Malaysia-Russia bilateral engagements in cyber diplomacy

Russia is a global cyber power that cannot be ignored or sidelined.

831 0
831 0
Englis

Published by Astro Awani, image by Astro Awani.

In the age of a hyperconnected global economy, cyberspace not only opens up fundamentally new opportunities for futuristic developments but also brings in new challenges and risks, and represents one of the leading unconventional threats to global security.

For developing economies like Malaysia, digitalisation has been identified as a top priority and backbone of a high-tech economy, moving forward, especially set against the current global trend of the fourth (and now even the emerging fifth) industrial revolution of various sectors which perhaps the most familiar of which is e-commerce that uses e-payment as a medium of financial transactions.

The intensification of digital trends in Malaysia, including the one mentioned above, in terms of their mass appeal and usage, also exposes us to the dangers and heightened risks such as hacking.

In the early 2000s, the websites of Parliament and University Technology Mara (UiTM) were hacked and the contents of homepages appeared in a foreign language.

The scenario recurred in 2011 but on a broader scale when a group simply self-styled “Anonymous” threatened to expose confidential documents after successfully hacking into fifty-one government official websites. That served as a reminder of how fragile our national cyber security system had been (see, “Hackers disrupt 51 Malaysian government websites”, Reuters, 2011).

To enhance and consolidate national cyber security governance in Malaysia at the “macro”-level, the government established the National Cyber Security Agency (Nacsa) in February 2017 to coordinate the security of our Critical National Information Infrastructures (CNII).

At the “micro”-level, there’s e.g., the annual X-Maya/National Cyber Crisis Exercises jointly-organised by the National Security Council (NSC) and CyberSecurity Malaysia in collaboration with the private sector – and hence a public-private partnership (PPP) initiative – which aims at assessing the readiness of critical infrastructures against cyber-attacks to create a resilient digital environment against systemic cyber risks.

As a result, Malaysia has been successfully listed as one of the top ten countries with a high commitment to cybersecurity in the Global Cybersecurity Index 2020 report (see, “Saifuddin: Malaysia Ranked Among Top 10 Countries with Highest Commitment to Cybersecurity”, Ministry of Communications and Multimedia Malaysia/K-KOMM).

Despite the constant and repeated readiness exercises and stress tests, and also the upgrade to newer technologies or higher levels of technical/technological sophistications, the critical issue is whether or not we can still keep pace with the fast emerging and ever-rising new cyber-threats that seem to be constantly lurking “in the background”?

Since Covid-19, cybercrime has been up by 600% (as per the United Nations Office on Drugs and Crime/UNODC for Southeast Asia and the Pacific).

Global spending on cybersecurity is predicted to exceed USD1 trillion by now. According to Kaspersky, cyber-attacks grew from 32,500,000 globally in 2021 to almost 35,400,000 in 2022 (year to date).

One of the most rapidly evolving pernicious forms of cyber threats is ransomware – a type of malware that involves extortion whereby hackers prevent users from accessing data until a ransom is paid.

Ransomware is 60 times more destructive currently than it was in 2015 (as per cyber security firm, PurpleSec).

Furthermore, Norton has highlighted (from CheckPoint Software Technologies) how ransomware attacks increased by 102% in 2021 compared to the beginning of 2020, and “[show] no sign of slowing down”.

The modus operandi has even metamorphosed into Ransomware as a Service (RaaS) – where operators provide the infrastructure required to perform a ransomware attack (for “affiliates”) together with the payment portal (for victims) and also, as the case may be, the “customer service” (i.e., for overriding the ransomware concerned).

In Malaysia, more than 20,000 cybercrimes were reported in 2021 alone which involved losses of at least RM560 million. Between 2017 and 2021, the country suffered losses of about RM2.23 billion due to cybercrimes.

Along with that arises the critical question of the sufficiency and adequacy of the relevant laws in place.

