Cybersecurity is national security: Why Malaysia needs a legal framework for cyber warfare
25 Mar 2025, 05:24 pm

(March 25): The recent cyber attack on Malaysia Airports Holdings Bhd (MAHB), where hackers allegedly demanded a US$10 million (RM44.37 million) ransom, was not just an attack on a corporation — it was an attack on Malaysia’s national security.

This incident is a stark reminder that in today’s world, wars are no longer fought solely with missiles and tanks, but with algorithms and malware. At the same time, the Ministry of Defence (Mindef) has raised concerns over the need to strengthen cyber, drone, and nuclear warfare capabilities, including discussions on forming a dedicated cyber force. This is a step in the right direction.

However, military solutions alone will not be enough. The reality is that Malaysia still lacks a comprehensive legal, policy, and strategic framework for cyber warfare.

One of the fundamental challenges in addressing cyber warfare today is that many governments — including Malaysia — are still using 19th- and 20th-century theories of war to respond to 21st-century threats.

Traditional warfare is based on principles of territorial invasion, physical combat, and military occupation. But cyber warfare does not require borders, military bases, or physical presence.

A hostile state or cyber-criminal group can cripple an entire nation’s infrastructure from the other side of the world without a single soldier setting foot on enemy soil. Yet, Malaysia’s legal and strategic framework still relies on conventional defence doctrines, failing to acknowledge that cyber warfare has fundamentally changed the nature of global conflict.

The consequences of this outdated approach are evident. The Cyber Security Act 2024, while a positive step, remains focused on cybercrime, regulatory compliance, and data protection, but does not address the broader legal, military, and diplomatic aspects of cyber warfare.

For instance, the absence of a clear legal definition of cyber warfare makes it difficult to classify and respond to state-sponsored cyber attacks. There is no dedicated Cyber Warfare Command that can pre-emptively neutralise cyber threats rather than merely react to them.

Additionally, Malaysia lacks a legal framework for cyber deterrence, meaning there is no official policy on how the country would respond if a foreign state or cyber terrorist group launched a major digital attack.

The importance of learning from Estonia cannot be overstated.

In 2007, Estonia suffered a coordinated cyber attack, allegedly launched by Russian-backed hackers, that crippled the country’s banking systems, media networks, and government services.

Instead of simply treating it as an IT problem, Estonia recognised cyber attacks as acts of war, integrating cyber warfare into its national defence strategy. The country established the Nato (North Atlantic Treaty Organization) Cooperative Cyber Defence Centre of Excellence in Tallinn, which later developed the Tallinn Manual, the world’s leading legal framework on cyber warfare norms. Today, Tallinn is recognised as the global hub for cyber warfare research and policy, shaping international norms on how nations should respond to digital threats.

Malaysia has an opportunity to do the same.

Cyberjaya can be positioned as a Global Cyber Diplomacy Hub, learning from Estonia’s transformation of Tallinn into a leader in cyber warfare norms. By establishing a Cyber Warfare Legal Framework, Malaysia can not only strengthen its own cyber defence, but also become a regional leader in cyber diplomacy within Asean and the broader Global South. Cyberjaya — already known as Malaysia’s tech hub — has the potential to house an international cyber policy institute, fostering collaboration between governments, the private sector, and academia to develop global cyber governance standards.

Singapore has already taken proactive steps in this direction.

In 2018, Singapore passed the Cybersecurity Act, granting legal authority to the government to secure critical digital infrastructure. The country established the Cybersecurity Agency and the Defence Cyber Organisation to ensure that legal, policy, and military responses are aligned.

Singapore’s approach emphasises cyber diplomacy, forging alliances with global partners to share intelligence and coordinate cyber defences.

Malaysia must not lag behind. If Malaysia does not act swiftly, we will not only be vulnerable to cyber threats, but also risk becoming irrelevant in shaping the future of global cyber governance.

If cybersecurity is national security, then Malaysia’s legal framework must reflect this reality. There are urgent steps that Malaysia must take to address this growing threat.

First, Malaysia must enact a cyber warfare legal framework that legally defines cyber warfare and allows proactive cyber defence. The law must recognise cyber attacks as threats to national security, not just commercial crimes. It must establish legal protocols for cyber deterrence, cyber retaliation, and cross-border cooperation, aligning with international frameworks such as the Tallinn Manual and the Budapest Convention on Cybercrime.

Second, there must be a dedicated cyber warfare command to centralise cyber operations under Mindef and the National Security Council. Cyber defence cannot be scattered across multiple agencies, leading to inefficiencies and jurisdictional conflicts. This Cyber Warfare Command should have legal authority to engage in defensive and counter-offensive cyber operations and integrate artificial intelligence (AI) and cyber intelligence tools to detect and neutralise threats before they escalate.

Third, Malaysia must develop a cyber diplomacy strategy because cyber threats do not recognise borders. Malaysia should lead Asean’s cyber diplomacy efforts, creating a regional cyber defence alliance. The country should strengthen legal cooperation with Estonia, Singapore, and global cybersecurity institutions, while investing in international intelligence-sharing agreements to prevent cyber attacks before they reach Malaysian systems.

Fourth, the Malaysian government must increase investment in cybersecurity. Malaysia currently spends less than 1% of its gross domestic product on cybersecurity — this must be increased to at least 1.5%, aligning with international best practices. This funding should be used to develop AI-driven cyber security technologies, train a new generation of cyber defence specialists, and strengthen public-private sector collaboration in securing Malaysia’s digital infrastructure.

Prime Minister Datuk Seri Anwar Ibrahim’s vision for Malaysia Madani is about building a resilient and forward-thinking nation. But in the digital era, no country can be truly secure without a strong legal and strategic framework for cyber warfare.

The cyberattack on MAHB was just the beginning. If Malaysia does not act now, the next attack could cripple our financial sector, military networks, or energy grid. The time for reactive measures is over — Malaysia must take decisive legal and strategic action now.

As a doctoral candidate at the Ahmad Ibrahim Kulliyyah of Laws of the International Islamic University Malaysia (AIKOL-IIUM) researching cyber warfare legal frameworks, I strongly urge the Malaysian government to prioritise cyber warfare law reform and establish a dedicated Cyber Warfare Command.

My experience as a lawyer, former senator, and former member of Parliament for Balik Pulau has shown me firsthand the importance of strong legislation in protecting national interests. Malaysia must not only prepare for today’s threats, but must also position itself as a leader in shaping the future of cyber warfare norms — before it is too late.

Yusmadi Yusoff, a senior lawyer, former senator, and former MP for Balik Pulau, is currently researching cyber warfare legal frameworks for his doctoral thesis at the Ahmad Ibrahim Kulliyyah of Laws, International Islamic University Malaysia (AIKOL-IIUM).
