While the U.S., the United Kingdom and Russia are expected to sit high on any list of cyber nations, one surprise name also mixes with the best, highlighting the value of having solid allies over technical prowess.
Malaysia came in eighth out of 194 states in this year’s Global Cybersecurity Index released Tuesday by the International Telecoms Union, a United Nations agency. With 98.06 out of a possible 100 points, the Southeast Asian country was only fractionally behind Singapore and South Korea, and equal with Russia and the United Arab Emirates. It’s been in the top 10 since the first report was released in 2014.
While neither a technology powerhouse nor a prolific hacker, Malaysia’s standing comes from an early commitment to cybersecurity issues and a solid national strategy. Yet, other developing countries could learn a lot from Kuala Lumpur’s ability to apply its long-standing geopolitical strength — gather friends and avoid making enemies — to the electronic realm where information is as valuable as weaponry.
The country’s first cybersecurity policy dates back at least 15 years and outlines areas of key importance. Today, the government operates a Critical National Information Infrastructure portal for sharing information and a coordination and command center that deals with crises and evaluates the national threat level daily. It’s also been running annual drills, called X-Maya, to test its readiness and to game-plan attack scenarios, while implementing a scheme to evaluate and certify the security of technology products such as data storage, access control systems, and networking equipment.
Many of these measures are carried out elsewhere and aren’t necessarily unique to Malaysia. Yet underlying the ITU’s assessment is a nation’s commitment to cybersecurity issues and practice, and its focus on improvement, rather than actual capability. That’s why the country rates so highly.
It achieved the top score in three of five categories used by the ITU: a legal framework for handling security and crime; capacity measures based on R&D, education and training; and international partnerships and information sharing. Its slight weaknesses were in organizational and technical areas.
Global cooperation helps make up for the fact that Malaysia’s own cyber proficiencies are sometimes lacking. In fact, if skill alone were the deciding factor, the nation would be rated much more poorly. The Harvard Kennedy School’s Belfer Center, for example, puts the country 19th out of 30 in its ranking of cyber powers. The analysts here combine both intent and actual capabilities, finding that Malaysia is relatively weak in defensive abilities while being not particularly keen on carrying out cyber attacks.
In other words, the country isn’t so adept at “destroying or disabling an adversary’s infrastructure” (Russia and the U.S. are at the top) and shows deficiencies when it comes to the “defense of government and national assets and systems” (China and Singapore lead here). It’s also lacking at controlling information, particular specialties of the U.S. and Russia. The same analysis sees Malaysia highly regarded for its capability to gather foreign intelligence but handicapped by apparent lack of interest in doing so.
This dichotomy between policy and projection also puts Malaysia in the bottom of three tiers in research on 15 nations released Monday by the London-based International Institute for Strategic Studies. The U.S. was once again the standout superpower, with China and Russia in the second tier. Malaysia’s domestic strategy and international links are strong, but a failure to flex its cyber muscle makes it trail the likes of Australia, France and Israel.
With centuries of trading links due to its strategic position on the Straits of Malacca, Malaysia is one of few nations to have a well-regarded foot in the Middle East, East Asia and the West and is a fairly easy place to do business. Yet that porousness has given rise to trouble, including the 1MDB scandal that brought down former Prime Minister Najib Razak, and use as an “illegal base” in the Libyan and Pakistani nuclear weapons programs. It’s also less well regarded on graft, coming in at 57 out of 180 on Transparency International’s corruption perceptions index.
“You have to invest in diplomacy,” said Greg Austin, IISS’s Senior Fellow for Cyber, Space and Future Conflict. “If you’re a tier-three country, you cannot be secure in cyberspace without securing the support of stronger countries who can help you.”
Even then, straddling a crossroads is no guarantee of protection. Having a (rare) embassy in Pyongyang didn’t stop North Korea from sending assassins to Kuala Lumpur’s international airport to murder leader Kim Jong-un’s estranged half-brother in 2017. And the U.S. continues to warn its citizens about the possibility of armed terrorist attacks in Malaysia against foreigners, including Americans.
But overall, its nuanced and neutral approach to global affairs has helped Malaysia gain trust and thus tap into the intelligence networks of more powerful nations. The country “compensates for some of its shortcomings in cyber capability through international alliances, particularly with the United States, the United Kingdom, Australia and Singapore,” the IISS wrote.
Having decided it actually cares about cybersecurity, and by implementing policies to ensure a coordinated strategy to deal with it, Malaysia’s greatest advantage may not be its own skillset but an ability to leverage stronger allies. For a small country, that’s an effective way to maintain the balance of power in cyberspace.