This article first appeared in Digital Edge, The Edge Malaysia Weekly on September 9, 2024 - September 15, 2024

Developing data centre infrastructure is key to Malaysia’s goal of becoming a digital hub, boosting data capacity and attracting foreign investments. However, this expansion raises concerns about data security and sovereignty, requiring a balance between investment and protection.

The country’s cost competitiveness and favourable business environment make it an attractive destination for investments, as evidenced by the billions pledged by Microsoft, Google and Amazon Web Services (AWS) to develop the infrastructure here.

In May, Microsoft announced US$2.2 billion (RM8.75 billion) in investments over the next four years to support Malaysia’s digital transformation — its single largest investment in the country since it established operations here 32 years ago — with a portion of the investment going towards building cloud and artificial intelligence (AI) infrastructure.

Google has committed US$2 billion to house its first Google data centre and Google Cloud region in Malaysia, putting the nation among 11 other countries where the tech giant has built and operates data centres.

Meanwhile, AWS rolled out its AWS Region on Aug 22 and reiterated its pledge to invest RM29.2 billion in the country by 2038, which it believes will play a pivotal role in advancing the country’s digitisation ambitions.

“Data centres enable businesses to process, store and secure vast amounts of information. Data intelligence drives the adoption of advanced technologies like artificial intelligence, augmented reality and blockchain by supplying the necessary infrastructure and computational power,” says Arun Kumar, Asia-Pacific regional director at ManageEngine, a division of multinational software company Zoho Corp, which specialises in enterprise information technology management software, including software for data centre management.

He notes that the RM144.7 billion in data centre investments between 2021 and 2023 have collectively created close to 40,000 jobs in various verticals, promoted technology transfers across various digital technology domains and assisted businesses by satisfying complex data security demands.

While it is clear that data centres can have a net positive impact economically, Arun points out that they can also become entry points for cyberattacks.

Security operations centres, he says, face sophisticated threats such as zero-day vulnerabilities, phishing, social engineering attacks and advanced persistent threats, where attackers can remain undetected for long periods.

“With the increasing number of data centres, the sheer volume of security data, logs and alerts generated by various tools can overwhelm security operations analysts, desensitising them to security alerts and challenging them to distinguish between real threats and false positives,” says Arun, adding that this has fuelled the demand for cybersecurity professionals.

Apart from the increased attack surface, there are also considerations around data sovereignty, compliance and regulation, says LGMS Bhd chairman Fong Choong-Fook.

“The presence of foreign companies raises questions about data sovereignty and control. It is essential to ensure that data remains within national boundaries and complies with local regulations,” he says, and therefore a balance needs to be struck between being conducive to foreign investments and ensuring regulations that protect data security and sovereignty.

Malaysia gazetted the Cybersecurity Act 2024 (CSA), marking a significant step in bolstering its cyber defences and enhancing resilience against emerging threats.

Serene Kan, partner, IP & Technology practice at Wong & Partners says many countries have cybercrime or cybersecurity laws, although the depth and breadth of these vary widely.

The introduction of the CSA is a pivotal step towards bringing the country’s cybersecurity framework into line with that of countries like Singapore, Thailand and the US, says Kan. “Malaysia’s approach to cybersecurity is similar to most of the aforementioned jurisdictions in that it seeks to impose minimum standards of cyber resilience, focusing on National Critical Information Infrastructure (NCII) entities and mandatory cybersecurity incident reporting measures.”

NCII refers to continuously functioning systems, networks and assets that are deemed essential to a country’s security, national defence or economic well-being.

With the CSA now in force, Kan expects it to result in additional compliance obligations for data centres if they are designated as NCII entities.

As an NCII entity, a data centre will be required to ensure it has the necessary cybersecurity governance frameworks in place to comply with the CSA.

“One such framework is the implementation of cybersecurity incident protocols, along with simulations, to ensure that the NCII entity can respond appropriately in the event of a real cybersecurity incident,” Kan says.

This approach recognises Malaysia’s dependence on digital platforms in daily life and business, highlighting the need to ensure that NCII entities take the necessary steps to secure the digital infrastructure that stores the data provided by users, she says.

However, there are no laws specifically governing the development or operations of data centres here.

Tang Ai Leen, partner, corporate, commercial and securities practice at Wong & Partners, notes that there is no specific licence required for data centre operators unless their business involves providing network services, network service facilities or application services, which she says are uncommon.

The main regulatory approvals required would be for the acquisition of the site, development and completion of the data centres.

“Since land matters are administered by the state government, different states have taken varying approaches in their views on the appropriate zoning and categorisation of land use for data centres,” Tang says.

While there are no standard guidelines for data centres yet, Tang points out that the Town and Country Planning Department under the Housing Ministry is working on guidelines for data centre developments.

Meanwhile, Johor has set up the Johor State Data Centre Development Coordination Committee to assist the state government and local councils in coordinating the development of data centres, providing advice on related matters before planning applications are considered by the local councils.

Following its inaugural meeting in June, the council has decided that data centres in Johor should incorporate features related to energy and water conservation and focus on the use of renewable technology.

In line with its digital hub goals, Malaysia must maintain strong cybersecurity and data integrity frameworks while also ensuring they are regularly reviewed and refined to keep pace with technological development.

“Establishing data integrity is crucial for fostering compliance with multiple data regulatory standards and, in the long run, increasing a nation’s appeal to international investors who are wary of cyberattacks and data breaches. As most organisational decisions are data-driven, it is imperative to guarantee the overall quality of business-critical information at every stage of its life cycle,” says Arun.

Meanwhile, Wong & Partners’ Kan highlighted the strong economic case for regulations like the CSA, which is key to attracting more foreign investment.

“By engendering trust in our digital economy through robust laws and regulations governing the digital space — including the amendments to the Personal Data Protection Act and the upcoming AI Code of Ethics and Governance — Malaysia can drive more foreign direct investment into its data centre space,” she says.

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's App Store and Android's Google Play.