Twentytwo13

Search
Close this search box.

‘Digital trust isn’t just a technical issue; it’s a social one that must be urgently addressed’

Gobind Singh Deo at the Singapore International Cyber Week 2024 on October 14, 2024.

Malaysia’s Digital Minister Gobind Singh Deo is in Singapore for the 9th Singapore International Cyber Week 2024, which started today.

In his keynote address during the gala dinner at the Sands Expo and Convention Centre this evening, Gobind stressed that regional cooperation is key for a secure digital future in Southeast Asia. This comes against the backdrop of Malaysia assuming the Asean chair on Oct 11.

Gobind earlier met Josephine Teo, Singapore’s Minister for Digital Development and Information, Second Minister for Home Affairs, and Minister-in-charge of Smart Nation and Cybersecurity.

During his three-day working trip, he is scheduled to meet, among others, Asean Secretary-General Dr Kao Kim Hourn; Secretary for Information and Communications Technology of the Philippines, Ivan John Uy; Brunei’s Minister for Transport and Infocommunications, Pengiran Dato’ Seri Setia Shamhary Pengiran Dato’ Paduka Haji Mustapha; and National Cyber Director of the United States, Harry Coker.

Below is Gobind’s keynote address in full:

A very good evening to all of you.

1. This morning, like all of you, I placed my trust in a multitude of systems without even thinking about it. I trusted my alarm to wake me on time; trusted my phone to connect me to my team; and trusted
the car that picked me up to navigate the roads and traffic lights to operate correctly as I made my way here.

2. But the trust didn’t stop there. I trusted the airline that brought me to Changi Airport; the airport security to keep me safe; and the systems that checked my passport, and verified my credentials and identity. At every stage of this journey, my confidence rested on a seamless blend of multiple hardware and software – each system silently assuring me that my information is safe, that my transactions are secure, and in that sense, that I am protected.

3. And here we are today, some of us hundreds or thousands of miles away from home, gathered in this room, relying heavily on the trusted systems that brought us here together, safely.

A New Social Contract For The Digital Era

4. Yet, how often do we pause to reflect on this invisible web that holds our digital world together? All of us place an implicit trust in our devices, our mobile applications, our networks, and our governments, to live and work as seamlessly as we do. But this trust, vital as it is, is indeed fragile.

5. In the volatile, uncertain, complex, and ambiguous world that we live in today, cyber threats loom large. Ensuring digital trust is no longer an option. It is an imperative!

6. We trust our digital devices and systems because they enable our lives to run smoothly. But this trust isn’t new. In 1762, the political philosopher Jean-Jacques Rousseau spoke of a social contract – an agreement between individuals and their governing authorities, built on mutual trust and responsibility. That same principle applies today, almost three centuries on. Only now, it extends into the digital realm.

7. In this digital age, we have entered a new kind of social contract. We hand over our data, our privacy, and in return, we expect security, reliability, and transparency from the platforms, devices, and services we use. And just like Rousseau’s social contract, when trust is broken, the agreement unravels and confidence is lost. We see this in instances where personal data is breached, artificial intelligence (AI) fuels mis- and dis-information, and certain quarters abuse concentrated power. This is why digital trust is not just a technical issue; it needs to be looked at as a social one, which needs to be urgently addressed.

Digital Trust: A Shared Responsibility

8. Against this backdrop, the World Economic Forum defines digital trust as “individuals’ expectation that digital technologies and services – and the organisations providing them – will protect all stakeholders’ interests and uphold societal expectations and values.” In other words, digital trust does not impose obligations on just one entity in isolation. It is a complex, interdependent network of relationships, reliant on every actor to hold up their end of the social contract.

9. This trust runs deeper than we often realise. It operates on many levels – not just in the devices we hold, but in the ecosystem of platforms, apps, and services that now facilitate and empower our daily lives. Whenever you send a message on WhatsApp, order a Grab ride, or add to your cart on Shopee, you trust an intricate web of technology, expecting it to work seamlessly and securely, protecting you from risks at every step.

10. The recent Crowdstrike outage is a textbook example of how this trust is easily lost. A single piece of code brought down networks of hospitals, banks, and airlines worldwide – and this was caused by a non-malicious actor. Now imagine what malicious threat actors can do with an expanding attack surface, as the world’s digital footprint grows.

11. For example, in February this year, a cyberattack on Change Healthcare caused a backlog of unpaid claims in the U.S., disrupting cash flow for clinics and hospitals and affecting patients’ access to care. Authorities later discovered that a substantial amount of data relating to health had been leaked onto the dark web. The breach, it is reported, occurred because of a failure to implement multifactor authentication, a basic industry standard.

12. This brings us to consider the important question of how many system operators, entrusted with our personal data, actually implement even basic industry-standard practices? Are there even such standard practices in place to begin with and if so, are they effective and compliant with global thresholds?

