Distinguished guests, ladies and gentlemen.
Before I begin, allow me to extend my sincere thanks to Dr John Chipman, the director general and chief executive of the International Institute of Strategic Studies (IISS) for inviting me to speak at this prestigious forum today. I am indeed delighted to be given the opportunity to deliver this address to a group of prominent people in this august dialogue.
Ladies and gentlemen, the age of the information wave or the third wave has turned the world into a global village with extensive and wide digital connectivity. The digital era has not only influenced the manner in which nations are governed but also our day to day lives. As digital networks span over wider areas and touching much diverse groups of people, it leaves such connections vulnerable to attacks by interested parties be it state or non-state actors.
Similarly, the state of security of a nation today is greatly influenced by many both military and non-military factors. The need to monitor shifts and changes in these areas remain vital towards sound and timely decision making by the relevant parties. To afford this, the national and military command, control, communications, computer, intelligence, surveillance and reconnaissance (c4isr) systems are highly dependent upon safe and reliable networks to feed critical information. Hence, it would be to the advantage of the aggressor to possess the capability to compromise the integrity of a nation’s information network while ensuring dominance in cyberspace. That in a nutshell is the purpose of cyber warfare – both its offensive and defensive parameters.
Ladies and gentlemen, in recent conflicts, the initial engagement will be aimed towards dominating cyberspace before any physical deployment of troops or material can be conducted. Cyber warfare will then be a continuous application in any phase of the campaign until success is achieved. The ultimate endstate in this form of warfare will be to impose a state of strategic paralysis where systems are disrupted and crippled to render it useless. What remains disturbing is that cyber warfare need not be waged by state run organisations but could be conducted by non-state entities or even individuals with intent to cause disruption on the affairs of the state. Whoever the actors may be, any hostile action in cyberspace by individuals would be a criminal or hostile act while deliberate attacks by another state would tantamount to an act of war as the effects could be disastrous. To this end, much effort has been taken to ensure that systems are well protected against attacks while continuous measures are taken to dominate cyberspace. Hence, two important elements which constitutes cyber warfare would be the offensive and defensive measures.
While physical engagements especially by military forces are regulated by a number of internationally binded protocols or agreements, cyber warfare on the other hand is virtually difficult to regulate granted new breakthroughs in information technology which makes detection of any offence difficult. Hence, much emphasis is placed in creating defensive measures to ensure the continued and undisrupted use of cyberspace.
The introduction of a new dimension which is cyber warfare has sparked a virtual ‘‘arms’’ race for nations to acquire cyber warfare tools and techniques. Similarly, non-state actors and individuals have also gained capacities to threaten the various networks in cyberspace through the open market. Recent attacks of the network systems in Estonia (2007), during the Russia-Georgia conflict (2008) and the rise of "digital hacktivism" have increased the threat of cyber offensives. On the same note, highly sophisticated and high profiled hacktivist groups such as 'Anonymous’ have attacked systems of established organisations which include the United States Congress, Mastercard, Visa and Sony Playstation networks.
Closer to home, Malaysian websites were attacked by 'Anonymous' in June 2010 however with minimal impact. From January to March 2012, Malaysian Computer Emergency and Incident Response Team or MYCERT, a division of Cybersecurity Malaysia, handled a total of 3,140 cases which saw a decrease of 4.5% compared to the previous quarter. This period also noted 1,491 cases of system fraud which marked a 17.12% increase mainly in phishing activities, cheating and identity thefts. Though not triggering any critical impact, it reflects that our systems are vulnerable to attacks and if we fail to develop in tandem with the threats, I daresay that the attacks will become more malicious, devastating with far reaching impact on national security.
What remains evident is that the impact of these attacks, whether by state or non-state actors can be highly devastating, destabilising and irreparable towards national or regional security such as that in ASEAN. Increased shared awareness by ASEAN members through the use of digital networks will expose us to cyber-attacks. No doubt that each member of ASEAN would possess their own enforcement agencies and measures to protect the digital networks nonetheless, with increasing sophistication in cyber-attacks, these precautions may be left wanting. As a case in point, studies show that losses incurred through cyber security crimes amounted to rm388 billion (us$ 121.9 billion) worldwide last year. Could this be the right time to signal stronger collaboration in cyber defence amongst ASEAN members? This has been discussed in the recent ASEAN defence ministers meeting in Phonm Penh and the possibility of developing an ASEAN master plan of security connectivity was suggested.
