Law enforcement alone is inadequate for Thailand to effectively deal with rampant cyber-risks. The country also needs other key elements in place to plug loopholes, according to IT officials.
A recent breach resulting in personal data being leaked by the hacker "9Near" serves as a wake-up call to the nation, especially state authorities in charge of cybersecurity.
Last week a new committee in charge of handling technology complaints under the Personal Data Protection Committee (PDPC) called an urgent meeting of personal data experts to set guidelines to address data breaches in state agencies.
The committee is also expected to examine if all state agency measures for personal data protection meet the required standards. The scrutiny begins with state agencies that have databases of more than 1 million individuals.
Thailand enacted both the Cybersecurity Act and Personal Data Protection Act (PDPA), as well as created dedicated agencies to oversee critical information infrastructure and protect user privacy. Yet IT firms say laws and regulations alone are insufficient.
Data privacy and cybersecurity is the responsibility of everyone.
Collaboration and shared responsibility among all stakeholders, a leadership commitment, a culture of security, and the development of security-minded policies and skills are essential for private organisations, policymakers and citizens to combat cyber-risks, said Prinya Hom-anek, a member of the National Cybersecurity Committee.
SWISS CHEESE MODEL
Mr Prinya, who is one of the victims of the data leak, said we should not blame any particular stakeholder for the incident as hackers are dynamic and sophisticated. There are no magic solutions to completely prevent cyberthreats, he said.
Cybersecurity requires collaboration from every party, with each stakeholder assuming responsibility as protection requires multiple layers of efforts, said Mr Prinya.
He cited James Reason's "Swiss cheese model" of intervention failure. It is a model applied in risk analysis and management in many industrial sectors.
According to the model, there are four keys that cause negative incidents and improving any of the four will enable a more holistic view of security.
The first is organisational influence from management of resources, work environment and processes, and culture within an organisation that leads to problems.
The second oversight includes inadequate supervision, inappropriate work planning, failure to solve known problems, and non-compliance.
For example, cybersecurity is not only an IT responsibility, but also should be a requirement of an organisation's top management, said Mr Prinya.
The third key is an unsecure context environment, such as users lacking security training, making errors in leaking data and not using two-factor authentication to log in.
The fourth key is unsafe actions such as errors in perception, decision-making and personal skills, as well as habitual non-compliance.
THE WEAKEST LINK
He said organisations need to have what he calls "cyber hygiene" to measure and mitigate their risk. There are three components for a foundation of cyber hygiene: people, process and technology.
People is the most important part because it is the weakest link in security systems, with many incidents occurring due to human error.
Mr Prinya said people need security awareness, starting with top management committing to no compromises on any aspect, from budgeting and resources to procuring technology and employee training.
The PDPA law states top management are responsible if organisations experience data breaches because of a lack of cybersecurity.
He said private organisations such as banks have increased awareness of how cyber-risks can impact their business and reputation.
Government leaders should re-prioritise their key missions and improve budgets for cybersecurity, said Mr Prinya. For example, he said public hospitals are often flooded with patients and limited by budget challenges.
If state agency leaders include cybersecurity as a key performance indicator, this will allow them to prioritise it in budgets, said Mr Prinya.
The second component in cyber hygiene is security standards, while the third is technology, he said.
Many organisations purchase technology for protection against cyber-risks, but proactive safeguards require the functions of identify, protect, ability to detect once an attack occurs, and respond and recover after an incident, said Mr Prinya.
"Counting on only laws and punishment while organisations and users lack awareness and preparedness means we cannot solve the problem at its root," he said.
SECURITY BY DESIGN
Rom Hiranpruk, a member of the Policy Board at the National Cyber Security Agency, said privacy cannot exist without proper cybersecurity. He said this is why Cybersecurity Act officials and his agency need to work closely with the PDPC.
Mr Rom said there are some limits of power in the Cybersecurity Act because when it was being drafted, there was public fear of government abuse of power and intercepting people's data.
He said the act has a loophole that could allow small private organisations with critical missions that claim to have little personal data to opt out from the law. The law needs to apply to everyone, regardless of organisational size when it concerns sensitive data, people's lives and national security, said Mr Rom.
Moreover, regulators under the Cybersecurity Act and PDPA are newly established and have budget constraints. He said agencies are doing their best given the resource constraints.