13. Speaking at the IAPP Global Privacy Summit 2022, Tim Cook said: “Companies are mining data about the details of our lives, the shops and restaurants we frequent, saying it is to serve us better. But they don’t believe we should have a real choice in the matter, or that they should need our permission to enter into our personal lives. When a person monitors your every move in the physical world, this would be a cause of concern. In the digital world, it should rightfully be one too.”

14. So how can we build a trustworthy digital world? Key to this is a shift in thinking, to look into efforts to strengthen standards to make devices safer. To make apps safer. To build ecosystems around them that inspire our confidence.

15. Valid digital certificates, for instance, ensure the security and trustworthiness of our digital interactions. These certificates, which verify the identity of websites and organisations, must be regularly audited and kept valid to ensure ongoing trust and security. Expired or breached certificates can lead to serious problems, like outages and loss of data.

Trust Through the Lens of Future Technologies

16. We must also speak about the impact of AI and generative AI. Take images, for instance. In a world that is facing a global election year, with roughly two billion people eligible to vote in 60 countries – constituents need to know what they see and read online is real, and truthful. When you scroll through your newsfeeds daily, or don’t we all know this, the infamous WhatsApp forwarded messages, how
can you know if a piece of content is authentic or synthetic? Was it altered or in its original form?

17. As the Chief Justice of Malaysia, Tun Tengku Maimun Tuan Mat opined recently, reliance on AI and other generative tech is growing, but there are very few laws in place to regulate their use. Furthermore, she said that while local cyber laws are developing, the abuse of bots, deepfake technology, the dark web and the general cloak of anonymity online also poses significant problems and risks when trying to bring offenders to book for their crimes.

18. She added, and I quote, “The fact that these crimes can take place digitally significantly widens the group of victims and allows for maximum damage potential long before the offender can even be identified, much less prosecuted successfully.”

19. Nevertheless, we are starting to see tangible solutions to these challenges. New standards have been designed to tackle the provenance and authenticity of digital assets. This means we can now know if a photo was taken with a camera, edited by software, or generated by AI. This transparency helps users make informed decisions about the content they consume – be it photos, videos, or audio – and plays a crucial role in building digital trust.

20. But this is just one solution to a myriad of uncharted challenges, in a sprawling AI landscape.

21. What do we do with large language models (LLMs)? These models are only as good as the data they are trained on. Biassed data produces biassed outputs. Insufficient or flawed data and incorrect modelling assumptions produce AI hallucinations. LLMs are often described as black boxes. Users cannot see how these models generate responses or the data they are trained on, making it difficult to understand how they come to their conclusions. Thus raising significant questions about accountability and trust!

22. And as AI systems grow increasingly capable of acting autonomously – potentially edging towards Artificial General Intelligence (AGI) – even more ethical questions arise. Who is responsible if an AI model makes a harmful or misleading decision? How do we navigate a world where AI systems may be misaligned with human values?

23. During his presentation at Wharton’s second annual Business & Generative AI Workshop in San Francisco last month, Erik Brynjolfsson – author, inventor, and Stanford University professor where he directs the Digital Economy Lab – made a prediction: “AGI will make human intelligence very narrow within five years.”

24. If that’s not enough, then there is the threat of future, next generation technologies.

25. The rise of immersive technologies, such as the metaverse, for instance, holds great promise as the next frontier of the internet, converging our physical and virtual lives. It will create digital worlds where we can act, interact, and transact – on a hyper-personalised scale.

26. But as some quarters build walled gardens to dominate these ecosystems, it raises critical questions about the future of data privacy and security. What will this concentration of power mean for the integrity of our personal information and digital lives?

27. Quantum technology poses a grave risk to technological sovereignty, national security and cybersecurity. If large-scale quantum computers are built, they could break encryption systems currently in use – a scenario known as “Q-day.” This would severely compromise any and every sector that relies on encrypted data.

28. We must ensure our critical information infrastructure systems are prepared with measures which mitigate these risks and protect us as new technology develops.

29. We as governments, must prepare our countries, and as an ASEAN region, for these challenges.

Multidimensional Challenges: Bridging Cybersecurity Skills and Enforcement Gaps

30. Then there is the flip side of the problem: awareness and skills. Today, the global cybersecurity sector faces a shortage of 4.8 million workers. On average, the traditional bachelor’s degree takes 3-4 years. That shortage gap is growing faster than we can plug it. Relying on old solutions for new challenges is no longer an option.

31. So how can we develop more skilled talent in the cyber workforce fast? Digital apprenticeships, or as I like to call them – DVET, could be the answer. Imagine providing high school graduates with paid training opportunities with talent-hungry tech companies, and doing it at scale. This could create entirely new, cost-effective alternative career pathways for talent, bypassing traditional university degrees. This is an area for us to consider, particularly when it comes to talent in cybersecurity.