The foiled cyber heist attempt on Bank Negara in 2018 which sought to facilitate unauthorised fund transfers using falsified Swift (Society for Worldwide Interbank Financial Telecommunication) messages sparked intense public outcry and nearly undermined confidence in the payments/settlements system.

The settlements system is crucial for the interbank movement and shifting/shuffling of the reserves, and the rise in the OPR (Overnight Policy Rate) could see Bank Negara intervene to manage liquidity on a more frequent basis to ensure that the target rate can be hit.

Furthermore, EPF bond holdings may come under increasing stress/pressure due to the double squeeze (as is akin to a double pincer movement in military parlance) from higher interest rates emanating domestically and overseas.

This in the local context of depleted EPF funds which might lower the local bid-to-cover auction ratio that in turn could further push up borrowing costs attractive to overseas investors but further depressing the ringgit with the sell-offs (as in outflows) in a “feedback” or “doom” loop, on the one hand.

On the other hand, the EPF might be “forced” to “cap” its allocation for bonds in favour of overseas investment to try reap higher returns amidst extreme volatility and uncertainty in the overseas markets suffering also from a self-inflicted energy crisis.

By the end of 2024, Malaysia is expected (on the optimistic side) to have 80% of densely populated areas covered by 5G networks (see, “5G Technology: Moving Industries by Leaps and Bounds”, Malaysian Investment Development Authority/MIDA). This raises concerns of potential escalation in ransomware, botnets and DDoS (Distributed Denial of Service) attacks, etc.

As the global race towards digitalisation becomes more acute, the need for cyber diplomacy will also become more vital since cyber threats (like any other global challenges) require multilateral and bilateral cooperation.

This explains the logic of state engagement in cyber diplomacy.

Cyber diplomacy is an instrument of statecraft that sovereign states use to achieve their national interest goals in cyberspace.

In the regional context, Malaysia has actively engaged in Asean-led mechanisms such as the Asean Regional Forum (ARF), Asean Network Security Action Council (Ansac), etc.

During the 5th ARF Open Ended Study Group (OESG) on Confidence Building Measures (CBMs) held in Kuala Lumpur in 2020, Russia presented a proposal to develop a lexicon of basic terms and definitions of ICT security in response to cyber incidents (which was also supported by China) – to define remedial action.

In response, the NSC via Nacsa hosted Cydes 2020 (first of its kind in the region) in June 2020 in Langkawi to discuss technological solutions to combat cyber threats by inviting ARF dialogue partners including US and Russia (see, Co-Chairs’ Minutes – 5th ARF OESG).

In continuity, Cydes 2021 placed importance on closer engagement and networking with other states and international entities as top agenda in ensuring a more secure cyberspace.

Outside of Asean and the ARF framework, the UK government has been assisting Malaysia over the past few years by sharing information through programmes like Cyber Talent (a collaboration between Asia Pacific University and MDEC/Malaysia Digital Economy Corporation) that aims to promote upskilling to address Malaysia’s growing need for cybersecurity specialists.

Furthermore, Malaysia and the US also agreed to strengthen bilateral ties last year to expand digital collaboration, particularly in cyber security (see, “Malaysia, US to strengthen cooperation on cybersecurity, digital economy”, K-KOMM).

However, engaging with our traditional friends alone is not enough.

Hence, we must take full advantage of our country’s neutral stand by developing stronger collaborative ties with non-Western countries as well.

This is in line with the broader vision of a rules-based multilateral order in cyberspace, as clearly stated in the Asean Cybersecurity Cooperation Strategy (2021-2025). 

This is why Prime Minister Ismail Sabri has stated that Asean can leverage Russia’s background, experience and expertise in digital technologies to help combat cybercrimes (see, “PM: Asean can leverage on Russia’s expertise to combat cybercrimes”, The Star, October 28, 2021).

The complexity and diversity of cyber-threats make collaboration with all parties a    vital imperative.

Although the West has rhetorically accused Russia of “cyber-aggression”, it needs to be re-stated that Malaysia’s foreign policy interests diverge significantly from the West and that we enjoy a cordial relationship with Russia.

