By Yusmadi Yusoff
The recent cyberattack on Malaysia Airports Holdings Berhad (MAHB), where hackers allegedly demanded US10 million ransom, was not just an attack on a corporation—it was an attack on Malaysia’s national security.
This incident is a stark reminder that in today’s world, wars are no longer fought solely with missiles and tanks but with algorithms and malware.
At the same time, the Ministry of Defence (MIindef) has raised concerns over the need to strengthen cyber, drone, and nuclear warfare capabilities, including discussions on forming a dedicated cyber force.
This is a step in the right direction. However, military solutions alone will not be enough. The reality is that Malaysia still lacks a comprehensive legal, policy, and strategic framework for cyber warfare.
One of the fundamental challenges in addressing cyber warfare today is that many governments—including Malaysia—are still using 19th and 20th-century theories of war to respond to 21st-century threats.
Traditional warfare is based on principles of territorial invasion, physical combat, and military occupation.
But cyber warfare does not require borders, military bases, or physical presence.
A hostile state or cybercriminal group can cripple an entire nation’s infrastructure from the other side of the world without a single soldier setting foot on enemy soil. Yet, Malaysia’s legal and strategic framework still relies on conventional defence doctrines, failing to acknowledge that cyber warfare has fundamentally changed the nature of global conflict.
Outdated approaches
The consequences of this outdated approach are evident. The Cyber Security Act 2024, while a positive step, remains focused on cybercrime, regulatory compliance, and data protection but does not address the broader legal, military, and diplomatic aspects of cyber warfare.
The absence of a clear legal definition of cyber warfare makes it difficult to classify and respond to state-sponsored cyberattacks.
There is no dedicated Cyber Warfare Command that can pre-emptively neutralise cyber threats rather than merely react to them.
Additionally, Malaysia lacks a legal framework for cyber deterrence, meaning there is no official policy on how the country would respond if a foreign state or cyberterrorist group launched a major digital attack.
The importance of learning from Estonia cannot be overstated. In 2007, Estonia suffered a coordinated cyberattack, allegedly launched by Russian-backed hackers, that crippled the country’s banking systems, media networks, and government services.
Instead of simply treating it as an IT problem, Estonia recognised cyberattacks as acts of war, integrating cyber warfare into its national defense strategy.
The country established the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, which later developed the Tallinn Manual, the world’s leading legal framework on cyber warfare norms.
Today, Tallinn is recognized as the global hub for cyber warfare research and policy, shaping international norms on how nations should respond to digital threats.
Malaysia has an opportunity to do the same. Cyberjaya can be positioned as a Global Cyber Diplomacy Hub, learning from Estonia’s transformation of Tallinn into a leader in cyber warfare norms.
By establishing a Cyber Warfare Legal Framework, Malaysia can not only strengthen its own cyber defence but also become a regional leader in cyber diplomacy within ASEAN and the broader Global South.
Cyberjaya—already known as Malaysia’s tech hub—has the potential to house an international cyber policy institute, fostering collaboration between governments, the private sector, and academia to develop global cyber governance standards.
Singapore taken proactive steps
Singapore has already taken proactive steps in this direction. In 2018, Singapore passed the Cybersecurity Act, granting legal authority to the government to secure critical digital infrastructure.
The country established a Cybersecurity Agency (CSA) and a Defence Cyber Organisation (DCO) to ensure that legal, policy, and military responses are aligned. Singapore’s approach emphasizes cyber diplomacy, forging alliances with global partners to share intelligence and coordinate cyber defences.
Malaysia must not lag behind. If Malaysia does not act swiftly, we will not only be vulnerable to cyber threats but also risk becoming irrelevant in shaping the future of global cyber governance.
If cybersecurity is national security, then Malaysia’s legal framework must reflect this reality.
There are urgent steps that Malaysia must take to address this growing threat. First, Malaysia must enact a Cyber Warfare Legal Framework that legally defines cyber warfare and allows proactive cyber defence.
The law must recognise cyberattacks as threats to national security, not just commercial crimes.
It must establish legal protocols for cyber deterrence, cyber retaliation, and cross-border cooperation, aligning with international frameworks such as the Tallinn Manual and the Budapest Convention on Cybercrime.
Second, there must be a dedicated Cyber Warfare Command to centralise cyber operations under Mindef and the National Security Council.
Cyber defence cannot be scattered across multiple agencies, leading to inefficiencies and jurisdictional conflicts.
This Cyber Warfare Command should have legal authority to engage in defensive and counter-offensive cyber operations and integrate artificial intelligence and cyber intelligence tools to detect and neutralize threats before they escalate.
Third, Malaysia must develop a Cyber Diplomacy Strategy because cyber threats do not recognise borders.
Malaysia should lead ASEAN’s cyber diplomacy efforts, creating a regional cyber defense alliance.
The country should strengthen legal cooperation with Estonia, Singapore, and global cybersecurity institutions while investing in international intelligence-sharing agreements to prevent cyberattacks before they reach Malaysian systems.
Fourth, the Malaysian government must increase investment in cybersecurity. Malaysia currently spends less than 1% of GDP on cybersecurity—this must be increased to at least 1.5%, aligning with international best practices.
This funding should be used to develop AI-driven cybersecurity technologies, train a new generation of cyber defence specialists, and strengthen public-private sector collaboration in securing Malaysia’s digital infrastructure.
Need to act now
Prime Minister Datuk Seri Anwar Ibrahim’s vision for Malaysia MADANI is about building a resilient and forward-thinking nation.
But in the digital era, no country can be truly secure without a strong legal and strategic framework for cyber warfare. The cyberattack on MAHB was just the beginning.
If Malaysia does not act now, the next attack could cripple our financial sector, military networks, or energy grid. The time for reactive measures is over—Malaysia must take decisive legal and strategic action now.
Malaysia must not only prepare for today’s threats but must also position itself as a leader in shaping the future of cyber warfare norms—before it is too late. - March 25, 2025
Yusmadi Yusoff, a senior lawyer, former Senator and MP Balik Pulau. Currently a PhD Candidate researching on Cyber Warfare Legal Framework at Ahmad Ibrahim Kulliyyah of Laws, International Islamic University Malaysia (AIKOL-IIUM)
