
Speaking at the monthly gathering of his ministry here on 31 January 2023, Communications and Digital Minister Fahmi Fadzil said the government will be establishing the Malaysian Cybersecurity Commission as part of efforts to strengthen cybersecurity in the country.
He also said the proposal is now at the engagement stage with related agencies to discuss legal aspects as well as the form of the commission itself, and he hopes to table it in the Dewan Rakyat in June 2023 after receiving the approval of the Cabinet as well as the top leadership.
By now, lawmakers should increasingly recognize and realize the need to shield the country from cyber threats and the risks that come with them, internally and externally, and improve the quality of the country’s cyber defence with the ultimate goal of preventing a cyber crisis.
Presently, nations around the world manage their risks through a national agency tasked with managing the threats and risks.
There is no known regulatory agency around the world tasked with providing a framework of rules that can help prevent the excesses and failures of a market left entirely to its own devices on cyber risks and the ecosystem for cybersecurity.
Malaysia is no exception.
At present, there is no regulatory agency for improving the way rules and policies are applied consistently and uniformly across both the public and private sectors on managing cyber risks and cybersecurity in the country.
For Fahmi to embark on creating a Cybersecurity Commission, the conditions for the creation, operation and supervision of the Commission need to be coherent and transparent.
This includes, for example, the composition and method of appointing the members of the Commission, their relations within the cybersecurity ecosystem, the role played by the Commission, and its responsibilities and powers.
Is the function of the Commission primarily to provide assistance in the form of opinions and recommendations, which provide the technical basis for the Commission's decisions, or is it primarily to provide assistance in the form of inspection reports, intended to enable the Commission to meet its responsibilities as "guardian" of cybersecurity in Malaysia?
Is the Commission defining all cyber risks and potential threats?
Defining them all guarantees greater effectiveness of the Commission’s activities while ensuring that the Commission fits in fully and is up to the tasks it will be called upon to perform.
It will also facilitate the decision-making process of the Commission by ensuring that its sound organisation and operation are not prejudiced by tactical considerations connected with particular sectors or interests, and that its role as an executive instrument of the government will be governed by greater transparency.
Supervision of cyber risks and threats against the country is expected to be more rigorous and intensive than supervision in even the financial sector, which, in extreme cases, takes ownership rights away from the owners of failed or failing financial institutions.
In many of the world's hacking and cyber attacks, the lack of supervision has consistently caused or worsened the situation.
Hopefully, with a Cybersecurity Commission:
1. managing cyber threats and risks will be more effective, coherent, and transparent, and in the future, institutions in the public sector and organizations in the private sector will be held accountable for their responsibilities;
2. with its executive responsibilities, it will be able to adopt and push for measures to be implemented by institutions in the public sector and organizations in the private sector that are within the limits defined by legislation, and to ensure that appropriate control and monitoring arrangements set by the Commission are put in place for the purpose of managing cyber risks.
Clearly, the Commission fulfils a very important public service function.
Its structure must permit it to perform that function correctly.
The independence of its technical and scientific assessments, based on purely technical evaluations of very high quality, is, in fact, its real raison d’être.
Accordingly, it would be held accountable to the institutions and organisations concerned and, more generally, the public.
This also means that the Commission’s activities need to be fully transparent so that the various players concerned can effectively monitor its operations.
The Commission needs to demonstrate, and thus should be given, both autonomy and authority to instruct organizations, in both the public and private sectors, that tend to take advantage of regulatory and supervisory gaps, and to hold them accountable for their responsibilities.
In passing the laws that create this Commission, it is hoped that lawmakers properly set and define regulatory and supervisory goals. Once those laws are in force, the Commission must be free to determine how to achieve these goals, and should be held accountable if it fails to achieve them.
These rules and regulations concern the practices that public institutions and organizations in the private sector must adopt to maintain their safety and stability.
The Commission should work closely with every organization, not only inspecting and monitoring them but also enforcing sanctions – a rule-based system of sanctions and interventions – when necessary.
Decision making should be open and transparent to the extent consistent with commercial confidentiality, enabling both the public and the industry to scrutinize regulatory decisions.
The Commission's relationships with the executive, legislative, and judicial branches must be clearly defined.
The issues on which, and the form in which, it must inform or consult the Communications and Digital Minister or seek the Minister's approval must be spelt out.
The procedures by which the legislature holds the Commission to account for using the powers delegated to it must be carefully defined.
And its exercise of those powers should be subject to judicial review.
The government and the Commission need to commit to, and demonstrate that they will adhere to, the best international standards and practices in today's cyber risk environment.
If regulations diverge too far from international best practices, and supervisory practices are considered weak, foreign investors might turn their backs, cutting the country off from the benefits of foreign investment in its digital economy.
The Commission should have a clear, public statement of its objectives: for example, preserving the stability and integrity of the ecosystem of the country’s digital economy and protecting the personal data of every Malaysian from being misused or abused by hackers or cyber criminals.
The public statement would protect the Commission against spurious claims, by opportunistic politicians and the affected institutions and organizations, that it has not carried out its mandate.
A clear mandate makes it easier to measure the Commission's performance against that mandate.
Over the last few decades, the government has set up, just to name a few, the Malaysian Aviation Commission (MAVCOM), Malaysia Competition Commission (MyCC), Securities Commission (SC), Companies Commission of Malaysia (CCM), Public Services Commission (PSC), and Malaysian Communications and Multimedia Commission (MCMC).
The public can judge the effectiveness of these few Commissions and the role they are supposed to play in regulating and supervising the matters for which they were formed.
Has each of them proven to be highly effective in resolving issues, and fulfilled its pivotal role of safeguarding the rights of those it is supposed to protect, be they organizations or individuals, in the industry it regulates and supervises?
FLK is a content creator under the Newswav Creator programme.