Russia’s image in the eyes of many Malaysians is also not too unfavourable as compared to most countries in the Western hemisphere.

The US has never shared Russia’s International Information Security (IIS) approach which prioritises national sovereignty (“Global Cybersecurity at Stake Amid US and Russia’s Disagreements”, September 7, 2021) – suspecting that the real motivation is the intention to legitimise the suppression of free cyber-domains.

It cannot be emphasised too strongly, however, that Russia is a global cyber power that cannot be ignored or sidelined.

Indeed, Russia plays a critical role in the international cyber order vis-à-vis the US and has contributed significantly to the advancement of the digital security agenda in the UN and BRICs (the major emerging countries) – providing a necessary counter-balance.

Russia has extensive networks in terms of cross-border cyber-security regulations and enforcement because of its linkages with former member-states of the USSR and it’s also been claimed that Russian organised crime has been financing local Malaysian hackers (see, “Cybercrimes in the Former Soviet Union and Central and Eastern Europe: current status and key drivers”, The Quest to Cyber Superiority, 2016).

Close ties and collaboration with Russia will help to enhance our knowledge, exposure and capabilities in combatting cybercrimes, especially when the origins are outside Malaysia.

In addition, the fifth pillar under the Malaysia Cyber Security Strategy (MCSS) 2020-2024 which underlines “strengthening global collaboration”, is pivotal and should be an enabler for cyber diplomacy with other non-Asean members like Russia.

The MCSS document clearly highlights a comprehensive framework of engagement with state actors bilaterally that may include knowledge sharing, transfer of information exchange, training policy dialogues, jointly organised programmes, and discussion on the harmonisation of legislation.

To this end, it is worth mentioning that we – as a middle power – aren’t seeking “co-dependence”, but rather “diversification of relationships” (which avoids “bandwagoning” and “hedging”) with all players, including Russia.

This is important because co-dependence (i.e., too much dependence) on a particular foreign country can be risky – again not least with cybersecurity implications.

Jason Loh and Hazriq Iqmal Abdul Aziz are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.

In the age of a hyperconnected global economy, cyberspace not only opens up fundamentally new opportunities for futuristic developments but also brings in new challenges and risks, and represents one of the leading unconventional threats to global security.

For developing economies like Malaysia, digitalisation has been identified as a top priority and backbone of a high-tech economy, moving forward, especially set against the current global trend of the fourth (and now even the emerging fifth) industrial revolution of various sectors which perhaps the most familiar of which is e-commerce that uses e-payment as a medium of financial transactions.

The intensification of digital trends in Malaysia, including the one mentioned above, in terms of their mass appeal and usage, also exposes us to the dangers and heightened risks such as hacking.

In the early 2000s, the websites of Parliament and University Technology Mara (UiTM) were hacked and the contents of homepages appeared in a foreign language.

The scenario recurred in 2011 but on a broader scale when a group simply self-styled “Anonymous” threatened to expose confidential documents after successfully hacking into fifty-one government official websites. That served as a reminder of how fragile our national cyber security system had been (see, “Hackers disrupt 51 Malaysian government websites”, Reuters, 2011).

To enhance and consolidate national cyber security governance in Malaysia at the “macro”-level, the government established the National Cyber Security Agency (Nacsa) in February 2017 to coordinate the security of our Critical National Information Infrastructures (CNII).

At the “micro”-level, there’s e.g., the annual X-Maya/National Cyber Crisis Exercises jointly-organised by the National Security Council (NSC) and CyberSecurity Malaysia in collaboration with the private sector – and hence a public-private partnership (PPP) initiative – which aims at assessing the readiness of critical infrastructures against cyber-attacks to create a resilient digital environment against systemic cyber risks.

As a result, Malaysia has been successfully listed as one of the top ten countries with a high commitment to cybersecurity in the Global Cybersecurity Index 2020 report (see, “Saifuddin: Malaysia Ranked Among Top 10 Countries with Highest Commitment to Cybersecurity”, Ministry of Communications and Multimedia Malaysia/K-KOMM).

