The threat of cyberwarfare needs more than mere laws

Gerald Flynn

The Interior Ministry’s Anti-Cybercrime Department director Chea Pov confirms that Cambodia’s much-touted cybercrime law has yet to be finalised.


“There are more debates to take place and more meetings, but it takes time to amend the law according to the threats to the Cambodian people,” he says, adding that it would affect people using internet-connected devices.

“[Because] the law is still under operation, I can’t say more,” he stresses. The Kingdom is still trailing behind regional partners who have either introduced specific legislation to cope with the rising threat of cybercrime or have amended existing laws to include the criminal use of data and devices.

Criminal means

However, the efficacy of cybercrime laws introduced by neighbouring countries is worth questioning, according to Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia and an expert with 20 years of experience in the business.

“Cross-border cyber-attacks and criminal activities have introduced several legal challenges. Laws are to protect national security interests within well-defined geographical boundaries,” he explains.

He cites differing laws on hot-button issues such as freedom of speech – what is acceptable in one country could be considered libellous and defamatory in countries with fewer rights.

Compounding the issue is the difficulty of gathering evidence [from] outside national borders, which can be expensive, time-consuming and almost impossible without full cooperation of the host state, especially for a country such as Cambodia with limited resources.

“As such, most current laws are of limited effectiveness in addressing transnational cybercrimes,” concludes Amirudin.

Amirudin is not alone in his concerns regarding the implementation of legislation.

While he notes that the means of tackling cybercrime are forced to adapt in lockstep with the evolution of criminal means, for Dr Mark van Staalduinen, a cybersecurity expert with TNO – the Netherlands Organisation for Applied Scientific Research – cybercriminals are increasingly seeking higher value targets.

“First, be aware that every organisation can be a target,” he says, warning that “of course a bank is of more interest to a cybercriminal than small or medium enterprises, but ransomware attacks and many other cybercriminal concepts can affect your organisation and benefit the criminals.”

For van Staalduinen, the issue of what will be targeted and by whom is tied intrinsically to the profitability of cybercrime – the more economically developed a nation becomes, the more of a target it inadvertently paints on its back.

“It depends on the target organisation for the attack wherefrom it originates, but it is well known that state actors are participating in the global cyberwarfare as well,” claims van Staalduinen.

“Furthermore, cybercriminals with economic or terrorist motives, script kiddies and unintentional cyber failures contribute to the battlefield as well,” he says, referring to the growing number of inexperienced hackers – “script kiddies” – who use computer programmes designed by other, more experienced coders to launch cyberattacks against computer systems or websites.

Origin of threats

US-based cyber threat intelligence firm IntSights Cyber Intelligence Inc reported earlier this year that Cambodia had been the victim of multiple cyberattacks.

Although this is not new, Kaspersky Labs recorded some 4.5 million web attacks and 21.9 million offline threats in Cambodia last year alone. Online attacks more than doubled from 2017, but what IntSights discovered was that certain attacks appeared to be state-sponsored.

Attacks committed by OceanLotus – a group of cybercriminals otherwise known as APT32 – have been recorded since 2014, predominantly focusing their efforts in Southeast Asia, but more recently specifically in Cambodia according to a 2019 threat briefing from IntSights.

“OceanLotus carried out cyberattacks against foreign governments that could conceivably threaten Vietnam’s economic growth, namely Cambodia,” reads the report.

“Last year’s watering hole campaign targeted a number of Cambodian government sites, such as the Defense Ministry and Ministry of Foreign Affairs and International Cooperation,” IntSights reported, referring to the tactic in which cybercriminals infect a website known to be used by their end targets and gain access to their computer systems once the infected website is visited.

‘Eliminating competition’

The report seemingly suggests a link between OceanLotus and state-sponsored cyberwarfare, with the view that “Eliminating economic competition appears to be a primary motive for OceanLotus, indicating a high likelihood they could be associated with the Vietnamese government.”

IntSights also notes an alleged connection with Vietnam’s recent cybersecurity laws, which have been decried by human rights groups, free speech activists and technology companies as draconian and repressive. The move might even have led to a growing number of Vietnamese internet users turning to the “dark” web in search of unfiltered internet access.

This, IntSights suspects, is fuelling the growth of a cybercriminal hub in Vietnam as more internet users learn the tools necessary to evade the one-party nation’s tightening grip on information. Although there’s naturally nothing new about the employment of cyberwarfare to gain economic advantages, Cambodia’s vulnerability to rapidly advancing neighbouring countries raises bigger questions about the Kingdom’s means to defend itself.

Potential for cybercriminals

Shamane Tan, executive advisor to Privasec for Asia and the Pacific – an Australian governance and cybersecurity firm – warns of the growing sophistication in cybercrime, as well as the well-documented increase in volume.

“In the 2019 Global Threat Report released by CrowdStrike, a threat graph showed a capture of 240 billion events every 24 hours, which is more than the number of tweets Twitter processes in an entire year,” she says via email.

“If I were to look at the cybersecurity industry itself, there has been increasing talk and adoption of the MITRE ATT&CK framework to describe the tactics and techniques in a standardised manner,” she adds.

The MITRE ATT&CK knowledge base is a compilation of all known tactics, tools and methods of cyberattacks, but offers simplified, standardised information in a bid to make comprehension of cybersecurity more accessible.

On the issue of state-sponsored cyberwarfare, Tan notes that technological developments have emboldened certain state actors.

“Usual suspects of state-sponsored attacks remain the same as previous years. However, in the breakout time comparison, Russia-based threat actors are almost eight times as fast as North Korea-based adversaries, who themselves are almost twice as fast as intrusion groups from China,” she says. This means that, in recent years, the time it takes a hacker group to go from gaining initial access to a victim’s computer to moving laterally through its network is getting shorter.

“Knowing this, organisations can then adjust their target response time taking into context the likely adversaries they will confront given their business sector and regional focus,” explains Tan.

Cambodia is ill-equipped

As such, it’s unlikely that the introduction of new legislation will do much to protect Cambodian businesses, financial institutions or government assets – not without a robust and dedicated body of cybersecurity professionals.

Most experts in Cambodia agree this does not exist yet.

“What we see today on the cybersecurity market in Southeast Asia is not just a looming possibility of the lack of cybersecurity experts, but the factual shortage of professionals,” says a spokesperson for Group-IB, a Singapore-based cybersecurity software firm.

“Asia’s fruitful economic development has made it an attractive target for financially motivated hackers and state-sponsored hacker groups. The existing pool of cybersecurity researchers in the region is simply not enough to deal with the constantly growing number of cybercrimes, whose sophistication has been steadily increasing,” warns Group-IB.

The firm recommends awareness-raising and education activities and, in particular, the training of Cambodian youths in the basics of cybersecurity best practices. These best practices often go ignored by even Cambodian government staff who have been known to use personal email addresses for official business.

“The bringing up of a cyber-savvy workforce in the region has been a cornerstone of Group-IB’s strategy, which is being implemented in close cooperation with universities of the region that adopt the company’s materials for internal courses and send their students to undertake internships at Group-IB.”

Amirudin Abdul Wahab, Dr Mark van Staalduinen and Shamane Tan will be among numerous esteemed guest speakers at the Cyber Security Asia 2019 conference in Phnom Penh on Nov 4 and 5.
