IBB: ChatGPT vs a Collective with few Centuries of Experience
This is a story about Malaysia’s newly announced budget plan, ChatGPT, and what a room full of IT industry veterans can bring to the conversation: something which no amount of AI currently can.
It all started with reactions towards the budget allocation of RM10 million towards combatting scams. The cybersecurity podcast team I work with has a lot to say about this.
In fact, many had something to say about the RM10 billion allocation for the NSRC or National Scam Response Centre.
The gist of it is this: if that budget is meant to go towards responding to incidents AFTER they happen, then what is going towards addressing the root cause and nipping the problem in the bud?
To effectively fight scamming activity, what is required is a long, hard, and thorough look at the whole lifecycle of scams, from root cause all the way to putting scammers behind bars and shutting down their servers.
Hence, that budget amount is not only “tak cukup”, its scope is also too narrow.
“Tak cukup” and too Narrow
One particular industry veteran pointed out, “If you notice, all efforts being done are to get some protection, but still nothing is being done to catch scammers!”
He also opined, “Those financial institutions are the biggest culprits! They are just not doing anything unless they are forced to.
“The RM10m should be towards initiatives to NAB scammers….,” he added, stating that ultimately, “We need to hear about scammers being nabbed based on tracing of the links and phone numbers!”
Killswitch – Onus on the user
EITN editor Charles Moreira also very accurately pointed out, “RM10 million is so token. And putting the onus of the kill switch on end users absolves the banks from that responsibility.”
He was referring to the Bank Negara policy for all banking institutions to enable users to immediately freeze their accounts in the event of any suspicious activity. But how adept are users at recognising suspicious activity? Awareness and education among bank users are low when it comes to detecting whether they are being scammed, or whether any fraud or withdrawal activity is happening.
So, that’s another can of worms that has to be addressed, because a killswitch appears to be ineffective except for maybe users who are tech-savvy and especially vigilant.
Personal data breaches
Let’s zoom in again on the RM10 million allocated for the NSRC.
One of the major reasons that scammers are so rampant these days is that our personal data has been so easily leaked, breached, or lost by various agencies and authorities (note: the great Telco Leak of 2018, and the many others which have happened after that).
This, along with all the data breaches Malaysia has undergone in the past few years, is one part of the problem. Users also need to be educated to guard against ‘giving out’ their personal information. There are many other causal factors to think about.
Instead of building a shiny new call centre to help resolve scam problems, how about making it so difficult for scams to happen in the first place?
Wouldn’t RM10 million be better spent on stepping up controls of people, process, technology, and enforcing them at all the locations where personal and confidential data is being stored and being used for transactions, i.e. government agencies, financial institutions, healthcare organisations, and more?
There is a reason that these sectors are highly regulated, so why not fortify what already exists, for example policies, regulations, and yes, controls and enforcement?
What ChatGPT says:
When asked about the budget allocation for Malaysia’s cybersecurity industry, the ever-optimistic AI was hopeful that the budget would be used for 6 initiatives which “could help improve Malaysia’s cybersecurity posture and readiness and address the specific needs and challenges the country faces.”
This response is ideal for a college-level essay about cybersecurity for a nation. But it neglects and overlooks the hard, cold realities of the industry, and the painstaking work that goes into operationalising cybersecurity at an organisation or nation-level, and the equally painstaking work that goes into ensuring sustainability of skills, resources, and more, for a resilient cybersecurity posture.
IT BYTES BACK! SAYS:
A collective of experienced IT veterans and EITN identified that to battle scams, effective awareness and training have to be beefed up, along with controls and enforcement, remediation and resiliency. We want long-term solutions, not superficial band-aids to cover superficial wounds! For example, there is ongoing discussion in the chat room about why a killswitch is detrimental and how to leverage early fraud warning systems instead.
Lastly, ChatGPT can be useful for repetitive mundane questions, but it needs more training data to come up with more helpful responses to issues like the above.