Shock to the system
With cyberattacks making headlines around the globe, the government is scrambling to set up institutions to counter the threat
The importance of cybersecurity to Thailand's economy is no secret. It's all over the news. The mobile penetration rate in the capital is 110%, and the country already enjoys one of the highest usage rates in the region.
The staggering pace of adoption in the sharing economy and the government's push for economic models along the lines of Thailand 4.0 will only deepen the country's dependence on internet-related sectors.
Globally, companies spend billions of dollars on cybersecurity, yet the risk of costly and privacy-undermining attacks is still reducing the value of the digital economy by trillions.
Cyberattacks have surged in the past few years. WannaCry, which affected 400,000 computers in all from an initial hit of 230,000 in 150 countries, and the NotPetya ransomware attacks were a wake-up call for the Thai government.
Attacks are becoming more frequent, and they are leaving larger financial footprints. For example, the average payment demanded in a ransomware attack in 2016 was US$1,000 (33,300 baht), up 233% from the previous year.
Cybersecurity risks are hard to quantify, which is why they have remained, until now, on the back burner for most C-level executives and government officials.
As Thailand gets ready for a digital future, it's imperative that these players take a more active and collaborative role in devising cybersecurity strategies. A fast, efficient and targeted programme to detect threats across the private and public sectors is essential to support internet-driven social development.
In 2017, the International Telecommunication Union's Global Cybersecurity Index report ranked Thailand 20th out of the UN agency's 193 member states, classifying the country as "maturing".
While Thailand has made progress on cybersecurity measures in recent years, much remains to be done. Cybersecurity laws and a skilled workforce are two important areas of opportunity.
A data protection law has been in the works for 18 years, but implementation has been delayed at the Digital Economy and Society (DE) Ministry for close to two years.
Under the cybersecurity law, the National Cybersecurity Agency (NCA) will work with other public and private entities on national cybersecurity policy.
Both laws have passed through the Council of State, but they must still be submitted to the National Legislative Assembly and the prime minister by the DE minister, according to Surangkana Wayuparb, chief executive of the Electronic Transactions Development Agency (ETDA).
The National Security Council will propose the national cybersecurity strategy to the cabinet soon. The strategy will serve as a framework for collaboration between the public and private sectors on crucial missions.
The NCA will be set up in early 2018, if both laws are approved. That body will operate under the Defence Ministry, while the ETDA will handle economy-focused attacks.
Shortage of professionals
There are 9,880 Certified Information Systems Security Professionals (CISSPs) in Asia. Of the total, just 198 live in Thailand, 13 times fewer than in South Korea. The extreme shortage of cybersecurity personnel could pose a challenge to the country, even if the laws are passed.
ETDA hopes to increase the number of CISSPs to 1,000 by 2022. Even this small number seems out of reach, though.
According to ThaiCert, the Computer Security Incident Response Team under ETDA, there were 3,798 security incidents in 2016. Malware, intrusion and fraud were the top three threats in the country.
The actual figure is believed to be higher than that, but many organisations chose not to declare their actual damages, hoping to protect their reputation and retain customer confidence.
Banks and capital markets are the only vertically integrated sectors working on cybersecurity collaboration. But cybersecurity is a critical issue in almost every sector, including utilities and infrastructure.
Under the new cybersecurity draft, the National Cybersecurity Committee (NCSC) will be chaired by the prime minister. The defence minister and the DE minister will serve as first and second vice-chairmen.
The NCSC will also cooperate with the governor of the Bank of Thailand, the secretary of the National Broadcasting and Telecommunications Commission, the Royal Thai Police, the National Intelligence Agency and other ministry heads.
The National Cybersecurity Agency will be established as a special independent department under the command of the prime minister.
Lack of data protection law
Thailand is perceived as having inadequate protection for data. In the three years of the current government, a draft data protection bill has seen two versions, one by the ETDA, and the other by Sutham Yunaitham, a former legal adviser to the DE minister.
The two laws have been combined, but little progress has eventuated. Thailand joins Myanmar, Laos, Cambodia and Vietnam as the only countries in the region that lack a data protection and cybersecurity law.
Paiboon Amonpinyokeat, founder of P&P law firm, says data protection laws are an indicator of the digital competitiveness of a country. But progress on the legal framework of data protection and cybersecurity in Thailand has plodded along, though the central bank and financial institutions have prepared their systems, processes and human resources to respond to cyber incidents.
Budsakorn Teerapunyachai, the Bank of Thailand's director of risk management and information system examination, says advance preparation of information systems and processes will lessen the possibility of a huge impact from cyberattacks.
The central bank has mandated an assessment of cyberrisk incident readiness based on the Cyber Resilience Assessment Framework, Mrs Budsakorn says.
In Asia-Pacific, Thailand ranks among the top 10 countries for the number of malware attacks. According to the Microsoft Security Intelligence Report for the first half of 2017, cyberrisks in Thailand are comparable to conditions in the Philippines, Bangladesh, Indonesia and Vietnam, while Hong Kong, Japan and Singapore are at the least risk of malware attacks.
Daryl Pereira, head of cybersecurity at KPMG Singapore, says Asean still lacks cybersecurity investment relative to the US and Europe. Companies in developed countries spend some 20% of revenue on IT, with 10% going to cybersecurity. For some mission-critical sectors, the cybersecurity budget is as high as 25-50% of the total IT budget.
In 2017, healthcare is the top sector for investment in cybersecurity in Asean, due to concerns about protection of patient data, followed by the fintech, telecom and government sectors.
The nature of cyberattacks has evolved. Mr Pereira notes that apart from malware, the primary targets of hackers are Internet of Things devices, the Android mobile operating system and end-user devices.
"Spear phishing", an email or electronic communications scam targeting a specific individual or organisation, is found often in this region. Although hackers often intend to steal data for malicious purposes, they may also install malware on the targeted user's computer.
Cyberrisks and internet security threats are changing rapidly and becoming more severe. The collaboration of the government and regulators with other countries is vital.
Dhiraphol Suwanprateep, a partner in the information technology and communications practice at Baker McKenzie, says that when a cyberattack takes place at any entity, the incident should be reported to regulators.
When central authorities receive a report, they can warn the public instantly (without providing the name of the victim to the public) and offer preventive guidelines to the public. This would help mitigate the risk of cyberattacks spreading.
"Cyberattacks have now become global and cross-border, and Thai regulators should collaborate with other countries' regulators and work together on investigations," Mr Dhiraphol says.
The trend of international collaboration can be seen in other jurisdictions. For instance, the General Data Protection Regulation requires data protection officials in the EU member states to cooperate and provide each other with mutual assistance. Such authorities also have formal legal authority to carry out joint operations to more efficiently address cross-border incidents.
In Thailand, general regulations to prevent cyberattacks are already in place. For example, the Computer Crime Act prohibits hacking, sniffing and unauthorised access to the computer systems or data of another.
It remains for the government to shift the focus away from a defensive policy of regulation to a proactive approach. An incident plan that covers the backing up of systems data and includes human resources training will go a long way in dealing with cyberattacks when an incident finally occurs.