Nations Require Licensure of Cybersecurity Pros
Malaysia has joined at least two other nations — Singapore and Ghana — in passing laws that require cybersecurity professionals or their firms to be certified and licensed to provide some cybersecurity services in their country.
On April 3, the upper house of the Malaysian Parliament, known as the Dewan Negara, passed the Cyber Security Bill 2024, following its passage in the lower house the previous month. The bill, which will become law following its signing by the King and its publication in the Government Gazette, is structured as umbrella legislation and will act as a framework for future government activity securing critical infrastructure and improving the national state of cybersecurity.
While the legislation mandates licensing, the actual requirements for cybersecurity professionals and service providers will come later, Malaysia-based law firm Christopher & Lee Ong stated in an advisory.
“While the Bill does not specify the types of cyber security services that are subject to the licensing regime … this will likely apply to service providers that provide services to safeguard information and communications technology device of another person — [for example,] penetration testing providers and security operation centres,” the law firm stated.
Malaysia joins Asia-Pacific neighbor Singapore, which has required the licensing of cybersecurity service providers (CSPs) for the past two years, and the West African nation of Ghana, which requires the licensing of CSPs and the accreditation of cybersecurity professionals. More widely, governments such as the European Union have normalized cybersecurity certifications, while other agencies — such as the US state of New York — require certification and licenses for cybersecurity capabilities in specific industries.
License to Hack in Ghana
While many governments require businesses to obtain licenses to offer cybersecurity services, Ghana is the only nation to require individuals to have a license, says Alexey Lukatsky, managing director of cybersecurity business consulting at Positive Technologies, a Moscow-based cybersecurity provider.
“The uniqueness of Ghana’s approach lies in the fact that licensing requirements apply not to all cybersecurity specialists, but to those who plan to work in four specific areas — vulnerability assessment and penetration testing, digital forensics, managed cybersecurity services, cybersecurity training, and cybersecurity GRC,” he says.
Singapore’s government has taken a proactive approach to prompting private industry to adopt stringent cybersecurity regulations, with organizations so far implementing more than 70% of the requirements needed for a “Cyber Essentials” certification.
“We most certainly think that having a bare minimum standard will engender more confidence across the ecosystem as there will be assurance that — among others — penetration testing, security audits, and incident response services to be provided are on par with industry expectations and evolving technologies,” says Serene Kan, a partner in the IP & technology practice at Wong & Partners, member firm of Baker McKenzie International.
In the United States, such efforts have not gained much ground. Instead, many professional organizations offer certification of specific sets of skills. ISC2, for example, administers the well-known Certified Information Systems Security Professional (CISSP) accreditation, while CompTIA offers the Security+ certification, and ISACA — formerly the Information Systems Audit and Control Association — offers the Certified Information System Auditor (CISA) certification, among others.
ISC2 and ISACA declined to comment for this article.
Lack of Protections for Free Speech
While the requirements appear to improve the overall maturity of the countries’ cybersecurity posture, legislation has often raised concerns over potential cost to freedom of speech and other individual rights.
Governments that gain broad power to regulate activities related to cybersecurity by default have powers to control digital services. This often results in targeting journalistic activities and whistleblowers by requiring “pre-approval under arbitrary standards subject to change or revocation,” according to Article 19, a human rights organization.
The Malaysian cybersecurity bill, for example, is “unnecessary and flawed in its current state,” the organization stated.
“Although posing as a ‘cybersecurity’ instrument, the Bill will give the government unaccountable control of computer-related activities, as well as nearly unlimited search and seizure powers,” the organization said in an analysis of the bill. “Its criminal provisions do not require any actual intent to violate, effectively introducing many strict liability offences.”
In particular, cybersecurity researchers could be put in jeopardy, since the release of source code or cyber-offensive research would require a license, the organization stated.
Yet often licensing requirements are just putting a government stamp on certification best practices that already exist and requirements that job applicants have specific cybersecurity certifications, but with a local twist, says Positive Technologies’ Lukatsky.
The approach that Ghana has pursued, for example, “resembles the establishment of a registry of all cybersecurity specialists since it is unlikely that in this or any other country there are many independent lone specialists who can work with serious organizations, where the risks of hiring unqualified personnel are too high,” he says. “The main reason for such requirements is that as the number of cyberattacks grows, specialists who understand what they are doing and why they are doing it are needed to detect and prevent them — how to apply international best practices and how to adapt them to local specifics.”