropriately devised to
adults/parents and organisations. evaluate the effectiveness of said
Initiatives by various agencies programmes and to identify ways
will also be implemented in an to improve them from time to time.
integrated and coordinated
manner to ensure a wider Cyber security will also become
coverage and bigger impact. This part of the syllabi at the primary,
will be crucial to educating citizens secondary and tertiary level of
on the necessary knowledge to education. Given the increasing
detect and avoid abuse, fraud threats from cyberspace and
and crime online, as well as to the all-embracing nature of
nurture accountable behaviour, ICT and the Internet, especially
thereby creating well-informed among the younger generation
and responsible cyber citizens. of Malaysians, we believe that it is
never too early to introduce and
At the same time, we will also be foster cyber security awareness.
working on establishing a creative Our youth needs to be equipped
content development programme with the necessary cyber security
mechanism that brings together knowledge and tools to ensure
all the stakeholders, from both safety and security.
the public and private sectors, to
share their experience and best In academia, there is a need
practices on creating awareness. to embed cyber security
It is hoped that a unified across taught courses under
national brand of cyber security ICT and Computer Engineering
awareness programme can programmes. As an example,
then be developed, one which cyber security requirements
streamlines the content of various need to be taught in Software
awareness programmes based on Programming (secure coding),
the accepted security baseline Software and System Development
framework. A corresponding Cycle (Secure SDLC), Database,
Operating Systems, Network, IT

Administration and Management,
as well as cross platform
application development. This
effort is in addition to the present
dedicated cyber security related
courses being taught in colleges
and universities.
The same effort of introducing

cyber security related issues
across non-ICT or non-Engineering
disciplines covering cyber law in
Law, FinTech in Finance, security
risk management of network ready
medical devices in Health, among
others, is necessary to enable
graduates to stay relevant and
to be able to grasp the impact of
new technological developments.
Within the Public Service

Department, there is a need
to establish cyber security as a
vertical (grade) in the government
sector to enable specialisation in
the various domains under
information security and to
enable retention of these trained
personnel within their expertise by
providing sufficient opportunities
for career growth.
SUMMARY
Pillar 4: Enhancing Capacity & Capability Building,

Awareness and Education
STRATEGY
8 Enhancing National Cyber Security
Capacity and Capability Building
• To develop National Cyber Security Capacity and Capability

Building Plan
• To develop a comprehensive plan to build adequate tools and

technology through an integrated approach
STRATEGY
9 Enhancing Cyber Security Awareness
• To improve cyber security awareness programme implementation

approach through the implementation of the National Cyber
Security Awareness Master Plan
STRATEGY
10 Nourishing Cyber Security Knowledge
Through Education
• To develop cyber security subject as one of the syllabi at the primary,

secondary and tertiary level through collaboration with Ministry of
Education
Adequate Tools
& Technology
National Cyber
Security Capacity
& Capability Building
Plan
National Cyber
Security Awareness
Master Plan
Talent
Development
Cyber Security
Education
Develop a comprehensive
plan to build adequate tools
and technology through an
integrated approach
Improve cyber security awareness

programme implementation
approach through the
implementation of the
National Cyber Security
Develop National Cyber Awareness Master Plan
Security Capacity and
Capability Building Plan Talent development
initiatives through new
talent, up-skilling and
re-skilling
Develop cyber security subject
as one of the syllabi at the
primary, secondary and tertiary
level through collaboration with
Ministry of Education
Specialised programmes will

be established to produce
more local talent
More industry-oriented courses and
specialisations and thereby increase
the number of marketable university
graduate students in cyber
security-related fields of study
5
STRENGTHENING
GLOBAL COLLABORATION
Strengthening
Global
Collaboration
In the digital age, no nation or economy can remain in a silo

in combating cyber threats. Global collaborations, including
information and knowledge sharing, as well as international
cooperation and enforcement, are crucial to effectively
counter evolving cyber threats. The nature of the Internet –
which is ambiguous and anonymous – may contribute to the
misperception, misinterpretation and misrepresentation of
cyber threats or attacks, leading to potential escalation or
tension between states. As such, it is imperative to instil trust
and transparency between states through close international
cooperation on cyber issues.
International engagement is also respecting state boundaries and

