By Florian Frank*
Myanmar Times
Nov 6, 2017
WITH a rapidly growing telecommunications infrastructure and improved connectivity, Myanmar is in the midst of large-scale digitalization.
The government has launched an e-government program, banks are jumping from pen and paper bookkeeping to the use of fin-tech services. SMEs and large enterprises are setting up internal networks to streamline processes and improve productivity. It is hard to comprehend the sheer scale of this process. While the new-found connectivity and digitalization brings many benefits and opportunities, it also opens the doors to an entirely new threat – cybercrime, a phenomenon the entire world is grappling with.
In September 2016, Europol Director Rob Wainwright warned, “The relentless growth of cybercrime remains a real and significant threat to our collective security in Europe. Europol is concerned about how an expanding cyber-criminal community has been able to further exploit our increasing dependence on technology and the internet. We have also seen a marked shift in cyber-facilitated activities relating to trafficking in people, terrorism and other threats.”
Former US defense secretary Leon Panetta went a step further, saying, “A cyberattack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11… Such a destructive cyberattack could paralyze the nation.”
In many ways, the risk to Myanmar is even greater than to Europe or the US. Government institutions and private enterprises in all sectors are insufficiently prepared to deter cyberattacks. There is a lack of technical knowledge and no structures in place to be able to handle and assess such threats, and the initial costs of setting up cyber divisions has put off most investment in cybersecurity. The Microsoft Security Intelligence report for January to March 2017, reports an encounter rate of 23.8 percent for Myanmar. This means that 23.8pc of computers running Microsoft real-time security products reported having encountered malware. In comparison, the international average is 9.1pc. Considering that the number of computers in Myanmar running on original software is minute, it must be assumed that the real number of encounters and infected computers is much higher.
Cyber-related issues are nothing new to Myanmar, but the Rakhine conflict has brought to attention the major deficits in the country’s security infrastructure. Since the Rakhine conflict has hit the headlines of major news outlets around the world, there have been a string of attacks on government institutions and private enterprises by so-called hacktivists. Most notable were the attacks by alleged Turkish hackers on government websites that began in late August. In the aftermath of these attacks, there was retaliation by several hacker groups in Myanmar on Turkish sites, a clear indication of the growing hacker scene in Myanmar. While the two groups have announced a sort of truce, there is no reason to believe that there will be any decrease in cybercrime. What made these attacks so unique is that they were publicly covered. The vast majority of cyber-related incidences in Myanmar go unreported, which brings up another question – to whom can one report cyberattacks? The government has not come forward with any regulations in regards to cybersecurity. The country is in dire need of a cyber framework that sets forth government-mandated cybersecurity standards for sectors vital to national security, such as banking and critical infrastructure. And while the government has created the Information Technology and Cyber Security Department, there are no procedures in place for incidence response.
When looking at the current political situation in Myanmar, it is doubtful that the government will come out with any comprehensive cybersecurity guidelines in the near future. The opening of the ITCSD was a step in the right direction, but it remains to be seen if this translates into any legislation. In the meantime, it will be up to the private sector to beef up its security protocols. The growing number of companies looking into ISO27001 and PCI DSS compliance is a good sign.
Currently there are a flurry of small cybersecurity outfits and individuals in the market but very few have the ability to deliver adequate security services. When it comes to cybersecurity, it is well worth taking a second look and choosing those with proven track records. Failure to do so will result in dire consequences.
*Florian Frank is director of business development at DLG in Yangon, a consultancy specializing in cybersecurity.
(https://www.mmtimes.com/news/digital-boom-double-edged-sword.html)