Malaysia drafts legislation based on the Budapest Convention, a ‘gold standard’
But still lagging in signing multilateral treaties, CyberSecurity Malaysia explains why
WITHIN the category of developing and almost-developed nations, Malaysia is considered a leader when it comes to legislation that deals with digital or cybercrime.
Zahid Jamil, chair of the Developing Countries Centre for Cyber Crime and Law, shared that he looks to Malaysia along with Singapore, Hong Kong and Australia when drafting legislation.
“I look to these countries and the fact that they draft legislation based on the Budapest standard – which is really the only gold standard,” he told Digital News Asia (DNA) on the sidelines of the ninth Internet Governance Forum (IGF) which was hosted in Istanbul, Turkey in early September.
The Budapest Convention on Cybercrime, or merely the Budapest Convention, is the first international treaty seeking to address Internet and computer crime by harmonising national laws, improving investigative techniques, and increasing cooperation among nations.
It was drawn up by the Council of Europe in Strasbourg, France, with the active participation of the Council of Europe's observer states Canada and Japan, and entered into force on July 1, 2004.
The Budapest Convention is specific in its mandate, covering only cybercrimes as defined by the convention, and does not include blasphemy or racism.
“What does that mean for a country like Malaysia in terms of how progressive it is with adapting legislation to better deal with the complexities of fighting cybercrime? It means it has the competitive advantage by being a first mover; it gains from it especially in terms of attractiveness as a market to do business in,” Jamil said.
The Developing Countries Centre for Cyber Crime and Law is an organisation which aims to provide cybercrime legal and policy assistance and advice, and to develop resources for the specific perspectives and needs of developing economies, with a view to achieving consistency, compatibility and convergence of law and policy with international standards and instruments.
Jamil was also moderating a panel at IGF entitled 'Cybercrime Cooperation and Developing Countries: Internet frameworks,' which delved into the need for countries to not only have domestic cybercrime legislation, but also mutual legal assistance treaties (MLATs) to better combat the borderless nature of these crimes.
Panellist Christopher Painter, who works as a coordinator for Cyber Issues at the US State Department, noted that a combination of different tools is required to approach these kinds of investigations.
“The data doesn't necessarily last very long and can go through several jurisdictions. Smart cybercriminals will often route their attacks or communications, their phishing or fraud, through several different countries because they are trying to take advantage of the fact that there are uneven laws ... and uneven procedures in different countries,” he said.
Painter noted that many of the MLATs are not specifically about cybercrime; they are about classes of different kinds of crimes.
“So you can still get cooperation under them. And the United States has about 100 bilateral MLATs around the world,” he said.
Another panellist, Alexander Seger, head of the Economic Crime Division and directorate general of Human Rights and Legal Affairs at the Council of Europe, argued that one should consider measures against cybercrime as a positive contribution to human rights and the rule of law and cyberspace.
Having been involved with the drafting of the Budapest Convention, Seger expressed some frustration over getting nations around the world to sign on with the treaty, which is comprehensive and requires participating nations to have certain elements in place domestically, such as cybercrime legislation and the capacity to handle such cases.
“Some countries come and say 'Yes, you know, we don't mind the Budapest convention, but we didn't participate in the preparation and the negotiation. And as a matter of policy, we are not joining a treaty that we did not participate in preparing’,” he shared.
However, there are some perks to getting on board, especially assistance in capacity-building programmes.
“Because we realise countries may sign the treaty, may have to form the legislation, or may already have the formal legislation in place, but you have to do more.
“You have to follow up with restraining, with providing guidance, and developing guidelines with those countries. Help countries set up high-tech crime units. Help high-tech crime units develop operating procedures. And so forth,” Seger said.
He said that he doesn’t foresee an alternative to the Budapest Convention appearing anytime soon, given the present difficulties in coming to an agreement on anything.
“So the strength of the Budapest Convention is that it's there and functioning. It's been there and functioning for the past 12 years,” he added.
The situation for Malaysia
Given Malaysia’s standing as a leader amongst developing nations, when asked what needs to be done to ‘get to the next level’, Jamil was succinct in his response: Sign a multilateral treaty.
“Right now there are no multilateral MLATs with Malaysia – it relies on bilateral agreements with different countries, and that’s not a good way to fight cybercrime.
“That’s a ‘We’ll try but we don’t know what’s going to happen’ approach,” he said.
Responding to queries from DNA about the nation’s stance on the Budapest Convention or similar treaties, Dr Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia (CSM), said that there is a lot of preparation that needs to be done in order for Malaysia to comply with the Convention.
He said that the Budapest Convention is still being studied by Malaysia, led by the National Security Council (MKN), with the Attorney General's Chambers (AGC), industry regulator the Malaysian Communication and Multimedia Commission (MCMC), and CSM amongst the study group members.