pivotal to combat cross-border sovereignty.
threats and attacks involving
multiple jurisdictions. Strong While establishing or enhancing
international engagement plays cooperation will significantly
important roles in addressing the strengthen relationships, Malaysia
challenge, particularly in expediting is also committed to adhering to
cross-border enforcement activities. the international commitments
and obligations with regard to
Fostering global collaboration cyber security (where appropriate),
is thus a key component of this be it at regional, sub-regional or
strategy. Malaysia needs to engage multilateral level. Malaysia also
with other trusted international recognises the need to build
entities to strengthen cooperation capacity in cyber diplomacy.
that is mutually beneficial, while
For that reason, this Pillar aims to strengthen global collaboration through
two strategic initiatives specifically by:
Demonstrating
Strengthening Malaysia's
international commitment in
collaboration and promoting a secure,
cooperation stable and peaceful
in cyber security cyberspace to
affairs uphold international
security
The primary element in

accomplishing the first strategic
initiative is through embedding
cyber security as a key priority
in our foreign policy. The
development of a cyber security
international engagement plan
will be the next step – it will
enable Malaysia to enhance
and coordinate its international
engagement across government.
A dedicated working group will be
established to develop this plan.
Having a comprehensive
plan will only be beneficial if
the government machinery
responsible for implementation is
well equipped with appropriate
skills and knowledge. Hence, the
relevant government agencies will
work together to embed cyber
security as one of the elements in
our diplomatic and international
affairs capacity building
programme. The aim is to ensure
that our diplomats around the
globe have a clear understanding
of key cyber security issues and
knowledge of our national context.
Malaysia will continue to foster

bilateral relations in cyber security
with other nations and identified
international organisations or
industry players through the
creation of official collaboration
instruments either by Memorandum
of Understandings, joint statements
or legal instruments. The efforts will
be followed through with practical
collaborations such as knowledge
sharing and transfers, joint R&D,
technology transfers, information
exchange and training, policy
dialogues, jointly organised
programme, and discussions on
harmonisation of legislation.
Malaysia will also continue

to actively participate and
contribute in regional, sub-
regional and multilateral cyber
security collaboration efforts
through the United Nations
(UN), the Association of South
East Asian Nations (ASEAN) and
its dialogue partners, the Asia-
Pacific Economic Cooperation
(APEC), the Commonwealth,
the Organisation of Islamic
Cooperation (OIC), the Global
Forum on Cyber Expertise (GFCE), through greater cross-border

the Asia-Pacific Computer collaboration. We will learn from
Emergency Response Team the successes and failures of
(APCERT), the Forum of Incident others in policing and enforcing
Response and Security Teams cyber security such as in dealing
(FIRST), the Council of Europe, with infringements of copyright,
and other international entities. computer-related fraud, child
Malaysia will innovate proposals pornography, online gambling
on international cyber security and violations of network security
cooperation tailored to the to help improve cyber security
interest of the respective fora in measures. Intelligence from trusted
collaboration with the identified international partners on issues
partners. Concurrently, we with implications to the nation,
will also promote international especially on critical national
collaboration in both the infrastructure, will be constantly
public and private sectors, and monitored and responded
establish strategic alliances with to accordingly. Malaysia will
international partners and entities also engage the international
that share our vision. Malaysia will platforms, primarily in international
also strive to be at the forefront of standards development and
international discussions by driving, ratification of treaties, to ensure
chairing and hosting regional and that any new international cyber
international cyber security fora as security norms being developed
well as conferences. does not contradict our national
interest.
We will intensify our efforts to
disrupt the business model and
infrastructure of organised crime
To demonstrate Malaysia’s dialogue partners with a view

commitment in promoting a to elevate trust and confidence
secure, stable and peaceful between states in cyberspace.
cyberspace with the aim of
upholding international security In taking the steps toward
as per the second strategic realizing Malaysia’s commitments
initiative, we will shape a in international cooperation, we
concerted national position on will also constantly review and
key international cyber security assess the effectiveness of efforts
issues particularly with regard and investments that have been
to norms, rules and principles of made thus far.
responsible states’ behaviour,
how international law applies In the long run, we aspire to
in cyberspace, as well as be recognised and seen as
Confidence Building Measures a country that promotes and
(CBMs). With regard to CBMs, upholds international stability in
Malaysia aims to intensify efforts cyberspace based on the existing
in driving CBMs within ASEAN international agreements on all of
in collaboration with identified these matters.
SUMMARY
Pillar 5: Strengthening Global Collaboration
STRATEGY
11 Strengthening International Collaboration
and Cooperation in Cyber Security Affairs
• To address cyber security as a priority in foreign policy
• To align domestic and International cyber security efforts
• To recognise cyber security as one of the elements in diplomatic and international

