Four prongs of proactivecyber vigilanceare what the country’s National Cybersecurity Agency aims to establish with Act 854

As global cyber threats grow in sophistication and frequency, Malaysia’s National Cyber Security Agency (NACSA) has also stepped up efforts to safeguard the country’s infrastructure.

The agency’s CEO, Dr Megat Zuhairy Megat Tajuddin, has established a dedicated Cyber Security Act of June 2024 (Act 854) that is deemed to be a monumental step forward in the country’s commitment to provide much-needed clarity for industries, particularly in understanding the legal ramifications of non-compliance.

One notable observation from his experience with the Cyber Security Act was the overwhelming support from key sectors, including the National Critical Information Infrastructure (NCII). “Once entities are identified as NCII, they are bound by the law, and non-compliance could result in serious penalties. However, the industry has embraced the Act because it offers a clear justification for securing resources and funding for robust cybersecurity measures,” said Dr Megat, who also expounded on other thrusts of the Cyber Security Act.

Four imperatives of the Cyber Security Act

As Malaysia’s digital sector contributes to 25% of its GDP, cybersecurity is not just a technical concern but an economic imperative: “We’ve been promoting digital transformation since 1996. This maturity means that industries now understand they must protect themselves. The government’s role is to ensure that this understanding translates into action, and we need to continue supporting that process,” Dr Megat explained.

In fact, the Cyber Security Act also focuses on three other imperatives:

  • Intra-regional cyber cooperation: NACSA has cultivated strong partnerships with regional and global cybersecurity agencies. This cooperation is crucial not just for Malaysia, but for the entire ASEAN region, said Dr. Megat: “We have extensive collaborations with our counterparts across the globe through memorandums of understanding. We attend global forums with the perspective that cybersecurity is a shared responsibility. We cannot operate in silos — cyber threats do not recognize borders.”

    This spirit of collaboration extends to emerging technological threats, particularly with the advent of AI and quantum computing. Malaysia is preparing for these shifts with a robust post-quantum cryptography (PQC) initiative, the CEO noted: “We’ve already received a commitment from our Prime Minister to expedite this effort,” citing the collaborative commitments with University Putra Malaysia on PQC research.
  • Public-Private Partnerships: While the government is taking the lead, the private sector’s involvement remains indispensable. “We’re working with industry leaders… to develop hardware-based solutions that integrate PQC with semiconductor technology,” said Dr. Megat. This collaboration, he added, will be critical in safeguarding the country once quantum computing becomes commercially available.

    The increasing interdependence between the government and private entities is a defining characteristic of Malaysia’s cybersecurity landscape, Dr. Megat added. NACSA has taken deliberate steps to ensure that this relationship is collaborative rather than regulatory. “In the past, regulators were often viewed as unfriendly to industry. But cybersecurity is different. It’s about shared responsibility. The government cannot set standards and expect the industry to comply unless we work together.”

    A key part of this collaboration lies in talent development. Both the private sector and the government must play a role in producing and retaining talent, he said. Malaysia is already seeing positive developments in this regard, with both regulators and industry players recognizing the need for partnerships rather than penalties.
  • Protecting Critical Infrastructure: NACSA has identified 11 key sectors — spanning energy, finance, and healthcare — as primary targets for cyberattacks. “We’ve defined around 30 sector leads responsible for identifying and protecting critical infrastructure. Once defined as critical infrastructure, incumbent NCII must protect themselves, report incidents, and mitigate potential impacts. This fosters resilience within the organizations and contributes to the nation’s overall security,” said Dr. Megat.

Looking to the future

The nation’s proactive stance towards cyber vigilance — marked by legislative frameworks, public-private collaboration, and international cooperation — will put the country on guard against emerging threats such as AI and quantum computing.

However, the road ahead will not be without challenges. Dr Megat commented: “While we’re heading in the right direction, we need continued support from the government and industry alike to truly secure our future. For Malaysia, and indeed the broader ASEAN region, cybersecurity is not just about defense — it’s about creating a digital ecosystem where businesses and individuals can thrive securely in an increasingly interconnected world.”