KUALA LUMPUR – Cybersecurity experts are urging the ministry and government agencies responsible for the newly launched Central Database Hub (Padu) to prioritise building public confidence in the system.
Padu, unveiled on Tuesday, is a comprehensive government system containing profiles of individuals and households, encompassing citizens and permanent residents in the country.
The system is intended to serve as the primary reference for structuring and implementing programmes or policies aimed at promoting the well-being of the people, as well as to ensure subsidies go to the targeted groups.
However, shortly after its launch, Malaysians expressed concerns about the system’s security, with former deputy investment, trade, and industry minister Ong Kian Ming highlighting flaws and loopholes in the system, triggering a social media debate with Economy Minister Rafizi Ramli.
What went wrong?
Among the flaws raised after the launch was that the electronic Know Your Customer (e-KYC) registration feature did not work for some users.
Ong also pointed out that it was easy to register on behalf of others using their MyKad details, which, in turn, prevents the actual identification card (IC) holders from registering and having access to their own accounts.
On social media platform X, a user claimed to have managed to change the passwords of other individuals merely by using their ICs.
In response, Rafizi said that there were no flaws detected when the Security Posture Assessment (SPA) was conducted using the ICs, adding that the issue of “overriding” accounts was resolved on the same night of the launch.

What’s next?
In light of concerns raised by the public, Taylor’s University Global Centre for Cyber Safety School of Computer Science director Datuk Husin Jazri urged the government to dedicate the next two months to managing public confidence and perception regarding Padu.
Husin emphasised treating Padu’s cybersecurity with the same diligence as managing the financial standing of a company – advocating for transparency, traceability, and audits in the system.

He suggested engaging a reputable third party to conduct a transparent audit of the Padu system’s security and to address any improvements needed.
“What’s currently happening is that the project team and the ministry in charge are not managing the public trust well. This should be their focus in the next two months – to strategise and manage public confidence in their system before fully launching it.
“The way they can do this is by engaging a reputable third party to audit and testify how secure the Padu system is transparently and what more to be improved, if any.
“Managing the public’s confidence is harder than technical solutions. Thus, the plan should cover those aspects first before anything else goes.
“Moving forward, this should be a priority,” he said.
Meanwhile, cybersecurity expert Murugason R. Thangaratnam acknowledged the reduction in public confidence due to recent data breaches. He stressed the importance of addressing the trust deficit between the public and government agencies to ensure Padu’s success.
Following this, he said it is crucial to address the current trust deficit between the public and government agencies when it comes to protecting their data, as public confidence needs to be built for Padu to be successful and fully functional.
“A government-run central database hub is only as good as the security that keeps it safe.
“But we need to also understand that a single point of truth can also lead to a single point of failure, whereby a centralised database system has a single point of failure, which means that if the central server goes down, the entire system becomes unavailable,” he said.
“(Therefore), forward-thinking organisations or agencies that focus on huge data volumes should know their catalogue components, data structure, hardware configuration, and computer systems.”
Thangaratnam highlighted the potential risks of a centralised database system, emphasising the need for robust security infrastructure and testing against real threats.
He said that a centralised database like Padu has its merits and can be adopted by the government to control data redundancy and inconsistency for security and sustainable development.
However, he hoped that Padu’s database security infrastructure was already in place and tested against a real threat.

“I always believe that it has to be security by design and not as an afterthought. They should build a secure framework, test it against attacks, audit it, and get an independent body to certify its reliability before introducing it.
“Threats are always there, but they can be minimised or eradicated by having proper security governance and processes in place,” he said.
He suggested a public-private partnership for managing Padu, leveraging competent cybersecurity talents in the private sector.
“Get them onboard as government security contractors and hold them to higher standards. We can only speculate on how efficient and secure Padu is designed to be because database management is not as simple as it sounds.
“The value of data lies in its use to improve government functions that translate into better outcomes for Malaysians seeing that the volume of data organisations and government agencies that usually collect and store data are increasing rapidly and will continue to increase.
“In introducing the new system, it is crucial for the government to ensure effective database patch management in its security practice because attackers are actively seeking out new security flaws in databases, and new viruses and malware appear daily,” he said. – January 4, 2024