With 133% mobile phone penetration, connectivity in Thailand is no longer a problem. This has bought with it 40 million Internet banking accounts, 19 million mobile banking accounts and a rapidly growing e-commerce sector. The question is: what is the Thai government trying to do to ensure that all of this is secure?
Dr Thanachart Numnonda, executive director of IMC Institute attempted to answer this question in a presentation about Thailand 4.0, where the country is headed and the challenges it faces, at CommunicAsia’s Security of Things track organized by the IEEE last week.
To put the issue in context, he said, Thailand is now facing a middle income trap. Five to ten years ago, the country enjoyed a decade of 5-8% GDP growth. That has now fallen to under 4% at most. With that in mind, the government came up with the Thailand 4.0 policy (not to be confused with Industry 4.0).
The “4.0” isn’t a random number to sound techy – as Dr. Thanachart explains, Thailand 1.0 was agrarian; 2.0 was light industry; 3.0 was heavy industry and 4.0 is all about a value-based economy. The idea is to harness technology to innovate and sell more services. It is all about smart devices, robots, mechatronics, embedded IoT technology. It is also about attracting companies in this sector to invest in Thailand. Then there is the huge push for the single payment ID called AnyID (which uses a phone number or citizen ID) and its associated PromptPay electronic money system. Thailand 4.0 is about doing business on the new s-curve.
But with all the growth comes a major cyber security challenge. Thai people still lack security awareness. IT security is typically an insufficient fraction of any given IT budget – and IT budgets themselves are small, relative to the vision that is being pushed. There is also a shortage of skilled professionals to deal with cyber security. Recently 124 Thais took the ISEC (information security expert certification) exam – only 20 passed.
According to the Digital Economy Ministry’s Electronic Transactions Development Agency EDTA), the country was on the receiving end of 4,300 cyber attacks in 2015. Around 87% of companies have experienced data or monetary loss due to cyber attacks. Little wonder a recent MasterCard report said that Thais do not want to use mobile banking due to security concerns.
The numbers get worse
According to Allianz Global, Thailand is the second most popular country for cybercrime. Microsoft puts the country in the top 25 for malware infections, and BitDefender ranks it the 11th highest-risk country in the world (in Asia, it ranks fifth).
The government has an organization called ThaiCERT, under the electronic transactions development agency of the DE Ministry, that works on cyber threats and forensics. The Ministry of Defence has established a cyber offence unit and a cyber security operations center.
Which is nice, but the plethora of new organizations makes it more confusing on who to turn to when you become a cybercrime victim. The Royal Thai Police have a High-Tech Crime Unit, but they will only deal with cases such as pornography or fraud. If it is organized crime or terrorism, then the case would have to go to the Technology Crime Suppression Division – unless it has a censorship or lese majeste component, in which case the case would go to the IT Crime Prevention Bureau of the Digital Economy Ministry.
Even I am confused.
In terms of legislation, Thailand has its new Cybercrime Act that has just gone into force, a new e-commerce bill, cyber security protection bill and a data protection bill. Despite all the criticism, Dr Thanachart said the cyber security protection bill is not that different from Singapore’s – the backlash has been less about the actual content of the bill and more the product of a clueless spokesperson talking to the press about it.
Disruptive.Asia asked Dr Thanachart how Thailand could invite companies to invest in Digital Park Thailand when it has draconian cyber laws on the books, such as Section 16(2) of the Cybercrime Act that criminalizes mere possession of illegal information.
Dr Thanachart noted that he disagrees strongly with the very idea of Digital Park Thailand, and thinks that the tax breaks and incentives should be aimed at those investing in the sector anywhere in Thailand, not just in Sriracha.
On the point of the laws, he said, “We must understand that this is a military government and they see everything in a military context – cyber security threats are threats to the government, and data protection is not about consumers but about military data.”
He said that some articles may be serious, “but it is like all this talk of blocking Facebook. They keep talking about it but they will never be able to do it – but that does not stop some government official saying something. If they ever tried to enforce the law to its fullest, the people would cry out. It is like that in Thailand.”