Padu security breach: Pikom urges govt to engage ‘crucial’ external expertise

Tech body says that vulnerabilities discovered could have been identified during development and testing phases.

Updated 3 months ago · Published on 06 Jan 2024 8:10AM

The launch of the Central Database Hub (Padu) on January 2 in Putrajaya. DAP's Ong Kian Ming has since recommended that the cabinet make a collective decision to suspend the registration of Padu users until its security issues can be solved. Screen grab.

THE NATIONAL ICT Association of Malaysia (Pikom) has called on Putrajaya to “strike a balance” in implementing its new Central Database Hub (Padu) by engaging appropriate external experts.

This comes in the wake of cybersecurity concerns surrounding the project.

In a statement, the body acknowledged the recent security breach affecting the online platform created by the government.

It applauded the objective of Padu in streamlining public service delivery for citizens, and also commended the move to utilise expertise from within the public sector.

Utilising “internal talent” for such projects, it stressed, fosters self-reliance and knowledge retention within the public sector.

“However, when it comes to complex technological initiatives, particularly those involving sensitive data, striking a balance between leveraging existing resources and engaging external expertise is crucial,” it said in a statement this morning.

“While we commend the government's initiative in developing and deploying Padu utilising internal public sector expertise, we believe the vulnerabilities discovered highlight the need for a more comprehensive approach to cybersecurity in critical government IT infrastructure.”

According to Pikom, the fundamental nature of the vulnerabilities discovered suggests that they could have been identified during the development and testing phases.

“This underscores the importance of involving independent, industry-expert security personnel in comprehensive security assessments throughout the entire software development lifecycle,” the association said.

“Such assessments, conducted by real-world threat actors and penetration testers, would significantly bolster the platform's resilience against cyberattacks.”

Pikom’s membership currently stands at more than 1,000 active companies involved in a spectrum of tech products and services, commanding 80% of the total tech business in Malaysia.

Collaborate with private sector

When launching the project on January 2, Prime Minister Datuk Seri Anwar Ibrahim had hailed it for demonstrating that the Malaysian government machinery is capable of implementing new innovations without depending on highly priced international consultants.

The system was fully developed by civil servants from three main agencies, namely the Ministry of Economy, the Department of Statistics Malaysia (DOSM) and the Malaysian Administrative Modernisation and Management Planning Unit (Mampu), in collaboration with numerous other agencies.

The data is managed by DOSM.

Padu contains profiles of the socio-economic status of individuals and households, including citizens and permanent residents in Malaysia.

It covers nearly 300 types of data held by the federal government and will progressively take in data from state and local governments in the future.

Pikom also urged the government to consider collaborating with the private sector in upskilling public officers in niche areas like cybersecurity.

It said that industry attachments, where public officers spend time working within established private companies, can provide invaluable real-world experience and exposure to cutting-edge security practices.

“This knowledge transfer would then enhance internal capabilities and ensure future projects are developed with robust security considerations from the outset,” it said.

“At Pikom, we remain committed to working with the government and industry stakeholders to strengthen Malaysia's overall cybersecurity posture,” it said.

“We believe that by adopting a collaborative approach, including leveraging independent expertise, promoting knowledge sharing, and fostering upskilling initiatives, we can build a more secure and robust digital infrastructure for our nation.”

Suspend system and perform stress test

The day after the launch, Ong Kian Ming, a former deputy minister of the Ministry of Investment, Trade, and Industry (MITI), had called on the cabinet to suspend the registration process for Padu until the security issues are resolved.

He pointed to a major loophole in the registration process: someone can register for another person's Padu account with nothing more than that person's IC number and the postcode of the address on the IC.

Ong said this can be done without having to go through the e-KYC process.

e-KYC (electronic ‘know your customer’) is the process by which an online platform identifies and verifies the identity of a client when an account is opened, and periodically thereafter.

Ong said that he did this with the IC addresses and postcodes of four of his DAP colleagues – all ministers or deputy ministers.

For instance, he was also able to change some of the details in the academic qualifications and occupation of Youth and Sports Minister Hannah Yeoh without having to go through e-KYC verification.

“I would strongly recommend for the cabinet to make a collective decision to suspend the registration of Padu users until the security issues can be solved,” Ong said.

The system should be properly stress-tested before it is rolled out again, he asserted.

He added that users who have registered but have not undergone the e-KYC verification should be asked to register again after the security issues have been resolved.

Ong also suggested that the number of fields of information required for every individual be decreased.

“Once the security features are in place, the information which can be pulled from other agencies and ministries should be pre-filled as much as possible.

“The user should have a mechanism where he or she can make a report if the information provided is not accurate,” he said.

IT and cybersecurity experts should be called in to provide value-added inputs which can be used to improve the design of the Padu system, he added. – The Vibes, January 6, 2024