affairs
• To actively participate and contribute in key international cyber fora and

strategically collaborate with international partners
• To identify and establish formal and informal bilateral cooperation in cyber security
12
Demonstrating Malaysia's Commitment in Promoting
STRATEGY
Secure, Stable and Peaceful Cyberspace to Uphold
International Security
• To shape a concerted national position on the operationalisation of norms, rules

and principles of responsible behaviour of states and how international law
applies in cyberspace
• To continue efforts in driving regional Confidence Building Measures (CBMs)

Shape a concerted national Shape a concerted

position on norms, rules and national position on
principles of responsible norms, rules and
behaviour of states and how principles of
international law applies in responsible
cyberspace behaviour of states
and how
international law
applies in
cyberspace
Continue
efforts in driving
regional Address
Confidence cyber
Building security as a
Measures(CBMs) priority in
foreign policy
Align domestic
and international
cyber security
efforts
Actively participate and

contribute in key international
cyber fora and strategically Identify and establish formal
collaborate with international & informal cooperation in
partners cyber security
Recognise cyber security
as one of the elements in
diplomatic and
international affairs
CONCLUSION
Malaysia has committed to providing a cyberspace that is

secure, trusted and resilient, and also encourages economic
prosperity and supports social well-being. We are confident
that this can be accomplished by strengthening our
capabilities to predict, detect, deter and respond to cyber
threats.
In the face of constantly changing operating in the event of a cyber

cyber threats, Malaysia needs to incident.
be prepared, more than ever,
to protect its national security NACSA will play its part in providing
and sovereignty. Although the cyber security guidance and
global community agrees on the coordination while keeping pace
importance of cyber threats, there with existing and emerging cyber
are still continuing discussions at threats and the development
the regional and international of new technologies. All the
levels as to how to effectively necessary steps will be taken to
combat them. There will always ensure ease of access and sharing
be questions on how far a nation of threat information among
can or should go in responding to government entities, businesses
what it perceives as a threat to its and the general public. NACSA
national security and sovereignty, will also provide advice on the
and the complexities surrounding risks and the actions necessary to
such a situation when the cyber mitigate them.
incidents are cross-border in
nature. However, the effort to develop
such competencies has to
The Malaysian government will be supported by a structured
strive to meet its responsibilities governance that provides the
and lead the national response; means, funding and facility
however, businesses, organisations required to cultivate a competent
and individual citizens also workforce, maintain the
have to play their roles and appropriate standards, policies
take reasonable cyber hygiene and best practices, and implement
measures to protect themselves the most effective approach and
and ensure that they are cyber solutions to address cyber security
resilient and able to continue issues.
The main duty of the government To support the national interest,

is and will always be to defend the Malaysia needs a class of
nation, its economy and prosperity competency, capability and
as well as its citizens from threat awareness that can truly safeguard
and harm by internal and external the national cyberspace, its
factors, be it from cyberspace or critical sectors, businesses and
otherwise. It is therefore pertinent most importantly the well-being of
for Malaysia to set the rules, its citizens, not only from external
standards and expectations over threats but also those from within.
all elements and entities under It is also important to highlight that
its control and responsibility in while we will always uphold the
order to ensure a safe and secure right to a free cyberspace, we also
cyberspace; and to collaborate acknowledge that constraints and
with trusted parties from the controls are still needed at some
international community that share levels of access and provision to
the same objective and aspiration. ensure that our intrinsic values as a
multi-racial nation and society are
For all these to be realised, there protected and kept intact.
has to be a sense of inclusiveness,
first and foremost, among all the In the long run, this can significantly
stakeholders at the national level. assist in ensuring uniformity in the
Securing the national cyberspace adoption and implementation
will indeed require a collective of standards, policies and
effort. All roles and functions within guidelines among all cyber security
the cyber security ecosystem stakeholders in Malaysia. Again,
that are outlined by the strategies we should remind ourselves that
are eventually connected any strategy or planning will only
and interdependent with one be as good as the people behind
another, which clearly show that it. Therefore, for the next five years,
cooperation will always be a key everybody must pull together or
aspect in ensuring success, security face the risk of getting left behind
and peace. in the digital era.
ACKNOWLEDGEMENT
In the journey of the development of the Malaysia Cyber Security Strategy
(MCSS), an extensive deliberations, engagements and dialogues with a range
of stakeholders has been carried out to gather inputs, feedbacks and insight
from their point of view. A series of workshops, seminars and conferences has
been conducted which involved government ministries and agencies, CNII
agencies, enforcement agencies, industry, businesses, academia, non-gov-
ernment organisations as well as the public.
On the other hand, Academy of Sciences Malaysia (ASM) has conducted an

