Malaysia has joined at least two other nations – Singapore and Ghana – in passing laws requiring cybersecurity professionals or their companies to be certified and licensed to provide certain cybersecurity services in their country.
On April 3, the upper house of Malaysia’s parliament, known as Dewan Negara, passed the Cyber Security Bill 2024, following approval in the lower house the previous month. The bill, which will become law following signature by the King and its publication in the Official Journal, is structured as umbrella legislation and will serve as a framework for future government activities by ensuring the protection of critical infrastructure and improving the national state of IT security.
While the legislation mandates licensing, the actual requirements for cybersecurity professionals and service providers will come later, Malaysia-based law firm Christopher & Lee Ong said in a client notice.
“Although the bill does not specify the types of cybersecurity services subject to the licensing regime… this will likely apply to service providers who provide services to safeguard another person’s information and communications technology devices – [for example,] penetration testing providers and security operations centers,” the law firm said.
Malaysia joins Asia-Pacific neighbor Singapore, which has required the licensing of cybersecurity service providers (CSPs) over the past two years, and the West African nation of Ghana, which requires the licensing of CSPs and accreditation of cybersecurity professionals. More generally, bodies such as the European Union have normalized cybersecurity certifications, while others, such as the US state of New York, require certifications and licenses for cybersecurity capabilities in specific industries.
Hacking License in Ghana
While many governments require companies to obtain licenses to offer cybersecurity services, Ghana is the only nation to require private individuals to have a license, says Alexey Lukatsky, managing director of cybersecurity business consulting at Positive Technologies, a cybersecurity provider based in Moscow.
“The uniqueness of Ghana’s approach is that the licensing requirements do not apply to all cybersecurity specialists, but to those who intend to work in four specific areas: vulnerability assessment and penetration testing, computer forensics, managed cybersecurity services, cybersecurity training and cybersecurity GRC,” he says.
The Singapore government has taken a proactive approach to pushing private industry to adopt strong cybersecurity practices, with organizations so far implementing more than 70% of the requirements necessary for a “Cyber Essentials” certification.
“We certainly believe that having a minimum standard will generate more trust across the ecosystem as there will be assurance that, among others, the penetration tests, security audits and incident response services to be provided are on par with industry expectations and evolving technologies,” says Serene Kan, partner in the IP and Technology practice at Wong & Partners, a member firm of Baker McKenzie International.
In the United States, such efforts have not gained much traction. However, many professional organizations offer certification of specific skill sets. ISC2, for example, administers the popular Certified Information Systems Security Professional (CISSP) accreditation, while CompTIA offers the Security+ certification, and ISACA – formerly the Information Systems Audit and Control Association – offers the Certified Information Systems Auditor (CISA) certification, among others.
ISC2 and ISACA declined to comment for this article.
Lack of protections for free speech
While the requirements appear to improve the overall maturity of countries’ cybersecurity posture, the legislation has often raised concerns about potential costs to free speech and other individual rights.
Governments that gain broad power to regulate cybersecurity-related activities are by default empowered to control digital services. This often results in the targeting of media organizations and whistleblowers by requiring “pre-approval under arbitrary standards subject to change or revocation,” according to Article 19, a human rights organization.
Malaysia’s cybersecurity law, for example, is “unnecessary and flawed in its current state,” the organization said.
“Although it presents itself as a ‘cyber security’ tool, the bill will give the government irresponsible control of computer-related activities, as well as almost unlimited search and seizure powers,” the organization said in its analysis of the bill. “Its criminal provisions require no actual intent to infringe, effectively introducing many strict liability crimes.”
In particular, cybersecurity researchers could be put at risk, as releasing source code or cyber-offensive research would require a license, the organization said.
However, licensing requirements often simply put a government stamp on existing certification best practices, requiring candidates to hold specific cybersecurity certifications, but with a local twist, says Positive Technologies’ Lukatsky.
The approach followed by Ghana, for example, “resembles the creation of a register of all cybersecurity specialists since it is unlikely that in this or any other country there are many independent and isolated specialists who can work with serious organizations, where the risks of hiring unqualified staff are too high,” he says. “The main reason for such requirements is that as the number of cyber attacks increases, specialists who understand what they are doing and why they are doing it are needed to detect and prevent them: how to apply international best practices and how to adapt them to local needs and specifications.”