32. We must also not forget the wealth of untapped potential in our existing workforce. As the nature of jobs shift along with technological advancement, employers must be encouraged and incentivised to invest in continuous learning and on-the-job development for their staff. The key is to upskill and re-skill as we go along instead of only when we see job disruption created by new technology.

33. Talent is not the only dimension that has evolved with the digital world. Bad actors have also kept up with technology, taking advantage of vulnerabilities in existing and emerging digital ecosystems. We have new types of crimes that did not exist previously.

34. Traditional crimes are being facilitated by new technologies as well. In 2022, the U.S. Department of the Treasury detected an increase in the use of virtual assets for money laundering activities. As the digital world moves forward, we must ensure enforcement is not left behind.

Malaysia’s Initiatives For Digital Trust

35. Taking a step back, all of these threads fall squarely with what we have done in Malaysia to foster digital trust in all layers of society.

36. In March this year, the Malaysian Parliament passed a landmark Cyber Security Act, which has been in force since 26 August 2024. This Act lays the foundation for the protection of National Critical Information Infrastructure (NCII) against cybersecurity threats, and establishes clear governance through a National Cyber Security Committee. It also mandates a licensing regime for cybersecurity service providers, ensuring only those qualified are authorised to deliver cybersecurity services.

37. To operationalise the Act, four critical regulations have been issued. These include requirements for conducting cybersecurity risk assessments and audits; mandatory notification of cybersecurity incidents; the compounding of offences; and licensing rules for cybersecurity providers. Together, these measures create a comprehensive, future-ready regulatory framework to strengthen national security in cyberspace.

38. Additionally, in July 2024, we amended the Personal Data Protection Act 2010, introducing mandatory data breach notifications; stricter penalties for non-compliance; and regular audits. The amendments also introduced a Data Protection Officer role to ensure that organisations comply with data protection regulations.

39. Malaysia will launch its National AI Office (NAIO) at the end of November 2024. While this represents a significant milestone for the country in terms of technology advancement, the Prime Minister Datuk Seri Anwar Ibrahim, just two weeks ago, re-emphasised the need for NAIO to develop the necessary safeguards and a robust framework in order to promote the adoption of sustainable and ethical AI practices.

40. These legislation and regulations form the bedrock of digital trust in Malaysia. But data protection and security are not ends in themselves. We protect and secure data because we want to encourage its use. Data, ultimately, is from the people and for the people.

41. In view of this, my ministry will introduce a Data Sharing Bill that will create a clear regulatory framework for sharing public sector data. With this Act in place, we expect to spur innovation and value
creation in a trusted, safe, and secure digital ecosystem.

42. We are on track. Our aim is to unify these efforts under a proposed new entity – the Digital Trust and Safety Commission – which will govern digital trust, security, data sharing, and data governance in the country – as well as anticipate future needs. Apart from the National AI Office, we are also preparing to launch a national quantum strategy to stay ahead of emerging technologies.

43. In the 10 months since the establishment of the Ministry of Digital, we have taken steps, real steps to build a trusted digital ecosystem in Malaysia. But there is more to be done.

Regional Cooperation for a Secure ASEAN Digital Future

44. Just last week, Malaysia officially assumed the ASEAN chairmanship for 2025. And in a world where cyber threats are increasingly transnational in nature – we reaffirm our commitment to deepening regional integration, combating cyber threats, and upholding a rules-based multilateral order in cyberspace.

45. ASEAN has already laid strong foundations with two iterations of the ASEAN Cybersecurity Cooperation Strategy (2017-2020 and 2021-2025). As we chart the next five-year cycle, Malaysia will intensify cooperation, align with global efforts, and enhance collaboration with ASEAN dialogue partners.

46. We also look forward to the launch of the ASEAN Regional Computer Emergency Response Team (CERT), which will play a key role in facilitating timely information exchange and coordinating our collective regional response to cyber incidents.

47. Ultimately, ASEAN countries are united in a common purpose: to build a trusted digital ecosystem that benefits all of us. Through joint initiatives, shared knowledge, and collaborative frameworks, we are strengthening regional cybersecurity and data governance. This isn’t just a commitment on paper; it’s a tangible, collective effort to protect our citizens, secure our infrastructure, and promote innovation.

Trusting In Our Multilateral Commitment

48. At the end of today, we will once again place our trust in a multitude of systems. We will trust the networks that connect us to our hotels and homes, the mobile applications that manage our transportation, and the digital services that facilitate our communications along the way.

49. And we can do this with confidence – trusting that across the Southeast Asian region, we are not working in isolation. We are building, collectively, a foundation of digital trust. Together, we can empower the region’s digital economies and ensure that our connected future is secure, resilient, and prosperous for all.

50. With that, I thank you for your attention and, to our gracious host, the Cyber Security Agency of Singapore, for inviting me.

Main image: Singapore International Cyber Week 2024