exercise to understand the issues and challenges that affect the national in-
frastructures, businesses and the well-being of citizens, as well as to identify the
gaps in cyber security in Malaysia. As a result, ASM has produce an advisory
report which outline the relevant strategies and specific recommendations to-
wards ensuring a safe and secure national cyber environment. The advisory
report also being used as a reference in developing the Malaysia Cyber Secu-
rity Strategy.
On that note, the Government would like to express an appreciation to every-

one for their commitment, contribution and efforts towards the completion of
MCSS.
A token of appreciation to:

Ministry of International Trade and Industry
Ministry of Defence
Ministry of Finance
Ministry of Education
Ministry of Transport
Ministry of Women, Family and Community Development
Ministry of Higher Education
Ministry of Home Affairs
Ministry of Communications and Multimedia Malaysia
Ministry of Foreign Affairs
Ministry of Science, Technology and Innovation
Ministry of Health
Ministry of Domestic Trade and Consumer Affairs
Ministry of Youth and Sports
Attorney General’s Chambers
The Office of Chief Government Security Officer
Malaysian Administrative Modernisation and Management Planning Unit
Economic Planning Unit, Prime Minister’s Department
Implementation Coordination Unit, Prime Minister’s Department
Public Service Department
Royal Malaysia Police
Department of Personal Data Protection
Department of National Unity and National Integration
Department of Islamic Development Malaysia
Department of Federal Territory Islamic Affairs
Defence Intelligence Staff Division, Ministry of Defence
Southeast Asia Regional Centre for Counter Terrorism
Council of Trust for the People
Central Bank of Malaysia
Malaysian Communications and Multimedia Commission
Securities Commission Malaysia
National Water Services Commission
Energy Commission
Companies Commission of Malaysia
Malaysian Aviation Commission
Bursa Malaysia
Inland Revenue Board of Malaysia
Intellectual Property Corporation of Malaysia
Technology Depository Agency Berhad
Malaysian Industry-Government Group for High Technology

Malaysia Digital Economy Corporation Sdn Bhd
SME Corporation Malaysia
MIMOS Berhad
CyberSecurity Malaysia
Communications and Multimedia Content Forum of Malaysia
Academy of Sciences Malaysia
Malaysia Airlines Berhad
Telekom Malaysia Berhad
GITN Sdn Berhad
Malayan Banking Berhad
Malaysian Social Institute
Science & Technology Research Institute for Defence
Institute for Youth Research Malaysia
Institute of Strategic and International Studies Malaysia
Retirement Trust Fund
Muslim Youth Movement of Malaysia
International Islamic University Malaysia
National Defence University of Malaysia
Technology University of Malaysia
Technical University of Malaysia Malacca
Association of Banks in Malaysia
Association of Islamic Banking Institutions Malaysia
National Tech Association of Malaysia
Childline Malaysia
Generasi Gemilang Foundation
Microsoft Malaysia
Mudah.my Sdn Bhd
Pos Digicert Sdn Bhd
DiGi Telecommunications Sdn Bhd
Commercial Circle Sdn Bhd
Cyber Intelligence Sdn. Bhd
Firmus Sdn Bhd
Informology Sdn Bhd
LGMS / LE Global Services Sdn Bhd
NanoSec
Netbytesec Sdn Bhd
OWASP
Phoenix Pinnacle Sdn Bhd
Rawsec
Techforte Sdn Bhd
ABBREVIATIONS
AGC Attorney General’s Chambers
AI Artificial Intelligence
APCERT Asia-Pacific Computer Emergency Response Team
APEC Asia-Pacific Economic Cooperation
APT Advanced Persistent Threat
ASEAN Association of South East Asian Nations
BYOD Bring Your Own Device
CBMs Confidence Building Measures
CERT Computer Emergency Response Team
CGSO Chief Government Security Office
CMCF Communications and Multimedia Forum of Malaysia
CNII Critical National Information Infrastructure
CSIRT Cyber Security Incident Response Team
FIRST Forum of Incident Response and Security Teams
GFCE Global Forum on Cyber Expertise
ICS Industrial Control System
ICT Information and Communications Technology
IoT Internet of Things
IT Information Technology
MAMPU Malaysian Modernisation and Management Planning Unit
MCMC Malaysian Communications and Multimedia Commission
MCSS Malaysia Cyber Security Strategy
MDEC Malaysia Digital Economy Corporation
MOE Ministry of Education
MOH Ministry of Health
MWFCD Ministry of Women, Family and Community Development
NACSA National Cyber Security Agency
NC4 National Cyber Coordination and Command Centre
NCCEP National Cybercrime Enforcement Plan
NCCMP National Cyber Crisis Management Plan
NCSP National Cyber Security Policy
NSC National Security Council
OIC Organisation of Islamic Cooperation
OT Operational Technology
R&D Research and Development
SEARCCT Southeast Asia Regional Centre for Counter-Terrorism
SOP Standard Operating Procedures
UN United Nations
UNICEF United Nations Children’s Fund
Level LG & G, West Wing
Perdana Putra Building
Federal Government Administrative Centre
62502 Putrajaya
MALAYSIA

