Comparing Singapore’s and Malaysia’s cybersecurity plans

Earlier this month, the Singapore government released its Safer Cyberspace Masterplan 2020, which builds on the government’s 2016 Cybersecurity Strategy with the goal of boosting cybersecurity on three specific fronts: core digital infrastructure, enterprises and consumers.

A week later, the Malaysian government launched its own plan: Malaysia Cyber Security Strategy (MCSS) 2020-2024, which – as the name implies – has a much broader scope covering everything from governance and legislation to R&D, education and global collaboration.

Given the timing of both launches, it’s tempting to contrast and compare them, although such comparisons arguably wouldn’t be fair. While both plans have their differences, that’s only to be expected – any given country’s cybersecurity strategy must be tailored to its specific needs, which are in part determined by how far advanced it is in terms of connectivity, digital services and existing policies and security practices.

That said, one striking similarity between both plans is the emphasis on incorporating enterprises and individual consumers into the mix. The reasoning is simple: In the always-on digital era where all services are digital and everything is connected, security is so paramount that everyone needs to take at least some responsibility.

The plans explained

Briefly, here’s what each plan involves.

Singapore’s Safer Cyberspace Masterplan talks up the importance of “cyber safety” (as opposed to cybersecurity – see what they did there?) in the digital economy, and breaks down responsibilities into three basic provinces:

  1. IMDA and CSA will partner with 5G mobile operators to make sure Singapore’s overall digital network infrastructure is secure, as well as set up AI-powered capabilities to detect and mitigate malicious activities, particularly with regard to threats that exploit IoT devices.
  2. Enterprises and organizations will be encouraged to improve their cybersecurity postures using various initiatives like the CSA’s ‘zero-trust’ Security-as-a-Service cyber solution and Internet Cyber Hygiene Portal, as well as the government’s National Digital Identity (NDI) services. As an incentive, the government will award “SG Cyber Safe Trustmark” certificates to qualified organizations as a market differentiator.
  3. Individuals will be educated to recognize the importance of security, be aware of various threats they may encounter, and adopt cyber hygiene practices such as strong passwords, anti-virus software, and updating software as soon as new releases come out (which typically include the latest security patches). The government will also launch a Cybersecurity Labelling Scheme (CLS) for IoT devices that will alert consumers to the certified level of security for that device.

By contrast, the MCSS 2020-2024 plan is a more comprehensive beast sporting five pillars encompassing 12 strategies, 35 action plans and 113 programs to establish a nationwide cybersecurity posture. The five pillars include:

  1. Effective governance and management (i.e. beefing up Malaysia’s critical ICT infrastructure with stronger cybersecurity across government agencies, industries and supply chains)
  2. Strengthening legislative framework and enforcement (i.e. tougher updated cybersecurity laws and enforcement mechanisms)
  3. Catalysing world class innovation, technology, R&D and industry (i.e. spurring a local cybersecurity industry to develop world-class solutions that can compete against international players)
  4. Enhancing capacity & capability building, awareness and education (i.e. fostering the security skillsets and awareness to supply enough talent for Pillar 3)
  5. Strengthening global collaboration (i.e. cybersecurity as a foreign policy tool, building Malaysia into a global cybersecurity partner that other countries and businesses can trust enough to partner with)

Contrast and compare

Clearly, the Safer Cyberspace Masterplan has a more specific focus on making all stakeholders in the digital economy (government, enterprises, service providers and consumers) part of a more holistic security solution, while the MCSS has the broader objective of transforming Malaysia into a global cybersecurity powerhouse by cultivating local talent.

That said, consumer awareness is certainly part of the MCSS, if you dig down deep enough. As part of Pillar 4, the government says it will develop and implement its National Cyber Security Awareness Master Plan, which will “outline integrated initiatives on public-private driven collaboration and coordination, and the mobilisation of resources to enable a wider outreach of programmes to kids, youth, adults/parents and organisations”, with the ultimate goal of “creating well-informed and responsible cyber citizens.”

To an extent, this has already been going on in Malaysia for some time via various digital literacy and awareness initiatives launched by the Malaysian Communications and Multimedia Commission, Ministry of Health, Ministry of Education, the Royal Malaysia Police and Central Bank of Malaysia, among others. However, according to the MCSS document, such initiatives have had mixed results largely because they’re standalone initiatives with varying resources, coverage, approaches and target groups. The National Cyber Security Awareness Master Plan aims to defrag the cybersecurity education landscape with a more comprehensive and centralized effort.

Making it happen

On paper, both the Singapore and Malaysia plans are sound efforts to make security-by-design the default posture of their respective digital economies, and it’s good that both plans see ordinary users as a crucial element of that posture. After all, many ordinary users are also employees of enterprises that are also trying to instil that level of security hygiene in their workforces. Raising a generation of “responsible cyber citizens” will (hopefully) make the life of CISOs a lot easier.

However, as always, the secret will be in the execution, which naturally remains to be seen. There’s a lot that could go wrong with either plan, from the complex bureaucratic hoops of the MCSS to the Singapore plan’s reliance on certification and labelling schemes that are voluntary.

A number of security experts have reportedly said the Singapore plan is “a step in the right direction”, especially in terms of getting users involved and making security compliance a competitive advantage. Still, while market pressures might give enterprises and IoT device makers incentives to take security seriously, it would arguably take just one certified company or device being hacked to undermine trust in the whole scheme.