Ladies and gentlemen, as mentioned earlier, the increase in sophistication and range of cyber-attacks would warrant a more comprehensive, holistic and sustainable form of defence. In Malaysia, the policy direction for cyber security is provided by the national cyber crisis management committee (NCMC) which operates under the national security council (nsc). Cyber related cases are monitored by Cybersecurity Malaysia of the Ministry of Science, Technology and Innovation (MOSTI). Under the Cybersecurity Malaysia flagship, MYCERT is responsible to provide computer emergency and incident response of which I have earlier mentioned. Be that as it may, the response strategy to further reinforce cyber defence in Malaysia would entail a more holistic approach covering both cyber offense and defence spectrums. The response should consider the following dynamics.
The first and fundamental dynamic of computer security is that the defender must always succeed in protecting their systems. This is because the threat posed by the attacker will continue to exist but in different forms or approaches.
The second dynamic provides the attacker advantage with the increasing growth of computer networks and connectivity. Hence the attempt to tally system connectivity could prove to be fruitless.
A third dynamic which affords benefit to the attacker would be the availability of the same technology used by the defender. This is further worsened by the easy accessibility of information on the weaknesses of the various security related hardware and software available in the market.
In a broader perspective, the need for shared awareness has resulted in the increasing span of networks which make it easier to attack. It remains important that a holistic, comprehensive and collaborative structure must be established to protect not only the networks but also the stakeholders. For that purpose, active participation in international groupings dedicated towards enhancing cyber security such as the international cyber security alliance is deemed vital. The formation of Malaysia’s global cyber security alliance is a step on the right direction in enhancing its security through greater outreach.
Ladies and gentlemen, The challenges faced in ensuring the integrity of digital networks in the future would entail the following areas.
Firstly, more and more platforms are today linked to digital networks namely unmanned aerial vehicles (UAV) and numerous forms of sensors which make up the critical intelligence, surveillance and reconnaissance (ISR) system. This expands the reach and span of these networks leaving it vulnerable to cyber-attacks.
Secondly, the open unregulated nature of the internet creates cyberspace with no physical boundaries. Cyber-attacks may originate from nowhere which leaves the need to defend a non-physical entity. This would of course incur much cost and effort to realise.
Thirdly, there is a lack of strategic intelligence on cyber threats due to the rapid development of information technology hardware and software. These cyber warfare tools are not only available to state actors but could be bought off the shelf and redesigned by non-state groups or individuals to meet offensive capacities. The speed of information technology development hinders the collection of strategic intelligence which would be required to counter the emerging threats.
Fourthly, the rapid contagion effect which would not only influence the system of a particular nation but other countries that share a common network. This would negatively affect connectivity and shared awareness.
Finally, the additional need to protect not only the network but platforms that operate within digital domains. Weapons such as the electro-magnetic pulse bomb destroy information systems by gaining entry to the networks through various sensors. As such, both these entities need to be protected in tandem.
Ladies and gentlemen, ASEAN, specifically Malaysia, is experiencing the benefits of connectivity where shared awareness amongst its members and their people would create prosperity and stability. Granted the strong corelation among ASEAN states, a major cyber-attack on the network linking its members would have grave implications leading towards destabilisation especially in face of non-traditional threats which is in the rise. On a same note, the development of defence systems in the various ASEAN military forces would be rendered usless should its network be compromised which would lead to strategic paralysis. Both these situations will have devastating effects and destabilise region.
In this sense, the move to increase awareness in cyber security and the creation of strategic alliances to counter the threats posed by cyber-attacks would be the right direction towards ensuring the integrity of the network and continued flow of information critical in ensuring stability. This, I believe will be well covered by the eminent speakers lined up today.
On that note, I thank you for your kind attention.