"We are still early in our cybersecurity journey, unlike other sector regulators that have long histories. We still do not have enough cybersecurity personnel compared with neighbouring developed countries," Mr Rom said.
He said Thailand should consider itself lucky as it does not have cyberwarfare, as seen in other countries.
The nation needs to promote the practices of cyber-resilience and a cautious security mentality, such as "security by design", said Mr Rom.
For example, if developers design applications that are urgently needed, they might overlook adding security. Operating with a security by design mindset, developers will make security a key criteria in creating an app, apart from reliability and user-friendliness.
ZERO TRUST ARCHITECTURE
Ome Sivadith, the national technology officer for Microsoft Thailand, said while the company will not comment on the specifics of the data breach, he agreed that regulations and policies cannot ensure security on their own.
"Cybersecurity is a cat-and-mouse situation where the threat is always evolving, and those defending against attacks must also evolve to be one step ahead," said Mr Ome.
Organisations, whether they are public or private, must always be aware of evolving digital threats and reassess their own security capabilities to effectively defend themselves, he said.
A good example is the US's "Executive Order on Improving the Nation's Cybersecurity", which calls for the federal government to implement zero trust architecture approach.
This is a security model that eliminates implicit trust in any one element, node or service, instead requiring continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.
In essence, a zero trust architecture allows users full access, but only to the bare minimum they need to perform their jobs.
As cybersecurity is an evolving and relevant issue, Microsoft believes it should be on every organisation's agenda, said Mr Ome.
"Any effective cybersecurity measure must encompass people, policy and technology, and we must consider this matter as everyone's responsibility," he said.
Organisations are urged to adopt a zero trust approach to fend off cyber-attacks. Wichan Charoenkiatpakul
RANSOMWARE MENACE
Steven Scheurmann, regional vice-president at Palo Alto Networks Inc for Asean, cited a company report that Thailand registered the most ransomware attacks in Southeast Asia, demonstrating the critical importance of cybersecurity becoming a part of the governance agenda.
Key sectors such as manufacturing, financial institutions, governments and critical infrastructure remain vulnerable to cyber-attacks, which have the potential to disrupt people's lives, he said.
Investments in modern cybersecurity solutions, building a secure workforce and driving public awareness campaigns remain key to keeping pace with new online threats, said Mr Scheurmann.
He said government regulations such as PDPA and the Cybersecurity Act only provide guidance and basic guardrails for cybersecurity.
At the rate technology is advancing, it is arming threat actors with new ways to penetrate organisations and governments, said Mr Scheurmann. Regulations take time to be updated and communicated, which sometimes can result in lags in responses to attacks, leaving governments and businesses exposed to breaches, he said.
"Infrastructure can be anywhere, and everything is increasingly interconnected. With the widening of the attack surface, eliminating entry points for cyber-attacks is even more critical. One should not simply trust IT equipment, such as printers or vendor-supplied hardware and software, because IT and workplace infrastructure are increasingly connected to internet-facing apps that centrally command and orchestrate them. Anything internet-facing is a risk to your organisation," said Mr Scheurmann.
"Zero trust is a strategic approach to cybersecurity that must be adopted by governments to eliminate implicit trust and continuously validate every stage of digital interaction. It's a way for state and local governments to build resilience into their IT environments."
DIGITAL RISK PROTECTION
Rattipong Putthacharoen, senior manager of systems engineering at Fortinet, said attackers will find security gaps and vulnerabilities to attack an organisation, using techniques including artificial intelligence to weaponise attacks, while also sharing attack tool kits with threat actors to make the attacks more advanced.
AI-powered tools such as endpoint detection and response and network detection and response are needed to analyse advanced threats, while all security events from every deployed security tool must be collected, correlated, and analysed in one place to help identify evasive attacks, he said.
Once the incidents are identified, the Security Orchestration, Automation and Response tool must be used to quickly mitigate and contain the threats, as well as recover from the damages.
The Digital Risk Protection (DRP) tool provides a view of what adversaries are seeing, doing and planning to help organisations counter attacks, reducing the risk, time and cost of later-stage threat mitigation, said Mr Rattipong. DRP identifies brand impersonations and monitors data leaks related to the organisation on the dark web.