Despite the constant and repeated readiness exercises and stress tests, and also the upgrade to newer technologies or higher levels of technical/technological sophistications, the critical issue is whether or not we can still keep pace with the fast emerging and ever-rising new cyber-threats that seem to be constantly lurking “in the background”?

Since Covid-19, cybercrime has been up by 600% (as per the United Nations Office on Drugs and Crime/UNODC for Southeast Asia and the Pacific).

Global spending on cybersecurity is predicted to exceed USD1 trillion by now. According to Kaspersky, cyber-attacks grew from 32,500,000 globally in 2021 to almost 35,400,000 in 2022 (year to date).

One of the most rapidly evolving pernicious forms of cyber threats is ransomware – a type of malware that involves extortion whereby hackers prevent users from accessing data until a ransom is paid.

Ransomware is 60 times more destructive currently than it was in 2015 (as per cyber security firm, PurpleSec).

Furthermore, Norton has highlighted (from CheckPoint Software Technologies) how ransomware attacks increased by 102% in 2021 compared to the beginning of 2020, and “[show] no sign of slowing down”.

The modus operandi has even metamorphosed into Ransomware as a Service (RaaS) – where operators provide the infrastructure required to perform a ransomware attack (for “affiliates”) together with the payment portal (for victims) and also, as the case may be, the “customer service” (i.e., for overriding the ransomware concerned).

In Malaysia, more than 20,000 cybercrimes were reported in 2021 alone which involved losses of at least RM560 million. Between 2017 and 2021, the country suffered losses of about RM2.23 billion due to cybercrimes.

Along with that arises the critical question of the sufficiency and adequacy of the relevant laws in place.

The foiled cyber heist attempt on Bank Negara in 2018 which sought to facilitate unauthorised fund transfers using falsified Swift (Society for Worldwide Interbank Financial Telecommunication) messages sparked intense public outcry and nearly undermined confidence in the payments/settlements system.

The settlements system is crucial for the interbank movement and shifting/shuffling of the reserves, and the rise in the OPR (Overnight Policy Rate) could see Bank Negara intervene to manage liquidity on a more frequent basis to ensure that the target rate can be hit.

Furthermore, EPF bond holdings may come under increasing stress/pressure due to the double squeeze (as is akin to a double pincer movement in military parlance) from higher interest rates emanating domestically and overseas.

This in the local context of depleted EPF funds which might lower the local bid-to-cover auction ratio that in turn could further push up borrowing costs attractive to overseas investors but further depressing the ringgit with the sell-offs (as in outflows) in a “feedback” or “doom” loop, on the one hand.

On the other hand, the EPF might be “forced” to “cap” its allocation for bonds in favour of overseas investment to try reap higher returns amidst extreme volatility and uncertainty in the overseas markets suffering also from a self-inflicted energy crisis.

By the end of 2024, Malaysia is expected (on the optimistic side) to have 80% of densely populated areas covered by 5G networks (see, “5G Technology: Moving Industries by Leaps and Bounds”, Malaysian Investment Development Authority/MIDA). This raises concerns of potential escalation in ransomware, botnets and DDoS (Distributed Denial of Service) attacks, etc.

As the global race towards digitalisation becomes more acute, the need for cyber diplomacy will also become more vital since cyber threats (like any other global challenges) require multilateral and bilateral cooperation.

This explains the logic of state engagement in cyber diplomacy.

Cyber diplomacy is an instrument of statecraft that sovereign states use to achieve their national interest goals in cyberspace.

In the regional context, Malaysia has actively engaged in Asean-led mechanisms such as the Asean Regional Forum (ARF), Asean Network Security Action Council (Ansac), etc.

During the 5th ARF Open Ended Study Group (OESG) on Confidence Building Measures (CBMs) held in Kuala Lumpur in 2020, Russia presented a proposal to develop a lexicon of basic terms and definitions of ICT security in response to cyber incidents (which was also supported by China) – to define remedial action.