MalaysiaCyberSecurityStrategy2020-2024

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MalaysiaCyberSecurityStrategy2020-2024

Uploaded by

Copyright:

Available Formats

2 Malaysia Cyber Security Strategy 2020-2024

Malaysia has been rapidly ushered into the digital age,

Malaysia has also implemented the initiative

Another important cyber security On another front, Malaysia has

cyber citizens through concerted coordinated mechanism and clear

• To raise awareness of the national security impact

• To familiarise communications between CNII agencies Agencies Agencies

Fortifying local capabilities to

predict, detect, deter and respond

CYBER SECURITY LANDSCAPE

According to the Digital Crimes Unit of Microsoft Asia (January

Cyber Security Incidents (2016 - 2019)

Intrusion 1,754 1,910 1,270 1,297

Instrusion Attempt 228 225 2,076 256

Malware Infection 372 752 2,244 2,154

2,429 2,981 5,627 3,787

Malaysia is also a target of government, while respecting the

selected groups of lead agencies, implementation of the strategy,

ISSUES AND CHALLENGES

Cybercrime Statistics By Offences (2018 & 2019)

4000 5,732 2018

1000 1,536 869

Online Fake News

SOURCE: Royal Malaysian Police

However, it is important to note and networks which expose

to organisations. The shortage of

Insider threats also remain a

There were also incidents where

The government via its relevant

necessary controls over system

Additionally, the correct posture

Malaysia has also been facing

recruits, followers and supporters concerning pornography and

Concerns over the misuse of user All things considered, we believe

For this purpose, People represents The Strategy also describes a

Experience has taught Malaysia that the most important

To improve national resilience for the challenges of the digital

This Pillar aims to create effective governance and management through

Enhancing Improving Strengthening

We will also identify and bridge To achieve this agenda, the

Even though the government has including Chief Executive Officers,

Clear roles and responsibilities

Well coordinated and conserted approach

Close cooperation and collaboration

We will establish a data leakage

Transportation Management of vendors that deal

Laws, rules and regulations

Sector specific guideline

Cyber security incident Terrorism (SEARCCT) and the Royal

PILLAR 1: Effective Governance and Management

• To strengthen governance and ecosystem in cyber security

• To enhance collaboration and building trust among government agencies,

• To establish and implement National Communication Mechanism for effective

• To embed cyber security in business operation

• To enhance holistic cyber security controls in supply chain environment

• To comply to International Standard (ISMS, BCMS or equivalent) and Best Practices

• To promote the use of certified ICT security products

• To implement S-SDLC for critical Information System Development

• To establish Data Leakage Protection Mechanism

• To develop Vulnerability Assessment (VA) Implementation Plan and conduct

• To measure National Readiness Level through periodical study

• To enhance Industrial Control System (ICS) Protection

• To strengthen capacity and capability in Incident Management

• To develop capacity in combating terrorist/extremist use of Internet