“At the moment, this initiative is led by National Security Council and CyberSecurity Malaysia's role is to assist the authorities to provide high-level input on this matter,” he said.
Amirudin deferred on a few of the questions asked about Malaysia’s current number of signed MLATs and hesitations about joining any multilateral treaty, noting that the subject matter comes under the purview of the AGC. When contacted for this article, the AGC declined to comment.
According to a search on the AGC website, Malaysia currently has quite a few bilateral MLATs covering crime with many South-East Asian nations including Singapore, Thailand, Laos, Cambodia, Indonesia and Myanmar. Agreements with the Philippines and Vietnam are pending.
Amirudin said the country recognises the cross-border jurisdictional and legal issues, and the possibility of common regional legal approaches to address these issues – including the harmonisation of related legislation amongst nations.
“Despite certain common cyberthreats, the differences in legislation between nations remain significant. Because of the legal complexities involved, Malaysia has taken some time to sign any multilateral treaties to date, including the Budapest Convention or other similar treaties,” he said.
Amirudin added that Malaysia always supports any global efforts in combating cybercrime, including multilateral treaties.
“As cybercrime is a truly transnational crime, Malaysia recognises the importance of international cooperation to achieve common understanding, practices and solutions. However, it is important that such treaties should not be in conflict with national interests and sovereignty.
“As an immediate measure at the initial stage, Malaysia emphasises the importance of the global community being more proactive in dealing with cybersecurity by non-legal approaches,” he added.
These non-legal approaches include the adoption of best practices by all national stakeholders, involving public cybersecurity awareness, information sharing and technical assistance between nations, as well as capacity-building, which includes the development of technical means and solutions.
Amirudin said that in Malaysia, under the National Cyber Security Policy (NCSP), CSM is tasked with spearheading the implementation of the NCSP Policy Thrust 4, which is the Culture of Security and Capacity Building, a strategic initiative in developing human capabilities in cybersecurity.
With this mandate, CSM provides awareness, training and certification programmes to nurture the information security workforce with the required knowledge and skills.
“We have been organising various efforts in capacity-building to strengthen cybersecurity and to increase the number of information security professionals in the country through our Cyber Security Professional Development Programme,” he added.
Amirudin also said that as international collaboration is the most important aspect in the effort to combat cybercrime, Malaysia (through CSM) has displayed strong leadership in various international collaborations pertaining to cybersecurity, such as in the Asia Pacific Computer Emergency Response Team (APCERT) and the Organisation of the Islamic Cooperation – Computer Emergency Response Team (OIC-CERT).
APCERT was established in 2003 with the objective of improving cooperation between various CERTs in the Asia Pacific region. Malaysia, through CSM, is the cofounder and a member of the Steering Committee of APCERT, which currently has 26 Operational Members from 19 economies.
Meanwhile, the OIC-CERT was established in 2009 after securing the mandate from the Organisation of the Islamic Cooperation (OIC) during the 35th Session of the Council of Foreign Ministers of the OIC Meeting in Kampala, Uganda, held in June, 2008. This is a platform for cooperation in ICT that focuses on information security.
Malaysia spearheaded the task force for the establishment of the OIC-CERT in 2005 and in recognising this international leadership, CSM was appointed the chair of OIC-CERT for two consecutive terms (2009-2011 and 2011-2013), which was the maximum allowable serving period.
Consequently, Malaysia was unanimously appointed the Permanent Secretariat of OIC-CERT in 2013. Currently OIC-CERT has 33 members from 19 countries.
Despite Malaysia’s robust efforts in building up cybercrime-fighting capabilities, and taking a lead role in many international initiatives, the fact remains that its lack of participation in an international framework geared toward global cooperation is a glaring gap, with no timeline for when any commitment will be made.
Jamil strongly advocated expediency for such a commitment, noting that it was preferable to waiting for the United Nations or the International Telecommunication Union to come up with a fresh framework or “do something in the next 25 years.”
“You can’t just sit by waiting for something that will never happen that may not happen after a long time. The government may want to protect its citizens, considering what’s happened in the last year.
“It’s about protecting your citizens and doing it in a cooperative fashion. One of the biggest criticisms in cooperation exercises concerning Malaysian Airlines was that the cooperation was not forthcoming.
“You cannot, in this day and age, say 'I’m a developing country and do not want to join international cooperative mechanisms.' [You have] to sign up for something where everyone agrees who are the criminals so that they can be taken to task.
“It’s in the vested sovereign interest of Malaysia or any sovereign nation to do this – to join up with an international treaty,” Jamil added.
This report stems from interviews conducted during the Internet Governance Forum in Istanbul by Gabey Goh, thanks to a grant by the South-East Asia Press Alliance (Seapa).