In response, the NSC via Nacsa hosted Cydes 2020 (first of its kind in the region) in June 2020 in Langkawi to discuss technological solutions to combat cyber threats by inviting ARF dialogue partners including US and Russia (see, Co-Chairs’ Minutes – 5th ARF OESG).

In continuity, Cydes 2021 placed importance on closer engagement and networking with other states and international entities as top agenda in ensuring a more secure cyberspace.

Outside of Asean and the ARF framework, the UK government has been assisting Malaysia over the past few years by sharing information through programmes like Cyber Talent (a collaboration between Asia Pacific University and MDEC/Malaysia Digital Economy Corporation) that aims to promote upskilling to address Malaysia’s growing need for cybersecurity specialists.

Furthermore, Malaysia and the US also agreed to strengthen bilateral ties last year to expand digital collaboration, particularly in cyber security (see, “Malaysia, US to strengthen cooperation on cybersecurity, digital economy”, K-KOMM).

However, engaging with our traditional friends alone is not enough.

Hence, we must take full advantage of our country’s neutral stand by developing stronger collaborative ties with non-Western countries as well.

This is in line with the broader vision of a rules-based multilateral order in cyberspace, as clearly stated in the Asean Cybersecurity Cooperation Strategy (2021-2025). 

This is why Prime Minister Ismail Sabri has stated that Asean can leverage Russia’s background, experience and expertise in digital technologies to help combat cybercrimes (see, “PM: Asean can leverage on Russia’s expertise to combat cybercrimes”, The Star, October 28, 2021).

The complexity and diversity of cyber-threats make collaboration with all parties a    vital imperative.

Although the West has rhetorically accused Russia of “cyber-aggression”, it needs to be re-stated that Malaysia’s foreign policy interests diverge significantly from the West and that we enjoy a cordial relationship with Russia.

Russia’s image in the eyes of many Malaysians is also not too unfavourable as compared to most countries in the Western hemisphere.

The US has never shared Russia’s International Information Security (IIS) approach which prioritises national sovereignty (“Global Cybersecurity at Stake Amid US and Russia’s Disagreements”, September 7, 2021) – suspecting that the real motivation is the intention to legitimise the suppression of free cyber-domains.

It cannot be emphasised too strongly, however, that Russia is a global cyber power that cannot be ignored or sidelined.

Indeed, Russia plays a critical role in the international cyber order vis-à-vis the US and has contributed significantly to the advancement of the digital security agenda in the UN and BRICs (the major emerging countries) – providing a necessary counter-balance.

Russia has extensive networks in terms of cross-border cyber-security regulations and enforcement because of its linkages with former member-states of the USSR and it’s also been claimed that Russian organised crime has been financing local Malaysian hackers (see, “Cybercrimes in the Former Soviet Union and Central and Eastern Europe: current status and key drivers”, The Quest to Cyber Superiority, 2016).

Close ties and collaboration with Russia will help to enhance our knowledge, exposure and capabilities in combatting cybercrimes, especially when the origins are outside Malaysia.

In addition, the fifth pillar under the Malaysia Cyber Security Strategy (MCSS) 2020-2024 which underlines “strengthening global collaboration”, is pivotal and should be an enabler for cyber diplomacy with other non-Asean members like Russia.

The MCSS document clearly highlights a comprehensive framework of engagement with state actors bilaterally that may include knowledge sharing, transfer of information exchange, training policy dialogues, jointly organised programmes, and discussion on the harmonisation of legislation.

To this end, it is worth mentioning that we – as a middle power – aren’t seeking “co-dependence”, but rather “diversification of relationships” (which avoids “bandwagoning” and “hedging”) with all players, including Russia.

This is important because co-dependence (i.e., too much dependence) on a particular foreign country can be risky – again not least with cybersecurity implications.

Jason Loh and Hazriq Iqmal Abdul Aziz are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.

In this article