Malaysia faces a ‘Digital Fentanyl’ as cyber threats poison everyday communications

• Bad actors have easier access to sophisticated hacking tools, attacks on the rise
• Govt pursues digital sovereignty via regulatory action, urges public vigilance

This is not a drill. “Your WhatsApp account has been hacked, and criminals are using your identity to ask friends for money. Your phone was compromised while you slept, with zero clicks required. That financial transaction you just made? It’s being intercepted right now.” 

According to cybersecurity experts who gathered last week at a media roundtable hosted by BlackBerry’s Cyber Security Center of Excellence in Cyberjaya, these aren’t hypothetical scenarios but real threats that Malaysians face daily.

In a stark warning to journalists and citizens alike, officials from BlackBerry and the Malaysian Communications and Multimedia Commission (MCMC) revealed how criminal networks have dramatically lowered the barriers to sophisticated cyber attacks, turning everyday digital communications into what MCMC Commissioner Derek John Fernandez described as “digital fentanyl” – addictive, widespread, and increasingly dangerous.

The invisible threat

“You need to assume that the networks you’re using are compromised, and therefore, you need to take the necessary actions when your data is falling over those networks and make sure it’s protected,” warned David Wiseman, Vice President of Secure Communications at BlackBerry, setting the tone for a discussion that highlighted how vulnerable our everyday communications have become.

According to the speakers, the disturbing reality is that criminal actors now have easier access to sophisticated hacking tools. “The level of ability that someone needs to be very effective is lower, which means you can have more people making these attacks,” Wiseman explained, noting how this has democratized cyber threats.

The third speaker, Jonathan Jackson, Senior Director of Strategic Technical Solutions APAC at BlackBerry, demonstrated this vulnerability in real time, showing how easily personal information can be exposed through consumer-grade messaging applications. 

“To me, the important message, if I can get any message across, is that if the product is free, you are the product,” Jackson emphasized, revealing how his metadata and location were being tracked by services most people use daily.

Beyond consumer-grade security

The speakers drew clear distinctions between the different communication options available today:

Public telephone networks – Designed primarily for connectivity, with security as a secondary consideration

Consumer messaging apps – Provide some protection like end-to-end encryption but lack identity verification and data sovereignty

Organization collaboration tools – Better but can introduce single points of failure

Dedicated secure systems – Required for critical communications

“For government, critical infrastructures, businesses, it’s not a good choice because you have the identity risk, there’s no data ownership, and you don’t have a concept of digital sovereignty,” Wiseman warned about relying on consumer apps for sensitive communications.

The escalating threat landscape

The roundtable revealed several alarming developments in cyber threats:

Commercial spyware proliferation: “Zero click” attacks that compromise devices without any user interaction

Espionage operations: The Philippines government recently arrested individuals driving around with fake cell towers intercepting calls and messages

Mass identity capture: Criminals harvesting user data for future exploitation

Widespread telecom breaches: “Every single US telecom carrier got hacked,” Wiseman revealed, citing a January Wall Street Journal report. He emphasized that Malaysia and other countries face identical risks since they use the same network equipment and infrastructure worldwide.

Jackson added that artificial intelligence makes attacks more convincing: “It’s become more challenging now with the advent of AI machine learning where deep faking technology of audio and video is now definitely a reality.”

Personal protection strategies

The experts shared practical advice for individuals concerned about digital security: “Every time you physically shut your device down and turn it on, the operating system will run through a series of validation checks,” Jackson recommended as a simple daily practice.

Other recommendations included:

• Turn off your phone at night
• Disable WiFi, Bluetooth and location services when not in use
• Update operating systems promptly
• Use paid VPN services rather than free ones
• Review app permissions carefully
• Verify communications through multiple channels

Fernandez added a crucial tip for verifying suspicious communications: “I’m busy, I’m cooking at the moment, I’ll call you back. Then you call back. The phone won’t ring 90% of the time because they’re spoofing the number.”

Malaysia’s 10 principles focused regulatory response

Fernandez also outlined Malaysia’s approach to addressing these threats, focusing on ten principles (table above) that guide the country’s cybersecurity strategy.

“First of all, there must be the political will to protect the people from cybercrime,” he stated, emphasizing that this commitment must override business concerns. “There can be no compromise… digitalization has benefited a small number of people more than the mass of the public. It brought benefits, but you need to protect your people.”

Fernandez advocated for greater accountability from digital platforms: “Those who profit the most from digitalization owe the greatest responsibility to protect their customers.” He also called for specific regulatory measures:

• A 48-hour cooling-off period for first-time financial transactions
• Mandatory digital insurance for financial services
• Requirements for service providers to deploy acceptable levels of technology
• Treating cybersecurity as capital infrastructure rather than a cost

Malaysia seeks to establish its digital sovereignty

A recurring theme was Malaysia’s effort to establish “digital sovereignty” – the ability to control and secure critical communication infrastructure without depending on foreign entities.

“We are pushing the boundaries on this,” Fernandez explained. “The centre here was set up as a result of a cooperation between the Malaysian government and the Canadian government with BlackBerry to be able to set up a centre to provide expertise and this kind of training.”

This initiative allows Malaysia to maintain fully sovereign, secure communication systems, addressing what Wiseman described as “the threats of unknown people somewhere around the world managing those systems.”

Notably, Malaysia has taken a recent regulatory step by requiring the licensing of social media and messaging platforms with large user bases. “The minister has announced that all these messaging platforms have to be licensed,” Fernandez stated. 

As of January 2025, this requirement has gone into effect, with TikTok and WeChat successfully obtaining licenses while Telegram, Facebook, Instagram, and WhatsApp are still in the licensing process. Platforms X (formerly Twitter) and YouTube have yet to apply, with X disputing whether it meets the eight million user threshold that triggers the requirement. 

While the regulation allows for substantial penalties—fines up to US$112,443 (RM500,000) and imprisonment up to five years—for non-compliance, Communications Minister Fahmi Fadzil has indicated that unlicensed platforms won’t face immediate bans.

This measured rollout raises questions about the enforceability of such regulations against powerful global tech platforms, say industry players. Malaysia finds itself in uncharted territory, attempting to assert sovereignty over digital spaces while lacking clear enforcement mechanisms against companies whose physical assets and operational hubs often exist outside national borders. 

According to industry players, whether this licensing framework will achieve meaningful protection for Malaysian users or become another regulatory aspiration challenged by the borderless nature of digital services remains to be seen. The success of these measures depends on Malaysia’s ability to build international cooperation around similar regulatory frameworks.

A shared responsibility

The roundtable concluded with an emphasis on collective action. While technology providers and regulators have essential roles, users must also adapt their behaviour.

“There’s a lot of things you could do from a technology perspective,” Wiseman summarized, “but at the end of the day, it’s how people use these systems, how they behave, and that’s why the education aspect that we’re providing here in the centre is so key.”

Fernandez concurred. “You can’t believe anything you see anymore. This is the first thing to get into your head. It’s challenging, especially with the rise of deepfakes. It can call you up, and you think you’re talking to your mother. That’s how well-evolved the technology is.”

As cyber threats continue to evolve, this combination of technological solutions, regulatory frameworks, and user education represents Malaysia’s comprehensive approach to building a more secure digital environment for its citizens and critical infrastructure.